Org-wide GitHub Actions reusable workflows. Consumer repos in Xylem-Group/* reference these workflows via uses: to get a uniform PR automation pipeline: triage → optional fix → auto-merge.
Three reusable workflows. Composable; a repo can opt into any subset.
| Workflow | Trigger | What it does | AI? |
|---|---|---|---|
| `pr-triage.yml` | `pull_request: [opened, synchronize, reopened]` | Reads diff + CI status, classifies risk, posts structured comment, sets labels (`risk:*`, `trunk-broken`, `auto-mergeable`). | Yes (Haiku 4.5) |
| `pr-fix.yml` | `issue_comment` containing `/fix` (or `workflow_dispatch`) | Pulls failing CI logs, attempts fix as new commit on PR branch. Hard caps: 2 attempts, scope locked to files already in PR diff. | Yes (Sonnet 4.6, headless claude-code CLI) |
| `pr-auto-merge.yml` | `check_suite: completed` | Squash-merges when all conditions pass: `auto-merge` label, CI green, `risk:low`, deny-list clean, author allowed. | No (pure logic) |
Two files. Drop them in:

```text
.github/workflows/pr-automation.yml   # references the reusable workflows
.github/automation.yml                # per-repo policy (risk thresholds, deny-list, allowlist)
```

See `examples/consumer-workflow.yml.template` and `examples/automation.yml.template`.
`ANTHROPIC_API_KEY` is an org-level Actions secret on Xylem-Group, scoped to repos that opt into PR automation. `GITHUB_TOKEN` is per-job (auto-injected). `secrets: inherit` in the consumer workflow passes both through to the reusable workflows. Note that `inherit` forwards every secret the calling job can see, not just these two; that is acceptable because the called workflows are org-owned, but it is one more reason to pin the `uses:` reference to a reviewed commit rather than a moving branch.
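The consumer file the page refers to, written out here as an added example; it is not the project's `examples/consumer-workflow.yml.template`. The repository that hosts the reusable workflows (`Xylem-Group/pr-automation`), the job names and the `<pinned-sha>` ref are placeholders, and the `workflow_dispatch` path is left out because the page does not give the input the fix workflow expects.

```yaml
# .github/workflows/pr-automation.yml   (added example; repo name and ref are placeholders)
name: pr-automation

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:
    types: [created]
  check_suite:
    types: [completed]

# A reusable workflow can never exceed the caller's permissions, so grant the union of what
# triage (comment + labels), fix (pushes to the PR branch) and auto-merge (merge) need.
permissions:
  contents: write
  pull-requests: write
  issues: write
  checks: read

jobs:
  triage:
    if: github.event_name == 'pull_request'
    uses: Xylem-Group/pr-automation/.github/workflows/pr-triage.yml@<pinned-sha>   # hypothetical repo; pin to a reviewed commit
    secrets: inherit

  fix:
    # issue_comment runs with the base repo's token, so gate on: a PR comment (issue.pull_request
    # is only set for PRs), the trigger word, and a commenter with write access to the repo.
    if: >-
      github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/fix') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    uses: Xylem-Group/pr-automation/.github/workflows/pr-fix.yml@<pinned-sha>
    secrets: inherit

  auto-merge:
    if: github.event_name == 'check_suite'
    uses: Xylem-Group/pr-automation/.github/workflows/pr-auto-merge.yml@<pinned-sha>
    secrets: inherit
```

Two things to keep in mind when adapting it: the `author_association` gate on the fix job is this example's addition, not something the page says `pr-fix.yml` does itself, and `pull_request` runs for PRs opened from forks get a read-only `GITHUB_TOKEN`, so the triage comment and label calls would fail there; the page assumes branches inside Xylem-Group repos.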
```yaml
# Risk levels: low | medium | high. Set by the triage agent based on
# scope and the deny-list match.
auto_merge:
  enabled: true                   # global kill switch for this repo
  max_risk: low                   # never auto-merge above this
  required_labels: [auto-merge]   # opt-in label; absence blocks
  allowed_authors: [andnasnd]     # GitHub usernames; bot accounts ok
  auto_label_low_risk: false      # if true, triage auto-adds `auto-merge` when risk:low
  deny_globs:                     # files that block auto-merge regardless
    - ".github/workflows/**"
    - "flake.lock"
    - "flake.nix"
    - "**/disko.nix"
    - "**/ADR-*.md"
    - "docs/adr/**"
    - "**/secrets/**"
    - "**/*.key"
    - "**/*.crt"
    - "**/*.pem"
fix:
  enabled: true
  max_attempts: 2
  scope_lock: true                # only modify files already in PR diff
  model: sonnet                   # sonnet | haiku
  command_trigger: "/fix"         # PR comment text that triggers fix
triage:
  enabled: true
  model: haiku                    # haiku | sonnet
  max_diff_lines: 5000            # truncate diff above this
```

Defaults if no `.github/automation.yml` exists:

- triage: enabled, haiku, 5000 lines
- fix: enabled, sonnet, 2 attempts, scope_lock on
- auto_merge: disabled (must explicitly opt in)
- Triage agent has comment + label perms only. No code writes.
- Fix agent: branch writes only, capped attempts, scope-locked, never touches deny-list files.
- Auto-merge: never to non-`trunk` targets; never `--force`; squash-merge with `--delete-branch`.
- Branch protection on `trunk` should require the `triage` check to have completed (status check) so auto-merge can't race triage.
- `issue_comment` and `check_suite` runs always execute the workflow file on the default branch, so a PR cannot change the fix or auto-merge logic that judges it. The `pull_request` triage run does execute the PR's copy of the consumer workflow, one more reason `.github/workflows/**` is on the deny list.
| Comment | Effect |
|---|---|
| `/fix` | Run fix workflow on the PR. |
| `/triage` | Re-run triage (rare; the `synchronize` event normally covers this). |
| `/merge` | Force-add `auto-merge` label (if author is in allowlist). Auto-merge workflow then checks remaining conditions. |
| `/hold` | Remove `auto-merge` label; pauses any pending auto-merge. |
- Triage (Haiku, ~2k in / ~500 out): ~$0.01–0.05 per PR
- Fix (Sonnet, ~10k in / ~5k out per attempt, 2 attempts max): ~$0.30–1.50 per `/fix` invocation
- Auto-merge: free

At ~50 PRs/week across Xylem-Group, expect ~$2–5/week steady state; spikes when fix is used heavily.
- Land trunk fix for date-fenced guardrails so baseline is green (kulen PR #6, 2026-05-13).
- Week 1: Triage only, kulen + sigflow. Observe comments for accuracy. Don't enable auto-merge.
- Week 2: Add `/fix` slash command. Manually invoke on 3–5 failing PRs to validate scope-lock + attempt cap.
- Week 3: Enable auto-merge for sigflow (research code, lower blast radius). Keep kulen manual.
- Week 4+: Expand to remaining Xylem-Group repos via the same consumer-workflow template.