feat(campaign): add orchestrator workflow generation

- Implemented BuildOrchestrator function to create a minimal agentic workflow representation for CampaignSpec.
- Added orchestrator markdown path generation to avoid collisions with existing workflows.
- Included basic metadata such as name, description, and associated workflows in the generated workflow.
- Created unit tests for BuildOrchestrator to ensure correct behavior and output.

fix(cli): handle campaign spec files in compile command

- Updated CompileWorkflows to validate campaign spec files and optionally synthesize orchestrator workflows.
- Ensured that campaign spec files are skipped during watch mode to prevent unexpected behavior.

chore(cli): add cobra import for command line functionality

Author: mnkiefer

.github/workflows/code-health-file-diet-campaign.lock.yml

@@ -0,0 +1,63 @@
+package campaign
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/githubnext/gh-aw/pkg/workflow"
+)
+
+// BuildOrchestrator constructs a minimal agentic workflow representation for a
+// given CampaignSpec. The resulting WorkflowData is compiled via the standard
+// CompileWorkflowDataWithValidation pipeline, and the orchestratorPath
+// determines the emitted .lock.yml name.
+func BuildOrchestrator(spec *CampaignSpec, campaignFilePath string) (*workflow.WorkflowData, string) {
+	// Derive orchestrator markdown path alongside the campaign spec, using a
+	// distinct suffix to avoid colliding with existing workflows.
+	base := strings.TrimSuffix(campaignFilePath, ".campaign.md")
+	orchestratorPath := base + "-campaign.md"
+
+	name := spec.Name
+	if strings.TrimSpace(name) == "" {
+		name = fmt.Sprintf("Campaign: %s", spec.ID)
+	}
+
+	description := spec.Description
+	if strings.TrimSpace(description) == "" {
+		description = fmt.Sprintf("Orchestrator workflow for campaign '%s' (tracker: %s)", spec.ID, spec.TrackerLabel)
+	}
+
+	// Minimal on: section - workflow_dispatch trigger with no inputs.
+	onSection := "on:\n  workflow_dispatch:\n"
+
+	// Simple markdown body giving the agent context about the campaign.
+	markdownBuilder := &strings.Builder{}
+	markdownBuilder.WriteString("# Campaign Orchestrator\n\n")
+	markdownBuilder.WriteString(fmt.Sprintf("This workflow orchestrates the '%s' campaign.\n\n", name))
+	if spec.TrackerLabel != "" {
+		markdownBuilder.WriteString(fmt.Sprintf("- Tracker label: `%s`\n", spec.TrackerLabel))
+	}
+	if len(spec.Workflows) > 0 {
+		markdownBuilder.WriteString("- Associated workflows: ")
+		markdownBuilder.WriteString(strings.Join(spec.Workflows, ", "))
+		markdownBuilder.WriteString("\n")
+	}
+	if len(spec.MemoryPaths) > 0 {
+		markdownBuilder.WriteString("- Memory paths: ")
+		markdownBuilder.WriteString(strings.Join(spec.MemoryPaths, ", "))
+		markdownBuilder.WriteString("\n")
+	}
+	if spec.MetricsGlob != "" {
+		markdownBuilder.WriteString(fmt.Sprintf("- Metrics glob: `%s`\n", spec.MetricsGlob))
+	}
+	markdownBuilder.WriteString("\nUse these details to coordinate workers, update metrics, and track progress for this campaign.\n")
+
+	data := &workflow.WorkflowData{
+		Name:            name,
+		Description:     description,
+		MarkdownContent: markdownBuilder.String(),
+		On:              onSection,
+	}
+
+	return data, orchestratorPath
+}

.github/workflows/incident-response-campaign.lock.yml

@@ -0,0 +1,45 @@
+package campaign
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestBuildOrchestrator_BasicShape(t *testing.T) {
+	spec := &CampaignSpec{
+		ID:           "security-q1-2025",
+		Name:         "Security Q1 2025",
+		Description:  "Security compliance campaign",
+		Workflows:    []string{"security-compliance"},
+		MemoryPaths:  []string{"memory/campaigns/security-q1-2025/**"},
+		MetricsGlob:  "memory/campaigns/security-q1-2025/*.json",
+		TrackerLabel: "campaign:security-q1-2025",
+	}
+
+	mdPath := ".github/workflows/security-compliance.campaign.md"
+	data, orchestratorPath := BuildOrchestrator(spec, mdPath)
+
+	if orchestratorPath != ".github/workflows/security-compliance-campaign.md" {
+		t.Fatalf("unexpected orchestrator path: got %q", orchestratorPath)
+	}
+
+	if data == nil {
+		t.Fatalf("expected non-nil WorkflowData")
+	}
+
+	if data.Name != spec.Name {
+		t.Fatalf("unexpected workflow name: got %q, want %q", data.Name, spec.Name)
+	}
+
+	if strings.TrimSpace(data.On) == "" || !strings.Contains(data.On, "workflow_dispatch") {
+		t.Fatalf("expected On section with workflow_dispatch trigger, got %q", data.On)
+	}
+
+	if !strings.Contains(data.MarkdownContent, "Security Q1 2025") {
+		t.Fatalf("expected markdown content to mention campaign name, got: %q", data.MarkdownContent)
+	}
+
+	if !strings.Contains(data.MarkdownContent, spec.TrackerLabel) {
+		t.Fatalf("expected markdown content to mention tracker label %q, got: %q", spec.TrackerLabel, data.MarkdownContent)
+	}
+}

