From cf23ade223c94febe5b3b72877a1639c9d5c7617 Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com> Date: Sat, 23 May 2026 22:14:50 -0400 Subject: [PATCH 1/2] feat(labels): add cloud-routine and agentic-workflows source labels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two new labels for attribution of automated PRs/issues: - cloud-routine (blue) — applied by Claude Code cloud routines from JacobPEvans/claude-code-routines. - agentic-workflows (emerald) — applied by reusable workflows from JacobPEvans/ai-workflows. The existing label-sync.yml workflow propagates both to every public repo on push to main, so routines and workflows can apply them without per-repo `gh label create` calls. Assisted-by: Claude --- .github/labels.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index ff1f2e9..f217a4b 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -168,3 +168,11 @@ - name: "renovate" color: "A5B4FC" description: "Renovate bot - Automated dependency management" + +- name: "cloud-routine" + color: "1D4ED8" + description: "PR/issue created by a Claude Code cloud routine (claude-code-routines)" + +- name: "agentic-workflows" + color: "10B981" + description: "PR/issue created by a reusable workflow from ai-workflows" From f2112a7a9d4f4bbbb04d9268b0c4fabd17af580f Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com> Date: Sat, 23 May 2026 22:40:20 -0400 Subject: [PATCH 2/2] chore(_gh-aw-pin-refresh): add aw:gh-aw-pin-refresh attribution Adds the [aw:gh-aw-pin-refresh] title suffix, the agentic-workflows label, and a Provenance block to the PR body so the source of every gh-aw pin-refresh PR is self-evident in the consumer repo's PR queue. Pairs with JacobPEvans/ai-workflows attribution PR (composite-action preamble + per-workflow source_slug) and JacobPEvans/claude-code-routines attribution PR (cloud-routine label + Provenance blocks). Assisted-by: Claude --- .github/workflows/_gh-aw-pin-refresh.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_gh-aw-pin-refresh.yml b/.github/workflows/_gh-aw-pin-refresh.yml index 04a6f61..93be176 100644 --- a/.github/workflows/_gh-aw-pin-refresh.yml +++ b/.github/workflows/_gh-aw-pin-refresh.yml @@ -99,15 +99,24 @@ jobs: sign-commits: true branch: gh-aw/refresh-action-pins delete-branch: true - title: "fix(deps): refresh gh-aw action SHA pins" + title: "fix(deps): refresh gh-aw action SHA pins [aw:gh-aw-pin-refresh]" body: | Automated refresh of action SHA pins via `gh aw compile --force-refresh-action-pins`. Updates `actions-lock.json`, all `*.lock.yml` workflows, and `agentics-maintenance.yml` with consistent, freshly-resolved SHAs. SHAs younger than 24h are held back to their predecessor (supply-chain soak). - labels: dependencies - commit-message: "fix(deps): refresh gh-aw action SHA pins" + + --- + + ## Provenance + + - **Generated by:** [`_gh-aw-pin-refresh` reusable workflow](https://github.com/JacobPEvans/.github/blob/main/.github/workflows/_gh-aw-pin-refresh.yml) - called from `ai-workflows/.github/workflows/gh-aw-pin-refresh.yml` and consumer repos' wrappers + - **Triggered:** Scheduled (Mon/Thu 12:00 UTC) or manual `workflow_dispatch`. + - **Why this PR:** Refreshes pinned action SHAs so workflows pick up upstream fixes without breaking supply-chain soak (no SHAs younger than 24h). + - **Label:** `agentic-workflows` + labels: dependencies,agentic-workflows + commit-message: "fix(deps): refresh gh-aw action SHA pins [aw:gh-aw-pin-refresh]" # Disable+re-enable handles RC3 (stale auto-merge queue: PR is CLEAN # with auto-merge enabled but GitHub never executes the merge). The