Conversation
…ecurity, Agent Factory patterns Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/a0187349-71d9-4ca1-88f2-dc8c55e1a08d Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
… update gh-aw skills Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/a0187349-71d9-4ca1-88f2-dc8c55e1a08d Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR refreshes the repo’s GitHub Agentic Workflows (gh-aw) integration skills and significantly compacts the custom agent instruction files to remove duplicated boilerplate while keeping the core guidance.
Changes:
- Updated gh-aw integration skills to reflect newer gh-aw features/patterns (security architecture, safe-outputs, orchestration, CLI usage).
- Simplified/compacted all custom agent markdown files to reduce duplication and keep agent guidance focused.
- Minor metadata/version-history updates (e.g., descriptions, “Agent Factory” references).
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/skills/integration/github-agentic-workflows/SKILL.md | Major refresh of gh-aw overview, security model, examples, and references |
| .github/skills/integration/agentic-workflow-security/SKILL.md | Updates security guidance to “official” 5-layer framing + updated links |
| .github/skills/integration/agentic-workflow-orchestration/SKILL.md | Adds Agent Factory references and /plan-style orchestration positioning |
| .github/skills/integration/agentic-workflow-development/SKILL.md | Updates CLI/development guidance and related docs links |
| .github/skills/integration/continuous-ai-patterns/SKILL.md | Description/version-history update to reference Agent Factory categories |
| .github/agents/task-agent.md | Large compaction; keeps workflow/issue-creation guidance with less boilerplate |
| .github/agents/ui-enhancement-specialist.md | Compaction; focuses on rules, responsibilities, and key files |
| .github/agents/marketing-specialist.md | Compaction; keeps SEO/brand/metrics guidance in a shorter form |
| .github/agents/business-development-specialist.md | Compaction; keeps consultative selling + positioning guidance concise |
| .github/agents/political-analyst.md | Compaction; keeps ethical OSINT rules and CIA context |
| .github/agents/george-dorn.md | Compaction; keeps implementation philosophy/patterns/examples |
| .github/agents/hagbard-celine.md | Compaction; keeps product-vision framework and rules |
| .github/agents/simon-moon.md | Compaction; keeps architecture framing, checklists, and diagram patterns |
| max: 1 | ||
| add-labels: | ||
| allowed: [bug, feature, enhancement, documentation, question, help-wanted, good-first-issue] | ||
| add-comment: {} |
There was a problem hiding this comment.
In Example 1 the safe output uses add-comment, but elsewhere in this skill (and the Safe Outputs Reference table) the operation is create-comment. This inconsistency is likely to confuse users and can lead to non-working configs; please standardize on a single safe-output name and update the examples/best-practice bullet accordingly.
| add-comment: {} | |
| create-comment: {} |
| permissions: read-all | ||
| timeout-minutes: 5 | ||
| on: | ||
| issue: |
There was a problem hiding this comment.
Trigger naming is inconsistent: Example 1 uses on: issue: while Example 5 uses on: issues. Please pick one canonical form (or explicitly document when each is valid) and make all examples match to avoid copy/paste errors.
| issue: | |
| issues: |
| safe-outputs: | ||
| create-comment: | ||
| max: 5 | ||
| create-issue: |
There was a problem hiding this comment.
The rules state that all write operations should use safe-outputs: with max: limits, but several examples omit max: (e.g., create-issue in Example 2 and add-comment in Example 1). Either add explicit max: limits in the examples or relax/clarify the rule so guidance and examples don't contradict.
| create-issue: | |
| create-issue: | |
| max: 1 |
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
.github/agents/task-agent.md
Outdated
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
.github/agents/political-analyst.md
Outdated
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
.github/agents/hagbard-celine.md
Outdated
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
.github/agents/george-dorn.md
Outdated
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
| --- | ||
|
|
||
| ## 📋 Required Configuration Files | ||
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
There was a problem hiding this comment.
