feat: add Fro Bot agent workflow#70

Merged
marcusrbrown merged 6 commits into main from amaranth-grateful-salamander on Feb 13, 2026

@marcusrbrown
Owner

  • Introduced a new GitHub Actions workflow for the Fro Bot.
  • Configured triggers for issue comments, pull requests, and scheduled audits.
  • Included prompts for manual and scheduled runs to guide the bot's actions.

@marcusrbrown marcusrbrown self-assigned this Feb 13, 2026
marcusrbrown and others added 2 commits February 13, 2026 07:38
Co-authored-by: mrbro-bot[bot] <137683033+mrbro-bot[bot]@users.noreply.github.com>
@fro-bot
Collaborator

fro-bot commented Feb 13, 2026

Code Review: Fro Bot Agent Workflow

Summary

The PR adds a new GitHub Actions workflow to run the Fro Bot agent for automated repository maintenance.


✅ Positives

  • Security: Well-crafted self-run prevention - excludes self-mentions and requires valid association
  • PROMPT Fix Applied: The critical operator precedence bug was fixed in commit c67d151
  • Clear structure: Workflow is well-organized
  • Sensible triggers: Covers the right events

⚠️ Issues to Address

1. Missing Permissions (Medium)

Location: Lines 23-24

The bot needs more permissions:

  • issues: write - to comment on issues
  • pull-requests: write - to review PRs
  • discussions: write - for discussions
  • checks: write - for status checks

2. Missing Concurrency Control (Medium)

Unlike main.yaml, no concurrency settings. Multiple bot runs could conflict.

3. Redundant gh Authentication (Low)

Lines 45-48 authenticate gh CLI, but the action receives the token directly via github-token. This is unnecessary.

4. Empty auth-json (Low)

Line 76 has auth-json: '{}'. Either provide valid JSON or remove if optional.

5. Missing Timeout (Low)

No timeout-minutes. Consider adding timeout-minutes: 30.


Verdict

Approve with suggestions. The critical bug was fixed. Remaining issues are improvements rather than blockers.

@fro-bot
Collaborator

fro-bot commented Feb 13, 2026

Code Review Update: Fro Bot Agent Workflow

Follow-up Review (Commit: fc53d2c)

The prior review has been verified against the latest commits:


✅ Fixes Confirmed

  1. PROMPT Variable Bug - ✅ FIXED in commit c67d151

    • The operator precedence is now correct with proper parentheses
  2. Missing Timeout - ✅ FIXED in commit 70dd60c

    • Added timeout-minutes: 15 to the job

⚠️ Remaining Suggestions

These were identified in the prior review and remain unaddressed:

  1. Missing Permissions (Medium) - Lines 25-26

    • Only has contents: read. Consider adding: issues: write, pull-requests: write, discussions: write, checks: write
  2. Missing Concurrency Control (Medium)

    • No concurrency settings unlike main.yaml. Consider adding:
    concurrency:
      group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
      cancel-in-progress: true
  3. Redundant gh Authentication (Low) - Lines 48-51

    • Unnecessary since the action receives token via github-token
  4. Empty auth-json (Low) - Line 79

    • auth-json: '{}' - either provide valid JSON or remove

Verdict

Approved - Critical bugs have been fixed. Remaining items are suggestions/improvements.


This is an automated follow-up review.

@fro-bot
Collaborator

fro-bot commented Feb 13, 2026

Code Review: Fro Bot Agent Workflow (Final)

Summary

The PR adds a new GitHub Actions workflow to run the Fro Bot agent for automated repository maintenance. All critical bugs from prior reviews have been addressed.


✅ Fixes Confirmed

  1. PROMPT Variable Bug - ✅ FIXED in commit c67d151

    • Operator precedence is now correct with proper parentheses
  2. Timeout - ✅ FIXED in commit 70dd60c

    • Added timeout-minutes: 15
  3. Concurrency Control - ✅ FIXED in commit 70dd60c

    • Proper concurrency group with cancel-in-progress

⚠️ Minor Suggestions (Non-Blocking)

| Issue | Severity | Location |
| --- | --- | --- |
| auth-json: '{}' | Low | Line 83 - Empty object, remove or provide config |
| Limited permissions | Low | Lines 16-17 - Consider adding issues: write, pull-requests: write |

Verdict

Approved - Critical bugs fixed. Well-structured workflow with proper self-run prevention, timeout, and concurrency control. Minor suggestions are optional improvements.

Collaborator

@fro-bot fro-bot left a comment

Approved - All critical bugs fixed. The workflow is well-structured with proper security controls (self-run prevention), timeout, and concurrency. Minor suggestions are optional.
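
The controls these reviews discuss (self-run prevention, scoped permissions, concurrency, timeout) shown together in one workflow, as an added sketch that is not the workflow merged in this PR or the project's own code. The action name, commit pins, cron value and the exact `if:` condition are assumptions; the concurrency expression is the one quoted in the review, extended with `github.event.issue.number`.

```yaml
# Constructed sketch; action name, SHAs and cron are placeholders.
name: agent-bot
on:
  issue_comment:
    types: [created]
  pull_request:
    types: [opened, synchronize]
  schedule:
    - cron: '0 6 * * 1'        # constructed audit schedule
  workflow_dispatch:

# Deny by default; the job below opts in to the scopes it uses.
permissions: {}

concurrency:
  # The review's expression, extended (assumption) with issue.number:
  # issue_comment payloads carry no top-level `number`, so without it all
  # comment-triggered runs share the github.ref group and cancel each other.
  group: ${{ github.workflow }}-${{ github.event.number || github.event.issue.number || github.ref }}
  cancel-in-progress: true

jobs:
  agent:
    runs-on: ubuntu-latest
    timeout-minutes: 15         # bounds a hung or looping agent run
    # Self-run prevention: ignore the bot's own comments and accept comment
    # triggers only from accounts with a trusted repository association.
    if: >-
      github.event_name != 'issue_comment' ||
      (github.event.comment.user.login != 'fro-bot' &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
      github.event.comment.author_association))
    permissions:
      contents: read
      issues: write             # post issue comments
      pull-requests: write      # post PR reviews
    steps:
      - uses: actions/checkout@<full-commit-sha>          # placeholder pin
        with:
          persist-credentials: false   # keep the token out of .git/config
      - uses: example-org/agent-action@<full-commit-sha>  # hypothetical action
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```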

@marcusrbrown marcusrbrown merged commit 6ecb386 into main Feb 13, 2026
11 checks passed
@marcusrbrown marcusrbrown deleted the amaranth-grateful-salamander branch February 13, 2026 16:04