Add agentic workflow code-simplifier#316

Merged: veverkap merged 2 commits into main from add-workflow-code-simplifier-8095 on May 22, 2026
Conversation

@veverkap veverkap commented May 22, 2026

Add agentic workflow code-simplifier

Greptile Summary

This PR upgrades the code-simplifier agentic workflow from a generic multi-language setup to a Go-specific configuration, migrating the source reference from githubnext/agentics to github/gh-aw and extracting shared PR-creation logic into a new daily-pr-base.md template.

  • Permissions & network hardened: permissions: read-all replaced with explicit contents/issues/pull-requests: read; network allowlist narrowed from ~100 multi-language domains to Go-only registries (proxy.golang.org, sum.golang.org, go.dev, etc.).
  • Safe-outputs refactored: PR-creation safe-outputs moved into shared/daily-pr-base.md with a copilot reviewer added; however the new shared template omits max: 1, protected_files_policy: fallback-to-issue, and related file-protection guards that the old inline config provided.
  • Strict mode & cli-proxy enabled: strict: true and tools.cli-proxy: true added; skip-if-match migrated to the shared/skip-if-issue-open.md import.

Confidence Score: 4/5

Safe to merge with awareness of two gaps in the new shared template that could affect future workflows importing it.

The workflow itself is correctly compiled and the Go-only network restriction, explicit permissions, and strict mode are all improvements. The two concerns — the missing max cap and the dropped protected_files_policy in daily-pr-base.md — do not break the current code-simplifier run but make the shared template incomplete for future callers.

shared/daily-pr-base.md warrants a second look for the missing PR-creation guards before it is reused by other workflows.

Important Files Changed

| Filename | Overview |
| --- | --- |
| `.github/workflows/code-simplifier.lock.yml` | Auto-generated compiled workflow updated: source reference migrated from githubnext/agentics to github/gh-aw, network allowlist narrowed to Go-only domains, permissions tightened to explicit read grants, copilot reviewer added to PR creation config, and protected_files_policy: fallback-to-issue removed from safe-outputs. |
| `.github/workflows/code-simplifier.md` | Source workflow definition updated: replaced broad read-all permissions with explicit minimal ones, narrowed network to go-only, migrated PR safe-outputs to shared daily-pr-base.md, added strict mode, cli-proxy, and copilot reviewer; prompt still contains multi-language instructions inconsistent with the Go-only network restriction. |
| `.github/workflows/shared/daily-pr-base.md` | New shared template bundling activation-app + reporting + create-pull-request safe-outputs; missing max: 1 PR limit and protected-files-policy: fallback-to-issue that the old inline config provided, making it incomplete as a general-purpose shared component. |


### Issue 1 of 3
.github/workflows/shared/daily-pr-base.md:36-42
**Missing `max` PR limit in shared template**

The `safe-outputs.create-pull-request` block omits a `max: 1` constraint. The compiled lock file currently carries `"max":1` (apparently injected by the compiler as a default), but this shared template itself gives no guarantee. Any future workflow that imports `daily-pr-base.md` and is compiled with a different tool version — or one that changes the default — could produce unlimited automated PRs. Explicitly setting `max: 1` here would make the limit authoritative and visible to maintainers without requiring them to inspect the compiled lock.

### Issue 2 of 3
.github/workflows/shared/daily-pr-base.md:36-42
**`protected_files_policy` guard dropped**

The old `create-pull-request` safe-outputs config included `"protected_files_policy":"fallback-to-issue"`. That key is absent from the new compiled lock (confirmed in the diff) and from this shared template. Without it, if the agent accidentally touches a protected file (e.g., `go.mod`, `go.sum`, `CODEOWNERS`) the framework will no longer fall back to opening an issue to surface the attempt — the default behavior may silently abort or error instead. Consider adding a `protected-files-policy: fallback-to-issue` entry here so all callers of this shared template inherit the safe fallback.

### Issue 3 of 3
.github/workflows/code-simplifier.md:28-30
**Prompt still describes multi-language workflows, but network is Go-only**

The `network.allowed` list is now `[go]`, restricting outbound access to Go-specific domains (e.g., `proxy.golang.org`, `sum.golang.org`). However, the agent prompt still contains detailed per-language instructions for JavaScript/TypeScript (`npm test`, `npm run lint`), Python (`pytest`, `flake8`), and .NET (`dotnet test`, `dotnet build`). On this Go repository the mismatch is harmless, but the prompt content will mislead the agent if it encounters non-Go files and attempts language-specific validation commands that require unreachable registries. Trimming the prompt to Go-only instructions would keep it consistent with the network restriction.

Reviews (1): Last reviewed commit: "Add agentic workflow code-simplifier"

Greptile also left 3 inline comments on this PR.

@veverkap veverkap requested review from a team and Copilot May 22, 2026 20:26
@veverkap veverkap merged commit a16362d into main May 22, 2026
12 of 13 checks passed
@veverkap veverkap deleted the add-workflow-code-simplifier-8095 branch May 22, 2026 20:26
Comment on lines +36 to +42
safe-outputs:
create-pull-request:
expires: ${{ github.aw.import-inputs.expires }}
title-prefix: "${{ github.aw.import-inputs.title-prefix }}"
labels: ${{ github.aw.import-inputs.labels }}
reviewers: ${{ github.aw.import-inputs.reviewers }}
noop:
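
Review bot: the last quoted line, `noop:`, carries no value, so a caller of the shared template cannot tell from these lines whether an empty entry enables the no-op safe output or leaves it unset; either give it an explicit value or add a short comment stating the intent. The `expires`, `labels` and `reviewers` entries are also passed straight through from `github.aw.import-inputs`, and nothing in the quoted lines supplies a default, so it is worth stating at the top of `daily-pr-base.md` which of these inputs an importing workflow must set.
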
P2 Missing max PR limit in shared template

The safe-outputs.create-pull-request block omits a max: 1 constraint. The compiled lock file currently carries "max":1 (apparently injected by the compiler as a default), but this shared template itself gives no guarantee. Any future workflow that imports daily-pr-base.md and is compiled with a different tool version — or one that changes the default — could produce unlimited automated PRs. Explicitly setting max: 1 here would make the limit authoritative and visible to maintainers without requiring them to inspect the compiled lock.

Comment on lines +36 to +42
safe-outputs:
create-pull-request:
expires: ${{ github.aw.import-inputs.expires }}
title-prefix: "${{ github.aw.import-inputs.title-prefix }}"
labels: ${{ github.aw.import-inputs.labels }}
reviewers: ${{ github.aw.import-inputs.reviewers }}
noop:
P2 protected_files_policy guard dropped

The old create-pull-request safe-outputs config included "protected_files_policy":"fallback-to-issue". That key is absent from the new compiled lock (confirmed in the diff) and from this shared template. Without it, if the agent accidentally touches a protected file (e.g., go.mod, go.sum, CODEOWNERS) the framework will no longer fall back to opening an issue to surface the attempt — the default behavior may silently abort or error instead. Consider adding a protected-files-policy: fallback-to-issue entry here so all callers of this shared template inherit the safe fallback.

Comment on lines +28 to +30
network:
allowed:
- go
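
Review bot: `go` on this line is an ecosystem alias that the compiler expands into the concrete domain list in `code-simplifier.lock.yml` (the summary lists proxy.golang.org, sum.golang.org and go.dev). Since the lock file is what actually runs, the effective allowlist has to be verified in the lock diff rather than here, and any later change to the alias's expansion only takes effect after a recompile; a comment beside `allowed:` saying so would tell maintainers to recompile and re-check the lock after upgrading gh-aw.
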
P2 Prompt still describes multi-language workflows, but network is Go-only

The network.allowed list is now [go], restricting outbound access to Go-specific domains (e.g., proxy.golang.org, sum.golang.org). However, the agent prompt still contains detailed per-language instructions for JavaScript/TypeScript (npm test, npm run lint), Python (pytest, flake8), and .NET (dotnet test, dotnet build). On this Go repository the mismatch is harmless, but the prompt content will mislead the agent if it encounters non-Go files and attempts language-specific validation commands that require unreachable registries. Trimming the prompt to Go-only instructions would keep it consistent with the network restriction.

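
The three review comments above all come down to the same practical problem: a guard that lives only in a compiler default or only in a prompt is invisible to whoever reuses the template. As an added example (not code from this PR, from Greptile, or from gh-aw), the script below is a small lint a repository could run over its workflow files to catch all three points before compilation: it parses the `---` frontmatter with a minimal YAML-subset parser (an assumption for the example, not the gh-aw parser), checks that `safe-outputs.create-pull-request` states `max` and `protected-files-policy: fallback-to-issue` itself, and lists every inline-code command in the prompt body whose tool needs an ecosystem that `network.allowed` does not include. The samples are constructed from the lines quoted in the review; the placement of `noop:` under `safe-outputs`, the hyphenated template key spelling, and the alias names other than `go` (`node`, `python`, `dotnet`) are assumptions.

```python
"""Lint a gh-aw style workflow file for the guards raised in the review.
Added example, not code from the PR, Greptile or gh-aw; the YAML-subset
parser and the alias names other than `go` are assumptions."""
import re

# Constructed sample: the shared template frontmatter as quoted in the review
# (lines 36-42); `noop:` is placed under safe-outputs by assumption.
WEAK_TEMPLATE = """\
---
safe-outputs:
  create-pull-request:
    expires: ${{ github.aw.import-inputs.expires }}
    title-prefix: "${{ github.aw.import-inputs.title-prefix }}"
    labels: ${{ github.aw.import-inputs.labels }}
    reviewers: ${{ github.aw.import-inputs.reviewers }}
  noop:
---
"""

# The same template with both guards stated explicitly (key spelling follows
# the reviewer's suggested template form).
HARDENED_TEMPLATE = WEAK_TEMPLATE.replace(
    "  create-pull-request:\n",
    "  create-pull-request:\n    max: 1\n"
    "    protected-files-policy: fallback-to-issue\n",
)

# Constructed workflow: Go-only network, but a prompt that still lists
# npm/pytest/dotnet commands (Issue 3 in the review).
WORKFLOW = """\
---
network:
  allowed:
    - go
---
# Code simplifier

Validate Go changes with `go build ./...` and `go test ./...`.
For JavaScript run `npm test` and `npm run lint`; for Python run `pytest`
and `flake8`; for .NET run `dotnet build` and `dotnet test`.
"""

# Ecosystem alias each tool needs; `go` is the alias shown on the page, the
# other alias names are assumptions for this example.
ECOSYSTEM_OF_TOOL = {
    "go": "go",
    "npm": "node", "npx": "node",
    "pip": "python", "pytest": "python", "flake8": "python",
    "dotnet": "dotnet",
}


def _indent(line):
    return len(line) - len(line.lstrip())


def _scalar(value):
    """Unquote strings and convert plain integers; everything else stays text."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return int(value) if value.isdigit() else value


def _parse_block(lines):
    """Parse indentation-nested `key: value` lines into dicts. Supports nested
    mappings, scalars and lists of scalars, nothing more."""
    result, i = {}, 0
    while i < len(lines):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            i += 1
            continue
        indent = _indent(line)
        key, _, value = line.strip().partition(":")
        value = value.strip()
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > indent):
            j += 1
        children = [c for c in lines[i + 1:j] if c.strip()]
        if value:
            result[key] = _scalar(value)
        elif children and children[0].lstrip().startswith("- "):
            result[key] = [_scalar(c.strip()[2:].strip()) for c in children]
        elif children:
            result[key] = _parse_block(children)
        else:
            result[key] = None  # bare key such as `noop:`
        i = j
    return result


def parse_frontmatter(text):
    """Split a `---` delimited frontmatter from the markdown body."""
    lines = text.split("\n")
    if lines[0].strip() != "---":
        raise ValueError("no frontmatter")
    end = lines.index("---", 1)
    return _parse_block(lines[1:end]), "\n".join(lines[end + 1:])


def missing_pr_guards(config):
    """Guards the template must state itself rather than inherit from a
    compiler default: a positive `max` and the fallback-to-issue policy."""
    pr = (config.get("safe-outputs") or {}).get("create-pull-request") or {}
    missing = []
    if not (isinstance(pr.get("max"), int) and pr["max"] >= 1):
        missing.append("max")
    if pr.get("protected-files-policy") != "fallback-to-issue":
        missing.append("protected-files-policy")
    return missing


def prompt_network_mismatches(config, body):
    """Inline-code commands in the prompt whose tool needs an ecosystem that
    `network.allowed` does not include, in order of appearance."""
    allowed = set((config.get("network") or {}).get("allowed") or [])
    hits = []
    for cmd in re.findall(r"`([^`\n]+)`", body):
        tool = cmd.split()[0] if cmd.split() else ""
        eco = ECOSYSTEM_OF_TOOL.get(tool)
        if eco is not None and eco not in allowed:
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, "missing guards:", missing_pr_guards(parse_frontmatter(text)[0]))
    cfg, body = parse_frontmatter(WORKFLOW)
    print("prompt commands blocked by network.allowed:", prompt_network_mismatches(cfg, body))
```

Running the script reports `['max', 'protected-files-policy']` for the weak template and an empty list for the hardened one, and lists the six npm, pytest, flake8 and dotnet commands that the Go-only allowlist would block. Wiring a check like this into CI (or a pre-commit hook that runs before `gh aw compile`) makes the review's two template guards authoritative in source rather than dependent on the compiler version, and flags prompt and allowlist drift the moment either side changes.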

@veverkap veverkap review requested due to automatic review settings May 22, 2026 20:50