This agent’s “required reading” omits .github/workflows/copilot-setup-steps.yml, but .github/copilot-instructions.md explicitly requires reading it at session start. To avoid conflicting instructions, include that workflow file in the required-reading line here as well.
| **Read `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | |
| **Read `.github/copilot-instructions.md`, `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-mcp.json`, and `README.md` at session start.** |
|
@copilot apply changes based on the comments in this thread |
…dd copilot-setup-steps.yml to agent required reading Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/bca394d4-63ea-4c06-b4c8-5b2ddb6c78b0 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Applied all review comments in
|
| - Choose appropriate trigger(s) for workflow purpose: | ||
| - `issues:` for issue-related automation | ||
| - Choose appropriate trigger(s): | ||
| - `issue:` with `types: [opened, reopened]` for issue automation |
There was a problem hiding this comment.
In the trigger list, issue: isn’t a valid GitHub Actions event (the event is issues:). This looks like a typo and is confusing since the examples below correctly use on: issues:.
| - `issue:` with `types: [opened, reopened]` for issue automation | |
| - `issues:` with `types: [opened, reopened]` for issue automation |
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| tools: | ||
| github: | ||
| web-search: | ||
| toolsets: [pull-requests, code-scanning] | ||
| network: {} |
There was a problem hiding this comment.
Example 4 enables the code-scanning toolset but the shown permissions: block doesn’t include security-events: read, which is required for Code Scanning API access. As written, this workflow example is likely to fail when attempting to read code scanning alerts.
| - Define `on:` trigger(s) with appropriate event types and activity filters | ||
| - Set `permissions:` with specific resource scopes (e.g., `issues: read`, `contents: read`) | ||
| - Configure `tools:` with specific toolsets (e.g., `github:` with `toolsets: [issues, labels]`) | ||
| - Include `safe-outputs:` for all write operations with `max:` limits |
There was a problem hiding this comment.
The rule says all write operations must have safe-outputs: with max: limits, but add-labels is documented/used with an allowed: allowlist and no max:. Consider rewording this rule to require a hard limit where the specific output type supports it (e.g., max, max-size) to avoid contradicting the examples/reference table.
| - Include `safe-outputs:` for all write operations with `max:` limits | |
| - Include `safe-outputs:` for all write operations, using a hard limit where the output type supports it (for example `max` or `max-size`) or an allowlist where it does not (for example `allowed`) |
| # Issue Triage Agent | ||
|
|
||
| Analyze new issues and provide helpful triage information: | ||
| List open issues in ${{ github.repository }} that have no labels. | ||
| For each unlabeled issue, analyze the title and body, then add one of the | ||
| allowed labels: `bug`, `feature`, `enhancement`, `documentation`, `question`, | ||
| `help-wanted`, or `good-first-issue`. |
There was a problem hiding this comment.
Example 1 triggers on issues: [opened, reopened] but the instructions tell the agent to “List open issues … that have no labels” and potentially label multiple issues per run. That’s a surprising side effect for an event-scoped trigger and can lead to repeated full-repo scans; consider scoping the instructions to the triggering issue, or switching this example to a scheduled trigger.
.github/agents/task-agent.md
Outdated
| **Your Core Mission: Comprehensive Product Analysis & Task Management** | ||
|
|
||
| Reference: [Hack23 ISMS-PUBLIC](https://github.com/Hack23/ISMS-PUBLIC) | ||
| You are the orchestrator of product improvement, analyzing the Hack23 homepage and ecosystem from multiple dimensions, then generating well-structured GitHub issues that drive meaningful enhancements. You leverage AWS knowledge, Playwright for visual analysis, and GitHub MCP extensively to create a complete picture of product health. |
There was a problem hiding this comment.
