Add centralized slash-command trigger strategy with compiler-generated agentic_commands router workflow

[Copilot]

New Feature

What does this feature do?

Adds centralized slash-command routing so workflows can opt into on.slash_command.strategy: centralized, with a single compiler-generated router workflow that unions supported events and dispatches only matching command+event routes.

Why is this feature needed?

It reduces duplicated slash trigger listeners across workflows, keeps permissions scoped in one router path, and makes slash dispatch behavior more predictable at scale.

Implementation details

• Generates a shared router workflow at .github/workflows/agentic_commands.yml (renamed from agentic_slash_commands.yml).
• Keeps top-level router permissions empty and uses job-level scoped permissions for dispatch.
• Preserves correct event filtering and dispatch matching for command name + event identifier.
• Ensures centralized workflows with label_command still allow workflow_dispatch runs.
• Moves membership/fork trust enforcement out of the centralized router and into compiled workflow pre-activation checks, so workflow_dispatch is not treated as a trusted event.
• For centralized dispatches, validates the originating actor from aw_context.actor and blocks fork-based PR dispatches during compiled workflow membership validation.
• Marks on.slash_command.strategy: centralized as experimental via compiler warning output and updates reference docs accordingly.
• Updates compiler warning/docs references to the new router filename and cleans up the legacy generated filename.

Testing

• Targeted workflow compiler tests in pkg/workflow passed.
• Centralized recommendation warning test in pkg/cli passed.
• Added/updated centralized router generation tests for trigger unioning, permissions layout, and command+event dispatch matching.
• Added/updated membership validation tests for centralized workflow_dispatch actor validation and fork-based PR blocking.
• Added integration coverage for centralized strategy experimental warning emission.
• Build passed.

[pelikhan]

@copilot make /cloclo and /archie centralized

[github-actions]

Hey @Copilot 👋 — great work on the centralized slash-command trigger strategy! The changes across the compiler pipeline, check_command_position.cjs, and the new central_slash_command_workflow.go look well-scoped and the test coverage additions (4 test files!) are a strong signal.

One thing to address before this is ready for review:

• Add a human-readable description — the PR body currently contains only the agent's internal task checklist. Reviewers need a plain-language summary explaining what changed and why (e.g. "This PR introduces a single centralized GitHub Actions workflow that acts as a router for all slash commands, replacing per-command trigger definitions. It updates the compiler to emit this workflow and migrates /cloclo and /archie to the new strategy."). Even a short paragraph goes a long way.

If you'd like help, you can assign this prompt to your coding agent:

Update the PR body for PR #31605 in github/gh-aw.
Replace the current agent task checklist with a concise human-readable description that covers:
1. What problem this PR solves (why per-command trigger definitions were replaced).
2. What was changed at a high level (new central_slash_command_workflow.go, compiler pipeline updates, check_command_position.cjs changes, schema/docs updates).
3. Which slash commands were migrated (/cloclo, /archie) as concrete examples.
Keep it to 3-5 sentences or a short bullet list.

Generated by Contribution Check · ● 11.9M · ◷

[Copilot]

@copilot make /cloclo and /archie centralized

Done in 03ea49e — both /cloclo and /archie are now configured with on.slash_command.strategy: centralized, and their lock workflows were recompiled.

[pelikhan]

@copilot the compiler must also generate the github actions that declares the events and does the workflow_dispatch. Call it "agentic_slash_commands.yml"

[pelikhan]

@copilot remove legacy trigger file

[Copilot]

@copilot the compiler must also generate the github actions that declares the events and does the workflow_dispatch. Call it "agentic_slash_commands.yml"

Implemented in 6f97404. The compiler now targets agentic_slash_commands.yml for centralized slash routing, and the generated workflow declares merged events and dispatches matching .lock.yml workflows via workflow_dispatch.

[Copilot]

@copilot remove legacy trigger file

Done in 2f2666b — removed legacy trigger-file handling and tests tied to agentics-slash-command-trigger.yml.

[pelikhan]

@copilot empty permission at the top level and specific permissions in each job

[Copilot]

Done in 0776395 — set top-level permissions: {} and moved explicit permissions to the route job.

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

Reviewed and addressed the actionable review threads in commits e471720 and dd5fb5b:

• centralized slash_command + label_command now preserves workflow_dispatch eligibility in the generated if: condition,
• command-event marshal fallback now returns a clear error instead of emitting invalid on: output,
• added regression coverage for the centralized + label_command combination.

[pelikhan]

@copilot do a complete code review of the changes, and the compiled code.

focus on permissions, event filtering, proper dispatch on the correct slash command

[Copilot]

@copilot do a complete code review of the changes, and the compiled code.

focus on permissions, event filtering, proper dispatch on the correct slash command...

Completed a full pass on the PR + compiled outputs with focus on permissions, event filtering, and slash-command dispatch routing.

I found one compiled mismatch and fixed it in e762f4a:

• regenerated .github/workflows/cloclo.lock.yml so centralized /cloclo router dispatches (workflow_dispatch) are not blocked when label_command is also configured.

Review results:

• agentic_slash_commands.yml permissions are scoped as requested (permissions: {} top-level, actions: write + contents: read at job level).
• Router dispatch remains correctly filtered by both command and event identifier.
• Compiled /archie and /cloclo routing map/event subscriptions are consistent with centralized trigger expectations.

[pelikhan]

@copilot

• rename agentic_slash_commands.yml to agentic_commands.yml

[pelikhan]

@copilot mark feature as experimental

[pelikhan]

@copilot ensure that the workflow_dispatch generated has the fork and membership protections

[Copilot]

@copilot

• rename agentic_slash_commands.yml to agentic_commands.yml...

Done in 0fbf69e (with follow-up cleanup in db13f81). The centralized generated router workflow has been renamed to .github/workflows/agentic_commands.yml, and compiler/docs/warning references were updated accordingly.

[Copilot]

@copilot ensure that the workflow_dispatch generated has the fork and membership protections

Addressed in 427b3c7 — the generated agentic_commands.yml router now enforces trusted membership associations and skips dispatch for fork-based pull_request routes before calling workflow_dispatch.

@copilot mark feature as experimental

Addressed in 427b3c7 — centralized on.slash_command.strategy: centralized is now marked experimental (compiler warning + reference docs update).

[pelikhan]

@copilot

• remove the checks in agentic_commands.yml
• enforce checks in the compiled workflows to make sure workflow_dispatch is not treated as a trusted event

[Copilot]

@copilot

• remove the checks in agentic_commands.yml...

Implemented in 5cc5e03 and c9609be.

• Removed membership/fork trust checks from generated .github/workflows/agentic_commands.yml (router now only matches command+event and dispatches).
• Enforced the protections in compiled workflow pre-activation membership validation (check_membership.cjs): workflow_dispatch is always validated, centralized dispatches validate the original aw_context.actor, and fork-based PR dispatches are blocked with explicit denial paths.
• Updated tests for router generation and workflow_dispatch membership behavior.