
ci: add markdown link checker workflow #323

Merged
imran-siddique merged 1 commit into microsoft:main from mvanhorn:osc/320-link-check-ci
Mar 21, 2026

Conversation

@mvanhorn
Contributor

Summary

Adds a GitHub Actions workflow that checks all Markdown files for broken links on every PR targeting main, using lychee.

Changes

  • .github/workflows/link-check.yml: New workflow using lycheeverse/lychee-action (SHA-pinned per project convention). Runs on pull_request to main, checks all **/*.md files.
  • .lychee.toml: Configuration with timeout/retry settings and an allow-list for known-flaky URLs (npm/PyPI registries, localhost, placeholder domains, auth endpoints).

Testing

The workflow runs automatically on this PR. lychee validates both internal file references and external URLs.

Closes #320

This contribution was developed with AI assistance (Claude Code).

@github-actions

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

@github-actions github-actions bot added the ci/cd (CI/CD and workflows) and size/M (Medium PR, < 200 lines) labels Mar 21, 2026

@github-actions github-actions bot left a comment


🤖 AI Agent: code-reviewer

Review Summary

This PR introduces a GitHub Actions workflow to check for broken links in Markdown files using the lychee tool. The implementation is straightforward and adheres to best practices, including SHA-pinning for dependencies and a well-configured .lychee.toml file. The addition of this workflow improves CI/CD quality by ensuring documentation integrity.

Below is the detailed review:


🔴 CRITICAL

No critical issues identified.


🟡 WARNING

  1. Potential Breaking Change:
    • If the repository contains Markdown files with links to external resources that are temporarily unavailable or rate-limited (e.g., npm, PyPI), this workflow could fail CI builds for unrelated PRs. While the allow-list mitigates this risk, it may still cause disruptions if new flaky URLs are introduced. Consider documenting this behavior in the repository's contribution guidelines to inform contributors.

💡 SUGGESTIONS

  1. Improve Error Reporting:

    • Lychee's default error output can be verbose and difficult to parse. Consider enabling a more concise output format or adding a post-processing step to summarize broken links in a user-friendly format. This will make debugging easier for contributors.
  2. Expand Allow-List Dynamically:

    • While the current allow-list is comprehensive, it may require frequent updates as new flaky URLs are encountered. Consider adding a mechanism to dynamically update the allow-list based on historical failures or community feedback.
  3. Document Workflow Behavior:

    • Add documentation for this workflow in the repository's CONTRIBUTING.md or README.md. Include details about how contributors can address link-check failures, such as updating the allow-list or fixing broken links.
  4. Test Coverage for Edge Cases:

    • Ensure that the .lychee.toml configuration is tested against edge cases, such as links with query parameters, anchors, or unusual formats. This can help avoid false positives or negatives during link validation.
  5. Consider Lowering Concurrency:

    • The max_concurrency setting is currently set to 32, which might overwhelm certain external services (e.g., rate-limited APIs). Consider reducing this value to avoid triggering rate limits.
  6. Add a Cache Mechanism:

    • To improve performance and reduce redundant checks, consider enabling caching for lychee results. This can be particularly useful for repositories with a large number of Markdown files.

Final Assessment

This PR is well-implemented and adheres to CI/CD best practices. While there are no critical issues, addressing the warnings and suggestions will improve the workflow's reliability and usability.

@github-actions

🤖 AI Agent: contributor-guide

Welcome! 🎉

Hi there, and welcome to the microsoft/agent-governance-toolkit community! Thank you so much for taking the time to contribute to this project. We’re thrilled to have you here, and your addition of a Markdown link checker workflow is a fantastic idea to improve the quality and reliability of our documentation. 🚀


What You Did Well ✅

  1. Thoughtful Addition: Adding a link checker workflow is a great way to ensure our documentation remains accurate and free of broken links. This is a proactive and valuable contribution!
  2. SHA-Pinning: Excellent job following best practices by SHA-pinning the GitHub Actions versions. This ensures stability and security in our CI/CD pipeline.
  3. Configuration File: Including a .lychee.toml file with thoughtful settings like concurrency limits, retries, and an allow-list for known-flaky URLs shows attention to detail and consideration for real-world scenarios.
  4. Clear PR Description: Your PR description is well-structured and provides a clear summary of the changes, the reasoning behind them, and how they were tested. This makes it easy for reviewers to understand the context.

Suggestions for Improvement ✨

  1. Conventional Commit Message:

    • The commit message ci: add markdown link checker workflow is a great start, but it could be slightly more descriptive. For example:
      ci: add workflow to check Markdown links with lychee
      
      This provides a bit more context about the tool being used.
  2. Test Placement:

    • While this PR doesn’t directly involve code changes, it’s worth noting that any future tests (e.g., for scripts or tools) should be placed in the packages/{name}/tests/ directory. This keeps our repository organized and consistent.
  3. Linting:

    • We use ruff for linting (with rules E, F, and W). While this PR doesn’t include Python code, it’s a good habit to run ruff on any Python files you modify in the future to ensure compliance with our style guide.
  4. Security Considerations:

    • Since this workflow interacts with external URLs, it’s great that you’ve included an allow-list for known-flaky URLs. However, we encourage contributors to be cautious about any external dependencies or configurations that could introduce security risks. Your use of SHA-pinning is a great step in this direction!

Project Conventions 📚

Here are a few key conventions we follow in this project to ensure consistency and maintainability:

  1. Linting: We use ruff for Python linting with E, F, and W rules. You can find more details in our CONTRIBUTING.md.
  2. Testing: All tests should be placed in the packages/{name}/tests/ directory. This helps us keep tests organized and easy to find.
  3. Commit Messages: We follow the Conventional Commits specification. Prefix your commit messages with feat:, fix:, docs:, ci:, etc., to indicate the type of change.
  4. Security: Any code or workflows that interact with external systems or sensitive data should be reviewed with extra care. If you’re unsure, feel free to ask for guidance in your PR.

For more details, check out our CONTRIBUTING.md and QUICKSTART.md.


Next Steps 🚦

  1. Address Feedback: If you’d like to tweak the commit message or make any other changes based on the suggestions above, feel free to push additional commits to this branch. The workflow will automatically re-run.
  2. Await Review: Once you’ve addressed any feedback, a maintainer will review your PR and provide further guidance or approve it for merging.
  3. Celebrate! 🎉: Once your PR is merged, your contribution will be part of the project, and you’ll officially be a contributor to the microsoft/agent-governance-toolkit!

Thank you again for your contribution! If you have any questions or need help with anything, don’t hesitate to ask. We’re here to support you. 😊

@github-actions

🤖 AI Agent: security-scanner

After reviewing the provided pull request, here is the security analysis:


Analysis

This pull request introduces a GitHub Actions workflow to check Markdown files for broken links using the lychee tool. While this change primarily affects CI/CD processes and does not directly interact with the core functionality of the microsoft/agent-governance-toolkit, it is still important to evaluate the security implications of the new workflow.


Findings

1. Supply Chain Risk in GitHub Actions Dependencies

  • Issue: The workflow uses two third-party GitHub Actions:
    • actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (SHA-pinned)
    • lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 (SHA-pinned)
    While SHA-pinning mitigates the risk of malicious updates to these actions, there is still a residual risk if the referenced commits themselves are compromised or if the repositories are taken over by malicious actors.
  • Risk: 🟡 MEDIUM
    • The lycheeverse/lychee-action repository is not under the control of the microsoft organization, which introduces a potential supply chain risk.
  • Recommendation:
    • Regularly audit the referenced SHA commits for both actions to ensure they are from trusted sources.
    • Consider mirroring or vendoring the lycheeverse/lychee-action code into the microsoft/agent-governance-toolkit repository to eliminate external dependency risks.

2. Potential Credential Exposure in Logs

  • Issue: The lychee tool checks external URLs, which may include URLs requiring authentication (e.g., login.microsoftonline.com, portal.azure.com). If these URLs are not properly excluded or if the tool logs sensitive information (e.g., query parameters or tokens), there is a risk of exposing credentials in CI logs.
  • Risk: 🟠 HIGH
    • While the .lychee.toml file excludes some known authentication-related URLs, there is no guarantee that all sensitive URLs are accounted for. Additionally, the --no-progress flag suppresses progress output but does not guarantee that sensitive information won't be logged in case of errors.
  • Recommendation:
    • Audit the lychee tool's logging behavior to ensure it does not log sensitive information.
    • Expand the exclude list in .lychee.toml to include any additional sensitive URLs used in the repository.
    • Consider running the link checker in a sandboxed environment to mitigate potential risks from malicious or unexpected URL responses.

3. Trust Chain Weakness in External URL Validation

  • Issue: The lychee tool validates external URLs, which could potentially expose the CI environment to malicious or compromised URLs. If the tool does not properly validate SSL/TLS certificates or if it follows redirects to malicious domains, it could lead to unintended consequences.
  • Risk: 🟡 MEDIUM
    • The .lychee.toml file does not specify any settings related to SSL/TLS validation. If lychee does not enforce strict certificate validation by default, this could be exploited by an attacker hosting a malicious URL.
  • Recommendation:
    • Verify that lychee enforces strict SSL/TLS certificate validation by default. If not, configure it to do so.
    • Consider limiting the scope of external URL checks to trusted domains or known safe URLs.

4. Race Conditions or Denial of Service in CI/CD

  • Issue: The lychee tool is configured with a high concurrency level (max_concurrency = 32). This could lead to resource exhaustion in the CI environment or trigger rate-limiting on external services, potentially causing the workflow to fail.
  • Risk: 🔵 LOW
    • While this is not a direct security issue, it could impact the reliability of the CI/CD pipeline.
  • Recommendation:
    • Reduce the max_concurrency value to a more conservative level (e.g., 10–16) to avoid overwhelming the CI environment or external services.

Summary of Findings

| Finding | Risk | Recommendation |
|---|---|---|
| Supply chain risk in GitHub Actions dependencies | 🟡 MEDIUM | Audit SHA commits regularly; consider mirroring or vendoring third-party actions. |
| Potential credential exposure in logs | 🟠 HIGH | Audit lychee logging; expand exclude list; sandbox the link checker. |
| Trust chain weakness in external URL validation | 🟡 MEDIUM | Verify/enforce strict SSL/TLS validation; limit scope of external URL checks. |
| Race conditions or denial of service in CI/CD | 🔵 LOW | Reduce max_concurrency to a safer level. |

Final Assessment

While this PR does not directly impact the core functionality of the microsoft/agent-governance-toolkit, it introduces a CI/CD workflow that interacts with external URLs. The primary concerns are related to supply chain risks, potential credential exposure, and trust chain weaknesses. Addressing these issues will ensure the security and reliability of the CI/CD pipeline.

Recommendation: Address the identified issues before merging this PR.

@imran-siddique
Member

Good addition — SHA-pinned actions, sensible exclusions. Suggestion: consider `fail: false` initially to avoid flaky external URLs blocking unrelated PRs. Merging now.

@imran-siddique imran-siddique merged commit c45edc6 into microsoft:main Mar 21, 2026
10 checks passed
imran-siddique pushed a commit to imran-siddique/agent-governance-toolkit that referenced this pull request Mar 21, 2026
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
imran-siddique added a commit that referenced this pull request Mar 21, 2026
#327)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 21, 2026
…ent-os replaced (#328)
imran-siddique added a commit that referenced this pull request Mar 21, 2026
* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

imran-siddique added a commit that referenced this pull request Mar 22, 2026
…summary (#345)

* feat(ci): add PR review orchestrator — collapse agents, post unified summary

- Wrap individual agent comments in <details> tags (collapsed by default)
- Make agent comments idempotent (update on re-push, don't duplicate)
- Add ai-pr-summary.yml workflow that posts one clean verdict table
- Summary uses HTML marker for upsert behavior

Contributors now see ONE summary table instead of 5-7 separate bot comments.
Individual agent reports are preserved but collapsed for reference.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

imran-siddique added a commit that referenced this pull request Mar 22, 2026
…LICENSE (#344)

* fix: fill community PR gaps — bare excepts, print→logging, py.typed, LICENSE files

Address remaining items from issues #330, #331, #332, #334 that
community PRs partially covered.

- Fix bare except blocks in time_travel_debugger.py, demo_client.py
- Replace print() with logging in integrity.py, promotion.py, verify.py
- Add py.typed markers for PEP 561 compliance
- Copy LICENSE to all subpackages

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

imran-siddique added a commit that referenced this pull request Mar 23, 2026
…ion (#346)

* feat(compliance): add compliance_grade() method to GovernanceAttestation

Adds a letter-grade (A-F) method based on OWASP ASI control coverage
percentage. Updates README with usage example.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: broken markdown links and lychee exclusions

- Fix stargazers badge URL in agentmesh-integrations/README.md
- Fix internal links to agent-os and agent-sre integrations
- Add lychee exclusions for nuget (unpublished), nist.gov (flaky),
  stargazers paths, and not-yet-created compliance docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: make link checker non-blocking until pre-existing links are fixed (#320)

There are 20+ pre-existing broken links across docs/, proposals/,
and tutorials/ that predate this PR. Setting fail: false so the
check reports but doesn't block merges. Issue #320 tracks the
full link cleanup.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
…349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
…it CI (#350)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(security): add dependency confusion pre-commit hook + weekly audit CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
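The pre-commit check described in the commit message above (scan for `pip install` targets that are not on an allowlist of registered PyPI names) is shown here as an added example; it is not the project's own `scripts/check_dependency_confusion.py`. It also covers the notebook and `requirements.txt` cases from the #325 and #326 sub-commits, and the allowlist and both sample inputs are constructed for the demonstration.

```python
"""Flag dependency-confusion candidates: package names that pip would
resolve on the public index but that are not on a curated allowlist.

Added example, not the repository's scripts/check_dependency_confusion.py.
Local paths, editable installs and URLs are skipped because pip fetches
them directly and never consults the index for them.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# Hypothetical allowlist; a real one is maintained by the project.
KNOWN_REGISTERED = frozenset({
    "agent-os-kernel", "agentmesh-platform", "agent-governance-toolkit",
    "zenpy", "freshdesk", "requests",
})

# `pip install ...`, `pip3 install ...`, `python -m pip install ...` and the
# notebook form `!pip install ...`; the argument list runs to a comment,
# command separator or end of line.
PIP_INSTALL_RE = re.compile(
    r"(?:^|\s|!)(?:python3?\s+-m\s+)?pip3?\s+install\s+([^#;&|\n]*)"
)
# Leading distribution name of a requirement specifier (PEP 508 shape),
# stopping before extras `[...]`, version operators or markers.
NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
# pip options whose following token is a value, not a package.
OPTS_WITH_VALUE = {
    "-r", "--requirement", "-c", "--constraint", "-e", "--editable",
    "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
    "-t", "--target",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: fold case, collapse runs of [-_.]."""
    return re.sub(r"[-_.]+", "-", name).lower()


def package_name_from_spec(token: str) -> Optional[str]:
    """Normalized distribution name for a requirement token, or None when
    the token is an option, a filesystem path or a URL."""
    token = token.strip().strip("'\"")
    if not token or token.startswith("-"):
        return None
    if token.startswith((".", "/", "~")) or "://" in token:
        return None  # direct reference, not an index lookup
    m = NAME_RE.match(token)
    return normalize(m.group(1)) if m else None


def packages_in_pip_command(args: str) -> list[str]:
    """Names pip would look up on the index for one install argument list."""
    names: list[str] = []
    skip_next = False
    for tok in args.split():
        if skip_next:
            skip_next = False
            continue
        if tok in OPTS_WITH_VALUE:
            skip_next = True  # e.g. `-e ../..` consumes the path
            continue
        name = package_name_from_spec(tok)
        if name:
            names.append(name)
    return names


def scan_text(text: str, allowlist: Iterable[str] = KNOWN_REGISTERED) -> list[tuple[int, str]]:
    """(line_number, package) for every install target not on the allowlist.
    Works on notebooks, docs and shell scripts alike."""
    allowed = {normalize(n) for n in allowlist}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PIP_INSTALL_RE.finditer(line):
            for name in packages_in_pip_command(m.group(1)):
                if name not in allowed:
                    findings.append((lineno, name))
    return findings


def scan_requirements(text: str, allowlist: Iterable[str] = KNOWN_REGISTERED) -> list[tuple[int, str]]:
    """Same check for a requirements.txt: one specifier per line."""
    allowed = {normalize(n) for n in allowlist}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, -r other.txt, --index-url ...
            continue
        name = package_name_from_spec(line)
        if name and name not in allowed:
            findings.append((lineno, name))
    return findings


# Constructed sample inputs modelled on the cases the commit messages describe.
SAMPLE_NOTEBOOK_CELLS = """\
# Install the kernel (old form, unregistered name)
!pip install agent-os
# Fixed form: editable install from the repo, never touches the index
!pip install -e ../..
# Fixed form: the published distribution with an extra
!pip install agent-os-kernel[full] requests==2.32.0
python -m pip install --upgrade emk
"""
SAMPLE_REQUIREMENTS = """\
zendesk-sdk
freshdesk
hashlib-compat   # hashlib is stdlib; this name is not a real package
agent-os-kernel[observability]>=0.1
"""

if __name__ == "__main__":
    for lineno, pkg in scan_text(SAMPLE_NOTEBOOK_CELLS):
        print(f"notebook line {lineno}: '{pkg}' is not on the allowlist")
    for lineno, pkg in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: '{pkg}' is not on the allowlist")
```

Run as a pre-commit hook, a non-empty findings list is the signal to fail the commit; extending the allowlist is the deliberate, reviewed way to accept a new dependency.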
imran-siddique added a commit to imran-siddique/agent-governance-toolkit that referenced this pull request Mar 23, 2026
…icrosoft#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (microsoft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316

* ci: add markdown link checker workflow (microsoft#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (microsoft#309) (microsoft#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(security): add dependency confusion pre-commit hook + weekly audit CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(security): proactive audit — dependency confusion + MD5→SHA-256 (#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

* fix(security): replace unregistered package names + MD5→SHA-256

- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: refresh proposal status fields to reflect current state

Update Status fields across all 8 proposal documents:
- DIFY: Shipped (PR #2060, live on Marketplace)
- GITHUB-COPILOT: Shipped (all 3 PRs merged)
- MAF: Implemented Level 1 (18 tests, awaiting MAF team)
- MCP: Partially Shipped (npm + Glama, registry pending)
- OPENLIT: Implemented (PR #1062 under review)
- CSA-ATF: Active (ATF author engaged, conformance spec published)
- AAIF: Paused (re-submit after public release)
- GOOGLE-ADK: Implemented (GovernanceAdapter shipped)

Added Progress section to CSA-ATF-PROPOSAL.md with timeline.

* docs: create 5 new proposals, update proposals index

New proposals for shipped/active engagements:
- HAYSTACK-INTEGRATION-PROPOSAL.md (shipped)
- ORACLE-AGENTSPEC-PROPOSAL.md (active engagement)
- STRIPE-MPP-PROPOSAL.md (planned)
- NEXUS-TRUST-EXCHANGE-PROPOSAL.md (pre-alpha)
- A2A-TRUST-EXTENSIONS-PROPOSAL.md (adapter shipped)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(security): add dependency confusion pre-commit hook + weekly audit CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(security): proactive audit — dependency confusion + MD5→SHA-256 (#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

* fix(security): replace unregistered package names + MD5→SHA-256

- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(security): dependency confusion in quickstart.ps1, bare excepts, MD5 deprecation

CRITICAL: quickstart.ps1 referenced unregistered 'agent-os' PyPI name
instead of 'agent-os-kernel'. Fixed to prevent supply chain attack.

HIGH: 4 bare except: blocks in graph_debugger.py (2 duplicate files)
replaced with specific exception types + logging.

MEDIUM: MD5 and SHA1 deprecated with warning in text_tool.py hash
algorithm selection.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
…[MSRC-111178] (#353)

* feat(security): add dependency confusion pre-commit hook + weekly audit CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(security): harden pull_request_target workflows against fork RCE [MSRC-111178]

Defense-in-depth hardening for all 6 AI agent workflows:
- Explicit ref: base.sha on all checkout steps (was implicit default)
- persist-credentials: false on all checkouts
- Fork safety notices
- Shallow clone (fetch-depth: 1) where full history not needed
- Security header comments referencing MSRC case

The core vulnerability (ref: head.sha checkout) was already removed
in PR #303. These changes add belt-and-suspenders protection.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
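The allowlist scan that the dependency confusion commits above describe (flag `pip install` commands and requirements entries that name packages not registered on PyPI), as an added example; it is not the repository's scripts/check_dependency_confusion.py, and its allowlist entries, option handling and sample inputs are constructed for illustration.

```python
"""Flag `pip install` commands and requirements entries that name packages
outside a known-registered allowlist.

Added example, not the project's own scripts/check_dependency_confusion.py:
it implements the idea the commit messages describe (an allowlist of registered
names, a scan of pip install commands and requirements files) with the standard
library only. The allowlist entries and the sample inputs are constructed.
"""
import re

# Constructed allowlist of names this project is known to publish or depend on.
# A real hook would load this from a reviewed file, not hard-code it.
ALLOWED_PACKAGES = {
    "agent-os-kernel", "agentmesh-platform", "agent-governance-toolkit",
    "zenpy", "freshdesk", "cryptography", "pypdf",
}

# `pip install ...`, `!pip install ...` (notebook cells) or `pip3 install ...`;
# the argument list runs to end of line or to a shell separator.
PIP_INSTALL_RE = re.compile(r"!?\bpip3?\s+install\s+([^\n;&|]+)")

# One requirement: a distribution name, optional [extras], anything after.
REQUIREMENT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?")

# Options that consume the following token (editable path, requirements file, index).
OPTIONS_WITH_VALUE = {"-e", "--editable", "-r", "--requirement",
                      "-i", "--index-url", "--extra-index-url", "-c", "--constraint"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def package_names(install_args: str) -> list[str]:
    """Names from one pip install argument list.

    Local paths, URLs, archives and options are ignored, so `-e ../..` and
    `-r requirements.txt` yield nothing; the editable install the notebooks
    were switched to is therefore never flagged.
    """
    names, skip_next = [], False
    for tok in install_args.split():
        tok = tok.strip("\"'")
        if skip_next:
            skip_next = False
            continue
        if tok in OPTIONS_WITH_VALUE:
            skip_next = True
            continue
        if tok.startswith("-") or tok.startswith((".", "/", "~")) or "://" in tok:
            continue
        if tok.endswith((".whl", ".tar.gz", ".zip")):
            continue
        m = REQUIREMENT_RE.match(tok)
        if m:
            names.append(normalize(m.group(1)))
    return names


def scan_commands(text: str, allowed=ALLOWED_PACKAGES) -> list[tuple[int, str]]:
    """(line_number, name) for each pip-installed name outside the allowlist."""
    allowed_norm = {normalize(n) for n in allowed}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PIP_INSTALL_RE.finditer(line):
            for name in package_names(m.group(1)):
                if name not in allowed_norm:
                    findings.append((lineno, name))
    return findings


def scan_requirements(text: str, allowed=ALLOWED_PACKAGES) -> list[tuple[int, str]]:
    """Same check for requirements.txt content; comments, options and
    path/URL references are skipped."""
    allowed_norm = {normalize(n) for n in allowed}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("-", ".", "/")) or "://" in line:
            continue
        m = REQUIREMENT_RE.match(line)
        if m and normalize(m.group(1)) not in allowed_norm:
            findings.append((lineno, normalize(m.group(1))))
    return findings


# Constructed samples modelled on the cases the commits describe.
SAMPLE_NOTEBOOK = "!pip install agent-os\n!pip install -e ../..\n!pip install agent-os-kernel[full]\n"
SAMPLE_REQUIREMENTS = "zendesk-sdk\nfreshdesk>=1.0  # real SDK\nhashlib-compat\ncryptography>=45.0.3\n"

if __name__ == "__main__":
    for lineno, name in scan_commands(SAMPLE_NOTEBOOK) + scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: '{name}' is not in the registered-package allowlist")
```

A pre-commit hook would run these scans over the staged files and exit non-zero on any finding; a name that is genuinely published gets added to the allowlist after review, which is what keeps the check honest.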
imran-siddique added a commit that referenced this pull request Mar 23, 2026
…to fallback (#354)

* fix(security): add SECURITY.md to all packages, harden langchain crypto fallback

- Add SECURITY.md to 29 packages (9 main + 20 integrations) linking
  to root security reporting guidance
- Harden langchain-agentmesh crypto fallback: emit SecurityWarning
  when cryptography package unavailable (simulation mode)
- Add explicit SECURITY WARNING comments on fallback code paths

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 23, 2026
…rmissions (#355)

* fix(deps): bump cryptography>=45.0.3, migrate PyPDF2→pypdf, scope workflow permissions

Vulnerability fixes:
- cryptography: bump minimum to >=45.0.3 (fixes GHSA-3ww4, GHSA-9v9h,
  GHSA-h4gh, GHSA-jm77, GHSA-r6ph, GHSA-v8gr)
- PyPDF2: migrate to pypdf>=6.8.0 (fixes GHSA-4vvm, GHSA-hqmh, GHSA-qpxp)
- nltk: add upper bound <4.0 (3.9.3 already patched)
- black: bump to >=25.1.0 (fixes GHSA-3936)

Workflow permissions:
- ai-release-notes.yml: move contents:write to job level
- ai-spec-drafter.yml: move contents:write to job level

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
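The permission scoping and checkout hardening that the commit messages above describe (read-all at the workflow level with write scopes only on the job that needs them, and a base.sha checkout with persist-credentials: false and fetch-depth: 1 on a pull_request_target workflow), as an added example; it is not one of the repository's workflow files, and the workflow name, job, write scope, action SHA placeholder and script path are assumptions.

```yaml
# Added example, not a workflow from the repository: a pull_request_target
# workflow laid out the way the hardening commits above describe.
name: example-pr-triage   # assumed name

on:
  pull_request_target:
    types: [opened, synchronize]

# Workflow-level token stays read-only; write scopes here are what the
# Scorecard check rejects (the same holds for id-token and security-events).
permissions: read-all

jobs:
  triage:
    runs-on: ubuntu-latest
    # Write scopes are granted only to the job that needs them.
    permissions:
      contents: read
      pull-requests: write   # assumed scope for this example job
    steps:
      # pull_request_target runs with the base repository's secrets, so check
      # out the trusted base commit explicitly (never the fork's head ref),
      # keep the token out of the checked-out tree, and fetch only what the
      # job needs.
      - uses: actions/checkout@<full-commit-sha>   # placeholder; pin to a full SHA
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false
          fetch-depth: 1
      - name: Run triage from the base branch
        run: python scripts/triage.py   # assumed script path
```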
imran-siddique added a commit that referenced this pull request Mar 23, 2026

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

* fix(security): replace unregistered package names + MD5→SHA-256

- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(scorecard): remove explicit ref in pull_request_target, add sigstore, pin CI deps

Dangerous-Workflow: Remove ref: base.sha from pull_request_target
workflows — default checkout IS the base branch, explicit ref triggers
Scorecard false positive. Security preserved via persist-credentials:
false + MSRC comments.

Signed-Releases: Add sigstore/gh-action-sigstore-python to publish
workflow for Python package signing alongside existing attest-build-provenance.

Pinned-Dependencies: Pin pip install versions in CI workflows:
- ci.yml: pytest==8.4.1, pytest-asyncio==0.26.0
- benchmarks.yml: add --no-cache-dir
- security-scan.yml: pyyaml==6.0.2
- weekly-security-audit.yml: pyyaml==6.0.2

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit that referenced this pull request Mar 24, 2026
…359)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(security): add dependency confusion pre-commit hook + weekly audit CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(security): proactive audit — dependency confusion + MD5→SHA-256 (#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

* fix(security): replace unregistered package names + MD5→SHA-256

- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(esrp): configure ADO pipelines with Client ID and team contacts

Fill ESRP pipeline placeholders with:
- Client ID: a458522c-0359-4e92-9887-5fee1607c0c7
- Service connection: agt-esrp-release
- Owners/Approvers: agt@microsoft.com

TODO remaining (this week):
- Key Vault name (pending PRSS cert generation)
- Auth/Sign cert names (pending SAW access)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
imran-siddique added a commit to imran-siddique/agent-governance-toolkit that referenced this pull request Mar 24, 2026
…rosoft#356)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (microsoft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316

* ci: add markdown link checker workflow (microsoft#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (microsoft#309) (microsoft#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(security): add dependency confusion pre-commit hook + weekly audit CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(security): proactive audit — dependency confusion + MD5→SHA-256 (microsoft#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (microsoft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316

* ci: add markdown link checker workflow (microsoft#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (microsoft#309) (microsoft#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

* fix(security): replace unregistered package names + MD5→SHA-256

- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(scorecard): remove explicit ref in pull_request_target, add sigstore, pin CI deps

Dangerous-Workflow: Remove ref: base.sha from pull_request_target
workflows — default checkout IS the base branch, explicit ref triggers
Scorecard false positive. Security preserved via persist-credentials:
false + MSRC comments.

Signed-Releases: Add sigstore/gh-action-sigstore-python to publish
workflow for Python package signing alongside existing attest-build-provenance.

Pinned-Dependencies: Pin pip install versions in CI workflows:
- ci.yml: pytest==8.4.1, pytest-asyncio==0.26.0
- benchmarks.yml: add --no-cache-dir
- security-scan.yml: pyyaml==6.0.2
- weekly-security-audit.yml: pyyaml==6.0.2

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

Labels

ci/cd CI/CD and workflows size/M Medium PR (< 200 lines)

Development

Successfully merging this pull request may close these issues.

ci: add markdown link checker to CI pipeline

2 participants