Enable strict mode for all agentic workflows #1317

Merged: pelikhan merged 6 commits into main from copilot/fix-agentic-workflows-strictness on Oct 7, 2025

Copilot AI commented Oct 7, 2025

Overview

This PR enables strict mode validation for all 15 agentic workflows in .github/workflows/, ensuring enhanced security and reliability constraints are enforced for production workflows.

What is Strict Mode?

Strict mode is a validation feature that enforces additional security and operational requirements on agentic workflows:

  1. Timeout Required - Prevents runaway executions through mandatory timeout_minutes
  2. Write Permissions Blocked - Refuses direct write permissions (use safe-outputs instead)
  3. Network Configuration Required - Must explicitly configure network access
  4. No Network Wildcards - Cannot use wildcard * in allowed domains
  5. MCP Network Configuration - Custom MCP servers with containers must have network config

Changes Made

Added strict: true to All Workflows

All 15 workflows now have strict: true in their frontmatter:

  • artifacts-summary.md
  • brave.md (already had it)
  • changeset-generator.md
  • ci-doctor.md
  • cli-version-checker.md
  • dev.md
  • duplicate-code-detector.md
  • go-pattern-detector.md
  • issue-classifier.md
  • notion-issue-summary.md
  • pdf-summary.md
  • poem-bot.md
  • scout.md
  • technical-doc-writer.md
  • tidy.md

Fixed Strict Mode Violations

1. dev.md

# Added missing timeout
timeout_minutes: 10
strict: true

2. notion-issue-summary.md

# Added missing timeout
timeout_minutes: 10
strict: true

3. duplicate-code-detector.md

# Added network configuration for serena MCP server
mcp-servers:
  serena:
    container: "ghcr.io/oraios/serena"
    network:
      allowed:
        - "github.com"

Verification

  • ✅ All 15 workflows compile successfully with --strict flag
  • ✅ Zero compilation errors
  • ✅ All unit and integration tests pass
  • ✅ No regressions introduced

Benefits

  • Cost Control: Mandatory timeouts prevent unbounded execution costs
  • Security: Minimizes attack surface by blocking write permissions and requiring explicit network access
  • Compliance: Ensures workflows meet organizational security standards
  • Auditability: Clear security requirements make workflows easier to review

All workflows continue to function as before while now enforcing stricter validation rules for enhanced security and reliability.

Original prompt

make all agentic workflows under .github/workflows "strict: true". Fix issues in agentic workflows or in the compiler.
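
The five strict-mode rules listed in the description, written out as a standalone check over already-parsed frontmatter. This is an added example, not code from this PR or from the project's compiler; the top-level `permissions` and `network` keys, the error wording, and the choice to treat any allowed entry containing `*` as a wildcard are assumptions.

```python
# Added example: approximates the five strict-mode rules from the PR text.
# Input is frontmatter already parsed into a dict (no YAML parser needed).

def network_errors(net, path):
    """Rules 3-5: network config must exist and must not contain wildcards."""
    if net is None:
        return [f"{path} must be configured explicitly"]
    allowed = net.get("allowed", []) if isinstance(net, dict) else []
    # Assumption: any entry containing '*' counts as a wildcard.
    return [f"{path}.allowed: wildcard {d!r} is not allowed"
            for d in allowed if "*" in str(d)]

def strict_violations(fm):
    """Return the list of strict-mode violations for one workflow."""
    errors = []
    # Rule 1: a positive integer timeout is mandatory (bool is rejected).
    timeout = fm.get("timeout_minutes")
    if type(timeout) is not int or timeout <= 0:
        errors.append("timeout_minutes must be a positive integer")
    # Rule 2: no write permissions, as shorthand string or per-scope map.
    perms = fm.get("permissions")  # key name is an assumption
    if perms == "write-all":
        errors.append("permissions: write-all is not allowed")
    elif isinstance(perms, dict):
        errors += [f"permissions.{scope}: write is not allowed"
                   for scope, level in sorted(perms.items()) if level == "write"]
    # Rules 3 and 4: workflow-level network access.
    errors += network_errors(fm.get("network"), "network")
    # Rule 5: custom MCP servers that run in a container need their own config.
    for name, server in sorted((fm.get("mcp-servers") or {}).items()):
        if isinstance(server, dict) and "container" in server:
            errors += network_errors(server.get("network"),
                                     f"mcp-servers.{name}.network")
    return errors

# Constructed frontmatter, not the contents of any workflow in this PR.
BEFORE = {"strict": True,
          "permissions": {"contents": "write"},
          "network": {"allowed": ["*"]},
          "mcp-servers": {"serena": {"container": "ghcr.io/oraios/serena"}}}
AFTER = {"strict": True, "timeout_minutes": 10,
         "permissions": {"contents": "read"},
         "network": {"allowed": ["github.com"]},
         "mcp-servers": {"serena": {"container": "ghcr.io/oraios/serena",
                                    "network": {"allowed": ["github.com"]}}}}

if __name__ == "__main__":
    for label, fm in (("before", BEFORE), ("after", AFTER)):
        print(label, strict_violations(fm) or "OK")
```
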



Copilot AI and others added 5 commits October 7, 2025 17:42
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Added strict: true to all 15 workflow files in .github/workflows/
- Fixed dev.md: added timeout_minutes: 10
- Fixed notion-issue-summary.md: added timeout_minutes: 10
- Fixed duplicate-code-detector.md: added network configuration to serena MCP server
- All workflows now compile successfully with --strict flag
- All unit tests pass

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
All 15 workflows compile successfully with strict mode enabled:
- 15/15 workflows have strict: true
- 0 compilation errors
- All tests passing

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix agentic workflows to enforce strict mode" to "Enable strict mode for all agentic workflows" Oct 7, 2025
Copilot AI requested a review from pelikhan October 7, 2025 17:55
pelikhan marked this pull request as ready for review October 7, 2025 18:08
pelikhan merged commit 9ebe6f8 into main Oct 7, 2025
6 checks passed
pelikhan deleted the copilot/fix-agentic-workflows-strictness branch October 7, 2025 18:14