Skip to content

[Agentic State Machine] Update state-machine docs with security scan workflow #19856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
T-Gro merged 1 commit into from
May 29, 2026
Merged

[Agentic State Machine] Update state-machine docs with security scan workflow #19856

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 67 additions & 11 deletions .github/docs/state-machine.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,8 @@ Auto-generated documentation of all agentic workflows in this repository.
| **labelops-pr-maintenance** | ⏰ every 3h | PRs with AI-Auto-Resolve-* labels, CI status | comment, push, labels, dispatch | `AI-Auto-Resolve-CI`, `AI-Auto-Resolve-Conflicts`, `AI-needs-CI-fix-input` |
| **regression-pr-shepherd** | ⏰ every 4h | PRs with `AI-Issue-Regression-PR` | comment, push, remove-labels | `AI-Issue-Regression-PR`, `AI-thinks-issue-fixed` |
| **labelops-flake-fix** | 🤖 dispatched by labelops-pr-maintenance | Test results, PR diffs | PR, comment, issue | `Flaky`, `automation` |
| **aw-auto-update** | ⏰ every 24h | `.github/workflows/*` files | PR, push | `automation` |
| **labelops-pr-security-scan** | ⏰ every 1h | PR diffs, file lists | labels, comment | `AI-Tooling-Check-Scanned-Clean`, `AI-Tooling-Check-Bypassed`, `⚠️ Affects-*`, `⚠️ Suspicious-Prompting`, `⚠️ Scope-Review-Needed` |
| **aw-auto-update** | ⏰ every 24h | `.github/workflows/*` files | agent-session | `automation` |

## Issue Lifecycle

Expand Down Expand Up @@ -124,6 +125,46 @@ stateDiagram-v2
Merged --> [*]
```

## PR Security Scan Lifecycle

```mermaid
stateDiagram-v2
direction LR

[*] --> ScanQueue: ⏰ labelops-pr-security-scan (1h)

state "Per-PR Classification" as ScanLoop {
ScanQueue --> CheckMemory: 🤖 security-scan reads state.json

state memcheck <<choice>>
CheckMemory --> memcheck
memcheck --> AlreadyScanned: sha unchanged
memcheck --> ClassifyOrigin: new or updated PR

AlreadyScanned --> [*]: skip

state origin <<choice>>
ClassifyOrigin --> origin
origin --> NonFork: headRepository == this repo
origin --> ForkPR: headRepository != this repo

NonFork --> Bypassed: 🤖 adds AI-Tooling-Check-Bypassed
ForkPR --> ReadDiff: 🤖 reads file list + diff

state classify <<choice>>
ReadDiff --> classify
classify --> Clean: no categories match
classify --> Flagged: ≥1 category matches

Clean --> ScannedClean: 🤖 adds AI-Tooling-Check-Scanned-Clean
Flagged --> Labelled: 🤖 adds ⚠️ labels + comment (if changed)
}

Bypassed --> [*]
ScannedClean --> [*]
Labelled --> [*]: 👤 maintainer reviews flagged areas
```

## Infrastructure Lifecycle

```mermaid
Expand All @@ -139,16 +180,17 @@ stateDiagram-v2

UpToDate --> [*]: 🤖 aw-auto-update noops

ChangesDetected --> PRExists: 🤖 checks for existing PR
ChangesDetected --> DedupeCheck: 🤖 checks for existing PR/session

state prcheck <<choice>>
PRExists --> prcheck
prcheck --> UpdateExisting: open PR found
prcheck --> CreateNew: no open PR
state dedup <<choice>>
DedupeCheck --> dedup
dedup --> AlreadyOpen: open PR or session exists
dedup --> Delegate: no existing PR/session

UpdateExisting --> WaitReview: 🤖 aw-auto-update pushes to branch
CreateNew --> WaitReview: 🤖 aw-auto-update creates PR
AlreadyOpen --> [*]: 🤖 aw-auto-update noops
Delegate --> AgentSession: 🤖 aw-auto-update creates agent-session

