Add MkDocs docs site

.github/workflows/mkdocs.yml

@@ -0,0 +1,45 @@
+name: Docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - docs/**
+      - mkdocs.yml
+      - docs/requirements.txt
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install docs dependencies
+        run: python -m pip install -r docs/requirements.txt
+      - name: Build site
+        run: python -m mkdocs build --strict
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: site
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - id: deployment
+        uses: actions/deploy-pages@v4

.gitignore

@@ -22,3 +22,4 @@ env/
 # OS
 .DS_Store
 Thumbs.db
+site/

Makefile

@@ -35,7 +35,7 @@ define download-file
 	fi
 endef
 
-.PHONY: help setup setup-actionlint setup-action-validator setup-gh setup-gh-macos setup-gh-debian setup-gh-aw compile sync lint-workflows lint-actions release
+.PHONY: help setup setup-actionlint setup-action-validator setup-gh setup-gh-macos setup-gh-debian setup-gh-aw compile sync lint-workflows lint-actions docs-install docs-serve docs-build release
 
 help:
 	@echo "This repository contains GitHub Actions workflows and gh-agent-workflows templates."
@@ -175,6 +175,15 @@ lint-actions: setup-action-validator
 
 lint: lint-workflows lint-actions
 
+docs-install:
+	@python -m pip install -r docs/requirements.txt
+
+docs-serve: docs-install
+	@python -m mkdocs serve
+
+docs-build: docs-install
+	@python -m mkdocs build --strict
+
 # Release a new version
 # Usage: make release VERSION=1.0.0
 release:

README.md

@@ -2,94 +2,20 @@
 
 AI-powered GitHub workflows for Elastic repositories.
 
-## GitHub Agent Workflows (Recommended)
+## Documentation
 
-[GitHub Agentic Workflows](https://github.com/github/gh-aw) with safe-output guardrails. Engine and model are configurable per workflow.
+Full documentation lives at https://elastic.github.io/ai-github-actions/.
 
-Copy a workflow's `example.yml` from `gh-agent-workflows/` and customize inputs. No `gh-aw` CLI needed:
+- GitHub Agent Workflows (recommended): https://elastic.github.io/ai-github-actions/workflows/gh-agent-workflows/
+- Claude Composite Actions: https://elastic.github.io/ai-github-actions/workflows/claude-workflows/
+- Developing: https://elastic.github.io/ai-github-actions/developing/
+- Security: https://elastic.github.io/ai-github-actions/security/
+- Release process: https://elastic.github.io/ai-github-actions/release/
 
-```yaml
-# .github/workflows/trigger-pr-review.yml
-name: PR Review
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
-jobs:
-  run:
-    uses: elastic/ai-github-actions/.github/workflows/gh-aw-pr-review.lock.yml@v0
-    secrets:
-      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-```
+## Overview
 
