update to use safe outputs

Author: dsyme

workflows/ci-doctor.md

@@ -15,6 +15,7 @@ permissions: read-all
 
 safe-outputs:
   create-issue:
+    title-prefix: "${{ github.workflow }}"
   add-issue-comment:
 
 tools:

workflows/daily-accessibility-review.md

@@ -12,6 +12,7 @@ permissions: read-all
 
 safe-outputs:
   create-issue:
+    title-prefix: "${{ github.workflow }}"
     max: 5
   add-issue-comment:
     max: 5

workflows/daily-dependency-updates.md

@@ -8,15 +8,11 @@ on:
 
 timeout_minutes: 15
 
-permissions:
-  contents: write # needed to push changes to a new branch in the repository in preparation for the pull request
-  pull-requests: write # needed to create pull requests for the changes
-  issues: read
-  discussions: read
-  actions: read
-  checks: read
-  statuses: read
-  security-events: read
+permissions: read-all
+
+safe-outputs:
+  create-pull-request:
+    draft: true
 
 tools:
   github:

workflows/daily-perf-improver.md

@@ -8,12 +8,16 @@ on:
 
 timeout_minutes: 30
 
+permissions: read-all
+
 safe-outputs:
   create-issue:
+    title-prefix: "${{ github.workflow }}"
     max: 5
   add-issue-comment:
     max: 5
   create-pull-request:
+    draft: true
 
 tools:
   github:
@@ -186,8 +190,6 @@ Your name is ${{ github.workflow }}. Your job is to act as an agentic coder for
 
    5e. Add a very brief comment to the issue from step 1a if it exists, saying you have worked on the particular performance goal and linking to the pull request you created.
 
-   5f. If you were able to push your branch to the repo, but unable to create a pull request, then the GitHub Actions setting "Choose whether GitHub Actions can create pull requests" may be off. Create an issue describing the problem with a link to https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests and exit the entire workflow. 
-
 6. If you didn't succeed in improving performance, create an issue with title starting with "${{ github.workflow }}", summarizing similar information to above.
 
 7. If you encounter any unexpected failures or have questions, add comments to the pull request or issue to seek clarification or assistance.

workflows/daily-plan.md

@@ -8,20 +8,18 @@ on:
 
   stop-after: +30d # workflow will no longer trigger after 30 days. Remove this and recompile to run indefinitely
 
-permissions:
-  issues: write  # needed to create or update issues
-  contents: read
-  pull-requests: read
+permissions: read-all
+
+safe-outputs:
+  create-issue: # needed to create the project plan issue
+    title-prefix: "${{ github.workflow }}"
+  update-issue: # needed to update the project plan issue if it already exists
+    target: "*" # can update one single issue
+    body: # can update the issue body only
 
 timeout_minutes: 15
 
 tools:
-  github:
-    allowed:
-      [
-        create_issue,
-        update_issue,
-      ]
   claude:
     allowed:
       WebFetch:
@@ -36,21 +34,21 @@ Your job is to act as a planner for the GitHub repository ${{ github.repository
 
 1. First study the state of the repository including, open issues, pull requests, completed issues.
 
-   - As part of this, look for the issue labelled "project-plan", which is the existing project plan. Read the plan, and any comments on the plan. If no issue is labelled "project-plan" ignore this step.
+   1a. As part of this, look for the open issue labelled "project-plan", which is the existing project plan. Read the plan, and any comments on the plan. If no issue is labelled "project-plan" ignore this step.
 
-   - You can read code, search the web and use other tools to help you understand the project and its requirements.
+   1b. You can read code, search the web and use other tools to help you understand the project and its requirements.
 
 2. Formulate a plan for the remaining work to achieve the objectives of the project.
 
-3. Create or update a single "project plan" issue, ensuring it is labelled with "project-plan".
+   2a. The project plan should be a clear, concise, succinct summary of the current state of the project, including the issues that need to be completed, their priority, and any dependencies between them.
 
-   - The project plan should be a clear, concise, succinct summary of the current state of the project, including the issues that need to be completed, their priority, and any dependencies between them.
+   2b. The project plan should be written into the issue body itself, not as a comment. If comments have been added to the project plan, take them into account and note this in the project plan. Never add comments to the project plan issue.
 
-   - The project plan should be written into the issue body itself, not as a comment. If comments have been added to the project plan, take them into account and note this in the project plan. Never add comments to the project plan issue.
+   2c. In the plan, list suggested issues to create to match the proposed updated plan. Don't create any issues, just list the suggestions. Do this by showing `gh` commands to create the issues with labels and complete bodies, but don't actually create them. Don't include suggestions for issues that already exist, only new things required as part of the plan!
 
-   - In the plan, list suggested issues to create to match the proposed updated plan. Don't create any issues, just list the suggestions. Do this by showing `gh` commands to create the issues with labels and complete bodies, but don't actually create them. Don't include suggestions for issues that already exist, only new things required as part of the plan!
+3. You will either create or update the planning issue so it contains a project plan in its body. 
 
-   - Do not create any other issues, just the project plan issue. Do not comment on any issues or pull requests or make any other changes to the repository.
+   3a. If in step (1a) you found a "project plan" issue, update its body with the project plan. If in step (1a) you didn't find a "project issue", create one with an appropriate title starting with "${{ github.workflow }}", using the project plan as the body, and ensure the issue is labelled with "project-plan".
 
 @include agentics/shared/tool-refused.md
 

workflows/daily-progress.md

@@ -147,8 +147,6 @@ Your name is ${{ github.workflow }}. Your job is to act as an agentic coder for
 
    5e. Add a very brief comment to the issue from step 1a if it exists, saying you have worked on the particular goal and linking to the pull request you created.
 
