Restore fragments with inlined-imports: true

Use the gh-aw inlined-imports frontmatter flag (v0.67.3) to embed
all imported content at compile time. This produces self-contained
lock files with zero runtime-import directives, fixing the cross-repo
workflow_call failure while keeping fragments for reuse.

- Add inlined-imports: true to both workflow .md sources
- Restore gh-aw-fragments/ with formatting, rigor, mcp-pagination,
  messages-footer, and safe-output-add-comment
- Move shared content back into fragments, out of workflow prompts
- Update DEVELOPING.md to document inlined-imports convention
- Update create-agentic-workflow skill to use imports + inlined-imports

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: theletterf

.claude/skills/create-agentic-workflow/SKILL.md

@@ -65,13 +65,20 @@ Read an existing workflow for reference:
 - `.github/workflows/gh-aw-docs-check.md` — on-demand check pattern
 - `.github/workflows/gh-aw-issue-triage.md` — triage pattern with pre-steps
 
-Generate `.github/workflows/gh-aw-<name>.md` with all content inlined. **Do NOT use `imports:`** — the gh-aw runtime import mechanism does not work for cross-repo `workflow_call`, which is how consumer repos invoke these workflows. All prompt content, safe-output constraints, and MCP server docs must be directly in the `.md` file.
+Generate `.github/workflows/gh-aw-<name>.md`. Read the available fragments in `.github/workflows/gh-aw-fragments/` and import those relevant to the workflow. **Always include `inlined-imports: true`** — this embeds all imported content at compile time, which is required for cross-repo `workflow_call` invocation.
 
 ```yaml
 ---
 description: |
   <one-line description>
 
+inlined-imports: true
+imports:
+  - gh-aw-fragments/formatting.md
+  - gh-aw-fragments/rigor.md
+  - gh-aw-fragments/mcp-pagination.md
+  - gh-aw-fragments/messages-footer.md
+  - gh-aw-fragments/safe-output-<type>.md
 engine:
   id: copilot
 on:
@@ -116,8 +123,6 @@ network:
     - "www.elastic.co"
 strict: false
 safe-outputs:
-  messages:
-    footer: "${{ inputs.messages-footer || '---\n[Docs automation](https://github.com/elastic/docs-actions) | [From workflow: {workflow_name}]({run_url})\n\nReact with 👍 if helpful, 👎 if not.' }}"
   noop:
   <output-type>:
 timeout-minutes: 30
@@ -130,22 +135,17 @@ steps:
 ---
 ```
 
-Follow the frontmatter with the agent prompt in markdown. Structure it as:
+Follow the frontmatter with the agent prompt in markdown. The imported fragments provide formatting guidelines, rigor standards, MCP pagination tips, safe-output limitations, and the message footer note — so you don't need to repeat those. Structure the workflow-specific prompt as:
 1. **Role statement** — who the agent is and what it does
-2. **Formatting guidelines** — lead with key info, be concise, use `<details>` tags
-3. **Rigor** — evidence standards, noop-over-noise philosophy (for audit/check workflows)
-4. **MCP pagination** — token limit guidance if the workflow uses MCP tools
-5. **Data gathering** — what to read, search, or fetch
-6. **Analysis** — what to look for, how to evaluate findings
-7. **What to skip** — explicit exclusions to reduce noise
-8. **Quality gate** — when to noop vs. when to report (noop is the expected outcome)
-9. **Safe output limitations** — max body size, mention limits, allowed HTML for the output type
-10. **Message footer note** — "A footer is automatically appended to all comments and reviews. Do not add your own footer or sign-off — the runtime handles this."
-11. **Output format** — exact format for the issue body, PR body, or comment
+2. **Data gathering** — what to read, search, or fetch
+3. **Analysis** — what to look for, how to evaluate findings
+4. **What to skip** — explicit exclusions to reduce noise
+5. **Quality gate** — when to noop vs. when to report (noop is the expected outcome)
+6. **Output format** — exact format for the issue body, PR body, or comment
 
 End with `${{ inputs.additional-instructions }}` so callers can inject repo-specific guidance.
 
-Not every section is needed for every workflow — include what's relevant. Read the existing workflows for examples of what to include.
+Read the existing workflows for examples.
 
 ### Step 4: Generate the trigger template
 

.github/aw/actions-lock.json

@@ -5,10 +5,10 @@
       "version": "v8",
       "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
     },
-    "github/gh-aw-actions/setup@v0.67.2": {
+    "github/gh-aw-actions/setup@v0.67.3": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0.67.2",
-      "sha": "03e31e064a68e8d5ad890c92f303cfb5a3536006"
+      "version": "v0.67.3",
+      "sha": "eef369c24101e76a5bf51579c26798b28f666813"
     }
   }
 }

.github/workflows/gh-aw-docs-check.lock.yml

@@ -4,6 +4,13 @@ description: |
   Analyzes code changes against the Elastic docs corpus and reports
   which pages need updates, additions, or review.
 
