feat: Add schema-feature-coverage agentic workflow for 100% schema field coverage

[Copilot]

Adds a Codex-powered weekly workflow that audits schema field coverage across all agentic workflows and opens PRs for any gaps.

What it does

• Deterministic field extraction: jq -r '.properties | keys[]' pkg/parser/schemas/main_workflow_schema.json | sort produces a canonical sorted list of all top-level schema properties
• Coverage check: grep -rl "^${field}:" scans every .github/workflows/**/*.md (including shared/) to count usage per field
• Gap remediation: For each uncovered field, creates a new minimal demo workflow at .github/workflows/schema-demo-<field>.md and opens a focused PR — up to 10 per run (alphabetical order; subsequent weekly runs handle the rest)
• Clean exit: If all fields are covered, calls noop immediately

Configuration

• Engine: Codex, strict: true
• Schedule: Weekly Mondays ~07:00 UTC + workflow_dispatch
• Safe outputs: create-pull-request (max: 10)
• Tools: bash (jq/grep), edit (write demo files), github (remote, default toolsets)

Demo workflow template

Each generated PR adds a file like:

---
description: Demonstrates the `<FIELD>` schema field
on:
  workflow_dispatch:
permissions:
  contents: read
engine: codex
<FIELD>: <VALID_VALUE>
timeout-minutes: 5
---

Field descriptions are pulled directly from the schema via jq '.properties["<FIELD>"].description' so PR bodies stay accurate without hardcoding.

Original prompt

Create an agentic workflow that ensures every feature in the main JSON schema is used in at least one workflow under .github/workflows.

This workflow should:

• Use deterministic tooling to list all allowed fields in the schema.
• Cross-check these fields against all existing agentic workflows.
• For any schema field that is not used in any agentic workflow, create a pull-request that adds a workflow (or updates an existing one) to include that field.
• Target 100% coverage of schema features across the existing agentic workflows running in the GitHub repository.

If there is nothing to do (all fields are already covered), it should do nothing further and exit cleanly. Use Codex.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

Hey @Copilot 👋 — great direction on this one! Ensuring 100% coverage of the main JSON schema fields across .github/workflows is exactly the kind of dogfooding this project is built around.

A few things to address before this is ready for review:

• No changes committed yet — the PR currently has 0 files changed and 0 lines of diff. The implementation still needs to land: the schema field enumeration script, the cross-check logic, and any new or updated workflow files.
• Add tests — the CONTRIBUTING.md expects agents to create tests for new functionality. A test that validates the schema coverage check itself (e.g., asserting that the tool correctly identifies uncovered fields, and that a workflow using each field passes the check) would follow the project's patterns in the test/ directory.
• PR description needs updating — the body currently holds only the original prompt. Once implementation is underway, please update the description to summarize: what tooling was used to enumerate schema fields, which fields were missing, and which workflows were added or updated to provide coverage.

If you'd like a hand picking this back up, here's a ready-to-use agentic prompt:

Implement the JSON schema coverage workflow described in PR #21856 for the github/gh-aw repository.

Your goal is to ensure every field in the main JSON schema (likely at `schemas/` or `pkg/parser/schemas/frontmatter.json`) is exercised by at least one workflow under `.github/workflows`.

Steps:
1. Enumerate all top-level and nested fields in the main agentic workflow JSON schema using deterministic tooling (e.g., a Go or Node.js script).
2. Scan all YAML files under `.github/workflows` and extract the fields they use.
3. Compute the diff: which schema fields are not referenced by any workflow?
4. For each uncovered field, either:
   a. Update an existing workflow that logically fits, OR
   b. Create a minimal new workflow under `.github/workflows/` that exercises the field.
5. Add or update tests in the appropriate test directory to validate the coverage-check logic itself.
6. Update the PR description to document: the tool used, the fields found, which were already covered, and what was added.
7. Run `make agent-finish` to verify the build, tests, lint, and formatting all pass before pushing.

