Add opt-in multi-repository auditing #176

Open
mrfelton wants to merge 2 commits into githubnext:main from LN-Zap:feat/multi-repo-auditing

Conversation

@mrfelton mrfelton commented Jun 22, 2026


Summary

Adds opt-in multi-repository auditing to the audit and optimizer workflows. Today both audit only the repository they run in; this lets one central repository monitor AI-credit (AIC) spend across many repositories.

When a new .github/agentic-ops.yml config lists repos:, both workflows collect each repository's agentic-workflow logs and aggregate AIC spend per repository and per workflow. With no config file present, behavior is unchanged — each workflow audits only the repository it runs in (fully backward compatible).

How it works

  • New config .github/agentic-ops.yml: a repos: list (owner/repo) plus an optional source-repo: (defaults to githubnext/agentic-ops).
  • Collection: for the current repository, agentic workflows are resolved from the local checkout by tracker-id (unchanged). For every other repository they are resolved by display name via the GitHub Actions API, then queried with gh aw logs "<name>" --repo <owner/repo> — because gh aw logs resolves a remote workflow only by its display name (a remote tracker-id/lock-filename lookup returns nothing). Runs are stamped with their source repository and de-duplicated on (repository, run_id) — run IDs are only unique per repo, so the previous unique_by(.run_id) could collide same-numbered runs across repos.
  • Aggregation: grouped by [repository, workflow_name], so identically named workflows in different repos are never conflated. The audit report gains an optional per-repository rollup, and run links use each run's own url.
  • Optimizer: selects/analyzes across repos and reads the target workflow's source from its own repository. The previously hardcoded githubnext/agentic-ops family-exclusion (in three places) is now driven by the configurable source-repo.
  • Auth: cross-repo collection needs a token with actions: read on the listed repos. The workflows use gh-aw's standard GH_AW_GITHUB_TOKEN "magic" secret (auth reference), falling back to GITHUB_TOKEN (current repo only) when unset. No bundle-specific secret is introduced.

Security review (per gh-aw strict mode)

  • Uses gh-aw's standard GH_AW_GITHUB_TOKEN magic secret — read-only here (actions: read; collection only, never exposed to the agent), falling back to GITHUB_TOKEN. No new bundle-specific secret.
  • No new actions beyond what the bundle already uses; no network/redirect changes.

Also

  • Adds a LICENSE file (separate commit) — the README declares MIT but no LICENSE existed. Happy to split this into its own PR if you prefer.

Testing

  • Single-repo (no-config) path verified equivalent to current behavior.
  • Multi-repo path validated against a live org of 8 repositories: cross-repo collection returns real AIC for every repo with agentic activity, and the remote display-name resolution was confirmed necessary (tracker-id + --repo returns nothing remotely).
  • gh aw compile (v0.79.6): 0 errors / 0 warnings; actionlint + shellcheck clean for the changed shell.

Lock files compiled with gh-aw v0.79.6.

🤖 Generated with Claude Code
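The collection and aggregation rules described above (a `.github/agentic-ops.yml` with a `repos:` list and a `source-repo:` that defaults to githubnext/agentic-ops, runs stamped with their source repository, de-duplication on (repository, run_id) instead of run_id alone, and spend grouped by [repository, workflow_name] with a per-repository rollup), as an added Python example. This is not code from the PR or from the agentic-ops workflows themselves, which run as shell/jq steps in GitHub Actions; the config parser is a minimal hand-rolled subset rather than a YAML library, and the repository names, run ids, AIC amounts and log records are constructed sample data standing in for what `gh aw logs` would return per repository.

```python
"""Multi-repo run collection and AIC aggregation (constructed example)."""
from collections import defaultdict

DEFAULT_SOURCE_REPO = "githubnext/agentic-ops"

# Constructed sample of the config shape described in the PR.
CONFIG_TEXT = """\
# repositories audited from this central repo
repos:
  - example-org/alpha
  - example-org/beta
source-repo: githubnext/agentic-ops
"""

# Constructed per-repository log records (hypothetical, not real gh aw output).
# Note that run 101 exists in BOTH repos, and alpha's run 101 appears twice
# (as it would if two queries overlapped).
SAMPLE_LOGS = {
    "example-org/alpha": [
        {"run_id": 101, "workflow_name": "Daily Audit", "aic": 3.5,
         "url": "https://github.com/example-org/alpha/actions/runs/101"},
        {"run_id": 102, "workflow_name": "Daily Audit", "aic": 1.5,
         "url": "https://github.com/example-org/alpha/actions/runs/102"},
        {"run_id": 101, "workflow_name": "Daily Audit", "aic": 3.5,
         "url": "https://github.com/example-org/alpha/actions/runs/101"},
    ],
    "example-org/beta": [
        {"run_id": 101, "workflow_name": "Daily Audit", "aic": 2.0,
         "url": "https://github.com/example-org/beta/actions/runs/101"},
        {"run_id": 103, "workflow_name": "Optimizer", "aic": 4.0,
         "url": "https://github.com/example-org/beta/actions/runs/103"},
    ],
}


def parse_config(text):
    """Parse the two-key subset: `repos:` (list of owner/repo) and optional
    `source-repo:`. Hand-rolled so the example runs offline; a real workflow
    would use a YAML parser."""
    repos, source_repo, in_repos = [], DEFAULT_SOURCE_REPO, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("repos:"):
            in_repos = True
            continue
        if line.startswith("source-repo:"):
            in_repos = False
            source_repo = line.split(":", 1)[1].strip()
            continue
        if in_repos and line.lstrip().startswith("- "):
            repos.append(line.lstrip()[2:].strip())
            continue
        in_repos = False
    for repo in repos:
        if repo.count("/") != 1 or not all(repo.split("/")):
            raise ValueError(f"repos entries must be owner/repo, got {repo!r}")
    return {"repos": repos, "source_repo": source_repo}


def stamp_runs(config, logs_by_repo):
    """Collect runs for every configured repo, stamping each with its source
    repository (the field that makes run ids globally distinguishable)."""
    stamped = []
    for repo in config["repos"]:
        for run in logs_by_repo.get(repo, []):
            stamped.append({**run, "repository": repo})
    return stamped


def naive_unique_by_run_id(runs):
    """The previous behaviour (jq unique_by(.run_id)): same-numbered runs in
    different repositories collide and one is silently dropped."""
    seen, kept = set(), []
    for run in runs:
        if run["run_id"] not in seen:
            seen.add(run["run_id"])
            kept.append(run)
    return kept


def dedupe_runs(runs):
    """De-duplicate on (repository, run_id): removes true duplicates only."""
    seen, kept = set(), []
    for run in runs:
        key = (run["repository"], run["run_id"])
        if key not in seen:
            seen.add(key)
            kept.append(run)
    return kept


def aggregate_spend(runs):
    """Group AIC by [repository, workflow_name] plus a per-repository rollup,
    so identically named workflows in different repos are never conflated."""
    per_workflow, per_repo = defaultdict(float), defaultdict(float)
    for run in runs:
        per_workflow[(run["repository"], run["workflow_name"])] += run["aic"]
        per_repo[run["repository"]] += run["aic"]
    return dict(per_workflow), dict(per_repo)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    runs = dedupe_runs(stamp_runs(cfg, SAMPLE_LOGS))
    by_workflow, by_repo = aggregate_spend(runs)
    for (repo, wf), total in sorted(by_workflow.items()):
        print(f"{repo:20} {wf:14} {total:6.2f} AIC")
    for repo, total in sorted(by_repo.items()):
        print(f"{repo:20} {'(total)':14} {total:6.2f} AIC")
```

Running it shows the difference the PR describes: the naive run_id-only de-duplication keeps three runs and loses beta's run 101, while keying on (repository, run_id) keeps all four distinct runs and only drops alpha's repeated record.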

mrfelton and others added 2 commits June 22, 2026 14:39
Add opt-in multi-repository support to the audit and optimizer workflows.
When `.github/agentic-ops.yml` lists `repos:`, both workflows collect each
repository's agentic-workflow logs and aggregate AI-credit spend per
repository and per workflow, so one central repository can monitor an entire
org's agentic workflows.

- New `.github/agentic-ops.yml` config (`repos:` + optional `source-repo:`).
- For the current repository, agentic workflows are resolved from the local
  checkout by tracker-id (unchanged single-repo behavior). For every other
  repository they are resolved by display name via the GitHub Actions API and
  queried with `gh aw logs --repo`, because gh aw logs resolves a remote
  workflow only by its name. Runs are stamped with their source repository and
  de-duplicated on (repository, run_id).
- Audit groups and reports per repository; optimizer selects, analyzes, and
  reads the target workflow's source from its own repository.
- The hardcoded `githubnext/agentic-ops` family-exclusion is now driven by a
  configurable `source-repo` (defaults to githubnext/agentic-ops).
- Cross-repo reads use gh-aw's standard GH_AW_GITHUB_TOKEN magic secret (a token
  with actions: read on the listed repos), falling back to GITHUB_TOKEN.

With no config file present, behavior is unchanged: each workflow audits only
the repository it runs in.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The README declares the project MIT-licensed but no LICENSE file existed.
Add the standard MIT license text.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mrfelton force-pushed the feat/multi-repo-auditing branch from b948639 to 3d8dd3f on June 22, 2026 12:39