.github/workflows/org-modernization-campaign.lock.yml

@@ -392,7 +392,7 @@ func CompileWorkflows(config CompileConfig) ([]*workflow.WorkflowData, error) {
 			// Handle campaign spec files separately from regular workflows
 			if strings.HasSuffix(resolvedFile, ".campaign.md") {
 				// Validate the campaign spec file and referenced workflows instead of
-				// compiling it as a regular workflow YAML.
+				// compiling it directly as a regular workflow YAML.
 				spec, problems, vErr := campaign.ValidateSpecFromFile(resolvedFile)
 				if vErr != nil {
 					errMsg := fmt.Sprintf("failed to validate campaign spec %s: %v", resolvedFile, vErr)
@@ -433,7 +433,40 @@ func CompileWorkflows(config CompileConfig) ([]*workflow.WorkflowData, error) {
 					errorCount++
 					stats.Errors++
 					stats.FailedWorkflows = append(stats.FailedWorkflows, filepath.Base(resolvedFile))
-				} else if verbose && !jsonOutput {
+					validationResults = append(validationResults, result)
+					continue
+				}
+
+				// Campaign spec is valid and referenced workflows exist.
+				// Optionally synthesize an orchestrator workflow for this campaign
+				// and compile it via the standard workflow pipeline.
+				if !noEmit {
+					orchestratorData, orchestratorPath := campaign.BuildOrchestrator(spec, resolvedFile)
+					lockFile := strings.TrimSuffix(orchestratorPath, ".md") + ".lock.yml"
+					result.CompiledFile = lockFile
+
+					if err := CompileWorkflowDataWithValidation(compiler, orchestratorData, orchestratorPath, verbose && !jsonOutput, zizmor && !noEmit, poutine && !noEmit, actionlint && !noEmit, strict, validate && !noEmit); err != nil {
+						if !jsonOutput {
+							fmt.Fprintln(os.Stderr, err.Error())
+						}
+						errorMessages = append(errorMessages, err.Error())
+						errorCount++
+						stats.Errors++
+						stats.FailedWorkflows = append(stats.FailedWorkflows, filepath.Base(orchestratorPath))
+
+						result.Valid = false
+						result.Errors = append(result.Errors, ValidationError{
+							Type:    "compilation_error",
+							Message: err.Error(),
+						})
+						validationResults = append(validationResults, result)
+						continue
+					}
+
+					compiledCount++
+				}
+
+				if verbose && !jsonOutput {
 					fmt.Fprintln(os.Stderr, console.FormatSuccessMessage(fmt.Sprintf("Validated campaign spec %s", filepath.Base(resolvedFile))))
 				}
 
@@ -669,7 +702,7 @@ func CompileWorkflows(config CompileConfig) ([]*workflow.WorkflowData, error) {
 		// Handle campaign spec files separately from regular workflows
 		if strings.HasSuffix(file, ".campaign.md") {
 			// Validate the campaign spec file and referenced workflows instead of
-			// compiling it as a regular workflow YAML.
+			// compiling it directly as a regular workflow YAML.
 			spec, problems, vErr := campaign.ValidateSpecFromFile(file)
 			if vErr != nil {
 				if !jsonOutput {
@@ -707,7 +740,39 @@ func CompileWorkflows(config CompileConfig) ([]*workflow.WorkflowData, error) {
 				errorCount++
 				stats.Errors++
 				stats.FailedWorkflows = append(stats.FailedWorkflows, filepath.Base(file))
-			} else if verbose && !jsonOutput {
+				validationResults = append(validationResults, result)
+				continue
+			}
+
+			// Campaign spec is valid and referenced workflows exist.
+			// Optionally synthesize an orchestrator workflow for this campaign
+			// and compile it via the standard workflow pipeline.
+			if !noEmit {
+				orchestratorData, orchestratorPath := campaign.BuildOrchestrator(spec, file)
+				lockFile := strings.TrimSuffix(orchestratorPath, ".md") + ".lock.yml"
+				result.CompiledFile = lockFile
+
+				if err := CompileWorkflowDataWithValidation(compiler, orchestratorData, orchestratorPath, verbose && !jsonOutput, zizmor && !noEmit, poutine && !noEmit, actionlint && !noEmit, strict, validate && !noEmit); err != nil {
+					if !jsonOutput {
+						fmt.Fprintln(os.Stderr, err.Error())
+					}
+					errorCount++
+					stats.Errors++
+					stats.FailedWorkflows = append(stats.FailedWorkflows, filepath.Base(orchestratorPath))
+
+					result.Valid = false
+					result.Errors = append(result.Errors, ValidationError{
+						Type:    "compilation_error",
+						Message: err.Error(),
+					})
+					validationResults = append(validationResults, result)
+					continue
+				}
+
+				successCount++
+			}
+
+			if verbose && !jsonOutput {
 				fmt.Fprintln(os.Stderr, console.FormatSuccessMessage(fmt.Sprintf("Validated campaign spec %s", filepath.Base(file))))
 			}
 
@@ -1125,6 +1190,18 @@ func compileSingleFile(compiler *workflow.Compiler, file string, stats *Compilat
 		}
 	}
 
+	// Skip campaign spec files here; they are validated via the campaign
+	// pipeline and are not compiled into GitHub Actions workflows in watch
+	// mode. Orchestrators for campaigns are generated only in non-watch
+	// compile paths to avoid surprising behavior while editing.
+	if strings.HasSuffix(file, ".campaign.md") {
+		compileLog.Printf("Skipping campaign spec file (not a workflow): %s", file)
+		if verbose {
+			fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Skipping campaign spec (not a workflow): %s", filepath.Base(file))))
+		}
+		return true
+	}
+
 	stats.Total++
 
 	compileLog.Printf("Compiling: %s", file)

.github/workflows/security-compliance-campaign.lock.yml

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/githubnext/gh-aw/pkg/console"
+	"github.com/spf13/cobra"
 )
 
 // tokenSpec describes a recommended token secret for gh-aw