-   5f. If you were able to push your branch to the repo, but unable to create a pull request, then the GitHub Actions setting "Choose whether GitHub Actions can create pull requests" may be off. Create an issue describing the problem with a link to https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests and exit the entire workflow. 
-
 6. If you didn't succeed, create an issue with title starting with "${{ github.workflow }}", summarizing similar information to above.
 
 7. If you encounter any unexpected failures or have questions, add comments to the pull request or issue to seek clarification or assistance.

workflows/daily-qa.md

@@ -9,8 +9,11 @@ on:
 
 timeout_minutes: 15
 
+permissions: read-all
+
 safe-outputs:
   create-issue:
+    title-prefix: "${{ github.workflow }}"
   add-issue-comment:
     max: 5
 
@@ -70,7 +73,7 @@ Your name is ${{ github.workflow }}. Your job is to act as an agentic QA enginee
 
 4. Search for any previous "Daily QA Report" open issues in the repository. Read the latest one. If the status is essentially the same as the current state of the repository, then add a very brief comment to that issue saying you didn't find anything new and exit. Close all the previous open Daily QA Report issues.
 
-5. Create a new issue with title starting with "Daily QA Report", very very briefly summarizing the problems you found and the actions you took. Use note form. Include links to any issues you created or commented on, and any pull requests you created. In a collapsed section highlight any bash commands you used, any web searches you performed, and any web pages you visited that were relevant to your work. If you tried to run bash commands but were refused permission, then include a list of those at the end of the issue.
+5. Create a new issue with title starting with "${{ github.workflow }}", very very briefly summarizing the problems you found and the actions you took. Use note form. Include links to any issues you created or commented on, and any pull requests you created. In a collapsed section highlight any bash commands you used, any web searches you performed, and any web pages you visited that were relevant to your work. If you tried to run bash commands but were refused permission, then include a list of those at the end of the issue.
 
 6. Create a file in the root directory of the repo called "workflow-complete.txt" with the text "Workflow completed successfully".
 

workflows/daily-team-status.md

@@ -7,13 +7,16 @@ on:
 
   stop-after: +30d # workflow will no longer trigger after 30 days. Remove this and recompile to run indefinitely
 
+permissions: read-all
+
 safe-outputs:
   create-issue:
+    title-prefix: "${{ github.workflow }}"
+  update-issue:
+    target: "*" # can update one single issue
 
 timeout_minutes: 15
 
-permissions: read-all
-
 tools:
   claude:
     allowed:
@@ -57,7 +60,7 @@ tools:
      * all files you read to generate the data for the report
      * places you didn't have time to read or search, but would have liked to
 
-   Create a new GitHub issue with title starting with "Daily Team Status" containing a markdown report with your findings. Use links where appropriate.
+   Create a new GitHub issue with title starting with "${{ github.workflow }}" containing a markdown report with your findings. Use links where appropriate.
 
    Only a new issue should be created, no existing issues should be adjusted.
 

workflows/daily-test-improver.md

@@ -9,27 +9,18 @@ on:
 
 timeout_minutes: 30
 
-permissions:
-  contents: write # needed to create branches, files, and pull requests in this repo without a fork
-  issues: write # needed to create report issue
-  pull-requests: write # needed to create results pull request
-  actions: read
-  checks: read
-  statuses: read
+permissions: read-all
+
+safe-outputs:
+  create-issue: # needed to create report issue
+    title-prefix: "${{ github.workflow }}"
+  update-issue: # needed to update the report issue if it already exists
+    target: "*" # can update any one single issue
+    body: # can update the issue body only
+  create-pull-request: # needed to create results pull request
+    draft: true
 
 tools:
-  github:
-    allowed:
-      [
-        create_issue,
-        update_issue,
-        add_issue_comment,
-        create_or_update_file,
-        create_branch,
-        delete_file,
-        push_files,
-        update_pull_request,
-      ]
   claude:
     allowed:
       Edit:
@@ -119,9 +110,9 @@ Your name is ${{ github.workflow }}. Your job is to act as an agentic coder for
 
    3d. Check for any other pull requests you created before with title starting with "${{ github.workflow }}". Don't work on adding any tests that overlap with what was done there.
 
-   3e. Based on all of the above, select multiple areas of relatively low coverage to work on that appear tractable for further test additions.
+   3e. Based on all of the above, select an area of relatively low coverage to work on that appear tractable for further test additions.
 
-4. For each area identified, do the following:
+4. Do the following:
 
    4a. Create a new branch
 
@@ -159,8 +150,6 @@ Your name is ${{ github.workflow }}. Your job is to act as an agentic coder for
 
    4i. Add a very brief comment (at most two sentences) to the issue from step 1a if it exists, saying you have worked on this area and created a pull request, with a link to the pull request.
 
-   4j. If you were able to push your branch to the repo, but unable to create a pull request, then the GitHub Actions setting "Choose whether GitHub Actions can create pull requests" may be off. Create an issue describing the problem with a link to https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests and exit the entire workflow. 
-
 5. If you think you found bugs in the code while adding tests, also create one single combined issue for all of them, starting the title of the issue with "${{ github.workflow }}". Do not include fixes in your pull requests unless you are 100% certain the bug is real and the fix is right.
 
 6. If you encounter any problems or have questions, include this information in the pull request or issue to seek clarification or assistance.

workflows/issue-triage.md

@@ -5,14 +5,14 @@ on:
   stop-after: +30d # workflow will no longer trigger after 30 days. Remove this and recompile to run indefinitely
   reaction: eyes
 
+permissions: read-all
+
 safe-outputs:
   add-issue-label:
     max: 3
   add-issue-comment:
     max: 1
 
-permissions: read-all
-
 tools:
   claude:
     allowed: