Roll out built-in Copilot auth and Elastic docs skill mapping (#185)

* Use APM skills in docs review workflow

Install Elastic docs review skills through APM in the reusable PR review workflow so we can test cross-repo skill imports from a private caller repo without losing the embedded review guidance fallback.

Co-signed-by: OpenAI GPT-5.4
Co-authored-by: Cursor <cursoragent@cursor.com>

* Recompile docs review with gh-aw v0.79.6

Use the latest gh-aw compiler for the docs review workflow so the branch picks up the new Copilot auth behavior and no longer requires a dedicated COPILOT_GITHUB_TOKEN for smoke testing.

Co-signed-by: OpenAI GPT-5.4
Co-authored-by: Cursor <cursoragent@cursor.com>

* Roll out built-in Copilot auth and skill mapping.

Update the gh-aw workflows and docs to use the built-in GitHub token path, and map Elastic docs skills to the reusable review and sweep workflows.

Co-authored-by: GPT-5.4 <gpt-5.4@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

* Fix generated workflow pre-commit handling.

Exclude the gh-aw maintenance workflow from actionlint until the generator stops emitting an invalid empty choice, and keep the repo's EOF normalization in sync.

Co-authored-by: GPT-5.4 <gpt-5.4@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

* Exclude generated workflow from whitespace hook.

Skip the gh-aw maintenance workflow in trailing-whitespace as well as actionlint so the generated header formatting no longer causes pre-commit failures.

Co-authored-by: GPT-5.4 <gpt-5.4@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: GPT-5.4 <gpt-5.4@openai.com>

Author: 3 people

.github/aw/actions-lock.json

@@ -50,15 +50,15 @@
       "version": "v7.0.1",
       "sha": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
     },
-    "github/gh-aw-actions/setup-cli@v0.79.3": {
+    "github/gh-aw-actions/setup-cli@v0.79.6": {
       "repo": "github/gh-aw-actions/setup-cli",
-      "version": "v0.79.3",
-      "sha": "ff3d7ecc684ffaf8c99e9ac7e40536e955a9776b"
+      "version": "v0.79.6",
+      "sha": "5c2fe865bb4dc46e1450f6ee0d0541d759aea73a"
     },
-    "github/gh-aw-actions/setup@v0.79.3": {
+    "github/gh-aw-actions/setup@v0.79.6": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0.79.3",
-      "sha": "ff3d7ecc684ffaf8c99e9ac7e40536e955a9776b"
+      "version": "v0.79.6",
+      "sha": "5c2fe865bb4dc46e1450f6ee0d0541d759aea73a"
     },
     "microsoft/apm-action@v1.4.1": {
       "repo": "microsoft/apm-action",
@@ -69,6 +69,11 @@
       "repo": "microsoft/apm-action",
       "version": "v1.5.0",
       "sha": "4489b4be0069e2c8c4d44305c3d273fb9d50e647"
+    },
+    "microsoft/apm-action@v1.7.2": {
+      "repo": "microsoft/apm-action",
+      "version": "v1.7.2",
+      "sha": "b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd"
     }
   }
 }

.github/workflows/agentics-maintenance.yml

@@ -10,7 +10,7 @@ jobs:
     name: Recompile lock files and open PR if changed
     runs-on: ubuntu-latest
     env:
-      GH_AW_VERSION: v0.79.3
+      GH_AW_VERSION: v0.79.6
     permissions:
       id-token: write
       contents: read

.github/workflows/check-aw-updates.yml

@@ -7,6 +7,11 @@ description: |
 
 inlined-imports: true
 imports:
+  - uses: shared/apm.md
+    with:
+      target: copilot
+      packages:
+        - elastic/elastic-docs-skills/skills/authoring/applies-to-tagging
   - gh-aw-fragments/formatting.md
   - gh-aw-fragments/rigor.md
   - gh-aw-fragments/mcp-pagination.md
@@ -61,11 +66,12 @@ on:
         default: ""
     secrets:
       COPILOT_GITHUB_TOKEN:
-        required: true
+        required: false
 concurrency:
   group: gh-aw-docs-applies-to-sweep-${{ github.run_id }}
   cancel-in-progress: false
 permissions:
+  copilot-requests: write
   contents: read
   issues: read
 strict: false
@@ -252,6 +258,10 @@ steps:
 
 You are an `applies_to` validator for an Elastic documentation repository. Your job is to audit the `applies_to` frontmatter key on a deterministically-selected slice of pages and emit a single labeled fix-issue with structured findings.
 