This mentions leveraging “AWS knowledge” for analysis, but .github/copilot-mcp.json only configures github, filesystem, memory, sequential-thinking, and playwright MCP servers (no AWS-specific MCP). Consider rephrasing to avoid implying an available aws-knowledge tool/server, or document how AWS review should be done with the existing toolset (e.g., reading CloudFront/S3 config files).
| You are the orchestrator of product improvement, analyzing the Hack23 homepage and ecosystem from multiple dimensions, then generating well-structured GitHub issues that drive meaningful enhancements. You leverage AWS knowledge, Playwright for visual analysis, and GitHub MCP extensively to create a complete picture of product health. | |
| You are the orchestrator of product improvement, analyzing the Hack23 homepage and ecosystem from multiple dimensions, then generating well-structured GitHub issues that drive meaningful enhancements. You apply AWS S3/CloudFront deployment knowledge by reviewing relevant configuration and documentation via the GitHub and filesystem MCP servers, use Playwright for visual analysis, and rely on GitHub MCP extensively to create a complete picture of product health. |
|
@copilot apply changes based on the comments in this thread |
…ents permission, reword safe-outputs rule, fix trigger list typo, clarify AWS knowledge Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/ce38985b-e9e2-42cb-bced-332697614cca Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
All 5 review comments addressed in
|
|
|
||
| Analyze new issues and provide helpful triage information: | ||
| Analyze the triggering issue (${{ github.event.issue.number }}) title and body, | ||
| then add one of the allowed labels: `bug`, `feature`, `enhancement`, | ||
| `documentation`, `question`, `help-wanted`, or `good-first-issue`. |
There was a problem hiding this comment.
This example text also references the hyphenated label names (help-wanted, good-first-issue), which don’t match this repo’s actual labels (help wanted, good first issue). For consistency with the repo and to avoid copy/paste errors, update the inline label list to the correct names.
| **Read `.github/workflows/copilot-setup-steps.yml`, `.github/copilot-instructions.md`, `.github/copilot-mcp.json`, and `README.md` at session start.** | ||
|
|
||
| **ALWAYS read these configuration files at the start of every session** to understand the environment and available tools: | ||
| **Relevant skills**: security (secure-development, access-control, data-classification, cryptography), architecture (c4-modeling, security-architecture, documentation-portfolio), quality (html-css-best-practices, accessibility-wcag, seo-optimization), deployment (aws-s3-cloudfront, github-actions-cicd), compliance (iso-27001, gdpr) | ||
|
|
||
| 1. **`.github/workflows/copilot-setup-steps.yml`** - Contains: | ||
| - Environment setup steps and prerequisites | ||
| - Available environment variables | ||
| - Workflow permissions and security context | ||
| - Automation configurations | ||
|
|
||
| 2. **`.github/copilot-mcp.json`** - Contains: | ||
| - MCP server configurations (github, filesystem, git, memory, sequential-thinking, playwright, brave-search) | ||
| - Available tools and their capabilities | ||
| - Integration settings and environment variables | ||
|
|
||
| 3. **`README.md`** (repository root) - Contains: | ||
| - Main project context and overview | ||
| - Company background and values | ||
| - Technology stack and architecture | ||
| - Project classifications and security posture | ||
|
|
||
| Reading these files ensures you understand the complete context, available tools, and environmental constraints before proceeding with any work. | ||
|
|
||
| ## 🎯 Skills Integration | ||
|
|
||
| This agent leverages the Hack23 Skills Library to ensure consistency and compliance. The following skills are particularly relevant: | ||
|
|
||
| ### Core Security Skills | ||
| - **Secure Development** (`.github/skills/security/secure-development/`) - Security-by-design principles, input validation, secure coding practices | ||
