Git-Ape: Drift
Workflow file: .github/workflows/git-ape-drift.md
:::info Agentic Workflow This is a GitHub Agentic Workflow — an AI-driven workflow authored in Markdown rather than traditional YAML. The AI agent reasons about drift, classifies changes, and creates PRs for human review. :::
Triggers
- schedule: daily around 06:00 UTC
- workflow_dispatch: manual trigger
Permissions
contents: read
issues: read
pull-requests: read
The agent job runs with read-only repository permissions. The issues and pull requests it produces are created through the safe outputs listed below, not by the agent writing to the repository directly.
What It Does
The drift workflow implements continuous drift remediation as described in the Platform Engineering for the Agentic AI Era manifesto.
1. Discovery​
Scans .azure/deployments/ for all active deployments (state.json with "status": "succeeded", excluding destroyed deployments).
2. Detection​
For each active deployment, the agent:
- Reads the stored ARM template (`template.json`) as the desired state
- Queries Azure for the current resource configuration via `az resource show`
- Compares properties and identifies differences
3. Classification​
Each drifted property is classified by severity:
| Severity | Examples | Action |
|---|---|---|
| 🔴 Critical | HTTPS disabled, firewall removed, auth changes, TLS downgrade | Issue + two PRs |
| 🟡 Warning | SKU changes, tag modifications, runtime version changes | Two PRs |
| 🔵 Info | Description changes, Azure Policy-added tags | Logged only |
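The following is an added example, not the workflow's own code, showing steps 1 to 3 end to end: discovery walks a constructed copy of `.azure/deployments/`, detection flattens the stored template and the `az resource show` output (both constructed inline, so it runs without Azure access) into dotted property paths and diffs them, and classification applies the severity table above. The property paths treated as critical and warning are assumptions, not the workflow's list.

```python
"""Drift discovery, detection and classification (steps 1 to 3).

Added example, not the workflow's own code. Template and Azure state are
constructed inline; the severity regexes are assumptions.
"""
import json
import re
import tempfile
from pathlib import Path

# Constructed: trimmed template.json resource (desired state).
DESIRED = {
    "type": "Microsoft.Web/sites",
    "properties": {"httpsOnly": True,
                   "siteConfig": {"minTlsVersion": "1.2", "linuxFxVersion": "PYTHON|3.11"}},
    "tags": {"env": "prod"},
}
# Constructed: the same resource as `az resource show` would return after
# portal edits and an Azure Policy-added tag.
CURRENT = {
    "type": "Microsoft.Web/sites",
    "properties": {"httpsOnly": False,
                   "siteConfig": {"minTlsVersion": "1.0", "linuxFxVersion": "PYTHON|3.12"}},
    "tags": {"env": "prod", "costCenter": "1234"},
}

# Assumed classification rules, matched against the dotted property path.
CRITICAL = re.compile(r"httpsOnly|minTlsVersion|publicNetworkAccess|ipSecurityRestrictions|[Ff]irewall|[Aa]uth")
WARNING = re.compile(r"^sku(\.|$)|^tags\.|linuxFxVersion|runtimeVersion")
ORDER = {"critical": 0, "warning": 1, "info": 2}


def discover(root):
    """Step 1: deployments whose state.json says succeeded (destroyed ones fall out)."""
    return [p.parent for p in sorted(Path(root).glob("*/state.json"))
            if json.loads(p.read_text()).get("status") == "succeeded"]


def flatten(obj, prefix=""):
    """Turn nested JSON into {'a.b.c': leaf}; lists are compared as whole values."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
        return out
    return {prefix.rstrip("."): obj}


def classify(path, desired):
    """Step 3: severity of one drifted property."""
    if path.startswith("tags.") and desired is None:
        return "info"          # tag added outside IaC, typically by Azure Policy
    if CRITICAL.search(path):
        return "critical"
    if WARNING.search(path):
        return "warning"
    return "info"


def detect_drift(desired, current):
    """Step 2: {path, desired, current, severity} for every differing property."""
    d, c = flatten(desired), flatten(current)
    return [{"path": p, "desired": d.get(p), "current": c.get(p),
             "severity": classify(p, d.get(p))}
            for p in sorted(set(d) | set(c)) if d.get(p) != c.get(p)]


def max_severity(drift):
    """Worst severity in a drift list, or None when nothing drifted."""
    return min((x["severity"] for x in drift), key=ORDER.get, default=None)


def build_sample_tree():
    """Constructed .azure/deployments/ with one live and one destroyed deployment."""
    root = Path(tempfile.mkdtemp()) / ".azure" / "deployments"
    for name, status in (("app-prod", "succeeded"), ("app-old", "destroyed")):
        (root / name).mkdir(parents=True)
        (root / name / "state.json").write_text(json.dumps({"status": status}))
        (root / name / "template.json").write_text(json.dumps(DESIRED))
    return root


if __name__ == "__main__":
    for deployment in discover(build_sample_tree()):
        template = json.loads((deployment / "template.json").read_text())
        for item in detect_drift(template, CURRENT):  # CURRENT stands in for az resource show
            print(deployment.name, item["severity"], item["path"], item["desired"], "->", item["current"])
```

Flattening to dotted paths is what makes the severity rules simple: `httpsOnly` or `minTlsVersion` anywhere in the path is critical regardless of how deeply the resource provider nests it, while a tag that exists only on the Azure side and not in the template is downgraded to info so that policy-managed tags do not page anyone.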
4. Anti-Flapping​
To prevent alert fatigue and churn:
- Debounce — No duplicate alerts for the same drift within 24 hours
- Cooldown — Skip resources with recently merged remediation PRs
- Persistence threshold — Only alert on drift persisting for 2+ consecutive checks
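As an added example, not the workflow's own code, the three rules above applied to successive checks of one drifted property. The cache-memory state is modelled as a JSON-serialisable dict with ISO-8601 timestamps so it can round-trip through a cache file; the record layout, the order in which the rules are applied, and the 24-hour cooldown window are assumptions (the page gives no figure for "recently merged").

```python
"""Anti-flapping for drift alerts.

Added example, not the workflow's own code. State layout and the cooldown
window are assumptions; debounce and persistence values come from the page.
"""
from datetime import datetime, timedelta

DEBOUNCE = timedelta(hours=24)   # page: no duplicate alert for the same drift within 24h
COOLDOWN = timedelta(hours=24)   # assumed: page gives no figure for "recently merged"
PERSISTENCE = 2                  # page: drift must persist for 2+ consecutive checks


def new_state():
    """Empty cache-memory state: per-property counters and per-resource merge times."""
    return {"drift": {}, "merged": {}}


def _age(now, then):
    return datetime.fromisoformat(now) - datetime.fromisoformat(then)


def note_merged_pr(state, resource_id, merged_at):
    """Record that a remediation PR for this resource was merged at merged_at (ISO-8601)."""
    state["merged"][resource_id] = merged_at


def decide(state, resource_id, path, drifted, now):
    """Classify one check of (resource, property) and update the state.

    Returns 'cooldown', 'clear', 'below-threshold', 'debounced' or 'alert'.
    Only 'alert' should lead to an issue or PR being created.
    """
    merged_at = state["merged"].get(resource_id)
    if merged_at and _age(now, merged_at) < COOLDOWN:
        return "cooldown"            # skip the resource entirely; counters untouched
    key = f"{resource_id}#{path}"
    rec = state["drift"].setdefault(key, {"consecutive": 0, "last_alert": None})
    if not drifted:
        rec["consecutive"] = 0       # one clean check resets persistence
        return "clear"
    rec["consecutive"] += 1
    if rec["consecutive"] < PERSISTENCE:
        return "below-threshold"     # may be a transient or in-progress change
    if rec["last_alert"] and _age(now, rec["last_alert"]) < DEBOUNCE:
        return "debounced"           # e.g. a manual workflow_dispatch re-run
    rec["last_alert"] = now
    return "alert"


if __name__ == "__main__":
    s = new_state()
    for day, hour, drifted in ((1, 6, True), (2, 6, True), (2, 8, True), (4, 6, False)):
        stamp = f"2024-06-{day:02d}T{hour:02d}:00:00+00:00"   # constructed timeline
        print(stamp, decide(s, "app-prod", "properties.httpsOnly", drifted, stamp))
```

Cooldown is checked before the counters are touched because the page says such resources are skipped, not merely silenced; a resource whose Adopt or Revert PR was just merged will look drifted until the change propagates, and counting those checks would trigger a fresh alert the moment the cooldown expires.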
5. Remediation PRs​
For each drifted deployment, the agent creates two draft PRs:
| PR | Purpose | Changes |
|---|---|---|
| Revert | Restore Azure to match IaC | Contains az commands to revert Azure state |
| Adopt | Update IaC to match Azure | Updates template.json to reflect current Azure config |
The human reviewer chooses which PR to merge (or closes both if neither is appropriate).
For Critical drift, a GitHub issue is also created with priority:critical and security labels.
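As an added example, not the workflow's own code, building the two PR payloads from a drift finding. The input is a constructed drift list of `{path, desired, current, severity}` records for one App Service; the Revert PR body becomes `az resource update --set`/`--remove` commands that push Azure back to the template, and the Adopt PR becomes a `template.json` with the current Azure values written in. Info-level drift is left out of both, matching "logged only" above. JSON-encoding every `--set` value so that a version string like `1.2` is not parsed as a number is an assumption about the Azure CLI's generic-update value parsing; check it against your `az` version.

```python
"""Generating the Revert and Adopt remediation PRs from a drift finding.

Added example, not the workflow's own code. Drift records, template and
resource ID are constructed; JSON-encoding --set values is an assumption.
"""
import copy
import json
import shlex

RESOURCE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
               "rg-prod/providers/Microsoft.Web/sites/app-prod")   # constructed
DRIFT = [  # constructed detection output
    {"path": "properties.httpsOnly", "desired": True, "current": False, "severity": "critical"},
    {"path": "properties.siteConfig.minTlsVersion", "desired": "1.2", "current": "1.0", "severity": "critical"},
    {"path": "tags.costCenter", "desired": None, "current": "1234", "severity": "info"},
]
TEMPLATE = {  # constructed, trimmed template.json
    "properties": {"httpsOnly": True, "siteConfig": {"minTlsVersion": "1.2"}},
    "tags": {"env": "prod"},
}


def actionable(drift):
    """Everything except info-level drift, which the page says is logged only."""
    return [d for d in drift if d["severity"] != "info"]


def revert_commands(resource_id, drift):
    """Revert PR: one idempotent `az resource update` restoring the IaC values."""
    sets = [f"{d['path']}={json.dumps(d['desired'])}"      # true, "1.2", 443 ...
            for d in actionable(drift) if d["desired"] is not None]
    removes = [d["path"] for d in actionable(drift) if d["desired"] is None]
    if not sets and not removes:
        return []
    cmd = ["az", "resource", "update", "--ids", resource_id]
    if sets:
        cmd += ["--set", *sets]
    if removes:
        cmd += ["--remove", *removes]   # present in Azure, absent from the template
    return [" ".join(shlex.quote(a) for a in cmd)]


def adopt_template(template, drift):
    """Adopt PR: copy of template.json with the current Azure values written in."""
    t = copy.deepcopy(template)
    for d in actionable(drift):
        *parents, leaf = d["path"].split(".")
        node = t
        for p in parents:
            node = node.setdefault(p, {})
        if d["current"] is None:
            node.pop(leaf, None)        # removed in Azure: drop it from IaC too
        else:
            node[leaf] = d["current"]
    return t


def plan_outputs(drift):
    """Safe outputs to emit: nothing for info-only drift, two PRs, plus an issue when critical."""
    if not actionable(drift):
        return []
    outputs = ["create-pull-request:revert", "create-pull-request:adopt"]
    if any(d["severity"] == "critical" for d in drift):
        outputs.insert(0, "create-issue")
    return outputs


if __name__ == "__main__":
    print(plan_outputs(DRIFT))
    print("\n".join(revert_commands(RESOURCE_ID, DRIFT)))
    print(json.dumps(adopt_template(TEMPLATE, DRIFT), indent=2))
```

Both PR bodies are derived from the same drift list, so a reviewer comparing them sees exactly one property set per record and can merge Revert for the security-relevant entries while leaving a runtime bump to be adopted later. Every argument goes through `shlex.quote` so a value that contains shell metacharacters, for instance a tag value taken from Azure, cannot change the meaning of the generated command.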
Safe Outputs
| Output | Configuration |
|---|---|
| create-issue | Prefix: `[drift]`, labels: `drift`, `security`, max: 5, auto-close older |
| create-pull-request | Prefix: `[drift-remediation]`, labels: `drift`, `automated-remediation`, draft: true, max: 10 |
Tools
| Tool | Purpose |
|---|---|
| bash | Azure CLI queries, JSON processing with jq |
| edit | Read/modify deployment files |
| cache-memory | Anti-flapping state and drift history |
Configuration
Enabling the Workflow
1. Install the gh-aw CLI extension: `gh extension install github/gh-aw`
2. Compile the workflow: `gh aw compile`
3. Commit and push both `.github/workflows/git-ape-drift.md` and the generated `.github/workflows/git-ape-drift.lock.yml`. The compiled `.lock.yml` is what GitHub Actions executes, so commit both files together whenever the Markdown source changes.
4. Configure the required secrets for your chosen AI engine (see Authentication)
Customizing the Schedule
Edit the on.schedule field in the frontmatter:
```yaml
on:
  schedule: daily around 06:00      # Default
  # schedule: "0 */6 * * *"         # Every 6 hours
  # schedule: weekly on monday      # Weekly
```
Azure Authentication
The workflow needs Azure CLI access to query resource state. Configure OIDC federated credentials as described in the onboarding guide: the job exchanges its short-lived GitHub Actions token for an Azure token, so no client secret has to be stored as a repository secret. Because this workflow only reads resource configuration, a Reader-scoped identity is sufficient for it.