AgentSession --> WaitReview: 🤖 Copilot Coding Agent opens PR
WaitReview --> Merged: 👤 maintainer reviews + merges
Merged --> [*]
```
Expand All @@ -164,6 +206,17 @@ stateDiagram-v2
| `AI-needs-CI-fix-input` | 🤖 labelops-pr-maintenance | 🤖 labelops-pr-maintenance, 👤 maintainer | CI failure requires human intervention |
| `AI-Issue-Regression-PR` | 🤖 repo-assist | 🤖 regression-pr-shepherd, 🤖 labelops-pr-maintenance (exclude) | PR is a regression test created by repo-assist |
| `Flaky` | 🤖 labelops-flake-fix | 👤 maintainer | Test identified as non-deterministic |
| `AI-Tooling-Check-Scanned-Clean` | 🤖 labelops-pr-security-scan | 👤 maintainer | Fork PR scanned, no safety concerns found |
| `AI-Tooling-Check-Bypassed` | 🤖 labelops-pr-security-scan | 👤 maintainer | Non-fork PR, scan bypassed (trusted origin) |
| `⚠️ Affects-Build-Infra` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies build infrastructure |
| `⚠️ Affects-Compiler-Output` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR affects compiler output |
| `⚠️ Affects-Bootstrap` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR affects bootstrap process |
| `⚠️ Affects-Restore` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies restore/package resolution |
| `⚠️ Affects-Design-Time` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR affects design-time behavior |
| `⚠️ Affects-Test-Tooling` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies test tooling |
| `⚠️ Affects-Agent-Config` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies AI agent configuration |
| `⚠️ Suspicious-Prompting` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR contains prompt injection patterns |
| `⚠️ Scope-Review-Needed` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR diff exceeds stated scope |
| `automation` | 🤖 aw-auto-update, 🤖 labelops-flake-fix | 👤 maintainer | PR was created by automation |
| `NO_RELEASE_NOTES` | 🤖 repo-assist, 🤖 labelops-flake-fix | ⚙️ CI | PR does not need release notes entry |
| `repo-assist` | 🤖 repo-assist | 🤖 repo-assist | Issue is managed by repo-assist (monthly summary) |
Expand All @@ -182,14 +235,17 @@ stateDiagram-v2
| ⏰ scheduler | 🤖 repo-assist | Every 12h | Cron schedule |
| ⏰ scheduler | 🤖 labelops-pr-maintenance | Every 3h | Cron schedule |
| ⏰ scheduler | 🤖 regression-pr-shepherd | Every 4h | Cron schedule |
| ⏰ scheduler | 🤖 labelops-pr-security-scan | Every 1h | Cron schedule |
| ⏰ scheduler | 🤖 aw-auto-update | Every 24h | Cron schedule |
| 🤖 aw-auto-update | 🤖 Copilot Coding Agent | Changes detected | `create-agent-session` safe output |
| 🤖 repo-assist | 🤖 repo-assist | Own PR has CI failure or conflicts | `push-to-pull-request-branch` (self-heal) |
| 🤖 labelops-flake-fix | 🤖 labelops-pr-maintenance | Fix PR created | Originating PR comment posted |

<!-- source-hashes:
aw-auto-update.md: c6643ba35ba34b092b3d8f8bcf09f5310145a4ab64df29b18b47aa4c562fae2a
aw-auto-update.md: da8c5e340a43d73616e3a0203c7e56de9ca4b82ee78b1902afe466a49a08bc17
labelops-flake-fix.md: 7dca5b8faa60f947204f8925c6238fbecf42aa8cbf3144a166120501b0eef1e4
labelops-pr-maintenance.md: 0bc03e9762ba51dc4226e0fc9aeb8fd9ef8fb17b287ae48fd67e2d33beb92473
labelops-pr-maintenance.md: 59ba52fc625e0b9112c31864e92154cdf09acf0bc0f2b167aa30a0d76baa898f
labelops-pr-security-scan.md: 4e0ee1ccd6212be30f8ccd334ecbc47123655e2507b5968c1bf2c1678a1ed306
regression-pr-shepherd.md: 18a65fe1cdf8aa219158f1d610db14078e5ff2f1ac912df2566bf796792395b5
repo-assist.md: ee557b9645115a600035c441e476e030e5a67aa1bca93dfd94985bf6f12e1d74
repo-assist.md: 3775b51d142d22c98e87e48e8ac9d46cdf69e9c8306d5787758a35578dcb1119
-->