feat(workflows): add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection #1219
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #1219 +/- ##
==========================================
- Coverage 87.72% 87.66% -0.07%
==========================================
Files 61 61
Lines 9318 9305 -13
==========================================
- Hits 8174 8157 -17
- Misses 1144 1148 +4
…hecker agents
- implement automated issue triage for classification and labeling
- create dependency reviewer for evaluating dependency changes
- add doc update checker to verify documentation accuracy post-code changes
- update collections to include new agents
Signed-off-by: Marcel Bindseil <[email protected]>

🔧 - Generated by Copilot
Signed-off-by: Marcel Bindseil <[email protected]>

- add project scope and classification criteria to issue triage agent
- refine dependency reviewer findings placement and constraints
- update documentation check workflows for improved tool management
- adjust PR review workflow to include reaction handling and timeout settings
Signed-off-by: Marcel Bindseil <[email protected]>

- include recent repository activity tracking
- add progress tracking and goal reminders
- provide project status and actionable next steps
📅 - Generated by Copilot
Signed-off-by: Marcel Bindseil <[email protected]>

Signed-off-by: Marcel Bindseil <[email protected]>

Remove task-implementor.agent.md import from issue-implement workflow (designed for interactive Copilot Chat, not CI sandbox). Add .copilotignore to exclude heavy directories (agents, skills, instructions, docs, plugins) from Copilot CLI context discovery. Combined, these reduce prompt tokens from ~187K to within the 168K limit.

…verflow
Sparse-checkout limits the workspace to essential directories only, preventing Copilot CLI from discovering the massive .github/agents/, .github/instructions/, and .github/skills/ directories (~1.8MB of markdown) that push the prompt from ~5K to ~184K tokens.

The agent import (15KB) fits within the token limit now that sparse-checkout excludes the heavy .github/ directories from the workspace.

Copilot CLI standalone mode ignores .copilotignore; sparse-checkout in the workflow frontmatter handles token budget control.

Apply sparse-checkout or checkout:false to remaining workflows to stay within the Copilot CLI 168K token limit.
- issue-triage: checkout: false (only uses GitHub MCP tools)
- dependency-review: sparse-checkout with dependency files + instructions
- doc-update-check: sparse-checkout with docs + source dirs + instructions
- pr-first-pass-review: sparse-checkout with PR template + instructions

Instruct the doc-update-check workflow to create issues following the bug-report template structure with component: Documentation. Add agent-ready label so implementable doc issues are picked up by issue-implement workflow. Include ISSUE_TEMPLATE/ in sparse-checkout.

Signed-off-by: Marcel Bindseil <[email protected]>

…clarity
- add descriptions to doc-update-check, dependency-review, issue-implement, issue-triage, and pr-first-pass-review workflows
- improve documentation for better understanding of workflow purposes
Signed-off-by: Marcel Bindseil <[email protected]>

…tomation details
- add issue triage agent description to GitHub Backlog Management and HVE Core All README
- enhance HVE Core README with dependency reviewer and doc update checker details
- link agentic workflows in architecture overview
Signed-off-by: Marcel Bindseil <[email protected]>

- add GitHub and Jira backlog workflows to overview
- include cautionary note on security and compliance agents
- introduce new security and planning agents: Security Planner, SSSC Planner, RAI Planner
- update skills section with GitLab and Jira integrations
Signed-off-by: Marcel Bindseil <[email protected]>

- Add missing author, ms.date, ms.topic fields to agentic-workflows.md
- Add Copilot footer to 5 workflow .md files
- Add GH_AW_MODEL_AGENT_COPILOT and GH_AW_MODEL_DETECTION_COPILOT to actionlint config variables
- Ignore shellcheck SC2086/SC2129 in generated .lock.yml files
- Fix brace-expansion moderate vulnerability via npm audit fix
- Regenerate plugins after rebase from upstream

🔒 - Generated by Copilot
Signed-off-by: Marcel Bindseil <[email protected]>

…endency review workflow
- Implement automated review for Dependabot version bump PRs
- Establish safety checks and approval criteria for dependency changes
- Update documentation to reflect new workflow and its purpose
- Enhance existing workflows with clearer descriptions
Signed-off-by: Marcel Bindseil <[email protected]>

…opilot attribution
Signed-off-by: Marcel Bindseil <[email protected]>

- implement quality review process for pull requests
- define advisory mode for maintainer PRs
- establish review steps for issue alignment, template compliance, coding standards, and code quality
- update documentation to reflect new PR review workflow
Signed-off-by: Marcel Bindseil <[email protected]>

…collections
🔧 - Generated by Copilot
Signed-off-by: Marcel Bindseil <[email protected]>

# Conflicts:
# docs/docusaurus/src/data/collectionCards.ts

katriendg left a comment
Thanks for this interesting and exciting work! I'm really keen to see how this will work as an experimental phase 🤖
I have left some comments which I believe make this the right level of internal HVE-core testing while not overloading the published artifacts with internal agents which contain very repo-specific guidance.
Another one, nit:
your PR has a GHCP maturity table only listing one workflow file, I believe they should all be listed.

…uration
- change workflow name from "PR First-Pass Review" to "PR Review"
- update metadata hashes in lock files for consistency
- enhance issue triage and PR review configurations
Signed-off-by: Marcel Bindseil <[email protected]>

…orkflow
Signed-off-by: Marcel Bindseil <[email protected]>

…r agents
- implement automated dependency review for licensing and maintenance
- create documentation accuracy checker for code changes
- update workflow imports to reflect new agent paths
- remove legacy agent references from collections and README
Signed-off-by: Marcel Bindseil <[email protected]>

Signed-off-by: Marcel Bindseil <[email protected]>

…on and labeling
- implement agent for classifying, labeling, and assessing GitHub issues
- update workflows to reference new agent
- remove deprecated references from collections and documentation
Signed-off-by: Marcel Bindseil <[email protected]>

…ions
Signed-off-by: Marcel Bindseil <[email protected]>

Signed-off-by: Marcel Bindseil <[email protected]>

## Pre-Release 3.3.41

### ✨ Features
- add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219)
- consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240)
- add standards code review agent and full review orchestrator (#1174)
- standardize pytest-mock as Python mocking framework (#1170)
- add Jira backlog workflows and Jira/GitLab skills (#978)
- add centralized version bump script and supply-chain attestation (#1183)

### 🐛 Bug Fixes
- replace invalid bare tool names with official tool identifiers (#1198)
- fix broken links and remove orphaned reference in code review docs (#1257)
- exclude Python env dirs from skill validation warnings (#1255)
- pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253)
- remove Mermaid diagram and add missing collection cards (#1247)
- disable MCP servers by default to prevent token limit errors (#1144)
- sync package-lock.json after pre-release version bump (#1236)
- separate mermaid node declarations and add dynamic diagram generation with tests (#1215)
- replace anchor links in meeting-analyst with bold text references (#1201)
- remove recursive symlinks in jira and gitlab skill directories (#1233)
- validate-installation scripts now check .github/skills directory (#1010) (#1206)
- resolve npm audit vulnerabilities via dependency overrides (#1200)
- add post-release triggers to scorecard workflow (#1186)
- add missing .md extensions to relative links in agent documentation (#1180)

### 📚 Documentation
- CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251)

### ♻️ Refactoring
- align agent and prompt folder names to collection identifier (#1210)

### 🔧 Maintenance
- streamline RAI Planner phase structure and documentation (#1273)
- bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237)
- pre-release 3.3.27 (#1191)
- bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234)
- bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226)
- bump the github-actions group with 4 updates (#1231)
- add missing folders and alphabetize location lists (#1193)
- bump brace-expansion (#1224)
- bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217)
- bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213)
- pre-release 3.3.10 (#1187)
- bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175)
- bump the github-actions group with 3 updates (#1176)
- pre-release 3.3.1 (#1165)

---
*Managed automatically by pre-release workflow.*
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

## Pre-Release 3.3.101

### ✨ Features
- add removed maturity tier and retire owasp-docker (#1444)
- add evaluation dataset creator (#1279)
- align RAI planner with guide, remove scoring, improve UX (#1287)
- add PSGallery staleness check and BOM cleanup (#1379)
- ISA-95 network planner agent (#1177)
- auto-generate collection.md with maturity filtering (#1316)
- add folder-consistency check and standardize WARN outp… (#1350)
- add synth-data-generate prompt to data-science collection (#1419)
- add canonical deck workflow and customer-card rendering for design thinking (#1413)
- add Figma MCP integration for DT artifact export (#1222)
- introduce `owasp-docker` (#1245)
- replace hve-core-specific references with portable discovery-based language (#1335)
- introduce `owasp-cicd` (#1246)
- add secure-by-design knowledge skill (#1223)
- introduce `owasp-infrastructure` (#1244)
- introduce `owasp-mcp` (#1207)
- add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229)
- add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225)
- add maintainer-only skip-review label guard (#1293)
- add extension collections overview and integrate into getting started flow (#950)
- add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219)
- consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240)
- add standards code review agent and full review orchestrator (#1174)
- standardize pytest-mock as Python mocking framework (#1170)
- add Jira backlog workflows and Jira/GitLab skills (#978)
- add centralized version bump script and supply-chain attestation (#1183)

### 🐛 Bug Fixes
- pin PowerShell-Yaml to 0.4.7 across all install sites (#1378)
- close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421)
- replace stream-based lookahead with array indexing in list-changed-files.sh (#1376)
- centralize ISO 8601 timestamp regex in CIHelpers (#1343)
- update stale documentation date in release-process.md (#1363)
- pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374)
- add bot filter to dependency PR review workflow (#1362)
- resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360)
- standardize Timestamp JSON key casing across all lint result files (#1314)
- add synchronize trigger to PR Review workflow (#1323)
- standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280)
- add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304)
- standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284)
- standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282)
- derive collection artifact counts from YAML at build time (#1275)
- standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285)
- standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283)
- escape hyphens in Mermaid diagram on Collections page (#1262)
- add summary timestamp to PSScriptAnalyzer output (#1211)
- fix plugin compatibility and robustness for coding-standards code review agents (#1289)
- standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278)
- standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270)
- standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264)
- fix dependency-review path filters and sparse-checkout cone mode (#1259)
- replace invalid bare tool names with official tool identifiers (#1198)
- fix broken links and remove orphaned reference in code review docs (#1257)
- exclude Python env dirs from skill validation warnings (#1255)
- pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253)
- remove Mermaid diagram and add missing collection cards (#1247)
- disable MCP servers by default to prevent token limit errors (#1144)
- sync package-lock.json after pre-release version bump (#1236)
- separate mermaid node declarations and add dynamic diagram generation with tests (#1215)
- replace anchor links in meeting-analyst with bold text references (#1201)
- remove recursive symlinks in jira and gitlab skill directories (#1233)
- validate-installation scripts now check .github/skills directory (#1010) (#1206)
- resolve npm audit vulnerabilities via dependency overrides (#1200)
- add post-release triggers to scorecard workflow (#1186)
- add missing .md extensions to relative links in agent documentation (#1180)

### 📚 Documentation
- broaden Security Review description beyond OWASP (#1385)
- document maintainer advisory mode and skip-review label guard (#1386)
- document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383)
- CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251)

### ♻️ Refactoring
- align agent and prompt folder names to collection identifier (#1210)

### 🔧 Maintenance
- pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389)
- bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424)
- bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390)
- bump the github-actions group across 1 directory with 7 updates (#1391)
- bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356)
- upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353)
- bump basic-ftp from 5.2.0 to 5.2.1 (#1324)
- update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298)
- update security instruction attributions and compliance (#1294)
- bump the npm-dependencies group with 2 updates (#1297)
- pre-release 3.3.41 (#1252)
- streamline RAI Planner phase structure and documentation (#1273)
- bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237)
- pre-release 3.3.27 (#1191)
- bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234)
- bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226)
- bump the github-actions group with 4 updates (#1231)
- add missing folders and alphabetize location lists (#1193)
- bump brace-expansion (#1224)
- bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217)
- bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213)
- pre-release 3.3.10 (#1187)
- bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175)
- bump the github-actions group with 3 updates (#1176)
- pre-release 3.3.1 (#1165)

---
*Managed automatically by pre-release workflow.*
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

feat(agents): add sub-issue decomposition to Issue Triage Agent and agentic workflows documentation
This PR enhances the Issue Triage Agent with automatic sub-issue decomposition for oversized issues and adds comprehensive documentation covering the full agentic workflow pipeline in hve-core.
The triage agent gained the ability to break down broad issues into independently deliverable sub-issues, creating them via the GitHub API and linking them to the parent. A new architecture documentation page maps the end-to-end flow from issue creation through automated triage, implementation, and PR review, with Mermaid process flow diagrams and a catalog of all interactive agents.
Description
Agentic Workflows
Five workflows configured with the gh aw Copilot engine, each triggered by specific GitHub events:
- needs-triage. Classifies issues, applies labels from an allowlist, detects duplicates, and assesses quality with semantic coherence and scope validation checks. Removes needs-triage after processing. Uses checkout: false since it operates entirely through GitHub MCP tools.
- agent-ready by admin/maintainer/write users. Reads the issue, searches the codebase, implements changes, and creates a PR. An Instruction Priority section overrides the imported task-implementor agent's subagent orchestration procedure, directing the AI to follow only the workflow's 6-step linear procedure.
- documentation, needs-triage, and agent-ready labels — chaining into issue-implement for automated documentation fixes.
Agent Enhancements
The Issue Triage Agent (issue-triage.agent.md) received a new step 8 for decomposing oversized issues. When an issue touches multiple components, contains independent acceptance criteria, or implies sequential phases, the agent breaks it into focused sub-issues.
- mcp_github_issue_write and linked to the parent via mcp_github_sub_issue_write
- agent-ready, leaving that for a subsequent triage pass
- agent-ready when sub-issues are created
Documentation
A new Agentic Workflows page (docs/architecture/agentic-workflows.md) documents the complete automated and interactive agent ecosystem:
- needs-triage → classified → agent-ready → PR opened → review-passed → merged)
- .md source files to compiled lock files, triggers, and agents
The architecture README (docs/architecture/README.md) gained a cross-reference to the new page in the Further Reading section.
Other Changes
- npm run plugin:generate
Related Issue(s)
None
Type of Change
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
- prompt-builder agent and addressed all feedback
- .github/instructions/*.instructions.md)
- .github/prompts/*.prompt.md)
- .github/agents/*.agent.md)
- .github/skills/*/SKILL.md)
Other:
- .ps1, .sh, .py)
- .github/workflows/*.md)
Sample Prompts (for AI Artifact Contributions)
User Request:
Triage a newly opened issue that spans agents, scripts, and extension changes with broad acceptance criteria.
Execution Flow:
- mcp_github_issue_write, each targeting a single component.
- mcp_github_sub_issue_write.
- agent-ready.
Output Artifacts:
Success Indicators:
- agent-ready label on the parent or sub-issues (awaiting subsequent triage)
Testing
Automated validation:
- npm run lint:md
- npm run spell-check
- npm run lint:frontmatter
- npm run validate:skills
- npm run lint:ps
- npm run lint:md-links
Manual testing:
Checklist
Required Checks
AI Artifact Contributions
- /prompt-analyze to review contribution
- prompt-builder review
Required Automated Checks
The following validation commands must pass before merging:
- npm run lint:md
- npm run spell-check
- npm run lint:frontmatter
- npm run validate:skills
- npm run lint:md-links
- npm run lint:ps
Security Considerations
GHCP Artifact Maturity
- .github/agents/github/issue-triage.agent.md
Additional Notes
- plugins/ are generated output from npm run plugin:generate and should not be edited directly.
- .vscode/mcp.json and .vscode/settings.json changes are local configuration improvements unrelated to the core feature.
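
As an added example (not code from this PR or from hve-core), the sketch below audits a constructed label-event timeline against two rules the description states: the triage workflow applies labels only from an allowlist and removes needs-triage, and agent-ready starts issue-implement only when set by admin/maintainer/write users. The allowlist contents, the bot login, the role strings, the event shape and the choice to hold a flagged issue back from implementation are assumptions.

```python
from dataclasses import dataclass

# Constructed values: the page does not list the real allowlist or the bot's login.
TRIAGE_ALLOWLIST = frozenset({"bug", "enhancement", "documentation", "duplicate"})
TRIAGE_BOT = "triage-agent[bot]"
# Roles the PR description names for starting issue-implement (role strings assumed).
TRUSTED_ROLES = frozenset({"admin", "maintain", "write"})

@dataclass(frozen=True)
class LabelEvent:
    issue: int
    action: str  # "labeled" or "unlabeled"
    label: str
    actor: str
    role: str    # repository role of the actor when the event fired

def audit_label_events(events):
    """Return (issue, label, reason) for each event that breaks the label rules."""
    findings = []
    for ev in events:
        label = ev.label.strip().lower()
        if ev.actor == TRIAGE_BOT:
            if ev.action == "labeled" and label not in TRIAGE_ALLOWLIST:
                findings.append((ev.issue, label, "triage label outside allowlist"))
            elif ev.action == "unlabeled" and label != "needs-triage":
                findings.append((ev.issue, label, "triage removed unexpected label"))
        elif (ev.action == "labeled" and label == "agent-ready"
              and ev.role not in TRUSTED_ROLES):
            findings.append((ev.issue, label, f"agent-ready set by role {ev.role}"))
    return findings

def cleared_for_implementation(events):
    """Issues that currently carry agent-ready and have no finding against them."""
    flagged = {issue for issue, _, _ in audit_label_events(events)}
    ready = set()
    for ev in events:  # replay in order so a later unlabel wins
        if ev.label.strip().lower() != "agent-ready":
            continue
        if ev.action == "labeled":
            ready.add(ev.issue)
        else:
            ready.discard(ev.issue)
    return sorted(ready - flagged)

# Constructed timeline covering three issues.
SAMPLE_EVENTS = [
    LabelEvent(101, "labeled", "bug", TRIAGE_BOT, "write"),
    LabelEvent(101, "unlabeled", "needs-triage", TRIAGE_BOT, "write"),
    LabelEvent(101, "labeled", "agent-ready", "maintainer-a", "maintain"),
    LabelEvent(102, "labeled", "agent-ready", "triager-c", "triage"),
    LabelEvent(103, "labeled", "Security-Approved", TRIAGE_BOT, "write"),
    LabelEvent(103, "labeled", "agent-ready", "dev-b", "write"),
]

if __name__ == "__main__":
    print(audit_label_events(SAMPLE_EVENTS), cleared_for_implementation(SAMPLE_EVENTS))
```

Issue 103 is held back even though a write-level user set agent-ready, because the triage agent had already applied a label outside its allowlist on that issue.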