github-actions: support flaky test fixer

[v1v]

Proposed commit message

Part of #49855, but the fixer part but only enabled for the BK Test Failures.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[botelastic]

This pull request doesn't have a Team:<team> label.

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @v1v? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b92c194d-c1ce-48d3-a39a-17e9e0877afd

📥 Commits

Reviewing files that changed from the base of the PR and between 8197c88 and 68d6628.

📒 Files selected for processing (1)

• .github/workflows/trigger-issue-fixer.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/trigger-issue-fixer.yml

---

📝 Walkthrough

Walkthrough

Adds .github/workflows/trigger-issue-fixer.yml, a workflow triggered on issue opened events. It defines explicit repository permissions (read for actions/contents; write for issues, discussions, pull requests) and a single job, flaky-test-fixer, that runs only when the opened issue has the flaky-test label. The job calls the reusable workflow elastic/ai-github-actions/.github/workflows/gh-aw-issue-fixer.lock.yml@v0, passes an allowed-bot-users allowlist, supplies COPILOT_GITHUB_TOKEN from repository secrets, and forwards instructions to apply skip-changelog and backport-active-all labels on PR creation.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/trigger-issue-fixer.yml:
- Line 16: The workflow reference uses a mutable tag
"elastic/ai-github-actions/.github/workflows/gh-aw-issue-fixer.lock.yml@v0";
replace this mutable ref with the repository's immutable commit SHA for that
workflow file (fetch the exact full commit SHA that corresponds to the v0
release in the elastic/ai-github-actions repo and update the uses entry to use
@<full-commit-sha>) so the reusable workflow is pinned to an immutable commit;
ensure you update the string in the uses declaration exactly where
"gh-aw-issue-fixer.lock.yml@v0" appears.
- Around line 6-11: The workflow grants elevated write scopes to the default
GITHUB_TOKEN (permissions keys actions/contents/discussions/issues/pull-requests
set to write); change these to read-only (set each to read) so the default token
is least-privilege, and rely on the existing COPILOT_GITHUB_TOKEN for any
downstream write operations—update the permissions block by replacing write with
read for actions, contents, discussions, issues, and pull-requests and confirm
COPILOT_GITHUB_TOKEN is used where write is required.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 064fe54c-8118-47c6-abe5-8d96a48051a6

📥 Commits

Reviewing files that changed from the base of the PR and between 75c6482 and 8197c88.

📒 Files selected for processing (1)

• .github/workflows/trigger-issue-fixer.yml

[fr4nc1sc0-r4m0n]

LGTM