+inlined-imports: true
+imports:
+  - gh-aw-fragments/formatting.md
+  - gh-aw-fragments/rigor.md
+  - gh-aw-fragments/mcp-pagination.md
+  - gh-aw-fragments/messages-footer.md
+  - gh-aw-fragments/safe-output-add-comment.md
 engine:
   id: copilot
 on:
@@ -56,16 +63,12 @@ network:
     - "docs-v3-preview.elastic.dev"
 strict: false
 safe-outputs:
-  messages:
-    footer: "${{ inputs.messages-footer || '---\n[Docs automation](https://github.com/elastic/docs-actions) | [From workflow: {workflow_name}]({run_url})\n\nReact with 👍 if helpful, 👎 if not.' }}"
   allowed-domains:
     - www.elastic.co
     - docs-v3-preview.elastic.dev
     - github.com
   noop:
   add-comment:
-    max: 1
-    discussions: false
 timeout-minutes: 30
 steps:
   - name: Repo-specific setup
@@ -160,21 +163,6 @@ Post a single, well-structured comment using `add_comment` with the following fo
 <For each affected page, a brief explanation of what needs to change and why.>
 ```
 
-## add-comment Limitations
-
-- **Body**: Max 65,536 characters (including any footer added by gh-aw). Keep well under this limit.
-- **Mentions**: Max 10 `@` mentions per comment.
-- **Links**: Max 50 URLs per comment.
-- **HTML**: Only safe tags allowed (`details`, `summary`, `code`, `pre`, `blockquote`, `table`, `b`, `em`, `strong`, `h1`-`h6`, `hr`, `br`, `li`, `ol`, `ul`, `p`, `sub`, `sup`). Other tags are converted to parentheses.
-- **URLs**: Only HTTPS URLs to allowed domains. Non-HTTPS and non-allowed domains are redacted.
-- **Bot triggers**: References like `fixes #123` or `closes #456` are neutralized to prevent unintended issue closures.
-
-If you exceed 10 mentions or 50 links, the comment will be rejected.
-
-## Message Footer
-
-A footer is automatically appended to all comments and reviews. Do not add your own footer or sign-off — the runtime handles this.
-
 ## Edge cases
 
 - If the URL is not a valid GitHub PR or commit URL, report the error and suggest the correct format.

.github/workflows/gh-aw-docs-check.md

@@ -0,0 +1,7 @@
+## Formatting Guidelines
+
+- Lead with the most important information — your first sentence should be the key takeaway
+- Be concise and actionable — no filler or praise
+- Use `<details>` and `<summary>` tags for long sections to keep responses scannable
+- Wrap branch names and @-references in backticks to avoid pinging users
+- Include code snippets with file paths and line numbers when referencing the codebase

.github/workflows/gh-aw-fragments/formatting.md

@@ -0,0 +1,19 @@
+## MCP Pagination
+
+MCP tool responses have a **25,000 token limit**. When responses exceed this limit, the call fails and you must retry with pagination — wasting turns and tokens. Use proactive pagination to stay under the limit.
+
+### Recommended `perPage` Values
+
+- **5-10**: For detailed items (PR diffs, files with patches, issues with comments)
+- **20-30**: For medium-detail lists (commits, review comments, issue lists)
+- **50-100**: For simple list operations (branches, labels, tags)
+
+### Pagination Pattern
+
+When you need all results from a paginated API:
+
+1. Fetch the first page with a conservative `perPage` value
+2. Process the results before fetching the next page
+3. Continue fetching pages until you receive fewer results than `perPage` (indicating the last page)
+
+If you see `MCP tool response exceeds maximum allowed tokens`, retry with a smaller `perPage` value (halve it).

.github/workflows/gh-aw-fragments/mcp-pagination.md

@@ -0,0 +1,9 @@
+---
+safe-outputs:
+  messages:
+    footer: "${{ inputs.messages-footer || '---\n[Docs automation](https://github.com/elastic/docs-actions) | [From workflow: {workflow_name}]({run_url})\n\nReact with 👍 if helpful, 👎 if not.' }}"
+---
+
+## Message Footer
+
+A footer is automatically appended to all comments and reviews. Do not add your own footer or sign-off — the runtime handles this.

.github/workflows/gh-aw-fragments/messages-footer.md

@@ -0,0 +1,10 @@
+## Rigor
+
+**Silence is better than noise. A false positive wastes a human's time and erodes trust in every future report.**
+
+- If you claim something is missing or broken, show the exact evidence in the code — file path, line number, and what you observed.
+- If a conclusion depends on assumptions you haven't confirmed, do not assert it. Verify first; if you cannot verify, do not report.
+- "I don't know" is better than a wrong answer. `noop` is better than a speculative finding.
+- It's worth the time to verify now versus guessing and forcing someone else to verify later.
+- Before filing any issue or opening any PR, re-read your own output as a skeptical reviewer. Ask: "Would a senior engineer on this team find this useful, or would they close it immediately?" If the answer is "close," call `noop` instead.
+- Only report findings you would confidently defend in a code review. If you feel the need to hedge with "might," "could," or "possibly," the finding is not ready to file.

.github/workflows/gh-aw-fragments/rigor.md

@@ -0,0 +1,17 @@
+---
+safe-outputs:
+  add-comment:
+    max: 1
+    discussions: false
+---
+
+## add-comment Limitations
+
+- **Body**: Max 65,536 characters (including any footer added by gh-aw). Keep well under this limit.
+- **Mentions**: Max 10 `@` mentions per comment.
+- **Links**: Max 50 URLs per comment.
+- **HTML**: Only safe tags allowed (`details`, `summary`, `code`, `pre`, `blockquote`, `table`, `b`, `em`, `strong`, `h1`-`h6`, `hr`, `br`, `li`, `ol`, `ul`, `p`, `sub`, `sup`). Other tags are converted to parentheses.
+- **URLs**: Only HTTPS URLs to allowed domains. Non-HTTPS and non-allowed domains are redacted.
+- **Bot triggers**: References like `fixes #123` or `closes #456` are neutralized to prevent unintended issue closures.
+
+If you exceed 10 mentions or 50 links, the comment will be rejected.