-## Secrets
-
-These workflows require a Copilot PAT stored as `COPILOT_GITHUB_TOKEN`.
-
-1. Create a Copilot PAT with the `copilot-requests` scope (the scope is only available for public repositories).
-2. Store it as a repository secret:
-
-````bash
-gh aw secrets set COPILOT_GITHUB_TOKEN --value "(pat)"
-````
-
-UI path: Settings → Secrets and variables → Actions → New repository secret.
-
-See the upstream [gh-aw auth docs](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx) for canonical steps.
-
-### Human-coordinated workflows
-
-| Workflow | Trigger | Description |
-| --- | --- | --- |
-| PR Review | PR opened/updated | Automated code review with inline comments |
-| Issue Triage | New issues | Investigate and provide implementation plans |
-| Mention in Issue | `/ai` command | Answer questions, debug, create PRs |
-| Mention in PR | `/ai` command | Review, fix code, push changes |
-| PR CI Detective | Failed PR checks | Diagnose failures and recommend fixes |
-| PR CI Fixer | Manual (workflow_dispatch) | Opt-in fixes for failed PR checks |
-
-### Continuous improvement / agent factory workflows
-
-| Workflow | Trigger | Description |
-| --- | --- | --- |
-| Small Problem Fixer | Weekday schedule | Fix a small, related issue set and open a focused PR |
-| Code Simplifier | Weekday schedule | Simplify overcomplicated code with high-confidence refactors |
-| Test Improvement | Weekly schedule | Add targeted tests and clean up redundant coverage |
-| Release Update Check | Weekly schedule | Open a PR updating pinned ai-github-actions workflow SHAs and suggest workflow changes |
-| Agent Suggestions | Weekly schedule | Suggest new agent workflows based on repo and downstream needs |
-| Bug Hunter | Weekday schedule | Find a reproducible, user-impacting bug and file an issue |
-| Bug Exterminator | Weekday schedule | Fix bug-hunter issues and open a focused PR |
-| Docs Drift | Weekday schedule | Detect code changes needing doc updates |
-| Docs New Contributor Review | Weekly schedule | Review docs from a new contributor perspective |
-| Project Summary | Daily schedule | Summarize recent activity and priorities |
-| Breaking Change Detect | Weekday schedule | Detect undocumented public breaking changes |
-| Semantic Function Clustering | Weekday schedule | Identify semantic function clustering refactor opportunities |
-
-See **[gh-agent-workflows/](gh-agent-workflows/)** for install commands, customization, and updating.
-
-## Choosing an Approach
-
-| Feature | GitHub Agent Workflows | Claude Composite Actions |
-| --- | --- | --- |
-| **Engine** | Copilot (default) or Claude | Claude only |
-| **Install** | Copy trigger YAML (recommended) or `gh aw add` + `gh aw compile` | Copy `example.yml` to `.github/workflows/` |
-| **Guardrails** | Safe-outputs framework (structured API outputs) | Read-only/RWX/RWXP variants via permissions |
-| **Customization** | `additional-instructions` input, `setup-commands` input, or full shim edit | Edit YAML directly, adjust composite action inputs |
-
-GitHub Agent Workflows are recommended for new deployments — they're more flexible and have better guardrails. Claude Composite Actions are still supported for legacy deployments.
-
-## Composite Actions (Claude Code)
-
-Traditional GitHub Actions wrapping [Claude Code](https://github.com/anthropics/claude-code-action). Consumed via `uses:` in standard YAML workflows.
-
-```yaml
-uses: elastic/ai-github-actions/claude-workflows/pr-review/rwx@v0
-```
-
-Includes review agents, assistant agents, build failure analyzers, and report generators — each with configurable permission levels (RO, RWX, RWXP).
-
-See **[claude-workflows/](claude-workflows/)** for the full catalog and configuration.
-
-> **Note:** `claude-workflows/` was renamed from `workflows/`. A symlink ensures backwards compatibility.
+- GitHub Agent Workflows provide safe-output guardrails with configurable engines (Copilot or Claude).
+- Claude Composite Actions provide direct Claude Code actions with RO/RWX/RWXP permission variants.
 
 ## License
 

claude-workflows/README.md

@@ -1,83 +1,8 @@
 # Claude Workflows (Composite Actions)
 
-Composite GitHub Actions wrapping [Claude Code](https://github.com/anthropics/claude-code-action). Consumed via `uses:` in standard GitHub Actions YAML.
+This directory contains the composite actions for Claude Code.
 
-> **Note:** This directory was renamed from `workflows/` to `claude-workflows/`. A symlink ensures backwards compatibility — existing `uses: elastic/ai-github-actions/claude-workflows/...@v0` references continue to work.
+Full documentation and configuration details live in the docs site:
+https://elastic.github.io/ai-github-actions/workflows/claude-workflows/
 
-## Security
-
-> **Important:** RWX and RWXP agents can run arbitrary commands, including git commit and git push. To prevent pushes, set `contents: read` (or `contents: none`) in your workflow's `permissions:`. Prompt constraints alone are not sufficient.
-
-> Workflows triggered by user actions should restrict who can trigger Claude. The example workflows include an `author_association` check allowing only `OWNER`, `MEMBER`, and `COLLABORATOR`. See [SECURITY.md](../SECURITY.md) for detailed guidance.
-
-## Available Actions
-
-### Review Agents
-
-| Action | Description | R | W | X | Git | Push |
-|--------|-------------|---|---|---|-----|------|
-| [Issue Triage (RO)](issue-triage/ro/README.md) | Triage new issues (read-only) | ✅ | ❌ | ❌ | ✅ | ❌ |
-| [Issue Triage (RWX)](issue-triage/rwx/README.md) | Triage new issues (can execute tests) | ✅ | ✅ | ✅ | ✅ | ❌** |
-| [PR Review (RO)](pr-review/ro/README.md) | Review PRs (suggestions only) | ✅ | ❌ | ❌ | ✅ | ❌ |
-| [PR Review (RWX)](pr-review/rwx/README.md) | Review PRs (with test execution) | ✅ | ✅ | ✅ | ✅ | ❌** |
-
-### Assistant Agents
-
-| Action | Description | R | W | X | Git | Push |
-|--------|-------------|---|---|---|-----|------|
-| [Mention in Issue (RWX)](mention-in-issue/rwx/README.md) | @claude in issues (no push) | ✅ | ✅ | ✅ | ✅ | ❌** |
-| [Mention in Issue (RWXP)](mention-in-issue/rwxp/README.md) | @claude in issues (full access) | ✅ | ✅ | ✅ | ✅ | ✅ |
-| [Mention in PR (RWX)](mention-in-pr/rwx/README.md) | @claude in PRs (no push) | ✅ | ✅ | ✅ | ✅ | ❌** |
-| [Mention in PR (RWXP)](mention-in-pr/rwxp/README.md) | @claude in PRs (full access) | ✅ | ✅ | ✅ | ✅ | ✅ |
-| [Build Failure Buildkite (RWX)](build-failure-buildkite/rwx/README.md) | Analyze Buildkite CI failures | ✅ | ✅ | ⚙️ | ✅ | ❌ |
-| [Build Failure GitHub Actions (RWX)](build-failure-github-actions/rwx/README.md) | Analyze GitHub Actions failures | ✅ | ✅ | ⚙️ | ✅ | ❌ |
-
-### Overview Agents
-
-| Action | Description | R | W | X | Git | Push |
-|--------|-------------|---|---|---|-----|------|
-| [Generate Report (RO)](generate-report/ro/README.md) | Scheduled report generation | ✅ | ❌ | ⚙️ | ✅ | ❌ |
-| [Project Manager (RO)](project-manager/ro/README.md) | Periodic project state reviews | ✅ | ❌ | ❌ | ✅ | ❌ |
-
-> ✅ = default, ⚙️ = via config, ❌ = unavailable, ❌** = prompt-discouraged (enforce with `contents: read`)
-
-## Usage
-
-```yaml
-- uses: elastic/ai-github-actions/claude-workflows/pr-review/rwx@v0
-  with:
-    prompt: "Review this PR"
-    claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-    github-token: ${{ github.token }}
-```
-
-### Base Action
-
-The [base action](base/action.yml) provides full configurability:
-
-| Input | Description | Required | Default |
-|-------|-------------|----------|---------|
-| `prompt` | Prompt to pass to Claude | Yes | — |
-| `claude-oauth-token` | Claude OAuth token | Yes | — |
-| `github-token` | GitHub token for Claude | Yes | — |
-| `allowed-tools` | Comma-separated allowed tools | No | `""` |
-| `model` | Model to use | No | `claude-opus-4-5-20251101` |
-| `allowed-bots` | Allowed bot usernames, or `*` for all | No | `""` |
-| `mcp-servers` | MCP server configuration JSON | No | See below |
-
-### MCP Servers
-
-All workflow actions include default MCP servers (the base action does not):
-
-- **agents-md-generator** — Generates repository summaries from AGENTS.md. Called automatically at startup.
-- **public-code-search** — Search public GitHub repos for usage patterns and reference implementations.
-
-Override with your own:
-
-```yaml
-- uses: elastic/ai-github-actions/claude-workflows/base@v0
-  with:
-    prompt: "Your prompt"
-    claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-    mcp-servers: '{"mcpServers":{"my-server":{"type":"http","url":"https://my-server.example.com/mcp"}}}'
-```
+Each action directory includes an `example.yml` and README for specific usage.

