Add sentrux shared component and daily codebase quality report workflow#28970
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3599dad7-09e9-4d53-a3c2-8f9649d52372 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds Sentrux integration to the gh-aw daily audit suite by introducing a reusable install/prompt component and a new scheduled workflow that collects and reports architecture quality metrics over time.
Changes:
- Added a shared MCP component to install a pinned `sentrux` binary and document CLI usage.
- Added a daily scheduled “Daily Sentrux Report” workflow prompt that runs Sentrux scans, stores history in repo-memory, and publishes a GitHub Discussion.
- Added the compiled lock workflow file for the new workflow.
| File | Description |
|---|---|
| .github/workflows/shared/mcp/sentrux.md | Introduces shared installation + usage instructions for sentrux. |
| .github/workflows/daily-sentrux-report.md | Defines the daily audit workflow prompt (scan, parse, persist history, publish report). |
| .github/workflows/daily-sentrux-report.lock.yml | Generated compiled workflow output to run the new daily report in gh-aw. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 5
Context in `.github/workflows/daily-sentrux-report.md`:

```markdown
Load the quality history from repo memory at `/tmp/gh-aw/repo-memory/daily/history.jsonl`. If the file does not exist, start a fresh history.

### 3. Append today's entry

Append a new JSON line to `/tmp/gh-aw/repo-memory/daily/history.jsonl`:
```
The repo-memory path in the prompt (`/tmp/gh-aw/repo-memory/daily/...`) doesn’t match the compiled workflow’s configured memory directory (the lock file shows `/tmp/gh-aw/repo-memory/default/` with branch `daily/daily-sentrux-report`). This will cause history writes to go to a non-persisted location and trends will never accumulate. Use the configured repo-memory directory (or the workflow-provided env like `GH_AW_MEMORY_DIR`) consistently for reads/writes.
Suggested change (original lines, then replacement):

```markdown
Load the quality history from repo memory at `/tmp/gh-aw/repo-memory/daily/history.jsonl`. If the file does not exist, start a fresh history.
### 3. Append today's entry
Append a new JSON line to `/tmp/gh-aw/repo-memory/daily/history.jsonl`:
```

```markdown
Load the quality history from repo memory at `${GH_AW_MEMORY_DIR}/history.jsonl`. If the file does not exist, start a fresh history.
### 3. Append today's entry
Append a new JSON line to `${GH_AW_MEMORY_DIR}/history.jsonl`:
```
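Review bot: the replacement assumes the agent is given an environment variable called GH_AW_MEMORY_DIR, but the only lock-file detail quoted in the comment is the directory /tmp/gh-aw/repo-memory/default/ and the branch daily/daily-sentrux-report; confirm the compiled workflow really exports that variable before switching the prompt to `${GH_AW_MEMORY_DIR}/history.jsonl`, otherwise the prompt swaps a wrong literal path for an undefined name and the history is still not persisted.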
Context in `.github/workflows/shared/mcp/sentrux.md`:

```bash
SENTRUX_VERSION="0.9.2"
curl -fsSL -o /tmp/sentrux "https://github.com/sentrux/sentrux/releases/download/v${SENTRUX_VERSION}/sentrux-linux-x86_64"
chmod +x /tmp/sentrux
sudo mv /tmp/sentrux /usr/local/bin/sentrux
```
Pinning only the version tag reduces risk, but downloading an executable without validating a checksum/signature still leaves room for supply-chain compromise (e.g., release asset tampering). Add integrity verification (e.g., fetch a published `SHA256SUMS` file for the release and verify with `sha256sum -c`, or verify a signature if the project provides one) before installing the binary.
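As an added example, not code from the PR or from the sentrux project, this is the shape of an install step that pins the version and also refuses to install unless the downloaded asset matches a published checksum list. The `SHA256SUMS` asset name and the user-writable install directory are assumptions; check the project's release page for the real file name.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the sentrux project: pin the release
# version AND verify the downloaded asset against a published checksum list
# before it is installed. The SHA256SUMS asset name is an assumption.
set -eu

SENTRUX_VERSION="0.9.2"
BASE_URL="https://github.com/sentrux/sentrux/releases/download/v${SENTRUX_VERSION}"
ASSET="sentrux-linux-x86_64"

# verify_sha256 FILE SUMSFILE
# SUMSFILE holds sha256sum output ("<hex>  <name>" or "<hex> *<name>").
# Succeeds only if an entry for FILE's basename exists and the digest matches;
# a missing entry is treated as a failure, not as "nothing to check".
verify_sha256() {
  local file="$1" sums="$2"
  local name expected actual
  name="$(basename "$file")"
  expected="$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual="$(sha256sum "$file" | awk '{ print $1 }')"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
}

# Download binary and checksum list into a scratch dir, verify, then install
# into a user-writable directory (no sudo, no /usr/local/bin).
install_sentrux() {
  local tmp dir
  tmp="$(mktemp -d)"
  curl -fsSL -o "$tmp/$ASSET" "$BASE_URL/$ASSET"
  curl -fsSL -o "$tmp/SHA256SUMS" "$BASE_URL/SHA256SUMS"
  verify_sha256 "$tmp/$ASSET" "$tmp/SHA256SUMS"
  dir="${RUNNER_TEMP:-$HOME/.local}/bin"
  mkdir -p "$dir"
  install -m 0755 "$tmp/$ASSET" "$dir/sentrux"
  if [ -n "${GITHUB_PATH:-}" ]; then echo "$dir" >> "$GITHUB_PATH"; fi
  echo "installed sentrux ${SENTRUX_VERSION} to $dir"
}

# Network install only when invoked as: ./install-sentrux.sh install
if [ "${1:-}" = "install" ]; then install_sentrux; fi
```

A checksum list fetched from the same release only protects against a tampered binary asset, not a compromised release as a whole; a signature over the checksum list, where the project provides one, closes that gap.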
Context in `.github/workflows/shared/mcp/sentrux.md`:

```bash
curl -fsSL -o /tmp/sentrux "https://github.com/sentrux/sentrux/releases/download/v${SENTRUX_VERSION}/sentrux-linux-x86_64"
chmod +x /tmp/sentrux
sudo mv /tmp/sentrux /usr/local/bin/sentrux
```
The install step assumes (1) the runner is Linux x86_64 and (2) `sudo` is available/allowed to write into `/usr/local/bin`. In more locked-down runners/containers or on ARM64, this will fail. Prefer installing into a user-writable directory (e.g., `$RUNNER_TEMP/bin` or `$HOME/.local/bin`) and add it to `PATH`, and select the correct asset based on `uname -s`/`uname -m`.
Suggested change (original lines, then replacement):

```bash
curl -fsSL -o /tmp/sentrux "https://github.com/sentrux/sentrux/releases/download/v${SENTRUX_VERSION}/sentrux-linux-x86_64"
chmod +x /tmp/sentrux
sudo mv /tmp/sentrux /usr/local/bin/sentrux
```

```bash
OS="$(uname -s)"
ARCH="$(uname -m)"
case "$OS" in
  Linux) SENTRYX_OS="linux" ;;
  Darwin) SENTRYX_OS="darwin" ;;
  *)
    echo "Unsupported operating system: $OS" >&2
    exit 1
    ;;
esac
case "$ARCH" in
  x86_64|amd64) SENTRYX_ARCH="x86_64" ;;
  aarch64|arm64) SENTRYX_ARCH="arm64" ;;
  *)
    echo "Unsupported architecture: $ARCH" >&2
    exit 1
    ;;
esac
INSTALL_DIR="${RUNNER_TEMP:-$HOME/.local}/bin"
mkdir -p "$INSTALL_DIR"
curl -fsSL -o "$INSTALL_DIR/sentrux" "https://github.com/sentrux/sentrux/releases/download/v${SENTRUX_VERSION}/sentrux-${SENTRYX_OS}-${SENTRYX_ARCH}"
chmod +x "$INSTALL_DIR/sentrux"
echo "$INSTALL_DIR" >> "$GITHUB_PATH"
export PATH="$INSTALL_DIR:$PATH"
```
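Review bot: the proposed script still performs no integrity check on the download, so the checksum point raised on the original hunk applies to this version as well. Two smaller issues: the new variables are spelled SENTRYX_OS and SENTRYX_ARCH while the existing one is SENTRUX_VERSION, which works but looks like a typo and should use one prefix; and the asset names `sentrux-${SENTRYX_OS}-${SENTRYX_ARCH}` for darwin and arm64 are assumed, since only `sentrux-linux-x86_64` appears in the original, so verify those assets exist before the case table promises them. The line `echo "$INSTALL_DIR" >> "$GITHUB_PATH"` should also be guarded by a test that the variable is set, or the snippet fails when run outside GitHub Actions.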
Context in `.github/workflows/daily-sentrux-report.md`:

```bash
# Check rules and capture output (continues even if rules fail)
sentrux check . 2>&1 | tee /tmp/sentrux-check.txt || true

# Save a gate baseline for comparison in future runs
```
The prompt says the baseline is saved “for comparison in future runs,” but there’s no instruction to persist the baseline artifact anywhere (repo-memory, committed file, or cache), so it will be lost after the job finishes. Either adjust the wording to reflect that it’s only producing metrics for this run, or add steps/instructions to persist the gate baseline if future comparisons are intended.
Suggested change (original line, then replacement):

```bash
# Save a gate baseline for comparison in future runs
```

```bash
# Generate gate baseline/output for this run's analysis
```
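Review bot: changing the comment text fixes the wording but not the artifact: the PR description says the workflow runs `sentrux gate --save .`, and the `--save` flag suggests a baseline file is still written into the workspace, so the prompt should state what happens to that file (copied into repo-memory next to history.jsonl, or intentionally discarded) rather than leaving it implicit.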
Summary

Adds two new workflow files that integrate sentrux — an architecture quality sensor that computes a continuous quality signal (0–10000) across 52 languages — into the gh-aw daily audit suite.

Changes

`shared/mcp/sentrux.md`: A reusable shared component that:
- `curl | sh` supply chain risk
- Import in any workflow with:

`daily-sentrux-report.md`: A daily scheduled workflow that:
- `sentrux check .` and `sentrux gate --save .` on the workspace
- `[daily-sentrux]` title prefix, expiring after 3 days

Security Review
- `github.com/sentrux/sentrux/releases` (HTTPS, pinned version)