feat: add gh aw validate command #18191

Merged: pelikhan merged 3 commits into main from copilot/add-verify-command on Feb 24, 2026

Copilot AI commented Feb 24, 2026

Running gh aw compile --validate --no-emit --zizmor --actionlint --poutine to validate a workflow without generating lock files is verbose and hard to discover. gh aw validate provides a single ergonomic entry point for full workflow validation.

Changes

  • pkg/cli/validate_command.go: New NewValidateCommand() that delegates to CompileWorkflows with Validate, NoEmit, Zizmor, Actionlint, and Poutine all set to true, and exposes all relevant compile flags
  • cmd/gh-aw/main.go: Registers validate in the development command group
  • docs/: Adds gh aw validate to the compilation commands reference table

Usage

gh aw validate                          # Validate all workflows
gh aw validate ci-doctor                # Validate specific workflow
gh aw validate --dir custom/workflows   # Custom directory
gh aw validate --json                   # Output results in JSON format
gh aw validate --strict                 # Enforce strict mode validation
gh aw validate --fail-fast              # Stop at the first error
gh aw validate --engine copilot         # Override AI engine

Equivalent to:

gh aw compile --validate --no-emit --zizmor --actionlint --poutine

All existing compile flags are supported, including --engine/-e, --dir/-d, --strict, --json/-j, --fail-fast, --stats, and --no-check-update. The linters (zizmor, actionlint, poutine), --validate, and --no-emit are always-on defaults.

Original prompt

This section details on the original issue you should resolve

<issue_title>feature: gh aw verify command</issue_title>
<issue_description>To simply verify if an agentic workflow is producing valid action workflow, users are required to run the following command:

$ gh aw compile --validate --no-emit daily-issues-report.md

It would be easier to have a verify command that is a short hand for the --validate and --no-emit operations:

$ gh aw verify daily-issues-report.md

Note: the command may as well be called validate, but IMO that would be the same as compile --validate where to me, verify is also about --no-emit. And having both validate/verify as additional commands, would be confusing to most users who can't fully understand the semantics of the word validate versus verify.</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan Add a new `validate` command that runs the compiler in no-emit mode with the `validate` flag, and with Zizmor, `actionlint`, and poutine modes enabled. This command ensures that the action is compliant with all supported linters.


…no-emit with all linters

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add verify command for agentic workflow" to "feat: add gh aw verify command" on Feb 24, 2026
@pelikhan

@copilot, rename the command to validate and ensure that all existing compile flags, including support for .json, continue to work.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 24, 2026

> @copilot, rename the command to validate and ensure that all existing compile flags, including support for .json, continue to work.

Done in e8bbe5b. The command is now validate with all compile flags available: --engine/-e, --dir/-d, --strict, --json/-j, --fail-fast, --stats, and --no-check-update. The linters (zizmor, actionlint, poutine), --validate, and --no-emit remain always-on defaults.

Copilot AI changed the title from "feat: add gh aw verify command" to "feat: add gh aw validate command" on Feb 24, 2026
@pelikhan pelikhan marked this pull request as ready for review February 24, 2026 18:51
Copilot AI review requested due to automatic review settings February 24, 2026 18:51

Copilot AI left a comment

Pull request overview

Adds a new gh aw validate CLI command intended to provide an ergonomic shortcut for validating workflows (compile + validation + linters) without emitting lock files.

Changes:

  • Introduces pkg/cli/NewValidateCommand() that delegates to CompileWorkflows with validation-oriented defaults.
  • Registers the new validate command under the development command group in the CLI entrypoint.
  • Documents gh aw validate in the compilation process reference.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| pkg/cli/validate_command.go | New validate command wiring and compile configuration defaults |
| pkg/cli/validate_command_test.go | Unit test asserting command/flag shape |
| cmd/gh-aw/main.go | Registers validate command and assigns it to the development group |
| docs/src/content/docs/reference/compilation-process.md | Adds gh aw validate rows to the command reference table |
| pkg/cli/verify_command.go | Adds an empty “superseded” stub file for verify |
| pkg/cli/verify_command_test.go | Adds an empty “superseded” stub test file for verify |


Comment on lines +326 to +329
| `gh aw validate` | Validate all workflows (compile + all linters, no file output) |
| `gh aw validate my-workflow` | Validate a specific workflow |
| `gh aw validate --json` | Validate and output results in JSON format |
| `gh aw validate --strict` | Validate with strict mode enforced |

Copilot AI Feb 24, 2026

Docs say gh aw validate runs “compile + all linters” with no file output, but the current implementation forces NoEmit: true, and the compile pipeline only runs zizmor/actionlint/poutine when !NoEmit. Either adjust the implementation so linters run in validate mode, or update this documentation to match actual behavior.

Suggested change
| `gh aw validate` | Validate all workflows (compile + all linters, no file output) |
| `gh aw validate my-workflow` | Validate a specific workflow |
| `gh aw validate --json` | Validate and output results in JSON format |
| `gh aw validate --strict` | Validate with strict mode enforced |
| `gh aw validate` | Validate all workflows (configuration only; no file output or security linters) |
| `gh aw validate my-workflow` | Validate configuration for a specific workflow (no file output or security linters) |
| `gh aw validate --json` | Validate configuration and output results in JSON format (no security linters) |
| `gh aw validate --strict` | Validate with strict mode enforced (configuration only; run linters via \`gh aw compile\` for security scanning) |

Comment on lines +55 to +64
config := CompileConfig{
MarkdownFiles: args,
Verbose: verbose,
EngineOverride: engineOverride,
Validate: true,
NoEmit: true,
Zizmor: true,
Actionlint: true,
Poutine: true,
WorkflowDir: dir,
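Review bot: `NoEmit: true` is set next to `Zizmor: true`, `Actionlint: true` and `Poutine: true` in this literal, but the only test listed for the command, pkg/cli/validate_command_test.go, asserts command and flag shape, so nothing in the change checks that a linter actually runs under this combination. Add a test that drives the command against a sample workflow and fails when a requested linter was not invoked, so `gh aw validate` cannot pass without its security checks.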

Copilot AI Feb 24, 2026

NoEmit: true will prevent actionlint/zizmor/poutine from running at all. The compile pipeline only runs these tools when !config.NoEmit (e.g., pkg/cli/compile_orchestration.go:132-158 and similar), because it collects generated .lock.yml paths. As written, gh aw validate will effectively skip the external linters despite setting Zizmor/Actionlint/Poutine to true. Consider either (a) emitting lock files to a temp location and cleaning them up after linting, (b) allowing linters to run against in-memory output/temporary files even in no-emit mode, or (c) not forcing NoEmit when linters are requested.
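The failure mode raised in this review comment, modelled as an added Go example (not code from the gh-aw repository; `Config`, `requireLinted` and `tempTargets` are hypothetical names). `requireLinted` fails closed when linters were requested but received no files, and `tempTargets` implements option (a): compiled output goes to a private temporary directory for the linters and is removed afterwards.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Config is a hypothetical stand-in for the CompileConfig fields shown in the PR.
type Config struct{ NoEmit, Zizmor, Actionlint, Poutine bool }

// requireLinted fails closed: linters requested but nothing to scan is an error.
func requireLinted(c Config, targets []string) error {
	if (c.Zizmor || c.Actionlint || c.Poutine) && len(targets) == 0 {
		return fmt.Errorf("linters requested but no lock files were scanned (NoEmit=%v)", c.NoEmit)
	}
	return nil
}

// tempTargets writes compiled YAML (workflow name -> content) to a temp dir
// and returns the lock-file paths plus a cleanup that removes the directory.
func tempTargets(compiled map[string]string) ([]string, func(), error) {
	dir, err := os.MkdirTemp("", "validate-lock-")
	if err != nil {
		return nil, nil, err
	}
	cleanup := func() { os.RemoveAll(dir) }
	var paths []string
	for name, yaml := range compiled {
		p := filepath.Join(dir, filepath.Base(name)+".lock.yml") // Base keeps writes inside dir
		if err := os.WriteFile(p, []byte(yaml), 0o600); err != nil {
			cleanup()
			return nil, nil, err
		}
		paths = append(paths, p)
	}
	return paths, cleanup, nil
}

func main() {
	cfg := Config{NoEmit: true, Zizmor: true, Actionlint: true, Poutine: true}
	fmt.Println("gated on !NoEmit:", requireLinted(cfg, nil))
	paths, cleanup, err := tempTargets(map[string]string{"ci-doctor": "on: push\n"}) // constructed sample
	if err != nil {
		panic(err)
	}
	defer cleanup()
	fmt.Println("temp files:", requireLinted(cfg, paths))
}
```
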

Comment on lines +70 to +71
if _, err := CompileWorkflows(context.Background(), config); err != nil {
return err
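Review bot: The first return value of `CompileWorkflows` is discarded with `_` on line +70, so the exit status of `gh aw validate` depends on `err` alone. If that value carries per-workflow results, check it here, or document that every validation and linter failure is also returned as an error; otherwise a CI job using this command could exit 0 with findings present.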

Copilot AI Feb 24, 2026

CompileWorkflows is called with context.Background(), so cancellation/timeouts from Cobra (Ctrl-C, parent context) won’t propagate. This is inconsistent with the compile command which passes cmd.Context() (see cmd/gh-aw/main.go:322). Use cmd.Context() here instead.

@@ -0,0 +1,2 @@
// Package cli - verify_command.go is superseded by validate_command.go.

Copilot AI Feb 24, 2026

This new // Package cli ... comment is a package doc comment and may override/compete with the real package documentation in pkg/cli/doc.go when generating docs. Since the file is otherwise empty, consider deleting it, or at least move the comment below package cli (or change it to a non-package comment) to avoid impacting package docs.

Suggested change
// Package cli - verify_command.go is superseded by validate_command.go.
// verify_command.go is superseded by validate_command.go.

@pelikhan pelikhan merged commit 46b2dfb into main Feb 24, 2026
110 checks passed
@pelikhan pelikhan deleted the copilot/add-verify-command branch February 24, 2026 20:23
github-actions bot added a commit that referenced this pull request Feb 25, 2026
…cedence

- Add `validate` command section to setup/cli.md (Building section, after
  compile). The command was added in #18191 but was missing from the main
  CLI reference page; only the compilation-process.md reference table had
  been updated.

- Add NOTE callout to reference/threat-detection.md clarifying that an
  explicit `threat-detection: false` in a workflow takes precedence over
  imported fragments, documenting the behaviour fixed in #18231.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues.

feature: gh aw verify command
