Scheduled Audit¶

Generic base workflow for scheduled audits — investigate the repository and file an issue when something needs attention.

Workflow source: gh-aw-scheduled-audit.md

How it works¶

The audit agent follows a standard 4-step process (gather context, analyze, quality gate, report) defined by the scheduled-audit fragment. You provide the Report Assignment via the additional-instructions input, which tells the agent what to investigate, what to look for, and how to report findings.

This is the base workflow. For domain-specific audits, see the specialized workflows: - Bug Hunter — find reproducible bugs - Text Auditor — find text quality issues - Code Duplication Detector — find duplicate code - Breaking Change Detector — find breaking changes

Quick Install¶

mkdir -p .github/workflows && curl -sL \
  https://raw.githubusercontent.com/elastic/ai-github-actions/v0/gh-agent-workflows/scheduled-audit/example.yml \
  -o .github/workflows/scheduled-audit.yml

Trigger¶

Event	Schedule
`schedule`	Weekdays
`workflow_dispatch`	Manual

Inputs¶

Input	Description	Required	Default
`additional-instructions`	What the audit agent should investigate (the Report Assignment)	Yes	—
`issue-title-prefix`	Title prefix for created issues, e.g. `[my-audit]`	Yes	—
`issue-label`	Label to apply to created issues	No	`""`
`setup-commands`	Shell commands run before the agent starts	No	`""`
`allowed-bot-users`	Allowlisted bot actor usernames (comma-separated)	No	`github-actions[bot]`

Safe Outputs¶

create-issue — file an audit report (max 1, auto-closes older reports)

Example Workflow¶

name: Scheduled Audit
on:
  schedule:
    - cron: "0 11 * * 1-5"
  workflow_dispatch:

permissions:
  contents: read
  issues: write
  pull-requests: read

jobs:
  run:
    uses: elastic/ai-github-actions/.github/workflows/gh-aw-scheduled-audit.lock.yml@v0
    with:
      issue-title-prefix: "[my-audit]"
      issue-label: "my-audit"
      additional-instructions: |
        Describe what the audit agent should investigate here.

        ### Data Gathering
        - What to examine (recent commits, open PRs, config files, etc.)

        ### What to Look For
        - What constitutes a finding worth reporting

        ### What to Skip
        - What to ignore
    secrets:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}