Merge branch 'main' into token-getter

Author: mnkiefer

.github/aw/github-agentic-workflows.md

@@ -108,6 +108,8 @@ jobs:
 
       - name: Test full install script (without dummy version)
         shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           chmod +x install-gh-aw.sh
           

.github/workflows/install.yml

@@ -216,6 +216,11 @@ on:
     names: []
       # Array items: Label name
 
+    # Whether to lock the issue for the agent when the workflow runs (prevents
+    # concurrent modifications)
+    # (optional)
+    lock-for-agent: true
+
   # Issue comment event trigger
   # (optional)
   issue_comment:

docs/src/content/docs/reference/frontmatter-full.md

@@ -195,6 +195,22 @@ The process of checking workflow files for errors, security issues, and best pra
 ### Cache Memory
 Persistent storage for workflows that preserves data between runs. Configured using `cache-memory:` in the tools section, it enables workflows to remember information and build on previous interactions.
 
+### Campaign
+A finite, enterprise-scale initiative with explicit ownership, approval gates, and executive visibility. Campaigns orchestrate business outcomes (security remediation, dependency updates, compliance enforcement) across multiple repositories with governance, accountability, and ROI tracking. Unlike regular workflows that execute operations, campaigns manage business initiatives with measurable outcomes, defined budgets, stakeholder reporting, and compliance audit trails.
+
+**Key characteristics:**
+- Finite duration (days to months) with clear start and end
+- Named owners and executive sponsors
+- Formal approval gates and change control
+- Budget tracking with ROI metrics
+- Stateful execution using repo-memory for audit trails
+- Cross-team and cross-repository coordination
+- Executive dashboards and KPI reporting
+
+**File naming:** Use `.campaign.md` extension (e.g., `security-compliance.campaign.md`)
+
+See the [Campaigns Guide](/gh-aw/guides/campaigns/) for implementation patterns and examples.
+
 ### Command Triggers
 Special triggers that respond to slash commands in issue and PR comments (e.g., `/review`, `/deploy`). Configured using the `command:` section with a command name.
 

docs/src/content/docs/reference/glossary.md

@@ -112,6 +112,9 @@ var sanitizeWorkflowNameScript string
 //go:embed js/load_agent_output.cjs
 var loadAgentOutputScript string
 
+//go:embed js/lock-issue.cjs
+var lockIssueScript string
+
 //go:embed js/staged_preview.cjs
 var stagedPreviewScript string
 
@@ -278,6 +281,7 @@ func GetJavaScriptSources() map[string]string {
 		"sanitize_label_content.cjs":        sanitizeLabelContentScript,
 		"sanitize_workflow_name.cjs":        sanitizeWorkflowNameScript,
 		"load_agent_output.cjs":             loadAgentOutputScript,
+		"lock-issue.cjs":                    lockIssueScript,
 		"staged_preview.cjs":                stagedPreviewScript,
 		"assign_agent_helpers.cjs":          assignAgentHelpersScript,
 		"safe_output_helpers.cjs":           safeOutputHelpersScript,

pkg/workflow/js.go

@@ -0,0 +1,40 @@
+// @ts-check
+/// <reference types="@actions/github-script" />
+
+/**
+ * Lock a GitHub issue without providing a reason
+ * This script is used in the activation job when lock-for-agent is enabled
+ * to prevent concurrent modifications during agent workflow execution
+ */
+
+async function main() {
+  // Get issue number from context
+  const issueNumber = context.issue.number;
+
+  if (!issueNumber) {
+    core.setFailed("Issue number not found in context");
+    return;
+  }
+
+  const owner = context.repo.owner;
+  const repo = context.repo.repo;
+
+  core.info(`Locking issue #${issueNumber} for agent workflow execution`);
+
+  try {
+    // Lock the issue without providing a lock_reason parameter
+    await github.rest.issues.lock({
+      owner,
+      repo,
+      issue_number: issueNumber,
+    });
+
+    core.info(`✅ Successfully locked issue #${issueNumber}`);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    core.error(`Failed to lock issue: ${errorMessage}`);
+    core.setFailed(`Failed to lock issue #${issueNumber}: ${errorMessage}`);
+  }
+}
+
+await main();