
Add opt-in multi-repository auditing#176

Open
mrfelton wants to merge 2 commits into githubnext:main from LN-Zap:feat/multi-repo-auditing

Conversation


@mrfelton mrfelton commented Jun 22, 2026


Summary

Adds opt-in multi-repository auditing to the audit and optimizer workflows. Today both audit only the repository they run in; this lets one central repository monitor AI-credit (AIC) spend across many repositories.

When a new .github/agentic-ops.yml config lists repos:, both workflows collect each repository's agentic-workflow logs and aggregate AIC spend per repository and per workflow. With no config file present, behavior is unchanged — each workflow audits only the repository it runs in (fully backward compatible).

How it works

  • New config .github/agentic-ops.yml: a repos: list (owner/repo) plus an optional source-repo: (defaults to githubnext/agentic-ops).
  • Collection: for the current repository, agentic workflows are resolved from the local checkout by tracker-id (unchanged). For every other repository they are resolved by display name via the GitHub Actions API, then queried with gh aw logs "<name>" --repo <owner/repo> — because gh aw logs resolves a remote workflow only by its display name (a remote tracker-id/lock-filename lookup returns nothing). Runs are stamped with their source repository and de-duplicated on (repository, run_id) — run IDs are only unique per repo, so the previous unique_by(.run_id) could collide same-numbered runs across repos.
  • Aggregation: grouped by [repository, workflow_name], so identically named workflows in different repos are never conflated. The audit report gains an optional per-repository rollup, and run links use each run's own url.
  • Optimizer: selects/analyzes across repos and reads the target workflow's source from its own repository. The previously hardcoded githubnext/agentic-ops family-exclusion (in three places) is now driven by the configurable source-repo.
  • Auth: cross-repo collection needs a token with actions: read on the listed repos. The workflows use gh-aw's standard GH_AW_GITHUB_TOKEN "magic" secret (auth reference), falling back to GITHUB_TOKEN (current repo only) when unset. No bundle-specific secret is introduced.

Security review (per gh-aw strict mode)

  • Uses gh-aw's standard GH_AW_GITHUB_TOKEN magic secret — read-only here (actions: read; collection only, never exposed to the agent), falling back to GITHUB_TOKEN. No new bundle-specific secret.
  • No new actions beyond what the bundle already uses; no network/redirect changes.

Also

  • Adds a LICENSE file (separate commit) — the README declares MIT but no LICENSE existed. Happy to split this into its own PR if you prefer.

Testing

  • Single-repo (no-config) path verified equivalent to current behavior.
  • Multi-repo path validated against a live org of 8 repositories: cross-repo collection returns real AIC for every repo with agentic activity, and the remote display-name resolution was confirmed necessary (tracker-id + --repo returns nothing remotely).
  • gh aw compile (v0.79.6): 0 errors / 0 warnings; actionlint + shellcheck clean for the changed shell.

Lock files compiled with gh-aw v0.79.6.

🤖 Generated with Claude Code
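The collection and aggregation steps the PR describes (stamp each run with its source repository, de-duplicate on (repository, run_id) instead of run_id alone, then group by [repository, workflow_name] with a per-repository rollup) are modelled below in plain Python. This is an added example, not code from the agentic-ops project or from this PR; the record shape (run_id, workflow_name, aic, url), the helper names, the repository names and the AIC figures are all constructed for illustration.

```python
"""Added example (not from the agentic-ops project): the multi-repo audit
pipeline described in the PR, reduced to pure functions on in-memory data.

Assumptions (not from the page): each run record is a dict with run_id,
workflow_name, aic and url; the config file has already been parsed into a
dict with a "repos" list; the real workflow would obtain the records from
`gh aw logs "<name>" --repo <owner/repo>` instead of SAMPLE_LOGS.
"""
from collections import defaultdict

# Placeholder for the repository the workflow runs in.
CURRENT_REPO = "example-org/ops"

# Constructed sample logs keyed by repository. Two things are deliberate:
# run_id 101 exists in BOTH repos (run IDs are only unique per repo), and
# ops run 102 appears twice, as if the same page were fetched twice.
SAMPLE_LOGS = {
    "example-org/ops": [
        {"run_id": 101, "workflow_name": "daily-audit", "aic": 3.5,
         "url": "https://example.invalid/example-org/ops/runs/101"},
        {"run_id": 102, "workflow_name": "daily-audit", "aic": 1.0,
         "url": "https://example.invalid/example-org/ops/runs/102"},
        {"run_id": 102, "workflow_name": "daily-audit", "aic": 1.0,
         "url": "https://example.invalid/example-org/ops/runs/102"},
    ],
    "example-org/web": [
        {"run_id": 101, "workflow_name": "daily-audit", "aic": 2.0,
         "url": "https://example.invalid/example-org/web/runs/101"},
        {"run_id": 7, "workflow_name": "triage", "aic": 0.5,
         "url": "https://example.invalid/example-org/web/runs/7"},
    ],
}


def resolve_scope(config, current_repo):
    """No config (or an empty repos: list) keeps the single-repo behaviour;
    otherwise audit exactly the repositories listed in the config."""
    if not config or not config.get("repos"):
        return [current_repo]
    return list(config["repos"])


def collect(logs_by_repo, repos):
    """Stamp every run with the repository it was collected from."""
    runs = []
    for repo in repos:
        for run in logs_by_repo.get(repo, []):
            runs.append({**run, "repository": repo})
    return runs


def dedupe_by_run_id(runs):
    """The old key (run_id only): silently drops a same-numbered run that
    came from a different repository. Shown only for comparison."""
    seen, out = set(), []
    for run in runs:
        if run["run_id"] not in seen:
            seen.add(run["run_id"])
            out.append(run)
    return out


def dedupe_by_repo_and_run_id(runs):
    """The corrected key: (repository, run_id) removes true duplicates only."""
    seen, out = set(), []
    for run in runs:
        key = (run["repository"], run["run_id"])
        if key not in seen:
            seen.add(key)
            out.append(run)
    return out


def aggregate(runs):
    """Sum AIC per (repository, workflow_name) so identically named workflows
    in different repos stay separate, plus a per-repository rollup."""
    per_workflow = defaultdict(float)
    per_repo = defaultdict(float)
    for run in runs:
        per_workflow[(run["repository"], run["workflow_name"])] += run["aic"]
        per_repo[run["repository"]] += run["aic"]
    return dict(per_workflow), dict(per_repo)


def audit(logs_by_repo, config, current_repo=CURRENT_REPO):
    """Full pipeline: scope -> collect -> de-duplicate -> aggregate."""
    repos = resolve_scope(config, current_repo)
    runs = dedupe_by_repo_and_run_id(collect(logs_by_repo, repos))
    return aggregate(runs)


if __name__ == "__main__":
    multi = {"repos": ["example-org/ops", "example-org/web"]}
    per_workflow, per_repo = audit(SAMPLE_LOGS, multi)
    for (repo, wf), aic in sorted(per_workflow.items()):
        print(f"{repo:20s} {wf:12s} {aic:6.2f}")
    print("rollup:", per_repo)
    print("no config:", audit(SAMPLE_LOGS, None)[1])
```

Running the script shows why the key change matters: with the old run_id-only key the `example-org/web` copy of run 101 disappears and that repository is under-reported by 2.0 AIC, while the (repository, run_id) key still collapses the genuinely duplicated ops run 102. Passing `None` as the config reproduces the backward-compatible single-repo result.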

mrfelton and others added 2 commits June 22, 2026 14:39
Add opt-in multi-repository support to the audit and optimizer workflows.
When `.github/agentic-ops.yml` lists `repos:`, both workflows collect each
repository's agentic-workflow logs and aggregate AI-credit spend per
repository and per workflow, so one central repository can monitor an entire
org's agentic workflows.

- New `.github/agentic-ops.yml` config (`repos:` + optional `source-repo:`).
- For the current repository, agentic workflows are resolved from the local
  checkout by tracker-id (unchanged single-repo behavior). For every other
  repository they are resolved by display name via the GitHub Actions API and
  queried with `gh aw logs --repo`, because gh aw logs resolves a remote
  workflow only by its name. Runs are stamped with their source repository and
  de-duplicated on (repository, run_id).
- Audit groups and reports per repository; optimizer selects, analyzes, and
  reads the target workflow's source from its own repository.
- The hardcoded `githubnext/agentic-ops` family-exclusion is now driven by a
  configurable `source-repo` (defaults to githubnext/agentic-ops).
- Cross-repo reads use gh-aw's standard GH_AW_GITHUB_TOKEN magic secret (a token
  with actions: read on the listed repos), falling back to GITHUB_TOKEN.

With no config file present, behavior is unchanged: each workflow audits only
the repository it runs in.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The README declares the project MIT-licensed but no LICENSE file existed.
Add the standard MIT license text.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mrfelton mrfelton force-pushed the feat/multi-repo-auditing branch from b948639 to 3d8dd3f Compare June 22, 2026 12:39