feat: add agent-shield.yml workflow for compliance#83
Conversation
Closes #40 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
📝 WalkthroughWalkthroughAdded a new GitHub Actions workflow file Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Self-review: The change adds |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/agent-shield.yml:
- Around line 73-103: The workflow step named "Validate SKILL.md frontmatter"
relies on bash process substitution and should be explicit about the shell;
update that GitHub Actions step to include a "shell: bash" property so the run
block executes under bash (ensuring the use of process substitution and
bash-specific features in the frontmatter extraction and validation logic).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 26e326a5-3f46-4c81-9e04-2fefa8faa592
📒 Files selected for processing (1)
.github/workflows/agent-shield.yml
| - name: Validate SKILL.md frontmatter | ||
| run: | | ||
| status=0 | ||
|
|
||
| while IFS= read -r file; do | ||
| frontmatter=$(awk \ | ||
| '/^---$/{n++; next} n==1{print} n>=2{exit}' \ | ||
| "$file") | ||
|
|
||
| if [ -z "$frontmatter" ]; then | ||
| echo "::error file=$file::Missing YAML frontmatter" | ||
| status=1 | ||
| continue | ||
| fi | ||
|
|
||
| if ! echo "$frontmatter" | grep -q '^name:'; then | ||
| echo "::error file=$file::Missing 'name' field" | ||
| status=1 | ||
| fi | ||
| if ! echo "$frontmatter" | grep -q '^description:'; then | ||
| echo "::error file=$file::Missing 'description' field" | ||
| status=1 | ||
| fi | ||
| done < <(find . -name 'SKILL.md' \ | ||
| -not -path '*/node_modules/*' \ | ||
| -not -path '*/.git/*') | ||
|
|
||
| if [ "$status" -eq 0 ]; then | ||
| echo "All SKILL.md frontmatter validated." | ||
| fi | ||
| exit $status |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
LGTM with minor suggestion.
The awk-based frontmatter extraction and field validation logic is correct. The process substitution < <(find ...) works because GitHub Actions defaults to bash on ubuntu-latest.
For explicit clarity and cross-platform safety, consider adding shell: bash to this step, though it's not strictly required:
- name: Validate SKILL.md frontmatter
shell: bash
run: |🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/agent-shield.yml around lines 73 - 103, The workflow step
named "Validate SKILL.md frontmatter" relies on bash process substitution and
should be explicit about the shell; update that GitHub Actions step to include a
"shell: bash" property so the run block executes under bash (ensuring the use of
process substitution and bash-specific features in the frontmatter extraction
and validation logic).
|
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds an agent-shield.yml GitHub Actions workflow to run AgentShield scans and enforce org-required agent repo structure on pushes/PRs to main.
Changes:
- Introduces a new
AgentShieldworkflow triggered onpush/pull_requesttomain - Runs
ecc-agentshieldscan with--min-severity high - Adds shell-based checks for required files, cross-references, and
SKILL.mdYAML frontmatter
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| frontmatter=$(awk \ | ||
| '/^---$/{n++; next} n==1{print} n>=2{exit}' \ | ||
| "$file") |
There was a problem hiding this comment.
The frontmatter/key detection is overly strict: it only recognizes --- with no surrounding whitespace and keys that start at column 1. If any SKILL.md uses common variations (e.g., --- with trailing spaces, or indented name:/description:), this will incorrectly fail validation. Consider relaxing the patterns (e.g., allow leading/trailing whitespace around --- and optional indentation before keys) to avoid false negatives.
| continue | ||
| fi | ||
|
|
||
| if ! echo "$frontmatter" | grep -q '^name:'; then |
There was a problem hiding this comment.
The frontmatter/key detection is overly strict: it only recognizes --- with no surrounding whitespace and keys that start at column 1. If any SKILL.md uses common variations (e.g., --- with trailing spaces, or indented name:/description:), this will incorrectly fail validation. Consider relaxing the patterns (e.g., allow leading/trailing whitespace around --- and optional indentation before keys) to avoid false negatives.
| echo "::error file=$file::Missing 'name' field" | ||
| status=1 | ||
| fi | ||
| if ! echo "$frontmatter" | grep -q '^description:'; then |
There was a problem hiding this comment.
The frontmatter/key detection is overly strict: it only recognizes --- with no surrounding whitespace and keys that start at column 1. If any SKILL.md uses common variations (e.g., --- with trailing spaces, or indented name:/description:), this will incorrectly fail validation. Consider relaxing the patterns (e.g., allow leading/trailing whitespace around --- and optional indentation before keys) to avoid false negatives.
Summary
agent-shield.ymlworkflow copied fromstandards/workflows/agent-shield.ymlmainCloses #40
Generated with Claude Code
Summary by CodeRabbit