Recompile agentic workflows to gh-aw v0.37.19 (#8323)

* Initial plan * Initial plan: Recompile agentic workflows to latest gh-aw version Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> * Update gh-aw instruction files with latest features Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>
2026-01-28 21:08:43 +00:00 · 2026-01-24 12:08:16 -08:00 · 2026-01-24 12:08:16 -08:00 · d87aa87ae4
commit d87aa87ae4
parent c88c781f3b
11 changed files with 168 additions and 431 deletions
--- a/.github/aw/create-agentic-workflow.md
+++ b/.github/aw/create-agentic-workflow.md
@ -181,7 +181,7 @@ DO NOT ask all these questions at once; instead, engage in a back-and-forth conv
     - 📋 **DO NOT include other fields with good defaults** - Let the compiler use sensible defaults unless customization is needed.
   - Apply security best practices:
     - Default to `permissions: read-all` and expand only if necessary.
-     - Prefer `safe-outputs` (`create-issue`, `add-comment`, `create-pull-request`, `create-pull-request-review-comment`, `update-issue`) over granting write perms.
+     - Prefer `safe-outputs` (`create-issue`, `add-comment`, `create-pull-request`, `create-pull-request-review-comment`, `update-issue`, `dispatch-workflow`) over granting write perms.
     - For custom write operations to external services (email, Slack, webhooks), use `safe-outputs.jobs:` to create custom safe output jobs.
     - Constrain `network:` to the minimum required ecosystems/domains.
     - Use sanitized expressions (`${{ needs.activation.outputs.text }}`) instead of raw event text.
--- a/.github/aw/create-shared-agentic-workflow.md
+++ b/.github/aw/create-shared-agentic-workflow.md
@ -34,7 +34,7 @@ You are a conversational chat agent that interacts with the user to design secur
 **Move Write Operations to Safe Outputs**
 - Never grant direct write permissions in shared components
 - Use `safe-outputs:` configuration for all write operations
- Common safe outputs: `create-issue`, `add-comment`, `create-pull-request`, `update-issue`
+- Common safe outputs: `create-issue`, `add-comment`, `create-pull-request`, `update-issue`, `dispatch-workflow`
 - Let consuming workflows decide which safe outputs to enable

 **Process Agent Output in Safe Jobs**
--- a/.github/aw/github-agentic-workflows.md
+++ b/.github/aw/github-agentic-workflows.md
@ -465,6 +465,16 @@ The YAML frontmatter supports these fields:
        target-repo: "owner/repo"                   # Optional: cross-repository
    ```
    When using `safe-outputs.add-labels`, the main job does **not** need `issues: write` or `pull-requests: write` permission since label addition is handled by a separate job with appropriate permissions.
+  - `remove-labels:` - Safe label removal from issues or PRs
+    ```yaml
+    safe-outputs:
+      remove-labels:
+        allowed: [automated, stale]  # Optional: restrict to specific labels
+        max: 3                       # Optional: maximum number of operations (default: 3)
+        target: "*"                  # Optional: "triggering" (default), "*" (any issue/PR), or number
+        target-repo: "owner/repo"    # Optional: cross-repository
+    ```
+    When `allowed` is omitted, any labels can be removed. Use `allowed` to restrict removal to specific labels. When using `safe-outputs.remove-labels`, the main job does **not** need `issues: write` or `pull-requests: write` permission since label removal is handled by a separate job with appropriate permissions.
  - `add-reviewer:` - Add reviewers to pull requests
    ```yaml
    safe-outputs:
@ -558,6 +568,14 @@ The YAML frontmatter supports these fields:
        target-repo: "owner/repo"       # Optional: cross-repository
    ```
    Publishes workflow artifacts to an orphaned git branch for persistent storage. Default allowed extensions include common non-executable types. Maximum file size is 50MB (51200 KB).
+  - `dispatch-workflow:` - Trigger other workflows with inputs
+    ```yaml
+    safe-outputs:
+      dispatch-workflow:
+        workflows: [workflow-name]          # Required: list of workflow names to allow
+        max: 3                              # Optional: max dispatches (default: 1, max: 3)
+    ```
+    Triggers other agentic workflows in the same repository using workflow_dispatch. Agent output includes `workflow_name` (without .md extension) and optional `inputs` (key-value pairs). Not supported for cross-repository operations.
  - `create-code-scanning-alert:` - Generate SARIF security advisories
    ```yaml
    safe-outputs: