Agentic Workflows update

[aaronpowell]

Pull Request Checklist

• I have read and followed the CONTRIBUTING.md guidelines.
• I have read and followed the Guidance for submissions involving paid services.
• My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
• The file follows the required naming convention.
• The content is clearly structured and follows the example format.
• I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
• I have run npm start and verified that README.md is up to date.
• I am targeting the staged branch for this pull request.

---

Description

---

Type of Contribution

• New instruction file.
• New prompt file.
• New agent file.
• New plugin.
• New skill file.
• New agentic workflow.
• Update to existing instruction, prompt, agent, plugin, skill, or workflow.
• Other (please specify):

---

Additional Notes

---

By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

[Copilot]

Pull request overview

This PR updates the repository’s agentic workflows by enhancing the “Resource Staleness Report” workflow prompt and regenerating multiple compiled workflow lockfiles with a newer gh-aw compiler/tooling version.

Changes:

• Extend the Resource Staleness Report instructions to include a deeper, content-based review of the oldest stale resources.
• Regenerate several *.lock.yml workflow files with gh-aw v0.72.1 / AWF v0.25.41, including new steps/artifact paths (e.g., inline sub-agent restore, additional prompt artifacts).
• Update .github/aw/actions-lock.json to reflect the new gh-aw setup action versions and SHAs.

Show a summary per file

File	Description
.github/workflows/resource-staleness-report.md	Adds a “deep review” section and output format guidance for prioritizing stale resources.
.github/workflows/resource-staleness-report.lock.yml	Regenerated lockfile with updated gh-aw/AWF versions and workflow step changes.
.github/workflows/pr-duplicate-check.lock.yml	Regenerated lockfile with updated gh-aw/AWF versions and workflow step changes.
.github/workflows/learning-hub-updater.lock.yml	Regenerated lockfile; adds a base-branch extraction step and other gh-aw/AWF updates.
.github/workflows/duplicate-resource-detector.lock.yml	Regenerated lockfile with updated gh-aw/AWF versions and workflow step changes.
.github/workflows/codeowner-update.lock.yml	Regenerated lockfile; adds a base-branch extraction step and other gh-aw/AWF updates.
.github/workflows/cli-for-beginners-sync.lock.yml	Regenerated lockfile; adds a base-branch extraction step and other gh-aw/AWF updates.
.github/aw/actions-lock.json	Bumps pinned gh-aw setup action entries to v0.72.1 with updated SHAs.

Copilot's findings

Comments suppressed due to low confidence (3)

.github/workflows/learning-hub-updater.lock.yml:1358

• This workflow adds an "Extract base branch from agent output" step, but its output isn’t used anywhere (e.g., actions/checkout still hardcodes ref: staged). Please either wire steps.extract-base-branch.outputs.base-branch into the later steps that need the base branch, or remove this step to avoid dead code and unnecessary execution.

      - name: Extract base branch from agent output
        id: extract-base-branch
        if: steps.download-agent-output.outcome == 'success'
        shell: bash
        run: |
          if [ -f "/tmp/gh-aw/agent_output.json" ]; then
            GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
            BASE_BRANCH=$("$GH_AW_NODE" -e "
              try {
                const data = JSON.parse(require('fs').readFileSync('/tmp/gh-aw/agent_output.json', 'utf8'));
                const item = (data.items || []).find(i =>
                  (i.type === 'create_pull_request' || i.type === 'push_to_pull_request_branch') &&
                  i.base_branch
                );
                if (item) process.stdout.write(item.base_branch);
              } catch(e) {}
            " 2>/dev/null || true)
            # Validate: only allow safe git branch name characters
            if [[ "$BASE_BRANCH" =~ ^[a-zA-Z0-9/_.-]+$ ]] && [ ${#BASE_BRANCH} -le 255 ]; then
              printf 'base-branch=%s\n' "$BASE_BRANCH" >> "$GITHUB_OUTPUT"
              echo "Extracted base branch from safe output: $BASE_BRANCH"
            fi
          fi
      - name: Checkout repository
        if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: staged
          token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/codeowner-update.lock.yml:1418

• This workflow adds an "Extract base branch from agent output" step, but its output isn’t used anywhere (e.g., actions/checkout still hardcodes ref: staged). Please either wire steps.extract-base-branch.outputs.base-branch into the later steps that need the base branch, or remove this step to avoid dead code and unnecessary execution.

      - name: Extract base branch from agent output
        id: extract-base-branch
        if: steps.download-agent-output.outcome == 'success'
        shell: bash
        run: |
          if [ -f "/tmp/gh-aw/agent_output.json" ]; then
            GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
            BASE_BRANCH=$("$GH_AW_NODE" -e "
              try {
                const data = JSON.parse(require('fs').readFileSync('/tmp/gh-aw/agent_output.json', 'utf8'));
                const item = (data.items || []).find(i =>
                  (i.type === 'create_pull_request' || i.type === 'push_to_pull_request_branch') &&
                  i.base_branch
                );
                if (item) process.stdout.write(item.base_branch);
              } catch(e) {}
            " 2>/dev/null || true)
            # Validate: only allow safe git branch name characters
            if [[ "$BASE_BRANCH" =~ ^[a-zA-Z0-9/_.-]+$ ]] && [ ${#BASE_BRANCH} -le 255 ]; then
              printf 'base-branch=%s\n' "$BASE_BRANCH" >> "$GITHUB_OUTPUT"
              echo "Extracted base branch from safe output: $BASE_BRANCH"
            fi
          fi
      - name: Checkout repository
        if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: staged
          token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/cli-for-beginners-sync.lock.yml:1368

• This workflow adds an "Extract base branch from agent output" step, but its output isn’t used anywhere (e.g., actions/checkout still hardcodes ref: staged). Please either wire steps.extract-base-branch.outputs.base-branch into the later steps that need the base branch, or remove this step to avoid dead code and unnecessary execution.

      - name: Extract base branch from agent output
        id: extract-base-branch
        if: steps.download-agent-output.outcome == 'success'
        shell: bash
        run: |
          if [ -f "/tmp/gh-aw/agent_output.json" ]; then
            GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
            BASE_BRANCH=$("$GH_AW_NODE" -e "
              try {
                const data = JSON.parse(require('fs').readFileSync('/tmp/gh-aw/agent_output.json', 'utf8'));
                const item = (data.items || []).find(i =>
                  (i.type === 'create_pull_request' || i.type === 'push_to_pull_request_branch') &&
                  i.base_branch
                );
                if (item) process.stdout.write(item.base_branch);
              } catch(e) {}
            " 2>/dev/null || true)
            # Validate: only allow safe git branch name characters
            if [[ "$BASE_BRANCH" =~ ^[a-zA-Z0-9/_.-]+$ ]] && [ ${#BASE_BRANCH} -le 255 ]; then
              printf 'base-branch=%s\n' "$BASE_BRANCH" >> "$GITHUB_OUTPUT"
              echo "Extracted base branch from safe output: $BASE_BRANCH"
            fi
          fi
      - name: Checkout repository
        if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'create_pull_request')
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: staged
          token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

• Files reviewed: 8/8 changed files
• Comments generated: 7