| - **Access Control** (`.github/skills/security/access-control/`) - Authentication and authorization patterns | ||
| - **Data Classification** (`.github/skills/security/data-classification/`) - Proper data handling and protection | ||
| - **Cryptography** (`.github/skills/security/cryptography/`) - Encryption standards and key management | ||
|
|
||
| ### Architecture Skills | ||
| - **C4 Modeling** (`.github/skills/architecture/c4-modeling/`) - System visualization with Context, Container, Component, Code diagrams | ||
| - **Security Architecture** (`.github/skills/architecture/security-architecture/`) - Defense-in-depth, threat modeling, security controls | ||
| - **Documentation Portfolio** (`.github/skills/architecture/documentation-portfolio/`) - Complete documentation sets (ARCHITECTURE.md, DATA_MODEL.md, etc.) | ||
|
|
||
| ### Quality Skills | ||
| - **HTML/CSS Best Practices** (`.github/skills/quality/html-css-best-practices/`) - Semantic markup, modern CSS patterns | ||
| - **Accessibility WCAG** (`.github/skills/quality/accessibility-wcag/`) - WCAG 2.1 AA compliance requirements | ||
| - **SEO Optimization** (`.github/skills/quality/seo-optimization/`) - Meta tags, structured data, performance | ||
|
|
||
| ### Deployment Skills | ||
| - **AWS S3/CloudFront** (`.github/skills/deployment/aws-s3-cloudfront/`) - Static website hosting, security headers, CDN configuration | ||
| - **GitHub Actions CI/CD** (`.github/skills/deployment/github-actions-cicd/`) - Automated pipelines, security scanning, deployment automation | ||
|
|
||
| ### Compliance Skills | ||
| - **ISO 27001** (`.github/skills/compliance/iso-27001/`) - Information security management requirements | ||
| - **GDPR** (`.github/skills/compliance/gdpr/`) - Privacy and data protection compliance | ||
|
|
||
| ### How to Use Skills | ||
|
|
||
| When working on tasks: | ||
| 1. **Review relevant skill documentation** before creating issues or analyzing code | ||
| 2. **Follow the explicit MUST/MUST NOT rules** in each skill | ||
| 3. **Use code examples from skills** as patterns to recommend in issues | ||
| 4. **Validate compliance** with skill requirements in your analysis | ||
| 5. **Reference ISMS policies** linked in skills for comprehensive compliance | ||
|
|
||
| Skills work automatically with GitHub Copilot - they guide code generation and ensure compliance across all agents. | ||
|
|
||
| ## 🔐 ISMS Framework Compliance | ||
|
|
||
| ### Required Security Documentation | ||
|
|
||
| ALL work MUST ensure these documents exist and are current: | ||
|
|
||
| 1. **🏛️ SECURITY_ARCHITECTURE.md** - Current implemented security design | ||
| - Security controls and measures | ||
| - Authentication and authorization architecture | ||
| - Data protection mechanisms | ||
| - Network security topology | ||
| - Security testing approach | ||
|
|
||
| 2. **🚀 FUTURE_SECURITY_ARCHITECTURE.md** - Planned security improvements | ||
| - Security roadmap | ||
| - Planned enhancements | ||
| - Risk mitigation strategies | ||
| - Compliance improvements | ||
|
|
||
| ### Required Architecture Documentation Portfolio | ||
|
|
||
| **C4 Architecture Model Implementation** - ALL projects MUST maintain: | ||
|
|
||
| **Current State:** | ||
| - 🏛️ **ARCHITECTURE.md** - Complete C4 models (Context, Container, Component views) | ||
| - 📊 **DATA_MODEL.md** - Data structures, entities, relationships | ||
| - 🔄 **FLOWCHART.md** - Business process and data flows | ||
| - 📈 **STATEDIAGRAM.md** - System state transitions and lifecycles | ||
| - 🧠 **MINDMAP.md** - System conceptual relationships | ||
| - 💼 **SWOT.md** - Strategic analysis and positioning | ||
|
|
||
| **Future State:** | ||
| - 🚀 **FUTURE_ARCHITECTURE.md** - Architectural evolution roadmap | ||
| - 📊 **FUTURE_DATA_MODEL.md** - Enhanced data architecture plans | ||
| - 🔄 **FUTURE_FLOWCHART.md** - Improved process workflows | ||
| - 📈 **FUTURE_STATEDIAGRAM.md** - Advanced state management | ||
| - 🧠 **FUTURE_MINDMAP.md** - Capability expansion plans | ||
| - 💼 **FUTURE_SWOT.md** - Future strategic opportunities | ||
| --- |
There was a problem hiding this comment.