docs/developing.md

@@ -0,0 +1,23 @@
+# Developing
+
+## Repository structure
+
+| Directory | What | Docs |
+| --- | --- | --- |
+| `.github/workflows/` | Workflow `gh-aw-*.md` sources, compiled `gh-aw-*.lock.yml` files, trigger copies, fragments | https://github.com/elastic/ai-github-actions/blob/main/gh-agent-workflows/DEVELOPING.md |
+| `gh-agent-workflows/` | Per-workflow READMEs and `example.yml` triggers (examples + dogfood), consumer docs | https://github.com/elastic/ai-github-actions/blob/main/gh-agent-workflows/DEVELOPING.md |
+| `claude-workflows/` | Composite actions wrapping Claude Code | https://github.com/elastic/ai-github-actions/blob/main/claude-workflows/DEVELOPING.md |
+
+Internal-only workflows (e.g., `gh-aw-upgrade-check.md`, `ci.yml`, `release.yml`) also live in `.github/workflows/`.
+
+## Quick start
+
+```bash
+make setup            # install actionlint, action-validator, gh CLI, gh-aw compiler
+make compile          # sync triggers + compile to lock files
+make lint             # run all linters
+```
+
+## Releasing
+
+See [Release process](release.md) and the full guide in https://github.com/elastic/ai-github-actions/blob/main/RELEASE.md.

docs/index.md

@@ -0,0 +1,26 @@
+# AI GitHub Actions
+
+AI-powered GitHub workflows for Elastic repositories.
+
+## Choose an approach
+
+| Feature | GitHub Agent Workflows | Claude Composite Actions |
+| --- | --- | --- |
+| Engine | Copilot (default) or Claude | Claude only |
+| Install | Copy trigger YAML (recommended) or `gh aw add` + `gh aw compile` | Copy `example.yml` to `.github/workflows/` |
+| Guardrails | Safe-outputs framework (structured API outputs) | Read-only/RWX/RWXP variants via permissions |
+| Customization | `additional-instructions`, `setup-commands`, or full shim edit | Edit YAML directly, adjust composite action inputs |
+
+GitHub Agent Workflows are recommended for new deployments; Claude Composite Actions remain supported for legacy deployments.
+
+## Workflows
+
+- [GitHub Agent Workflows](workflows/gh-agent-workflows.md)
+- [Claude Composite Actions](workflows/claude-workflows.md)
+
+## More
+
+- [Developing](developing.md)
+- [Security](security.md)
+- [Release process](release.md)
+- [Repository README](https://github.com/elastic/ai-github-actions/blob/main/README.md)

docs/release.md

@@ -0,0 +1,8 @@
+# Release process
+
+This repository uses semver tags with floating major tags. For the full release guide, see https://github.com/elastic/ai-github-actions/blob/main/RELEASE.md.
+
+## Summary
+
+- Use `@v0` for the floating major tag, or `@v0.1.0` for an exact release.
+- Run `make release VERSION=x.y.z` from `main` to create a new tag and trigger the release workflow.

docs/requirements.txt

@@ -0,0 +1,2 @@
+mkdocs>=1.6.0,<2.0
+mkdocs-material>=9.5.0

docs/security.md

@@ -0,0 +1,10 @@
+# Security considerations
+
+This page summarizes key guidance. For the full policy and examples, see https://github.com/elastic/ai-github-actions/blob/main/SECURITY.md.
+
+## Key practices
+
+- Restrict triggers with `author_association` checks for issue and comment events.
+- Use minimum `permissions:` and prefer `contents: read` to prevent unintended pushes.
+- Treat user-controlled text as untrusted and avoid interpolating it into shell commands.
+- Review action pinning guidance and consider SHA pinning for production use.