Auto-recompile gh-aw lock files on Dependabot PRs

[theletterf]

Summary

• Adds .github/workflows/recompile-aw-on-bump.yml. On any Dependabot PR that touches .github/workflows/gh-aw-*.lock.yml, it installs the pinned gh-aw (currently v0.71.5), runs gh aw compile, and pushes the result back to the Dependabot branch.
• Triggers on pull_request (Dependabot branches are same-origin, so checkout/push work) and gates on github.actor == 'dependabot[bot]'. Workflow-level permissions: declarations are honored on Dependabot pull_request runs, so id-token: write for the OIDC token still works.
• Pushes via an ephemeral GitHub token from a dedicated Vault policy — token-policy-7e01f3cdb012 — added in elastic/catalog-info#3784. This policy is bound to recompile-aw-on-bump.yml@* only and grants the minimum required permissions (contents:write, workflows:write, pull_requests:read).

Why

Dependabot pins actions to commit SHAs (e.g. actions/github-script@3a2844b…), but gh aw compile resolves the same v9 tag to its annotated tag object SHA (373c709c…). They disagree, so every Dependabot bump that lands inside the gh-aw lock files trips the compile-workflows pre-commit hook. We hit this on #112 and will keep hitting it. This workflow makes the fix automatic instead of manual.

Why a separate token policy

The existing token-policy-elastic-docs-actions (token-policy-8749eaab83f2) is bound to check-aw-updates.yml@refs/heads/main only, so the OIDC workflow_ref claim from this workflow's pull_request runs (different file, different ref) won't validate against it. Rather than widening that policy and coupling two unrelated workflows to one credential, this PR adds a separate, narrower policy in elastic/catalog-info#3784. Pattern follows token-policy-apm-server-update-dependabot, which uses @* for the same Dependabot use case.

Dependencies

• elastic/catalog-info#3784 merged and propagated.

Test plan

• After both PRs merge, watch the next Dependabot github-actions PR: confirm a follow-up commit "Recompile gh-aw lock files after Dependabot bump" appears and pre-commit passes.
• Optional dry-run: trigger by pushing a no-op SHA edit on a Dependabot branch and verify the workflow runs and is a no-op (Lock files already match a fresh compile).

Known limitation (separate, not addressed here)

The paths: '.github/workflows/gh-aw-*.lock.yml' filter only fires when the PR diff already includes lock-file changes. Dependabot PRs don't pre-include those — pre-commit fails before the lock files get updated. To make this auto-fix actually trigger on every relevant Dependabot bump, a follow-up should either drop the path filter (and rely on the dependabot[bot] actor gate) or move the trigger to workflow_run after pre-commit. Left as a separate PR to keep scope tight here.

🤖 Generated with Claude Code

[theletterf]

@reakaleek @Mpdreamz This should avoid Dependabot PRs getting stuck on AW lock files.

[Mpdreamz]

Does this require a new policy? this is reusing a token which is bound to a different workflow ref?

[theletterf]

Checking!

[theletterf]

You're right — checked the policy in catalog-info. It's bound to a single workflow_ref:

bound_claims:
  workflow_ref: elastic/docs-actions/.github/workflows/check-aw-updates.yml@refs/heads/main

So this workflow gets rejected on two counts:

1. Wrong workflow file (recompile-aw-on-bump.yml ≠ check-aw-updates.yml).
2. Trigger is pull_request, so workflow_ref will be …@refs/pull/N/merge, not …@refs/heads/main.

I'll hold this PR until I can open a catalog-info PR to broaden the binding — either a list of allowed refs or a glob covering both workflows and refs/pull/*/merge. Open to a different approach if you'd prefer not to widen this policy (e.g., a separate policy just for this workflow, or a Dependabot-secret PAT). What's your preference?

[theletterf]

New policy https://github.com/elastic/catalog-info/pull/3784

[theletterf]

@cotti Is this still needed after #142 ?