Follow the file organization patterns in scratchpad/code-organization.md and validation patterns in scratchpad/validation-architecture.md.

Generated by Contribution Check · ◷

[Copilot]

Pull request overview

Adds a new Codex-powered scheduled agentic workflow intended to audit top-level fields in pkg/parser/schemas/main_workflow_schema.json against .github/workflows/**/*.md and open PRs adding minimal “schema demo” workflows for any uncovered fields.

Changes:

• Introduces .github/workflows/schema-feature-coverage.md describing the auditing/remediation procedure and PR creation rules (max 10 PRs per run).
• Adds the compiled GitHub Actions workflow .github/workflows/schema-feature-coverage.lock.yml generated from the markdown workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/schema-feature-coverage.md	Defines the agent instructions for schema field extraction, coverage detection, and PR-based remediation.
.github/workflows/schema-feature-coverage.lock.yml	Generated compiled workflow to run the new schema coverage checker on a weekly schedule and via workflow_dispatch.

Comments suppressed due to low confidence (2)

.github/workflows/schema-feature-coverage.md:143

• The guidance for resources uses an array of objects with url, but in the schema resources is an array of strings (relative paths to workflow/action files to fetch). As written, a generated demo workflow would be schema-invalid (and likely semantically wrong for gh aw add).

| `services` | `{redis: {image: "redis:7"}}` | Docker services |
| `resources` | `[{url: "https://example.com/resource.md"}]` | Additional resource URLs |
| `mcp-servers` | `{my-server: {command: "npx", args: ["-y", "@modelcontextprotocol/server-memory"]}}` | MCP server config object |

.github/workflows/schema-feature-coverage.md:145

• The suggested demo shape for mcp-scripts ({my-script: {steps: [...]}}) doesn’t match the schema. mcp-scripts entries require at least description plus exactly one of script / run / py / go (and optional inputs, env, etc.). If this guidance is used, generated demo workflows will not validate/compile.

| `mcp-servers` | `{my-server: {command: "npx", args: ["-y", "@modelcontextprotocol/server-memory"]}}` | MCP server config object |
| `mcp-scripts` | `{my-script: {steps: [{name: "Run", run: "echo hello"}]}}` | MCP script definitions |

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Step 2’s coverage check uses grep -rl "^${field}:" across the entire workflow markdown file. This can produce false positives when a schema key appears at the start of a line inside fenced code blocks / examples in the body, even if it’s not present in the YAML frontmatter (i.e., not actually “used” by the workflow). Consider extracting only the frontmatter section (between the first two --- lines) for each file and running the key check against that extracted YAML, or otherwise parsing frontmatter keys deterministically before computing coverage.

Suggested change

	count=$(grep -rl "^${field}:" .github/workflows/ --include="*.md" 2>/dev/null | wc -l | tr -d ' ')
	count=0
	while IFS= read -r file; do
	# Extract YAML frontmatter (between the first two '---' lines) and check for the field as a top-level key
	if awk 'BEGIN{in_frontmatter=0} /^---[ \t]*$/{if(in_frontmatter==0){in_frontmatter=1; next} else{exit}} in_frontmatter==1{print}' "$file" | grep -q "^${field}:"; then
	count=$((count + 1))
	fi
	done < <(find .github/workflows -type f -name '*.md')

[Copilot]

The suggested demo value for the secrets field ({MY_SECRET: {required: false}}) does not match the schema: each entry must be either a string expression or an object with required value (and optional description). If the workflow uses this guidance, generated demo workflows will be invalid and fail compilation.

This issue also appears in the following locations of the same file:

• line 141
• line 143

Suggested change

	| `secrets` | `{MY_SECRET: {required: false}}` | Secrets configuration |
	| `secrets` | `{MY_SECRET: {value: "${{ secrets.MY_SECRET }}", description: "Demo secret value"}}` | Secrets configuration |