Add agentic-wiki-writer and agentic-wiki-coder workflows#210
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mkdir inside the sandbox bash allowlist doesn't work reliably. Move directory creation to a pre-step that runs before the agent. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous prompting was too conservative, causing the agent to almost never generate diagrams even for architecture/flow pages. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Adds two new agentic workflow prompt definitions intended to keep a repository’s GitHub wiki and source code in sync via automated wiki generation and wiki-driven implementation.
Changes:
- Add Agentic Wiki Writer workflow to generate wiki pages from a `.github/agentic-wiki/PAGES.md` template with incremental regeneration via repo-memory.
- Add Agentic Wiki Coder workflow to react to wiki edits (gollum), implement corresponding code changes, run tests, and open a PR.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| workflows/agentic-wiki-writer.md | New workflow prompt for generating wiki pages from source code and a PAGES.md template (includes incremental memory design and intended wiki push). |
| workflows/agentic-wiki-coder.md | New workflow prompt for turning wiki edits into code changes + tests + PRs (includes pre-staging event payload and pre-cloning the wiki). |
| --- | ||
| name: Agentic Wiki Writer | ||
| description: > | ||
| Generates GitHub wiki pages from source code using a PAGES.md template. | ||
| Runs on PR merge or manual dispatch with agent-driven triage. | ||
| on: |
Repo convention: every workflows/*.md entry should have a matching docs/*.md page and a README entry (enforced by the Daily Repo Goal Achiever). This PR adds the workflow but not its docs/README counterparts, so it will immediately be flagged by automation after merge—please add docs/agentic-wiki-writer.md and update README.md in this PR.
| --- | ||
| name: Agentic Wiki Coder | ||
| description: > | ||
| Analyzes wiki edits for new or changed functionality, implements code changes, | ||
| runs tests, and creates a PR. The reverse of agentic-wiki-writer. | ||
| on: gollum |
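Review bot: `on: gollum` makes wiki page text both the trigger and the instruction source for an agent that edits code and opens PRs, and wiki editing is not collaborator-only unless the repository settings restrict it, so any signed-in GitHub user may be able to fire this workflow. Treat page content as untrusted data in the prompt, and check the gollum payload's `sender` against the collaborator list (or require a collaborator-only wiki) before implementing anything from an edit.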
Repo convention: every workflows/*.md entry should have a matching docs/*.md page and a README entry (enforced by the Daily Repo Goal Achiever). This PR adds the workflow but not its docs/README counterparts, so it will immediately be flagged by automation after merge—please add docs/agentic-wiki-coder.md and update README.md in this PR.
| --- | ||
| name: Agentic Wiki Coder | ||
| description: > | ||
| Analyzes wiki edits for new or changed functionality, implements code changes, | ||
| runs tests, and creates a PR. The reverse of agentic-wiki-writer. | ||
| on: gollum | ||
| permissions: | ||
| contents: read | ||
| tools: | ||
| bash: true | ||
| edit: | ||
| write: true | ||
| github: | ||
| toolsets: [repos] | ||
| repo-memory: | ||
| branch-name: memory/wiki-to-code | ||
| description: "Wiki-to-source mappings, processed edit SHAs, and implementation notes" | ||
| allowed-extensions: [".json", ".md"] | ||
| max-file-size: 1048576 | ||
| max-file-count: 50 |
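Review bot: `bash: true` under `tools:` hands the agent an unrestricted shell while its trigger is wiki content that outsiders may be able to edit, which makes this the widest tool surface of the two workflows. The prompt's stated needs are dependency install, tests and type-checking, so an allowlist of those commands (the writer workflow already uses the list form of `bash:`) keeps the same functionality with much less reach; `permissions: contents: read` is correct and should stay so the agent cannot push outside the `create-pull-request` path.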
The agent prompt requires running dependency installs and tests (e.g., bun install, bun test, bunx tsc), but the workflow doesn’t declare any network: allowance. In this repo, workflows that run package managers typically set network: defaults (and/or node) so the sandbox can reach registries—without it, these steps are likely to fail at runtime.
| max-file-size: 1048576 | ||
| max-file-count: 50 | ||
| github: | ||
| toolsets: [repos] |
The prompt expects the agent to create/update .github/agentic-wiki/PAGES.md and to persist repo-memory files via the write tool, but tools: does not enable write (or edit). As-is, the agent won’t be able to write templates or memory files, and PR creation won’t have any workspace changes to include—please enable the required file-write tools.
| toolsets: [repos] | |
| toolsets: [repos] | |
| write: {} |
| create-pull-request: | ||
| title-prefix: "[agentic-wiki]" | ||
| labels: [documentation, automated] | ||
| jobs: | ||
| push-wiki: | ||
| description: > | ||
| Push generated wiki pages to the repository wiki. | ||
| Pass a JSON object mapping filenames to markdown content. | ||
| runs-on: ubuntu-latest | ||
| output: "Wiki pages pushed successfully" | ||
| permissions: | ||
| contents: write | ||
| inputs: | ||
| files: | ||
| description: "JSON object mapping filenames to markdown content, e.g. {\"Home.md\": \"...\", \"_Sidebar.md\": \"...\"}" | ||
| required: true | ||
| type: string | ||
| steps: | ||
| - name: Checkout wiki | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: ${{ github.repository }}.wiki | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Write wiki pages | ||
| run: | | ||
| FILES=$(jq -r '.items[] | select(.type == "push_wiki") | .files' "$GH_AW_AGENT_OUTPUT") | ||
| echo "$FILES" | jq -r 'to_entries[] | @base64' | while read entry; do | ||
| FILENAME=$(echo "$entry" | base64 -d | jq -r '.key') | ||
| CONTENT=$(echo "$entry" | base64 -d | jq -r '.value') | ||
| echo "$CONTENT" > "$FILENAME" | ||
| done | ||
| - name: Commit and push | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git add -A | ||
| git diff --cached --quiet && echo "No changes to commit" && exit 0 | ||
| git commit -m "Update wiki pages [agentic-wiki]" | ||
| git push |
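Review bot: the `Write wiki pages` step trusts `FILENAME` straight from agent output, so `echo "$CONTENT" > "$FILENAME"` will follow a `../`-style or absolute key outside the wiki checkout, and `git add -A` then commits whatever landed inside it; one malformed or manipulated key in `files` can overwrite paths on the runner or publish unintended files. Reject any key that is not a plain basename ending in `.md` before writing, and use `printf '%s\n' "$CONTENT"` rather than `echo` so page text beginning with `-n`/`-e` or containing backslash sequences is written verbatim.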
This workflow prompt relies on calling a noop safe-output in multiple places (e.g., PR closed without merge / no wiki impact), but safe-outputs: doesn’t declare noop. Also, safe-outputs.jobs.push-wiki doesn’t match any safe-outputs pattern used elsewhere in this repo and may not be supported by gh aw compile, which would break the workflow. Suggest adding a declared noop output and implementing wiki pushing via a supported safe-output handler or a standard post-agent job that consumes agent output.
| create-pull-request: | |
| title-prefix: "[agentic-wiki]" | |
| labels: [documentation, automated] | |
| jobs: | |
| push-wiki: | |
| description: > | |
| Push generated wiki pages to the repository wiki. | |
| Pass a JSON object mapping filenames to markdown content. | |
| runs-on: ubuntu-latest | |
| output: "Wiki pages pushed successfully" | |
| permissions: | |
| contents: write | |
| inputs: | |
| files: | |
| description: "JSON object mapping filenames to markdown content, e.g. {\"Home.md\": \"...\", \"_Sidebar.md\": \"...\"}" | |
| required: true | |
| type: string | |
| steps: | |
| - name: Checkout wiki | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ github.repository }}.wiki | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Write wiki pages | |
| run: | | |
| FILES=$(jq -r '.items[] | select(.type == "push_wiki") | .files' "$GH_AW_AGENT_OUTPUT") | |
| echo "$FILES" | jq -r 'to_entries[] | @base64' | while read entry; do | |
| FILENAME=$(echo "$entry" | base64 -d | jq -r '.key') | |
| CONTENT=$(echo "$entry" | base64 -d | jq -r '.value') | |
| echo "$CONTENT" > "$FILENAME" | |
| done | |
| - name: Commit and push | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| git add -A | |
| git diff --cached --quiet && echo "No changes to commit" && exit 0 | |
| git commit -m "Update wiki pages [agentic-wiki]" | |
| git push | |
| noop: | |
| description: > | |
| No-op safe output used when there is no wiki impact or the PR | |
| did not result in any changes that require wiki updates. | |
| output: "No operation performed" | |
| create-pull-request: | |
| title-prefix: "[agentic-wiki]" | |
| labels: [documentation, automated] | |
| push-wiki: | |
| description: > | |
| Push generated wiki pages to the repository wiki using a JSON | |
| object mapping filenames to markdown content. | |
| output: "Wiki pages pushed successfully" |
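Review bot: the suggested block re-declares `create-pull-request:` at its end although the same key already opens the mapping, and adds a second `push-wiki:` (with only `description` and `output`) next to the full job under `jobs:`. Where these land at the same nesting level, duplicate mapping keys are rejected by strict YAML loaders and silently last-wins in lenient ones, so the trailing `push-wiki:` could shadow the definition that carries `runs-on`, `inputs` and `steps`. Add only the `noop:` entry and leave the existing keys where they are.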
| pull_request: | ||
| types: [closed] | ||
| branches: [main] | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: Pre-stage event payload for sandbox | ||
| run: | | ||
| cp "$GITHUB_EVENT_PATH" /tmp/gh-aw/event.json | ||
| echo "Event payload staged to /tmp/gh-aw/event.json" | ||
| cat /tmp/gh-aw/event.json | ||
| - name: Create agentic-wiki directory | ||
| run: mkdir -p .github/agentic-wiki | ||
| tools: | ||
| bash: | ||
| - "find * -type f -not -path '*/node_modules/*' -not -path '*/.git/*'" | ||
| - "tree *" | ||
| - "wc *" | ||
| repo-memory: | ||
| branch-name: memory/agentic-wiki | ||
| description: "Source file mappings, content hashes, and file summaries for incremental wiki regeneration" | ||
| allowed-extensions: [".json", ".md"] | ||
| max-file-size: 1048576 | ||
| max-file-count: 50 | ||
| github: | ||
| toolsets: [repos] |
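Review bot: the allowlisted `find * -type f ...` cannot discover the template this workflow depends on, because the shell glob `*` skips dot-entries; nothing under `.github/`, including the `.github/agentic-wiki` directory that the `Create agentic-wiki directory` step makes and the `PAGES.md` it is meant to hold, is ever listed. Use `find . -type f ...` with the same `-not -path` filters, which still excludes `.git/`. Separately, `cp "$GITHUB_EVENT_PATH" /tmp/gh-aw/event.json` needs `/tmp/gh-aw` to exist, so add `mkdir -p /tmp/gh-aw` first unless the harness guarantees the directory, and consider dropping the `cat` of the payload, which prints the full PR title and body into the job log.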
The triage steps require reading PR metadata and listing changed files, but the workflow only grants contents: read and configures github.toolsets: [repos]. Other workflows that read PRs use pull-requests: read permissions and broader GitHub toolsets (e.g., default/all) to access pull_request_read APIs. Please add pull-requests: read and adjust the GitHub toolset accordingly so PR inspection works at runtime.
| bash: | ||
| - "find * -type f -not -path '*/node_modules/*' -not -path '*/.git/*'" | ||
| - "tree *" | ||
| - "wc *" |
The agent instructions say cat, ls, and head are allowed and required to discover repo-memory paths and read files, but tools.bash is configured with an allowlist that only includes find, tree, and wc. If the allowlist is enforced, the agent will be blocked from running the documented read-only commands—please add the needed commands to the bash allowlist (or switch to bash: true if appropriate).
| - "wc *" | |
| - "wc *" | |
| - "ls" | |
| - "cat *" | |
| - "head *" |
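Review bot: `cat *` and `head *` as allowlist patterns permit reading any path the sandbox can see, not just the workspace, including `/tmp/gh-aw/wiki/.git/config` produced by the pre-clone step. If that clone ever carries a credential in its remote URL, these two entries are what make it readable from inside the agent. Scope the patterns to the checkout and repo-memory paths, or pair them with a clone that stores no token on disk.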
| GH_TOKEN: ${{ github.token }} | ||
| GITHUB_REPOSITORY: ${{ github.repository }} | ||
| run: | | ||
| git clone "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.wiki.git" /tmp/gh-aw/wiki |
The git clone command embeds GH_TOKEN directly in the clone URL, which causes the GitHub token to be stored in plaintext in .git/config inside /tmp/gh-aw/wiki, making it accessible to the sandboxed agent despite the intent to withhold $GITHUB_TOKEN. An attacker who can influence wiki content or prompt the agent could read .git/config and exfiltrate or misuse this token from within the sandbox. Use a cloning approach that does not persist the token in repository config (e.g., credentials helpers or checkout-style mechanisms) or ensure credentials are scrubbed from .git/config before exposing the clone to the agent.
| git clone "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.wiki.git" /tmp/gh-aw/wiki | |
| gh repo clone "${GITHUB_REPOSITORY}.wiki" /tmp/gh-aw/wiki |
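Review bot: `gh repo clone` keeps the token off disk only if `gh` supplies its credential helper per invocation rather than writing it into the repository, so verify in the same step that `git -C /tmp/gh-aw/wiki config --get remote.origin.url` contains no `x-access-token` and that `git -C /tmp/gh-aw/wiki config --get-all credential.helper` prints nothing, failing the job otherwise. A credential-less clone also means any later `git push` from inside the sandbox fails, which matches the intent of withholding `$GITHUB_TOKEN` from the agent.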
Summary
- `.github/agentic-wiki/` directory outside sandbox (mkdir in bash allowlist doesn't work reliably)

Test plan

- `agentic-wiki-writer` on `githubnext/w3k` via `gh aw add-wizard githubnext/agentics/agentic-wiki-writer@wiki-workflows`

🤖 Generated with Claude Code