diff --git a/.github/labels.yml b/.github/labels.yml
index ff1f2e9..f217a4b 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -168,3 +168,11 @@
 - name: "renovate"
   color: "A5B4FC"
   description: "Renovate bot - Automated dependency management"
+
+- name: "cloud-routine"
+  color: "1D4ED8"
+  description: "PR/issue created by a Claude Code cloud routine (claude-code-routines)"
+
+- name: "agentic-workflows"
+  color: "10B981"
+  description: "PR/issue created by a reusable workflow from ai-workflows"
diff --git a/.github/workflows/_gh-aw-pin-refresh.yml b/.github/workflows/_gh-aw-pin-refresh.yml
index 04a6f61..93be176 100644
--- a/.github/workflows/_gh-aw-pin-refresh.yml
+++ b/.github/workflows/_gh-aw-pin-refresh.yml
@@ -99,15 +99,24 @@ jobs:
           sign-commits: true
           branch: gh-aw/refresh-action-pins
           delete-branch: true
-          title: "fix(deps): refresh gh-aw action SHA pins"
+          title: "fix(deps): refresh gh-aw action SHA pins [aw:gh-aw-pin-refresh]"
           body: |
             Automated refresh of action SHA pins via `gh aw compile --force-refresh-action-pins`.
 
             Updates `actions-lock.json`, all `*.lock.yml` workflows, and
             `agentics-maintenance.yml` with consistent, freshly-resolved SHAs.
             SHAs younger than 24h are held back to their predecessor (supply-chain soak).
-          labels: dependencies
-          commit-message: "fix(deps): refresh gh-aw action SHA pins"
+
+            ---
+
+            ## Provenance
+
+            - **Generated by:** [`_gh-aw-pin-refresh` reusable workflow](https://github.com/JacobPEvans/.github/blob/main/.github/workflows/_gh-aw-pin-refresh.yml) - called from `ai-workflows/.github/workflows/gh-aw-pin-refresh.yml` and consumer repos' wrappers
+            - **Triggered:** Scheduled (Mon/Thu 12:00 UTC) or manual `workflow_dispatch`.
+            - **Why this PR:** Refreshes pinned action SHAs so workflows pick up upstream fixes without breaking supply-chain soak (no SHAs younger than 24h).
+            - **Label:** `agentic-workflows`
+          labels: dependencies,agentic-workflows
+          commit-message: "fix(deps): refresh gh-aw action SHA pins [aw:gh-aw-pin-refresh]"
 
       # Disable+re-enable handles RC3 (stale auto-merge queue: PR is CLEAN
       # with auto-merge enabled but GitHub never executes the merge). The