PR description says copilot-instructions.md was reduced to ~75 lines, but in this PR branch .github/copilot-instructions.md is still ~360 lines (per repo file listing). Either include the intended copilot-instructions.md update in this PR, or adjust the PR description to match what actually changed.
|
@copilot apply changes based on the comments in this thread |
…3 lines) Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/c497cec8-3399-4f7d-8be1-bdb05199aac8 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Both issues addressed in
|
| github: | ||
| web-search: | ||
| toolsets: [pull-requests, code-scanning] | ||
| network: {} |
There was a problem hiding this comment.
In this example, network: {} is combined with the github toolset. Per the Network Security guidance earlier in this doc (network: defaults for GitHub-only access), {} may block GitHub API access and make the example non-functional. Consider switching this example to network: defaults (or explicitly allowlisting GitHub domains) to match the stated model.
| network: {} | |
| network: defaults |
| - Expert in the languages currently used or added to the homepage. | ||
| - Use and expand https://github.com/Hack23/homepage/blob/master/TRANSLATION_DOCUMENTATION_README.md translation guide and always update status for each language. | ||
| - Expert in all languages currently used on the homepage | ||
| - Use and expand [TRANSLATION_DOCUMENTATION_README.md](https://github.com/Hack23/homepage/blob/master/TRANSLATION_DOCUMENTATION_README.md) |
There was a problem hiding this comment.
This link hard-codes a GitHub blob URL (and a specific branch name). Since TRANSLATION_DOCUMENTATION_README.md exists in-repo, prefer a repo-relative link so it won't break if the default branch name changes or if forks use a different default branch.
| - Use and expand [TRANSLATION_DOCUMENTATION_README.md](https://github.com/Hack23/homepage/blob/master/TRANSLATION_DOCUMENTATION_README.md) | |
| - Use and expand [TRANSLATION_DOCUMENTATION_README.md](../../TRANSLATION_DOCUMENTATION_README.md) |
|
@copilot apply changes based on the comments in this thread |
…or translation doc Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/d551f78a-7144-483b-beff-e5ac52dfa672 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Both review comments addressed in
|
|
gh-aw skills were stale (Feb 2026), agents had ~5K lines of duplicated boilerplate, and copilot-instructions.md didn't reflect current project state.
gh-aw Integration Skills (5 files)
Updated from official gh-aw v0.45+ documentation (
llms-small.txt,llms-full.txt,agentic-workflows.txt):toolsets:,timeout-minutes:,title-prefix:,close-older-issues:), safe-outputs constraint reference tableallowed,max-size,allowed-exts),min-integrity:for public repos/plancommand pattern (514 merged PRs, 67% merge rate), Discussion Task Miner, real causal chain examplesgh aw add-wizardfor workflow sharing, compact CLI referenceExample of updated frontmatter reflecting current gh-aw syntax:
Agent Compaction (8 files, 76% reduction)
Removed duplicated "Required Configuration Files", verbose skills listings, and ISMS boilerplate repeated across all 8 files. All unique agent personality, rules, and workflow patterns preserved. All agents now include
copilot-setup-steps.ymlin required reading to stay consistent withcopilot-instructions.md.copilot-instructions.md (359 → 43 lines)
Reflects current state: ~105 English pages, 13 languages, 58 skills, 8 agents. Removed content already covered by skills library (detailed security rules, accessibility guidelines, ISMS compliance frameworks, architecture documentation matrix, repository table, common tasks).