+This workflow also installs the `docs-applies-to-tagging` APM skill from `elastic/elastic-docs-skills`.
+
+Use that installed skill when it helps interpret version, deployment, product, or lifecycle applicability rules. Treat it as additive guidance, not as permission to skip the verified references and explicit rule checks in this workflow.
+
 ## Pre-fetched data
 
 A pre-step has computed the in-scope file list:
@@ -264,7 +274,7 @@ Read with `cat` / `jq`. If `in_scope_count` is `0`, call `noop` with a path-awar
 
 ## Step 1: Validate applies_to autonomously
 
-This workflow is autonomous. Do not invoke runtime skills or depend on a skill package being installed. For each in-scope file, read the frontmatter block at the top of the copy under `/tmp/gh-aw/sweep-data/scope/` and inspect the `applies_to` key.
+This workflow is autonomous. For each in-scope file, read the frontmatter block at the top of the copy under `/tmp/gh-aw/sweep-data/scope/` and inspect the `applies_to` key.
 
 Audit only. Do not edit repo originals or scope copies. This sweep emits an issue, not a PR.
 
@@ -276,6 +286,8 @@ Before filing any validity finding, verify the rule from one of these sources:
 
 Use the published reference as the source of truth for allowed dimensions, keys, lifecycle states, and version formats. If the MCP server is unavailable and no local schema is available, call `noop` with `"applies_to reference unavailable; skipping applies_to sweep"` rather than emitting unverified findings.
 
+When a finding depends on interpreting lifecycle, version-range, or dimension rules, explicitly use the installed `docs-applies-to-tagging` skill guidance.
+
 Apply these rules after verification:
 
 - Every page should include page-level `applies_to` frontmatter.

.github/workflows/gh-aw-docs-applies-to-sweep.lock.yml

@@ -67,11 +67,12 @@ on:
         default: ""
     secrets:
       COPILOT_GITHUB_TOKEN:
-        required: true
+        required: false
 concurrency:
   group: gh-aw-docs-coherence-sweep-${{ github.run_id }}
   cancel-in-progress: false
 permissions:
+  copilot-requests: write
   contents: read
   issues: read
 strict: false

.github/workflows/gh-aw-docs-applies-to-sweep.md

@@ -8,6 +8,12 @@ description: |
 
 inlined-imports: true
 imports:
+  - uses: shared/apm.md
+    with:
+      target: copilot
+      packages:
+        - elastic/elastic-docs-skills/skills/review/frontmatter-audit
+        - elastic/elastic-docs-skills/skills/authoring/frontmatter-description
   - gh-aw-fragments/formatting.md
   - gh-aw-fragments/rigor.md
   - gh-aw-fragments/mcp-pagination.md
@@ -62,11 +68,12 @@ on:
         default: ""
     secrets:
       COPILOT_GITHUB_TOKEN:
-        required: true
+        required: false
 concurrency:
   group: gh-aw-docs-frontmatter-sweep-${{ github.run_id }}
   cancel-in-progress: false
 permissions:
+  copilot-requests: write
   contents: read
   issues: read
 strict: false
@@ -253,6 +260,13 @@ steps:
 
 You are a frontmatter quality reviewer for an Elastic documentation repository. Your job is to audit the frontmatter (`---` block at the top of each `.md` file) of a deterministically-selected slice of pages, and emit a single labeled fix-issue with structured findings that a human (and later, a fix-agent) can act on.
 
+This workflow also installs these APM skills from `elastic/elastic-docs-skills`:
+
+- `docs-frontmatter-audit`
+- `docs-frontmatter-description`
+
+Use those installed skills when they help validate frontmatter requirements or judge whether a description is missing, weak, or mis-scoped. Treat them as additive guidance, not as permission to skip the deterministic repository evidence and explicit checks in this workflow.
+
 ## Pre-fetched data
 
 A pre-step has computed the in-scope file list for this run:
@@ -276,10 +290,15 @@ If `in_scope_count` is `0`, call `noop` with a short message including the corpu
 
 ## Step 1: Audit the frontmatter
 
-This workflow is autonomous. Do not invoke runtime skills or depend on a skill package being installed. For each in-scope file, read the frontmatter block at the top of the copy under `/tmp/gh-aw/sweep-data/scope/` and inspect only the fields covered by this sweep.
+This workflow is autonomous. For each in-scope file, read the frontmatter block at the top of the copy under `/tmp/gh-aw/sweep-data/scope/` and inspect only the fields covered by this sweep.
 
 Use local repository evidence first. If a repository schema or docs-builder frontmatter reference is present in the checked-out source, use it for required-field confirmation. Use the Elastic docs MCP server only for targeted authoring guidance, not for broad corpus searches. Prefer `elastic-docs.get_document_by_url` for known guidance pages such as `/docs/contribute-docs/how-to/cumulative-docs/reference`, and `elastic-docs.search_docs` only when you need to discover a published frontmatter guidance page before citing it.
 
+When the finding depends on description quality or metadata completeness rather than simple field presence, explicitly use the installed skill guidance:
+
+- `docs-frontmatter-audit` for required-field and metadata-shape checks.
+- `docs-frontmatter-description` for judging description quality and user-facing scope.
+
 Apply these rules:
 
 - `description` should be present, non-empty, no more than 200 characters, specific to the page, and useful in search results. It must be a complete sentence, not a fragment or label.