docs: improve gh-aw skills, compact agents, and align workflow docs#8510
…kills with latest features Agent-Logs-Url: https://github.com/Hack23/cia/sessions/6e645176-7e5b-4347-8732-14081bf4da5c Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
…E descriptions Agent-Logs-Url: https://github.com/Hack23/cia/sessions/6e645176-7e5b-4347-8732-14081bf4da5c Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
Scanned Files: None
Pull request overview
This PR streamlines and updates the repository’s Copilot/agent documentation, focusing on the skills library (notably GitHub Agentic Workflows and GitHub Actions) and compacting agent profiles and Copilot instructions to reduce duplication while reflecting the current toolchain.
Changes:
- Rewrote the GitHub Agentic Workflows skill with updated gh-aw concepts (security layers, safe outputs, engines, gallery).
- Updated the GitHub Actions Workflows skill to reflect the current CIA build environment and add security hardening guidance (pinning, permissions, SLSA patterns).
- Compacted Copilot instructions and agent profiles/README to reduce duplication and improve scanability.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/skills/README.md | Updates CI/CD skill descriptions to mention current environment and gh-aw capabilities. |
| .github/skills/github-agentic-workflows/SKILL.md | Major rewrite: gh-aw architecture/security layers, safe outputs, engines, examples, references. |
| .github/skills/github-actions-workflows/SKILL.md | Updates CI/CD templates and security guidance to match the current stack and practices. |
| .github/copilot-instructions.md | Compacts global Copilot guidance and updates environment/quality thresholds. |
| .github/agents/ui-enhancement-specialist.md | Compacts UI agent profile and adds updated best-practice snippets/checklists. |
| .github/agents/task-agent.md | Compacts task agent profile; focuses on issue creation, quality analysis, delegation. |
| .github/agents/stack-specialist.md | Compacts stack specialist profile; summarizes stack, patterns, and example snippets. |
| .github/agents/README.md | Replaces long-form content with a compact agent table + usage/resources. |
| .github/agents/marketing-specialist.md | Compacts marketing agent profile; emphasizes neutrality and measurable growth. |
| .github/agents/intelligence-operative.md | Compacts intelligence agent profile; focuses on frameworks, sources, and rigor. |
| .github/agents/business-development-specialist.md | Compacts business agent profile; focuses on models, segments, and metrics. |
.github/copilot-instructions.md
| mvn site | ||
| mvn clean install # Full build with tests | ||
| mvn clean install -DskipTests # Build without tests | ||
| mvn test # Tests only (excludes *ITest*, Xml*TypeAdapterTest) |
mvn test does not exclude integration tests or the Xml*TypeAdapterTest classes by default. The actual CI commands pass an explicit -Dtest='!**ITest*,!**/XmlDateTypeAdapterTest,!**/XmlTimeTypeAdapterTest,!**/XmlDateTimeTypeAdapterTest' (see .github/workflows/copilot-setup-steps.yml / codeql-analysis.yml). Update this line to either (a) show the full recommended command with -Dtest=... or (b) remove the exclusion claim to avoid misleading local runs.
| mvn test # Tests only (excludes *ITest*, Xml*TypeAdapterTest) | |
| mvn test -Dtest='!**ITest*,!**/XmlDateTypeAdapterTest,!**/XmlTimeTypeAdapterTest,!**/XmlDateTimeTypeAdapterTest' # Tests only (excludes integration and Xml*TypeAdapterTest) |
| - name: Run Tests | ||
| run: mvn test | ||
| run: mvn test -Dtest='!*ITest*,!Xml*TypeAdapterTest' |
The test exclusion pattern in this template (-Dtest='!*ITest*,!Xml*TypeAdapterTest') doesn’t match what the repo actually uses in CI (!**ITest* plus specific XmlDate/XmlTime/XmlDateTimeTypeAdapterTest excludes). Align this command with .github/workflows/copilot-setup-steps.yml / codeql-analysis.yml so copy/pasting the template behaves consistently across modules.
| run: mvn test -Dtest='!*ITest*,!Xml*TypeAdapterTest' | |
| run: mvn test -Dtest='!**ITest*,!XmlDateTypeAdapterTest,!XmlTimeTypeAdapterTest,!XmlDateTimeTypeAdapterTest' |
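Review bot: the exclude list here drops the `**/` prefix (`!XmlDateTypeAdapterTest`) that the matching suggestion on copilot-instructions.md keeps (`!**/XmlDateTypeAdapterTest`); both are meant to mirror the same CI command, so pick one spelling and use it in both files so the two docs do not drift apart again.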
| ### Secrets Management | ||
| ```yaml | ||
| # ✅ Use GitHub secrets | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
|
|
||
| # ✅ Use OIDC for cloud access (no long-lived keys) | ||
| - uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | ||
|
|
||
| # ❌ Never hardcode credentials |
This section recommends pinning actions to full commit SHAs, but the OIDC example uses aws-actions/configure-aws-credentials@v4 (a mutable tag). To keep the guidance internally consistent, pin this example to a SHA as well (similar to the deploy example earlier) or explicitly call out why a tag is acceptable here.
| # SLSA 3 build provenance | ||
| - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven.yml@v2 |
This “Supply Chain Security” example uses ...builder_maven.yml@v2 (tag) immediately after stating “Always pin actions to full SHA commit hashes”. Either pin this reusable workflow invocation to a specific commit SHA, or soften the earlier guidance to allow version tags for trusted publishers.
| # SLSA 3 build provenance | |
| - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven.yml@v2 | |
| # SLSA 3 build provenance (pin to a specific commit SHA) | |
| - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven.yml@3c58c41cab36161dc53f223132d1f59f1df67cf9 |
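Review bot: `- uses:` pointing at a `.github/workflows/builder_maven.yml` path is a reusable-workflow call, which GitHub Actions only accepts at job level (`jobs.<id>.uses`), never as a step, so the snippet fails workflow validation in both the old and the suggested form; move it into its own job. The pinned line should also carry the `# vX.Y.Z` trailer that the other SHA pins in this PR use (e.g. `# v4.1.0`), so readers and dependency-update bots can tell which release the SHA corresponds to.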
| layout.setWidthFull(); | ||
| layout.setFlexGrow(1, mainContent); | ||
| layout.addClassName("responsive-layout"); | ||
|
|
||
| // ✅ Push for real-time updates | ||
| @Push | ||
| public class CIAApplication extends SpringVaadinServlet { } |
The Vaadin code examples mix Vaadin Flow APIs (setWidthFull(), setFlexGrow(), addClassName()) and place @Push on a servlet. The CIA app appears to use Vaadin 8 (e.g., CitizenIntelligenceAgencyUI is annotated with @Push), so these snippets won’t compile and may mislead contributors. Update examples to Vaadin 8 equivalents (e.g., setWidth("100%") / addStyleName(...)) and show @Push on the UI class as in the codebase.
| layout.setWidthFull(); | |
| layout.setFlexGrow(1, mainContent); | |
| layout.addClassName("responsive-layout"); | |
| // ✅ Push for real-time updates | |
| @Push | |
| public class CIAApplication extends SpringVaadinServlet { } | |
| layout.setWidth("100%"); | |
| layout.setExpandRatio(mainContent, 1f); | |
| layout.addStyleName("responsive-layout"); | |
| // ✅ Push for real-time updates (Vaadin 8 style) | |
| @Push | |
| public class CitizenIntelligenceAgencyUI extends UI { | |
| // UI initialization and view navigation | |
| } |
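Review bot: `setExpandRatio(mainContent, 1f)` is only available on the ordered layouts (`VerticalLayout`/`HorizontalLayout`); if `layout` is the `CssLayout` that the decision table elsewhere in this PR recommends for responsive layouts, the line does not compile. Either declare `layout` as a `VerticalLayout` in the snippet or drop the expand-ratio line for the CssLayout case.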
| ```java | ||
| // SAFE: Vaadin automatically encodes text | ||
| Label nameLabel = new Label(politician.getName()); // Encoded by Vaadin | ||
| // ✅ Always sanitize user input before rendering | ||
| Span safeContent = new Span(Jsoup.clean(userInput, Safelist.none())); | ||
|
|
||
| // SAFE: Use setContent() for HTML, but sanitize first | ||
| Label htmlLabel = new Label(); | ||
| htmlLabel.setContentMode(ContentMode.HTML); | ||
| htmlLabel.setValue(sanitizeHtml(userInput)); // MUST sanitize! | ||
| // ✅ Use Text component (auto-escapes) | ||
| layout.add(new Text(userProvidedString)); | ||
|
|
||
| // UNSAFE: Never use raw HTML from user input | ||
| // label.setValue(ContentMode.HTML, userInput); // XSS VULNERABILITY! | ||
| // ❌ Never use Html component with unsanitized input | ||
| // layout.add(new Html("<div>" + userInput + "</div>")); // DANGEROUS |
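Review bot: `sanitizeHtml(userInput)` on the HTML-mode line is an undefined helper, while the line above already shows a concrete call, `Jsoup.clean(userInput, Safelist.none())`; define it inline (for HTML content that is meant to keep some markup, `Jsoup.clean(userInput, Safelist.basic())`, since `Safelist.none()` strips every tag and leaves nothing worth rendering as HTML) so readers do not substitute a weaker sanitizer. It is also worth stating that `Label` defaults to text mode, so the safe path needs no extra call at all; the risk is entirely in switching to `ContentMode.HTML`.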
The XSS-prevention examples use Vaadin Flow components (Span, Text, Html) rather than Vaadin 8 APIs used by this repo. Consider rewriting these snippets using Vaadin 8 components (e.g., Label with text mode + sanitizer for any HTML) so the guidance is directly applicable.
| You are the **Task Agent**, a product excellence specialist for the Citizen Intelligence Agency project. Your mission is to improve the product across quality, functionality, UI/UX, security, and ISMS compliance by identifying issues, creating actionable GitHub tasks, and coordinating specialized agents. | ||
|
|
||
| **Always read first**: README.md, .github/workflows/copilot-setup-steps.yml, .github/copilot-mcp-config.json, and relevant skills from .github/skills/. | ||
|
|
The PR description says each agent now references copilot-instructions.md for shared rules, but this “Always read first” list doesn’t include it. Either add /.github/copilot-instructions.md here (and in the other agent profiles) or update the PR description to match what was actually changed.
@copilot apply changes based on the comments in this thread
…8 APIs, copilot-instructions ref Agent-Logs-Url: https://github.com/Hack23/cia/sessions/81cd5d37-3b2d-44a2-a7fe-f94024e561d6 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Applied all 7 review comments in commit
.github/agents/task-agent.md
| // Track progress | ||
| get_copilot_job_status({ owner: "Hack23", repo: "cia", job_id: "..." }) |
get_copilot_job_status(...) isn’t referenced elsewhere in the repo docs, and .github/COPILOT_ISSUE_ASSIGNMENT.md doesn’t describe a job-status API. If this is a real MCP tool, consider linking to where it’s documented; otherwise, replace with a verifiable way to track progress (e.g., checking the PR created by Copilot / Actions runs).
| // Track progress | |
| get_copilot_job_status({ owner: "Hack23", repo: "cia", job_id: "..." }) | |
| // Track progress: monitor PRs and workflow runs linked to the issue | |
| // Example: list recent PRs and filter those referencing ISSUE_NUMBER | |
| const pulls = await octokit.rest.pulls.list({ owner: "Hack23", repo: "cia", state: "open" }); | |
| const related = pulls.data.filter(pr => pr.body?.includes(`#${ISSUE_NUMBER}`)); |
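Review bot: `pr.body?.includes(`#${ISSUE_NUMBER}`)` matches by substring, so tracking issue #12 also picks up PRs that mention #123 or #1200; use a boundary-aware test such as `new RegExp(`#${ISSUE_NUMBER}\\b`).test(pr.body ?? "")`. `pulls.list` also returns only the first page (30 items by default), so iterate with `octokit.paginate(octokit.rest.pulls.list, {...})` or the linked PR will be missed once the open-PR list grows.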
| | Layout choice? | `VerticalLayout` for forms, `HorizontalLayout` for toolbars, `FlexLayout` for complex responsive | | ||
| | Chart library? | Chart.js via Vaadin addon for standard charts | | ||
| | Data table? | Vaadin `Grid` with lazy loading and virtual scroll | | ||
| | Form validation? | Vaadin `Binder` with bean validation annotations | | ||
| | Theming? | Custom CSS via `@CssImport`, Lumo variables | |
The Decision Framework references FlexLayout and theming via @CssImport/Lumo variables, which are Vaadin Flow concepts. This repo uses Vaadin 8 (e.g., @Theme("cia") and ValoTheme), so please replace these with Vaadin 8 equivalents (e.g., CssLayout/HorizontalLayout/VerticalLayout, Valo theme + SCSS, @StyleSheet if needed).
| | Layout choice? | `VerticalLayout` for forms, `HorizontalLayout` for toolbars, `FlexLayout` for complex responsive | | |
| | Chart library? | Chart.js via Vaadin addon for standard charts | | |
| | Data table? | Vaadin `Grid` with lazy loading and virtual scroll | | |
| | Form validation? | Vaadin `Binder` with bean validation annotations | | |
| | Theming? | Custom CSS via `@CssImport`, Lumo variables | | |
| | Layout choice? | `VerticalLayout` for forms, `HorizontalLayout` for toolbars, `CssLayout` + Valo theme for complex responsive layouts | | |
| | Chart library? | Chart.js via Vaadin addon for standard charts | | |
| | Data table? | Vaadin `Grid` with lazy loading and virtual scroll | | |
| | Form validation? | Vaadin `Binder` with bean validation annotations | | |
| | Theming? | Valo theme + custom SCSS via `@Theme("cia")`, optional `@StyleSheet` for extra CSS | |
| @@ -25,66 +38,179 @@ on: | |||
| pull_request: | |||
| branches: [main] | |||
The pipeline template triggers on main/develop, but this repo appears to use master as the default branch (e.g., root pom.xml SCM URL points to /tree/master/ and multiple workflows trigger on master). Align the example branch names with the repo so it’s copy/pasteable.
| runs-on: ubuntu-latest | ||
| needs: [build, security] | ||
| if: github.ref == 'refs/heads/main' | ||
| steps: | ||
| - name: Deploy to AWS | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 | ||
| with: | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: eu-west-1 | ||
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | ||
| aws-region: eu-north-1 |
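Review bot: replacing the access-key inputs with `role-to-assume` makes this step depend on GitHub OIDC, which requires `permissions: id-token: write` on the deploy job; the hunk shows no such permission, so the token exchange fails as written. Grant it to this job only (keep `contents: read` alongside it), and once the role path works, delete the now-unused `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets so a stale long-lived key is not left behind.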
The deploy guard checks refs/heads/main, but the repo’s default branch appears to be master. Please update the branch check to match the repository branch naming so the example behaves as intended.
| | `verify-and-release.yml` | Main CI/CD: build, test, release | Push/PR to main | | ||
| | `codeql-analysis.yml` | Security vulnerability scanning | Push/PR + scheduled | | ||
| | `dependency-review.yml` | Dependency security checks | PR only | | ||
| | `scorecards.yml` | OpenSSF Scorecard assessment | Scheduled | | ||
| | `release.yml` | Build artifacts + SLSA attestations | Tag push | |
The “Existing Workflows” inventory doesn’t match .github/workflows/: there’s no verify-and-release.yml file, and the current release.yml workflow is workflow_dispatch (not tag-triggered). Please update filenames/triggers to reflect the repo’s actual workflows.
| | `verify-and-release.yml` | Main CI/CD: build, test, release | Push/PR to main | | |
| | `codeql-analysis.yml` | Security vulnerability scanning | Push/PR + scheduled | | |
| | `dependency-review.yml` | Dependency security checks | PR only | | |
| | `scorecards.yml` | OpenSSF Scorecard assessment | Scheduled | | |
| | `release.yml` | Build artifacts + SLSA attestations | Tag push | | |
| | `codeql-analysis.yml` | Security vulnerability scanning | Push/PR + scheduled | | |
| | `dependency-review.yml` | Dependency security checks | PR only | | |
| | `scorecards.yml` | OpenSSF Scorecard assessment | Scheduled | | |
| | `release.yml` | Build artifacts + SLSA attestations | Manual (`workflow_dispatch`) | |
| ```yaml | ||
| # Multi-level caching for resilience | ||
| - name: Cache Maven repository | ||
| uses: actions/cache@v4 |
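Review bot: when this is pinned, make sure the SHA and the `# vX.Y.Z` trailer refer to the same release (copy the SHA from the tag in the action's repository rather than typing it from memory); a mismatched trailer is worse than a bare SHA because it gives reviewers and update bots a false version to reason about.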
This section uses actions/cache@v4, which conflicts with the earlier guidance in this doc to pin actions to full SHAs. Please change this example to a SHA-pinned actions/cache reference for internal consistency and supply-chain hygiene.
| uses: actions/cache@v4 | |
| uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.0.2 |
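Several comments in this review flag the same inconsistency: a doc that says "pin to full SHAs" while its own snippets use `@v4` or `@v2`. The following added example (not code from the PR or the Hack23/cia repository) is a small checker that lists every `uses:` reference in a workflow file that is not a 40-hex commit pin carrying a `# vX.Y.Z` comment; the workflow text is constructed for the demonstration, and the version-comment convention is an assumption taken from the pins in this PR.

```python
import re
from typing import Dict, List, Optional

# Constructed sample workflow (not from the repository). It covers the cases
# raised in this review: mutable tags, a SHA pin with a version comment, a SHA
# pin without one, a local action, a docker:// image and a reusable-workflow call.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.0.2
      - uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.19
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven.yml@v2
"""

# `uses:` at step level ("- uses:") or job level ("uses:"), with an optional
# trailing "# comment" that the pinning convention fills with the release tag.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumed convention (as used by the pins in this PR): the comment starts with vX[.Y[.Z]].
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+)*")


def classify_ref(ref: str, comment: Optional[str]) -> str:
    """Classify one `uses:` reference.

    Returns one of: "local", "docker", "mutable", "sha-no-version-comment", "sha-pinned".
    """
    if ref.startswith("./"):
        return "local"  # lives in this repo, so it is fixed by the checkout itself
    if ref.startswith("docker://"):
        return "docker"  # image tags need digest pinning, which this check does not cover
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if not SHA_RE.fullmatch(version):
        return "mutable"  # tag, branch or short SHA: all can move or be ambiguous
    if not comment or not VERSION_COMMENT_RE.match(comment.strip()):
        return "sha-no-version-comment"
    return "sha-pinned"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line that is not a clean SHA pin (local actions are skipped)."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        status = classify_ref(m.group("ref"), m.group("comment"))
        if status in ("sha-pinned", "local"):
            continue
        findings.append({"line": lineno, "ref": m.group("ref"), "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['status']:<24} {f['ref']}")
```

Run against a real file with `audit_workflow(open(".github/workflows/x.yml").read())`; an empty list means every third-party reference is SHA-pinned with a readable version trailer.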
.github/agents/task-agent.md
| // Assign Copilot to work on an issue | ||
| assign_copilot_to_issue({ | ||
| owner: "Hack23", repo: "cia", | ||
| issue_number: ISSUE_NUMBER, | ||
| base_ref: "main", | ||
| custom_instructions: "Follow existing patterns. Include unit tests with 80%+ coverage." |
The delegation snippet uses assign_copilot_to_issue(...), but the repo’s documented MCP pattern uses GitHub MCP tools like github-update_issue for Copilot assignment (see .github/COPILOT_ISSUE_ASSIGNMENT.md). Please update this example to the actual tool name so it’s consistent and copy/pasteable.
@copilot apply changes based on the comments in this thread
… inventory, SHA pinning, Vaadin 8, MCP tools Agent-Logs-Url: https://github.com/Hack23/cia/sessions/e9858d2a-bbcc-4ee4-970b-a62c4993956b Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Applied all 7 review comments in commit
| uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 | ||
| with: | ||
| languages: java | ||
|
|
In the pipeline template, the CodeQL job runs init and then analyze without an autobuild/build step in between. For Java, CodeQL needs a build (or github/codeql-action/autobuild) to create the database; as written this snippet is likely to fail or confuse readers. Consider adding an autobuild step or a Maven build step between init and analyze (similar to .github/workflows/codeql-analysis.yml).
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 |
| | **Virtual scrolling** | Enable on grids with 1000+ rows | | ||
| | **Component reuse** | Cache frequently-used view components | | ||
| | **Image optimization** | WebP format, lazy loading, responsive `srcset` | | ||
| | **Bundle size** | Tree-shake unused Vaadin components | |
Tree-shake unused Vaadin components is misleading in the Vaadin 8 (server-side / GWT) context—there isn’t a typical JS bundler tree-shaking step developers can apply. Suggest replacing this with Vaadin-8-relevant guidance (e.g., avoid unused add-ons/client resources, keep widgetset minimal, reduce component tree depth, use lazy data providers, and tune server push/round-trips).
| | **Bundle size** | Tree-shake unused Vaadin components | | |
| | **Bundle size** | Keep widgetset minimal; avoid unused add-ons/client resources | |
| ### Issue & PR Management | ||
| - **Issue Triage Agent** — Auto-label and comment on new issues | ||
| - **PR Triage Agent** — Categorize and assign PRs | ||
| - **Plan Command** (`/plan`) — Decompose issues into sub-tasks (67% merge rate, 514+ merged PRs) |
This line includes specific success metrics (“67% merge rate, 514+ merged PRs”) without a source. These numbers are likely to become stale and hard to validate; consider linking to a source/measurement method or removing the hard-coded rates.
| - **Plan Command** (`/plan`) — Decompose issues into sub-tasks (67% merge rate, 514+ merged PRs) | |
| - **Plan Command** (`/plan`) — Decompose issues into sub-tasks |
| - **Daily Issues Report** — Team status summaries | ||
| - **Documentation Healer** — Fix stale docs and broken links | ||
| - **Architecture Diagram Generator** — Auto-generate C4/Mermaid diagrams | ||
| - **Discussion Task Miner** — Extract actionable tasks from discussions (57% merge rate) |
This line includes a specific “57% merge rate” without a source. To keep the doc maintainable and trustworthy, consider adding a citation/measurement method or dropping the hard-coded rate.
| - **Discussion Task Miner** — Extract actionable tasks from discussions (57% merge rate) | |
| - **Discussion Task Miner** — Extract actionable tasks from discussions |
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| actions: read | ||
|
|
||
| jobs: |
The deploy example uses aws-actions/configure-aws-credentials with role-to-assume, which relies on GitHub OIDC and requires permissions: id-token: write (at workflow or job scope). Without that permission the snippet won’t work as written; consider adding it to the deploy job (and removing it from jobs that don’t need it).
@copilot apply changes based on the comments in this thread
…permissions, Vaadin 8 bundle guidance, remove stale metrics Agent-Logs-Url: https://github.com/Hack23/cia/sessions/554fd806-b4db-49be-9739-fb3150649b16 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Applied all 5 review comments in commit
| ### Existing Workflows | ||
| | Workflow | Purpose | Trigger | | ||
| |----------|---------|---------| | ||
| | `codeql-analysis.yml` | Security vulnerability scanning | Push/PR to master + scheduled | | ||
| | `dependency-review.yml` | Dependency security checks | PR only | | ||
| | `scorecards.yml` | OpenSSF Scorecard assessment | Scheduled | | ||
| | `release.yml` | Build artifacts + SLSA attestations | Manual (`workflow_dispatch`) | | ||
| | `copilot-setup-steps.yml` | Copilot agent build environment | Copilot sessions | | ||
| | `javadoc-generation.yml` | JavaDoc generation | Push/scheduled | | ||
| | `site-generation.yml` | Maven site generation | Push/scheduled | | ||
| | `zap-scan.yml` | OWASP ZAP security scan | Scheduled | |
The “Existing Workflows” table is incomplete compared to the current .github/workflows/ directory (e.g., generate-intelligence-changelog.yml, labeler.yml, validate-field-completeness.yml, validate-json-schemas.yml, validate-view-documentation.yml also exist). Either add the missing workflows or clarify that this table is a curated subset (not an inventory).
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 | ||
| with: | ||
| languages: java | ||
|
|
||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 | ||
|
|
||
| - name: CodeQL Analysis | ||
| uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 | ||
|
|
The CI/CD template includes a CodeQL autobuild step, but the repo’s actual codeql-analysis.yml currently has Autobuild commented out and does a custom build before codeql-action/analyze. Consider updating the template (or adding a note) so readers don’t assume Autobuild is used/enabled in this repository.
.github/copilot-instructions.md
| **ALWAYS read at the start of EVERY task:** | ||
| 1. **[README.md](../README.md)** — Project overview, features, docs | ||
| 2. **[copilot-setup-steps.yml](workflows/copilot-setup-steps.yml)** — Build environment (Java 26, Maven 3.9.14, PostgreSQL 18) | ||
| 3. **[copilot-mcp-config.json](copilot-mcp-config.json)** — MCP servers (GitHub, filesystem, memory, playwright) |
The MCP server list here omits sequential-thinking, which is configured in .github/copilot-mcp-config.json alongside github/filesystem/memory/playwright. Update the parenthetical list so it matches the actual config.
| 3. **[copilot-mcp-config.json](copilot-mcp-config.json)** — MCP servers (GitHub, filesystem, memory, playwright) | |
| 3. **[copilot-mcp-config.json](copilot-mcp-config.json)** — MCP servers (GitHub, filesystem, memory, playwright, sequential-thinking) |
| **Accessibility First, Security Always**: Every UI component must meet WCAG 2.1 AA standards and prevent XSS vulnerabilities. Never compromise on accessibility or security for visual appeal. Test with keyboard navigation and screen readers. Sanitize all user-generated content. Follow Vaadin security patterns. When in doubt, encode outputs, validate inputs, and test with assistive technologies. | ||
| - ♿ **Accessibility is mandatory** — WCAG 2.1 AA compliance for all components | ||
| - 📊 **Data-driven design** — every visualization must tell a clear story | ||
| - 🔒 **XSS prevention** — sanitize all user input, use Text component for user data |
Vaadin 8 doesn’t have a Text component (that’s a Vaadin Flow concept). To avoid confusion, replace “Text component” with the Vaadin 8 pattern used elsewhere here (e.g., Label with ContentMode.TEXT / default text mode) for rendering user-provided strings safely.
| - 🔒 **XSS prevention** — sanitize all user input, use Text component for user data | |
| - 🔒 **XSS prevention** — sanitize all user input, use `Label` in text mode (e.g. `ContentMode.TEXT`) for user data |
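Review bot: in Vaadin 8 `ContentMode.TEXT` is already the `Label` default, so the wording could state the rule directly: never set `ContentMode.HTML` on a label that displays user-provided data, and sanitize with Jsoup before the HTML mode is used anywhere; that is exactly the mistake the UNSAFE example elsewhere in this PR warns about.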
@copilot apply changes based on the comments in this thread
@copilot apply changes based on the comments in this thread
@copilot apply changes based on the comments in this thread
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/f589c6c7-bbe0-4ca9-ba84-c92b73696360 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Applied the latest review-thread changes in commit Updated workflow docs to clarify curated subset scope and include missing workflows, added a note that this repo’s CodeQL uses custom Maven build with Autobuild disabled, updated MCP server list to include
Implemented the requested thread updates in commit This includes workflow table scope/coverage fixes, CodeQL autobuild clarification note, MCP server list alignment (
Done in commit Addressed all comments from that review thread: curated-subset clarification plus missing workflow entries, CodeQL template note vs repo custom build, MCP list update to include
…8 Text→Label, add missing workflows, note autobuild Agent-Logs-Url: https://github.com/Hack23/cia/sessions/805fa5df-3bf6-4d23-8838-fd23ca176e27 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
… workflows table, autobuild note (#8512)

* docs: rewrite github-agentic-workflows and github-actions-workflows skills with latest features
  Agent-Logs-Url: https://github.com/Hack23/cia/sessions/6e645176-7e5b-4347-8732-14081bf4da5c
  Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
* docs: compact all 6 agents, update agents README, update skills README descriptions
  Agent-Logs-Url: https://github.com/Hack23/cia/sessions/6e645176-7e5b-4347-8732-14081bf4da5c
  Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
* fix: address PR review comments - test patterns, SHA pinning, Vaadin 8 APIs, copilot-instructions ref
  Agent-Logs-Url: https://github.com/Hack23/cia/sessions/81cd5d37-3b2d-44a2-a7fe-f94024e561d6
  Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
* fix: address second round of review comments - branch names, workflow inventory, SHA pinning, Vaadin 8, MCP tools
  Agent-Logs-Url: https://github.com/Hack23/cia/sessions/e9858d2a-bbcc-4ee4-970b-a62c4993956b
  Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
* fix: address third round of review comments - CodeQL autobuild, OIDC permissions, Vaadin 8 bundle guidance, remove stale metrics
  Agent-Logs-Url: https://github.com/Hack23/cia/sessions/554fd806-b4db-49be-9739-fb3150649b16
  Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
* docs: address PR #8510 review comments — fix MCP server list, Vaadin 8 Text→Label, add missing workflows, note autobuild
  Agent-Logs-Url: https://github.com/Hack23/cia/sessions/805fa5df-3bf6-4d23-8838-fd23ca176e27
  Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>

---------

Signed-off-by: James Pether Sörling <pethers@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Co-authored-by: James Pether Sörling <pethers@users.noreply.github.com>

Description
Major documentation quality improvements across skills, agents, and Copilot instructions, with additional review-driven fixes for workflow inventory accuracy, CodeQL guidance clarity, MCP server list completeness, and Vaadin 8 wording consistency.
Key updates included in this PR
- Compacted `.github/copilot-instructions.md` and all 6 agent profiles to remove duplication while preserving required guidance.
- Added the missing workflows to the workflow table (`generate-intelligence-changelog.yml`, `labeler.yml`, `validate-field-completeness.yml`, `validate-json-schemas.yml`, `validate-view-documentation.yml`).
- Noted that `codeql-analysis.yml` uses a custom Maven build with Autobuild disabled.
- Added `sequential-thinking` to the MCP server list.
- XSS guidance now refers to Vaadin 8 `Label` text mode (`ContentMode.TEXT`) rather than Flow-specific terminology.
Testing
Documentation-only updates; no application/runtime code changed.
Documentation
Updated files include:
- `.github/skills/github-agentic-workflows/SKILL.md`
- `.github/skills/github-actions-workflows/SKILL.md`
- `.github/skills/README.md`
- `.github/copilot-instructions.md`
- `.github/agents/*.md` (all 6 agents + README)
Screenshots
N/A (documentation-only changes)
Related Issues
N/A
Additional Notes
Review feedback has been addressed across four rounds:
- Branch names (`master`), workflow inventory corrections, `actions/cache` pinning, MCP tool naming/progress tracking, Vaadin 8 decision framework.
- `id-token: write` permission, Vaadin 8 bundle-size wording, removal of unsourced metrics.
- `sequential-thinking` in the MCP server list, Vaadin 8 `Label` text-mode wording for XSS guidance.
Release Notes
Improved and compacted Copilot/agent documentation with current gh-aw and GitHub Actions guidance, plus review-driven corrections for workflow inventory scope, CodeQL template clarity, MCP server completeness, and Vaadin 8-safe UI wording.