…nstructions.md
- gh-aw-architecture.md: Rewritten with actual 5-layer security model, workflow frontmatter structure, safe output types, CLI commands, and AI engines
- gh-aw-firewall.md: Rewritten with actual AWF Squid proxy documentation, domain allowlists, integrity filtering, and defense-in-depth integration
- gh-aw-sandbox.md: Rewritten with actual containerized execution model, tool access, repo memory, and workflow lifecycle
- github-agentic-workflows.md: Enhanced with comprehensive gh-aw features including workflow structure, safe outputs, engines, CLI, and gallery
- copilot-instructions.md: Updated with TypeScript 6, gh-aw workflows section, EP MCP version 1.1.22, and streamlined content
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/107d3015-5761-4d10-a669-44c3a509bc43
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
- ci-cleaner.agent.md: Rewritten for npm/TypeScript CI (was Go/Make)
- developer.instructions.md: Rewritten for EU Parliament Monitor development
- create-safe-output-type.agent.md: Rewritten as safe output configuration guide
- custom-engine-implementation.agent.md: Rewritten as AI engine selection guide
- technical-doc-writer.agent.md: Compacted, adapted for this project
- w3c-specification-writer.agent.md: Compacted, added EU Parliament context
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/107d3015-5761-4d10-a669-44c3a509bc43
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Pull request overview
Rewrites the repository’s gh-aw skills and several Copilot agent instruction files to remove upstream Go/Make assumptions and document gh-aw concepts (safe outputs, sandboxing, AWF firewall, engines) in a way intended to match the EU Parliament Monitor’s Node.js/TypeScript setup.
Changes:
- Replaced speculative/incorrect gh-aw architecture/firewall/sandbox documentation with summaries aligned to gh-aw’s published docs.
- Simplified and re-scoped multiple Copilot agents from upstream Go tooling to this repo’s npm/TypeScript workflows.
- Updated .github/copilot-instructions.md to reference gh-aw usage and the current TS/Node stack.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| .github/skills/github-agentic-workflows.md | Expanded gh-aw overview, workflow structure, safe outputs, engines, and repo workflow list |
| .github/skills/gh-aw-sandbox.md | Replaced Kubernetes/Docker-compose style content with gh-aw sandbox + safe output flow explanation |
| .github/skills/gh-aw-firewall.md | Replaced fictional firewall content with AWF/Squid allowlist model and integrity filtering notes |
| .github/skills/gh-aw-architecture.md | Documented gh-aw 5-layer security model, frontmatter fields, and CLI commands |
| .github/copilot-instructions.md | Updated project overview, stack, gh-aw section, commands, and skill categorization |
| .github/agents/w3c-specification-writer.agent.md | Compacted agent instructions and added RFC 2119 guidance |
| .github/agents/technical-doc-writer.agent.md | Re-scoped to EU Parliament Monitor and condensed guidance |
| .github/agents/developer.instructions.md | Replaced upstream Go-centric guidance with repo-specific TS structure and workflow notes |
| .github/agents/custom-engine-implementation.agent.md | Replaced Go engine implementation guide with workflow engine selection/config guidance |
| .github/agents/create-safe-output-type.agent.md | Replaced Go implementation steps with safe-output configuration reference |
| .github/agents/ci-cleaner.agent.md | Replaced Make/Go CI cleanup steps with npm-based steps and workflow compilation guidance |
.github/copilot-instructions.md
| 3. **`README.md`** - Project overview, features, and documentation links | ||
| 4. **`.github/skills/`** - Skills library for security, architecture, compliance, testing | ||
| 5. **`.github/agents/`** - 8 specialized agents for delegation | ||
| 4. **`.github/skills/`** - Skills library (35 skills: security, architecture, compliance, testing, gh-aw) |
The instruction says the skills library has "35 skills", but .github/skills/ currently contains 34 skill files plus a README (35 files total). To avoid this drifting (and ambiguity about whether README counts), consider removing the numeric count or updating it to match the repo.
| 4. **`.github/skills/`** - Skills library (35 skills: security, architecture, compliance, testing, gh-aw) | |
| 4. **`.github/skills/`** - Skills library (security, architecture, compliance, testing, gh-aw) |
| @@ -29,10 +29,10 @@ | |||
| | **data-pipeline-specialist** | European Parliament MCP server integration and data pipelines | | |||
| | **frontend-specialist** | HTML5/CSS3, WCAG 2.1 AA accessibility, responsive design | | |||
| | **quality-engineer** | Testing, HTML validation, accessibility testing, performance | | |||
| | **security-architect** | ISMS compliance, threat modeling, GDPR/NIS2 | | |||
| | **devops-engineer** | GitHub Actions, CI/CD, gh-aw workflow compilation | | |||
| | **documentation-architect** | C4 models, Mermaid diagrams, API documentation | | |||
| | **devops-engineer** | GitHub Actions, CI/CD, deployment automation | | |||
| | **product-task-agent** | Issue creation, product management, ISMS tracking | | |||
| | **agentic-workflows** | gh-aw workflow creation, debugging, and upgrades | | |||
|
|
|||
| **Delegate specialized tasks to the appropriate agent.** | |||
|
|
|||
| @@ -41,13 +41,24 @@ | |||
| ```bash | |||
| npm run lint # ESLint + HTMLHint validation | |||
| npm run test # Run unit tests (Vitest) | |||
| npm run test:coverage # Tests with coverage reporting | |||
| npm run test:e2e # Playwright E2E tests | |||
| npm run generate-news # Generate multi-language news articles | |||
| npm run docs:generate # Generate JSDoc API docs | |||
| npm run format # Prettier formatting | |||
| npm run build # TypeScript compilation | |||
| ``` | |||
|
|
|||
| ## 🔄 GitHub Agentic Workflows (gh-aw) | |||
|
|
|||
| This project uses **11 gh-aw markdown workflows** in `.github/workflows/*.md` for automated news generation. These are compiled to `.lock.yml` files and run AI agents (Copilot/Claude/Codex) in sandboxed GitHub Actions with safe outputs. | |||
|
|
|||
| **Workflow files**: `news-breaking.md`, `news-weekly-review.md`, `news-monthly-review.md`, `news-week-ahead.md`, `news-month-ahead.md`, `news-committee-reports.md`, `news-motions.md`, `news-propositions.md`, `news-article-generator.md`, `news-translate.md` | |||
|
|
|||
This states there are "11 gh-aw markdown workflows" for news generation, but .github/workflows/ currently has 10 news-*.md workflows (breaking, weekly-review, monthly-review, week-ahead, month-ahead, committee-reports, motions, propositions, article-generator, translate). Please correct the count or add the missing workflow to the list so it’s consistent with the repo.
| ```bash | ||
| npm run lint # ESLint + HTMLHint validation | ||
| npm run test # Run unit tests (Vitest) | ||
| npm run test:coverage # Tests with coverage reporting | ||
| npm run test:e2e # Playwright E2E tests | ||
| npm run generate-news # Generate multi-language news articles | ||
| npm run docs:generate # Generate JSDoc API docs | ||
| npm run format # Prettier formatting | ||
| npm run build # TypeScript compilation |
npm run lint is described as "ESLint + HTMLHint validation", but in package.json the lint script runs only eslint src/ (HTMLHint is a separate npm run htmlhint). Update the command description or include the separate HTMLHint command to avoid misleading contributors/agents.
.github/copilot-instructions.md
| npm run test:coverage # Tests with coverage reporting | ||
| npm run test:e2e # Playwright E2E tests | ||
| npm run generate-news # Generate multi-language news articles | ||
| npm run docs:generate # Generate JSDoc API docs |
npm run docs:generate is described as generating "JSDoc API docs", but package.json shows it runs typedoc (docs:api). Please update the wording to TypeDoc to match the actual tooling.
| npm run docs:generate # Generate JSDoc API docs | |
| npm run docs:generate # Generate TypeDoc API docs |
| | News article generation | `news-journalist` | | ||
| | MCP data pipeline | `data-pipeline-specialist` | | ||
| | HTML/CSS/accessibility | `frontend-specialist` | | ||
| | Testing/validation | `quality-engineer` | | ||
| | Security/compliance | `security-architect` | | ||
| | Architecture docs | `documentation-architect` | | ||
| | CI/CD workflows | `devops-engineer` | | ||
| | Issue management | `product-task-agent` | |
The agent selection table recommends a security-architect agent, but there is no security-architect agent file under .github/agents/ in this repo (only references in docs). Either add the missing agent definition or update the table to list only agents that actually exist here.
.github/skills/gh-aw-firewall.md
| ## EU Parliament Monitor Relevance | ||
|
|
||
| ### Common Issues | ||
| For this project's gh-aw workflows, the AWF ensures: | ||
| - Agents can only access `data.europa.eu` and `op.europa.eu` for EP data | ||
| - GitHub API access is limited to read operations | ||
| - No unauthorized external API calls during news generation | ||
| - All MCP server communication stays within the sandbox |
The EU Parliament Monitor relevance bullets mention data.europa.eu/op.europa.eu, but the repo’s workflows actually allow and use data.europarl.europa.eu (and www.europarl.europa.eu) in network.allowed/safe-outputs.allowed-domains. Please update the domains so this guidance matches the real endpoints configured in .github/workflows/news-*.md.
.github/agents/ci-cleaner.agent.md
| CI is passing on main branch - no cleanup needed | ||
| ``` | ||
| 3. **Exit** - Your work is done | ||
| If CI is **passing**: Call the `noop` tool with a message like "CI is passing — no cleanup needed" and exit. |
The CI-cleaner instructions say to call a noop tool when CI is passing, but this repo’s gh-aw workflows use safeoutputs___noop as the safe-output tool call (see .github/workflows/news-*.md). Using noop will likely fail at runtime. Please rename to the correct tool call and include the expected message parameter if required by the safe-outputs schema.
| If CI is **passing**: Call the `noop` tool with a message like "CI is passing — no cleanup needed" and exit. | |
| If CI is **passing**: Call the `safeoutputs___noop` tool with a `message` parameter like "CI is passing — no cleanup needed" and exit. |
| ### 2. Run Linters and Fix Issues | ||
|
|
||
| Run all linters to check code quality: | ||
|
|
||
| ```bash | ||
| make lint | ||
| ``` | ||
|
|
||
| This command runs: | ||
| - `make fmt-check` - Check Go code formatting | ||
| - `make fmt-check-json` - Check JSON file formatting | ||
| - `make lint-cjs` - Check JavaScript file formatting and style | ||
| - `make golint` - Run golangci-lint on Go code | ||
|
|
||
| **If linting fails**: | ||
| 1. Review the error messages carefully | ||
| 2. Fix issues one by one based on linter feedback | ||
| 3. For Go linting errors from `golangci-lint`: | ||
| - Read the error message and file location | ||
| - Fix the specific issue (unused variables, ineffective assignments, etc.) | ||
| - Re-run `make lint` to verify the fix | ||
| 4. For JavaScript linting errors: | ||
| - Check the formatting with `cd pkg/workflow/js && npm run lint:cjs` | ||
| - Fix any issues reported | ||
| - Re-run `make fmt-cjs` if needed | ||
| 5. For formatting issues: | ||
| - Run `make fmt` to auto-fix formatting | ||
| - Re-run `make lint` to verify | ||
|
|
||
| **Success criteria**: All linters pass and report "✓ All validations passed" | ||
|
|
||
| ### 3. Run Go Tests | ||
|
|
||
| Run Go unit tests (faster, recommended for iterative development): | ||
|
|
||
| ```bash | ||
| make test-unit | ||
| npm run lint | ||
| ``` | ||
|
|
||
| Run all Go tests including integration tests: | ||
|
|
||
| ```bash | ||
| make test | ||
| ``` | ||
|
|
||
| **If tests fail**: | ||
| 1. Review the test failure output carefully | ||
| 2. Identify which test(s) failed and why | ||
| 3. Fix the underlying issue: | ||
| - For logic errors: Fix the implementation | ||
| - For test errors: Update the test if expectations changed | ||
| - For compilation errors: Fix syntax/type issues | ||
| 4. Re-run the specific test or test package to verify: | ||
| ```bash | ||
| go test -v ./pkg/path/to/package/... | ||
| ``` | ||
| 5. Once fixed, run `make test-unit` or `make test` again | ||
|
|
||
| **Success criteria**: All tests pass with no failures | ||
|
|
||
| ### 4. Run JavaScript Tests | ||
| If linting fails: | ||
| - Review ESLint error messages and fix issues | ||
| - For HTMLHint errors, fix HTML files in `news/` and root | ||
| - Re-run `npm run lint` to verify |
The linting section implies HTMLHint errors will show up under npm run lint, but npm run lint runs only ESLint in this repo; HTMLHint is npm run htmlhint. Consider updating the steps to run both commands (or remove the HTMLHint guidance) so the agent’s workflow is actionable.
| npm run lint # ESLint + HTMLHint validation | ||
| npm run format # Prettier formatting | ||
| npm run test # Vitest unit tests | ||
| npm run test:coverage # Tests with coverage | ||
| npm run test:e2e # Playwright E2E tests | ||
| npm run generate-news # Generate news articles | ||
| npm run docs:generate # JSDoc API docs |
This file describes npm run lint as "ESLint + HTMLHint validation" and npm run docs:generate as "JSDoc API docs", but package.json defines lint as eslint src/ and docs:generate as TypeDoc-based (typedoc). Please update these command descriptions to reflect the actual scripts.
| npm run lint # ESLint + HTMLHint validation | |
| npm run format # Prettier formatting | |
| npm run test # Vitest unit tests | |
| npm run test:coverage # Tests with coverage | |
| npm run test:e2e # Playwright E2E tests | |
| npm run generate-news # Generate news articles | |
| npm run docs:generate # JSDoc API docs | |
| npm run lint # ESLint (lint TypeScript in src/) | |
| npm run format # Prettier formatting | |
| npm run test # Vitest unit tests | |
| npm run test:coverage # Tests with coverage | |
| npm run test:e2e # Playwright E2E tests | |
| npm run generate-news # Generate news articles | |
| npm run docs:generate # Generate TypeDoc API docs |
| schedule: daily | ||
| permissions: | ||
| contents: read | ||
| tools: | ||
| github: | ||
| toolsets: [issues, repos] | ||
| european-parliament: {} | ||
| safe-outputs: | ||
| create-pull-request: | ||
| title-prefix: "[news] " | ||
| labels: [automated, news] |
The workflow frontmatter example here uses on.schedule: daily, tools:, and safe-output constraints like title-prefix, but the repo’s actual workflows use cron schedules, network.allowed, mcp-servers, and safe-outputs.allowed-domains (see .github/workflows/news-breaking.md). Consider updating this example to match the repo’s workflow format, or explicitly mark it as an upstream gh-aw example.
| schedule: daily | |
| permissions: | |
| contents: read | |
| tools: | |
| github: | |
| toolsets: [issues, repos] | |
| european-parliament: {} | |
| safe-outputs: | |
| create-pull-request: | |
| title-prefix: "[news] " | |
| labels: [automated, news] | |
| schedule: | |
| - cron: "0 * * * *" | |
| permissions: | |
| contents: read | |
| network: | |
| allowed: | |
| - github.com | |
| mcp-servers: | |
| european-parliament: | |
| command: ["npx", "european-parliament-mcp-server"] | |
| safe-outputs: | |
| allowed-domains: | |
| - "hack23.github.io" |
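Review bot: the suggested `command: ["npx", "european-parliament-mcp-server"]` line under `mcp-servers:` names the package without a version, so each scheduled run executes whatever release npx resolves at that moment inside the agent job. Pin an exact version in the example (the first commit message in this PR cites EP MCP version 1.1.22) so the pattern authors copy from this skill is reproducible and a broken or tampered release is not picked up automatically.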
@copilot apply changes based on the comments in this thread
…atter examples, domains, tool calls
- Fix skills count (remove numeric "35"), workflow count (11→10) in copilot-instructions.md
- Fix npm run lint description (ESLint only, not HTMLHint) across all files
- Fix npm run docs:generate description (TypeDoc, not JSDoc) across all files
- Add separate npm run htmlhint command where lint was referenced
- Remove non-existent security-architect from agent selection table
- Update all workflow frontmatter examples to match repo's actual format: network.allowed, mcp-servers, safe-outputs.allowed-domains, engine.id/model
- Fix AWF firewall domains to data.europarl.europa.eu/www.europarl.europa.eu
- Fix ci-cleaner noop tool to safeoutputs___noop
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/1d66859f-8c2b-4ce0-9c04-3f81dc46e756
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
All 14 review comments addressed in commit
| | Engine | Provider | Frontmatter | Best For | | ||
| |--------|----------|-------------|----------| | ||
| | Copilot | GitHub | `engine: copilot` (default) | General tasks, best GitHub integration | | ||
| | Claude | Anthropic | `engine: claude` | Complex analysis, long context, deep reasoning | | ||
| | Codex | OpenAI | `engine: codex` | Code-focused tasks, structured output | |
The workflow examples use engine: copilot|claude|codex as a scalar, but this repo’s gh-aw workflows use an engine object with id (and typically model) (e.g. .github/workflows/news-breaking.md:76-78). Using the scalar form here is likely to produce invalid frontmatter or confuse workflow authors—please update the examples/table to match the repo’s actual frontmatter shape.
| tools: | ||
| github: | ||
| toolsets: [repos, issues] | ||
| european-parliament: {} |
The example includes tools: european-parliament: {} but in this repo the European Parliament MCP server is configured under mcp-servers: and not listed under tools: (see .github/workflows/news-breaking.md:39-52). Keeping this example as-is may lead authors to add unsupported/unused tool entries; consider aligning it to the repo pattern (mcp-servers + tools.github + bash).
| tools: | |
| github: | |
| toolsets: [repos, issues] | |
| european-parliament: {} | |
| mcp-servers: | |
| european-parliament: {} | |
| tools: | |
| github: | |
| toolsets: [repos, issues] | |
| bash: {} |
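Review bot: the suggested replacement adds `bash: {}` under `tools:`, which the four replaced lines did not contain, so an example meant only to relocate the MCP server also gives the agent shell execution. Drop `bash` from this example unless the workflow needs it. Also, `european-parliament: {}` under `mcp-servers:` omits the `command` entry that the other frontmatter suggestion in this review gives for the same server.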
@copilot apply changes based on the comments in this thread
…move EP MCP to mcp-servers
- Engine table/examples: scalar `engine: copilot` → object `engine: { id: copilot, model: claude-opus-4.6 }` to match repo's actual frontmatter
- EU Parliament Monitor example: moved `european-parliament` from `tools:` to `mcp-servers:` with proper npx config, added `network.allowed`, `safe-outputs.allowed-domains` to match `.github/workflows/news-breaking.md`
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/ce18e8ed-40b4-40e0-a218-b452a200c721
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Both review comments addressed in commit
.github/skills/gh-aw-sandbox.md
| ## Overview | ||
|
|
||
| The sandbox provides isolated execution environments for AI agents with controlled access to resources, MCP servers, and external APIs through the firewall. | ||
| Every gh-aw workflow runs inside an **isolated container** within GitHub Actions. The sandbox provides resource isolation, read-only filesystem access, and controlled tool execution — the agent can observe the repository but cannot modify it directly. |
The overview says the sandbox provides “read-only filesystem access” and that the repository checkout is read-only, but gh-aw agents in this repo do write to the workspace to generate patches/artifacts (see compiled workflows invoking copilot with --add-dir "${GITHUB_WORKSPACE}" and safe-outputs producing PR patches). Consider rephrasing to clarify that the GitHub token is read-only, while the workspace filesystem is writable for patch generation.
| Every gh-aw workflow runs inside an **isolated container** within GitHub Actions. The sandbox provides resource isolation, read-only filesystem access, and controlled tool execution — the agent can observe the repository but cannot modify it directly. | |
| Every gh-aw workflow runs inside an **isolated container** within GitHub Actions. The sandbox provides resource isolation, a read-only GitHub token, and controlled tool execution — the agent can read and write files in the ephemeral workspace to generate patches and artifacts, but cannot push changes or use write permissions against the repository directly. |
.github/skills/gh-aw-firewall.md
| - Agents can only access `data.europarl.europa.eu` and `www.europarl.europa.eu` for EP data | ||
| - Wildcard `*.europa.eu` is allowed for additional EU institutional domains | ||
| - GitHub API access is limited to read operations | ||
| - No unauthorized external API calls during news generation | ||
| - All MCP server communication stays within the sandbox |
The “EU Parliament Monitor Relevance” bullets are too restrictive compared to actual workflow allowlists. For example, .github/workflows/news-breaking.md allows github.com and api.github.com (and some workflows also allow *.com, *.org, api.worldbank.org, etc.), so it’s not accurate to say agents can only access the two EP domains.
| - Agents can only access `data.europarl.europa.eu` and `www.europarl.europa.eu` for EP data | |
| - Wildcard `*.europa.eu` is allowed for additional EU institutional domains | |
| - GitHub API access is limited to read operations | |
| - No unauthorized external API calls during news generation | |
| - All MCP server communication stays within the sandbox | |
| - Agents can access only explicitly allowlisted domains; for EP data this includes `data.europarl.europa.eu` and `www.europarl.europa.eu` | |
| - Wildcard `*.europa.eu` is allowed for additional EU institutional domains as configured per workflow | |
| - GitHub API access (e.g., `github.com`, `api.github.com`) is limited to read operations as defined in the allowlist | |
| - No unauthorized external API calls during news generation beyond the configured `network.allowed` domains | |
| - All MCP server communication stays within the sandboxed, allowlisted network environment |
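Review bot: the third suggested bullet says GitHub API access "is limited to read operations as defined in the allowlist", but a domain allowlist only decides which hosts are reachable, not which operations are permitted on them. The read-only property comes from the token, as the sandbox suggestion in this review states ("a read-only GitHub token") and as `permissions: contents: read` in the frontmatter examples shows. Reword the bullet to attribute reachability to `network.allowed` and read-only access to the token permissions.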
| ### Safe Output Types | ||
|
|
||
| | Type | Key Constraints | | ||
| |------|----------------| | ||
| | `create-issue` | `title-prefix`, `labels`, `max`, `close-older-issues` | | ||
| | `create-pull-request` | `title-prefix`, `labels`, `max-changed-files` | | ||
| | `add-labels` | `allowed` label list | | ||
| | `add-comment` | `max` count | | ||
| | `create-discussion` | `category`, `title-prefix` | | ||
| | `close-issue` | `max` count | | ||
|
|
The “Safe Output Types” table lists constraint keys like title-prefix, labels, and max-changed-files, but the compiled lock workflows for this repo currently configure safe outputs using fields like max_patch_size, protected_files, and protected_path_prefixes (see news-breaking.lock.yml safe outputs config). To avoid misleading workflow authors, please either align this table to the constraints actually enforced here, or clearly label it as an upstream gh-aw example rather than this repo’s current configuration.
.github/skills/gh-aw-architecture.md
| ### 3. Sandbox Environment | ||
| **Purpose**: Isolated execution environment for agents | ||
| ### Layer 4: Safe Outputs with Guardrails | ||
| The agent produces structured JSONL artifacts describing intended actions (e.g., "create issue with this title"). A **separate write job** with scoped permissions reads the artifact and applies only what the workflow permits — hard limits per operation, required prefixes, label constraints. |
Layer 4 describes “required prefixes” and “label constraints” as part of safe outputs. In this repo’s compiled workflows the safe outputs handler config currently enforces limits like max_patch_size / protected file lists rather than title-prefix/label constraints. Consider adjusting this description (or explicitly noting these are possible constraints) to match what the workflows actually enforce today.
| The agent produces structured JSONL artifacts describing intended actions (e.g., "create issue with this title"). A **separate write job** with scoped permissions reads the artifact and applies only what the workflow permits — hard limits per operation, required prefixes, label constraints. | |
| The agent produces structured JSONL artifacts describing intended actions (e.g., "create issue with this title"). A **separate write job** with scoped permissions reads the artifact and applies only what the workflow permits — hard limits per operation (for example, maximum patch size, protected file lists, and optionally required prefixes or label constraints configured per workflow). |
.github/copilot-instructions.md
| - **Deployment**: GitHub Pages (static site) | ||
| - **Data Source**: European Parliament MCP Server (`european-parliament-mcp-server`) | ||
| - **Stack**: Node.js 25, TypeScript 6, HTML5/CSS3, Vitest, Playwright, ESLint | ||
| - **License**: Apache-2.0 | **Deployment**: GitHub Pages + S3 CDN |
“Deployment: GitHub Pages + S3 CDN” is ambiguous/misleading given the repo has a first-class S3/CloudFront deployment workflow (.github/workflows/deploy-s3.yml) and no equivalent GitHub Pages deploy workflow (Pages appears to be a failover/runbook scenario). Consider rewording to reflect the primary deployment path vs. fallback.
| - **License**: Apache-2.0 | **Deployment**: GitHub Pages + S3 CDN | |
| - **License**: Apache-2.0 | **Deployment**: AWS S3/CloudFront (primary) with GitHub Pages as fallback/runbook |
.github/copilot-instructions.md
| 2. **Never** break WCAG 2.1 AA compliance | ||
| 3. **Never** skip testing before committing | ||
| 4. **Never** use deprecated crypto (MD5, SHA-1, DES, 3DES) | ||
| 5. **Never** merge Dependabot PRs on gh-aw manifest files directly |
“Never merge Dependabot PRs on gh-aw manifest files directly” is unclear in this repo: there are no generated gh-aw manifest files like .github/workflows/package.json / requirements.txt / go.mod here. Consider either naming the actual generated artifacts that shouldn’t be merged directly (e.g., .lock.yml files) or removing this rule to avoid confusion.
| 5. **Never** merge Dependabot PRs on gh-aw manifest files directly |
| ### Safe Output Rules | ||
| - Agent produces JSONL artifacts, never writes to GitHub directly | ||
| - Write job validates against `safe-outputs` constraints | ||
| - Title prefixes, label allowlists, and max counts enforce guardrails |
The “Safe Output Rules” imply this repo enforces title prefixes and label allowlists via safe-outputs constraints. However, the current news workflows’ safe-outputs sections are {} (and the compiled .lock.yml handler config enforces things like max_patch_size / protected file lists instead). Suggest rephrasing this to describe the constraints that are actually enforced here, or clearly mark prefixes/labels as optional gh-aw capabilities not currently used by this repo.
| - Title prefixes, label allowlists, and max counts enforce guardrails | |
| - Guardrails are enforced via the compiled `.lock.yml` (e.g. `max_patch_size`, protected file lists, and network/output restrictions) | |
| - Title prefixes and label allowlists are optional gh-aw capabilities and are not currently configured for this repo |
| ```yaml | ||
| safe-outputs: | ||
| create-pull-request: | ||
| title-prefix: "[news] " | ||
| labels: [automated, news, breaking] | ||
| max-changed-files: 100 |
The examples here use safe-outputs.create-pull-request.title-prefix / labels / max-changed-files, but this repo’s actual news workflows currently configure create-pull-request: {} (and enforcement happens via the compiled .lock.yml safe outputs handler config). To keep this agent repo-specific and avoid confusion, consider either updating the examples to match current workflow usage, or explicitly labeling these fields as optional upstream gh-aw features not currently used in this repository.
| ```yaml | |
| safe-outputs: | |
| create-pull-request: | |
| title-prefix: "[news] " | |
| labels: [automated, news, breaking] | |
| max-changed-files: 100 | |
| In this repository, the news workflows configure `create-pull-request: {}` and rely on the compiled `.lock.yml` safe outputs handler config to enforce title prefixes, labels, and file limits. The fields shown earlier (`title-prefix`, `labels`, `max-changed-files`) are **optional upstream gh-aw features** and are **not currently used** in this repo's workflows. | |
| ```yaml | |
| safe-outputs: | |
| create-pull-request: {} # Enforcement via compiled .lock.yml safe outputs handler config |
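Review bot: the first sentence of the suggested paragraph says the compiled `.lock.yml` handler config is relied on "to enforce title prefixes, labels, and file limits", while the next sentence says `title-prefix`, `labels` and `max-changed-files` are not used in this repo. Other comments in this review name `max_patch_size` and protected file lists as what the handler enforces; state those in the first sentence so readers do not assume PR titles and labels are constrained when they are not.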
@copilot apply changes based on the comments in this thread
…ccuracy, safe-output constraints, deployment description
- Sandbox: clarified workspace is writable for patch generation, only GitHub token is read-only
- Firewall: expanded EU Parliament Monitor relevance with wildcard domains, GitHub API details
- Safe Output Types: marked constraint fields as optional upstream features, noted repo uses .lock.yml enforcement (max_patch_size, protected_files)
- Architecture Layer 4: updated to mention actual constraints (max patch size, protected file lists)
- Deployment: corrected to "AWS S3/CloudFront (primary) with GitHub Pages as fallback/runbook"
- Dependabot rule: clarified to reference compiled .lock.yml files
- Developer instructions: updated Safe Output Rules to match actual enforcement
- Create-safe-output-type: noted upstream constraints not currently used, added actual repo config
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/01367bbb-f3b4-4d1f-991c-e700183275e8
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
All 8 review comments addressed in commit
| ```markdown | ||
| --- | ||
| tools: | ||
| # GitHub tools with specific toolsets | ||
| github: | ||
| toolsets: [issues, repos, pull_requests] | ||
|
|
||
| - name: input-data | ||
| mountPath: /workspace/input | ||
| readOnly: true | ||
| # Web fetching for external data | ||
| web-fetch: {} | ||
|
|
||
| - name: cache | ||
| mountPath: /workspace/cache | ||
| # File system access (workspace only) | ||
| filesystem: {} | ||
|
|
||
| - name: secrets | ||
| mountPath: /secrets | ||
| readOnly: true | ||
| ``` | ||
|
|
||
| ## GitHub Actions Integration | ||
|
|
||
| ### Sandbox as GitHub Actions Service | ||
|
|
||
| ```yaml | ||
| jobs: | ||
| agent-task: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| services: | ||
| sandbox: | ||
| image: ghcr.io/github/gh-aw-sandbox:latest | ||
| env: | ||
| MCP_GATEWAY_URL: http://mcp-gateway:8000 | ||
| MCP_GATEWAY_API_KEY: ${{ secrets.MCP_KEY }} | ||
| options: >- | ||
| --cpus 2 | ||
| --memory 4g | ||
| --network agent-network | ||
|
|
||
| steps: | ||
| - name: Execute Agent | ||
| run: | | ||
| docker exec ${{ job.services.sandbox.id }} \ | ||
| agent-cli execute --task "Monitor EU Parliament" | ||
| # Custom MCP servers | ||
| european-parliament: {} | ||
| --- |
The tool configuration example lists european-parliament under tools:. In this repo’s actual gh-aw workflows (e.g. .github/workflows/news-breaking.md), the server is configured under mcp-servers: and not listed under tools:. Either update the example to match this repo’s frontmatter, or clarify that mcp-servers defines the server while tools controls built-ins like github/bash in this repository’s usage.
.github/skills/gh-aw-sandbox.md
Outdated
| ### Built-in Tools (Always Available) | ||
| | Tool | Purpose | | ||
| |------|---------| | ||
| | `bash` | Shell command execution within sandbox | | ||
| | `edit` | File editing within workspace | | ||
| | `read` | File reading | | ||
|
|
This section says built-in tools are “Always Available” (including bash), but this repo’s gh-aw workflows explicitly enable bash via tools: { bash: true } (see .github/workflows/news-breaking.md:48-53). Consider rewording to avoid implying bash is always enabled by default, or note that it must be turned on in frontmatter in this repo.
@copilot apply changes based on the comments in this thread
…ash requires explicit enablement
- Tool config example: moved european-parliament from tools: to mcp-servers: with
proper npx config matching repo's actual workflow frontmatter
- Built-in tools table: added 'Enabled By' column; bash requires explicit
tools: { bash: true } in frontmatter, not always available by default
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/e08abeeb-a28b-43cf-b6ea-83f6ff4d7acd
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Both review comments addressed in commit
| | `copilot` | GitHub | Default, best GitHub integration | | ||
| | `claude` | Anthropic | Complex analysis, long context | | ||
| | `codex` | OpenAI | Code-focused tasks | | ||
|
|
The “AI Engine Selection” table implies engine: { id: claude } is a valid/used option, but this repo’s workflows (e.g. news-breaking.md) run Claude via engine.id: copilot with a model: claude-opus-4.6 override. Consider adjusting the table (or adding a note) so readers don’t configure an unsupported id: claude in this repo’s workflows.
| > Note: In this repository’s gh-aw workflows, `engine.id` is always set to `copilot`. To run Claude, use a Claude model via the `model` field (for example, `model: claude-opus-4.6`) rather than configuring `engine.id: claude`. |
.github/skills/gh-aw-architecture.md
Outdated
| | `safe-outputs` | Gated write operations with constraints | | ||
| | `timeout-minutes` | Maximum execution time | | ||
| | `engine` | AI engine: `copilot` (default), `claude`, `codex`, or custom | | ||
| | `min-integrity` | Integrity filtering for public repos (default: `approved`) | |
min-integrity is listed here as a top-level frontmatter field, but elsewhere in this PR (see gh-aw-firewall.md) integrity filtering is configured under tools.github.min-integrity. The repo’s existing workflows also don’t use a top-level min-integrity. Align the docs to a single location/key so workflow authors don’t end up with a frontmatter field that gh-aw ignores.
| | `min-integrity` | Integrity filtering for public repos (default: `approved`) | |
.github/skills/gh-aw-firewall.md
Outdated
| curl -X PATCH http://firewall:9090/api/rate-limits \ | ||
| -d '{"requestsPerMinute": 200, "temporary": true, "duration": "1h"}' | ||
| ``` | ||
| **Agent can't reach required API**: Add domain to the tools allowlist in frontmatter |
In “Common Issues”, the fix says “Add domain to the tools allowlist in frontmatter”, but domain allowlisting in this repo is configured via network.allowed (as shown earlier in this doc). Suggest updating the wording to point to network.allowed to avoid readers editing the wrong section.
| **Agent can't reach required API**: Add domain to the tools allowlist in frontmatter | |
| **Agent can't reach required API**: Add the domain to `network.allowed` in the workflow frontmatter |
.github/skills/gh-aw-sandbox.md
Outdated
| - **Writable workspace**: Agent can read/write files in the ephemeral workspace for patch generation | ||
| - **No credentials**: Write tokens and API keys are never exposed to the agent | ||
| - **Network filtered**: All outbound traffic routed through AWF (Agent Workflow Firewall) | ||
| - **Resource limited**: CPU, memory, and time constraints via `timeout-minutes` |
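Review bot: the "No credentials" bullet is labelled more broadly than its own text, which only says write tokens and API keys are withheld. The commit message earlier in this thread says the GitHub token is read-only, so the agent does hold a credential; rename the label to something like "No write credentials" and state that a read-only GitHub token is present.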
timeout-minutes only controls the job’s wall-clock timeout; it doesn’t set CPU or memory limits. To avoid misleading readers, suggest rephrasing this bullet to separate “time limited via timeout-minutes” from “CPU/memory limited by the GitHub Actions runner/sandbox defaults” (or cite the specific gh-aw mechanism if it actually enforces CPU/memory).
| - **Resource limited**: CPU, memory, and time constraints via `timeout-minutes` | |
| - **Resource limited**: Wall-clock time limited via GitHub Actions `timeout-minutes`; CPU and memory constrained by the GitHub Actions runner/sandbox defaults |
.github/skills/gh-aw-architecture.md
Outdated
| | `tools` | MCP servers and tool access (github, web-fetch, filesystem) | | ||
| | `safe-outputs` | Gated write operations with constraints | | ||
| | `timeout-minutes` | Maximum execution time | | ||
| | `engine` | AI engine: `copilot` (default), `claude`, `codex`, or custom | |
The engine row lists claude as an engine id, but the repo’s compiled news workflows run Claude via engine.id: copilot with a model: claude-opus-4.6 override (see news-breaking.md). Consider clarifying here (e.g., “in this repo, Claude is selected via engine: { id: copilot, model: ... }”) to prevent authors from trying engine.id: claude and getting a compile/runtime error.
| | `engine` | AI engine: `copilot` (default), `claude`, `codex`, or custom | | |
| | `engine` | AI engine configuration. In this repo, Claude is selected via `engine: { id: copilot, model: claude-opus-4.6 }` (that is, `id` is `copilot` and the `model` field chooses the Claude variant). | |
@copilot apply changes based on the comments in this thread
…oval, network.allowed fix, timeout-minutes accuracy
- github-agentic-workflows.md: Added note that engine.id is always copilot in this repo; Claude via model field
- gh-aw-architecture.md: Removed min-integrity row; engine row now explains repo's copilot+model pattern
- gh-aw-firewall.md: Common Issues fix now points to network.allowed instead of tools allowlist
- gh-aw-sandbox.md: timeout-minutes clarified as wall-clock only; CPU/memory via runner defaults
Agent-Logs-Url: https://github.com/Hack23/euparliamentmonitor/sessions/ac2c3a09-ac19-4d8f-b3fd-95e493cc557f
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
All 5 review comments addressed in commit
The gh-aw skills contained speculative Docker/Kubernetes configurations that don't match the actual GitHub Agentic Workflows architecture. Several agents were copied verbatim from the upstream github/gh-aw Go repository and referenced Make commands, Go files, and patterns irrelevant to this Node.js/TypeScript project.

Skills rewritten from official gh-aw docs
Source: https://github.github.com/gh-aw/llms-full.txt
- gh-aw-architecture.md — Replaced fictional MCP gateway/Docker Compose stack with actual 5-layer security model (read-only tokens → zero secrets → AWF Squid proxy → safe outputs → threat detection), workflow frontmatter schema, safe output types, CLI commands, AI engines
- gh-aw-firewall.md — Replaced fictional REST API firewall with actual AWF (Agent Workflow Firewall) — Squid proxy enforcing domain allowlists at kernel level via iptables
- gh-aw-sandbox.md — Replaced Kubernetes-style pod specs with actual containerized execution model, tool access configuration, repo memory, workflow lifecycle
- github-agentic-workflows.md — Expanded with workflow frontmatter structure, safe output type reference, engine selection, gh aw compile CLI, and Agent Factory gallery

Agents adapted for this repo
- ci-cleaner.agent.md — Go/Make → npm/TypeScript CI (293→65 lines)
- developer.instructions.md — gh-aw Go patterns → EU Parliament Monitor TypeScript dev guide (289→112 lines)
- create-safe-output-type.agent.md — Go implementation guide → safe output YAML configuration reference (362→95 lines)
- custom-engine-implementation.agent.md — Go engine interface → engine selection guide for workflow authors (415→93 lines)
- technical-doc-writer.agent.md, w3c-specification-writer.agent.md — Compacted, added project context

copilot-instructions.md
Added gh-aw workflows section, TypeScript 6 stack reference, EP MCP 1.1.22, gh-aw doc links. Removed redundant content.

Net: ~1,800 lines removed while increasing accuracy and relevance.
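The frontmatter mistakes raised in the review comments above (an `engine.id` other than `copilot`, a top-level `min-integrity`, and `european-parliament` listed under `tools:` instead of `mcp-servers:`) can be checked mechanically before a workflow is compiled. The following lint is an added example, not code from this repository or from gh-aw. The function names, finding codes, sample frontmatter and the minimal parser are assumptions made for illustration.

```javascript
// Constructed frontmatter (not taken from the repository) containing the
// three mistakes the review comments describe.
const SAMPLE = [
  '---', 'engine:', '  id: claude', 'min-integrity: approved',
  'tools:', '  # built-in tools', '  bash: true', '  european-parliament: {}',
  'network:', '  allowed:', '    - example.org', '---', '# Workflow prompt',
].join('\n');

// Flatten block-style YAML keys (plus one-line { a: b } maps) into dotted paths.
function frontmatterPaths(markdown) {
  const m = /^---\r?\n([\s\S]*?)\r?\n---/.exec(markdown);
  const paths = new Map();
  const stack = []; // enclosing keys, outermost first
  for (const raw of m ? m[1].split(/\r?\n/) : []) {
    const kv = /^(\s*)([A-Za-z0-9_-]+):\s*(.*?)\s*$/.exec(raw.replace(/\s+#.*$/, ''));
    if (!kv) continue; // comments, list items and blank lines carry no key
    const indent = kv[1].length;
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    stack.push({ indent, key: kv[2] });
    const path = stack.map((s) => s.key).join('.');
    const flow = /^\{(.*)\}$/.exec(kv[3]);
    paths.set(path, flow ? '' : kv[3].replace(/^["']|["']$/g, ''));
    for (const part of flow ? flow[1].split(',') : []) {
      const [k, v = ''] = part.split(':').map((s) => s.trim());
      if (k) paths.set(`${path}.${k}`, v);
    }
  }
  return paths;
}

// Report frontmatter that contradicts the conventions stated in the review:
// engine.id is copilot, min-integrity sits under tools.github, and the
// european-parliament server belongs under mcp-servers.
function lintFrontmatter(markdown) {
  const p = frontmatterPaths(markdown);
  const findings = [];
  const engine = p.get('engine.id') || p.get('engine');
  if (engine && engine !== 'copilot') findings.push(`engine-id:${engine}`);
  if (p.has('min-integrity')) findings.push('top-level-min-integrity');
  if (p.has('tools.european-parliament')) findings.push('mcp-server-under-tools');
  return findings;
}
```

The parser covers only the block-style and one-line map shapes that appear in this thread; a check meant for CI would read the frontmatter with a YAML library instead.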