feat: add AGT governance artifacts (policy, allowlist, CI workflow)#1478
Open
imran-siddique wants to merge 1 commit intogithub:mainfrom
Open
feat: add AGT governance artifacts (policy, allowlist, CI workflow)#1478imran-siddique wants to merge 1 commit intogithub:mainfrom
imran-siddique wants to merge 1 commit intogithub:mainfrom
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
main, but PRs should target staged.
The main branch is auto-published from staged and should not receive direct PRs.
Please close this PR and re-open it against the staged branch.
You can change the base branch using the Edit button at the top of this PR,
or run: gh pr edit 1478 --base staged
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
imran-siddique
force-pushed
the
governance/add-agt-artifacts
branch
from
d24e0d6 to
51cf00b
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Agent Governance Toolkit (AGT) governance artifacts and CI validation, alongside broad plugin content/manifest updates to align plugin references with the repository’s governance and agent/skill structure.
Changes:
- Added governance policy + MCP allowlist files, plus a PR workflow to validate them.
- Added a separate security scanning workflow (dependency review + secret regex scan).
- Added/updated many plugin agents/skills and standardized plugin manifests (notably switching many
agentsentries to./agentsand removing trailing slashes fromskillspaths).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| plugins/flowstudio-power-automate/skills/flowstudio-power-automate-build/references/flow-schema.md | Adds FlowStudio schema reference documentation. |
| plugins/flowstudio-power-automate/skills/flowstudio-power-automate-build/references/build-patterns.md | Adds copy/paste build templates for flows. |
| plugins/flowstudio-power-automate/.github/plugin/plugin.json | Normalizes skill path entries (removes trailing /). |
| plugins/fastah-ip-geo-tools/skills/geofeed-tuner/references/snippets-python3.md | Adds Python 3 parsing/validation snippets. |
| plugins/fastah-ip-geo-tools/skills/geofeed-tuner/assets/small-territories.json | Adds supporting reference data (territory list). |
| plugins/fastah-ip-geo-tools/skills/geofeed-tuner/assets/example/01-user-input-rfc8805-feed.csv | Adds example RFC8805 input CSV. |
| plugins/fastah-ip-geo-tools/.github/plugin/plugin.json | Normalizes skill path entries (removes trailing /). |
| plugins/edge-ai-tasks/.github/plugin/plugin.json | Switches agents list from explicit files to ./agents. |
| plugins/doublecheck/skills/doublecheck/assets/verification-report-template.md | Adds a structured verification report template. |
| plugins/doublecheck/agents/doublecheck.md | Adds Doublecheck agent definition/instructions. |
| plugins/doublecheck/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skill path. |
| plugins/devops-oncall/skills/multi-stage-dockerfile/SKILL.md | Adds a new skill for multi-stage Dockerfile guidance. |
| plugins/devops-oncall/agents/azure-principal-architect.md | Adds an Azure principal architect agent. |
| plugins/devops-oncall/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/dataverse-sdk-for-python/skills/dataverse-python-usecase-builder/SKILL.md | Adds a new Dataverse use-case builder skill. |
| plugins/dataverse-sdk-for-python/skills/dataverse-python-quickstart/SKILL.md | Adds a Dataverse quickstart skill. |
| plugins/dataverse-sdk-for-python/skills/dataverse-python-production-code/SKILL.md | Adds production guidance skill for Dataverse SDK. |
| plugins/dataverse-sdk-for-python/skills/dataverse-python-advanced-patterns/SKILL.md | Adds advanced patterns skill for Dataverse SDK. |
| plugins/dataverse-sdk-for-python/.github/plugin/plugin.json | Normalizes skills paths (removes trailing /). |
| plugins/database-data-management/skills/postgresql-code-review/SKILL.md | Adds PostgreSQL-focused review skill content. |
| plugins/database-data-management/agents/postgresql-dba.md | Adds PostgreSQL DBA agent. |
| plugins/database-data-management/agents/ms-sql-dba.md | Adds MS SQL DBA agent. |
| plugins/database-data-management/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/csharp-mcp-development/skills/csharp-mcp-server-generator/SKILL.md | Adds MCP server generator skill for C#. |
| plugins/csharp-mcp-development/agents/csharp-mcp-expert.md | Adds C# MCP expert agent. |
| plugins/csharp-mcp-development/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/csharp-dotnet-development/skills/dotnet-upgrade/SKILL.md | Adds a .NET upgrade planning skill. |
| plugins/csharp-dotnet-development/skills/dotnet-best-practices/SKILL.md | Adds .NET best practices skill. |
| plugins/csharp-dotnet-development/skills/csharp-xunit/SKILL.md | Adds xUnit testing best practices skill. |
| plugins/csharp-dotnet-development/skills/csharp-tunit/SKILL.md | Adds TUnit testing best practices skill. |
| plugins/csharp-dotnet-development/skills/csharp-nunit/SKILL.md | Adds NUnit testing best practices skill. |
| plugins/csharp-dotnet-development/skills/csharp-async/SKILL.md | Adds async best practices skill for C#. |
| plugins/csharp-dotnet-development/skills/aspnet-minimal-api-openapi/SKILL.md | Adds Minimal API + OpenAPI guidance skill. |
| plugins/csharp-dotnet-development/agents/expert-dotnet-software-engineer.md | Adds “expert .NET software engineer” agent. |
| plugins/csharp-dotnet-development/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/copilot-sdk/.github/plugin/plugin.json | Normalizes skills path (removes trailing /). |
| plugins/context-matic/skills/integrate-context-matic/SKILL.md | Adds a workflow skill for third-party API integration via context-matic. |
| plugins/context-matic/.github/plugin/plugin.json | Normalizes skill paths (removes trailing /). |
| plugins/context-engineering/skills/what-context-needed/SKILL.md | Adds a skill for requesting required context files. |
| plugins/context-engineering/skills/refactor-plan/SKILL.md | Adds a skill for structured refactor planning. |
| plugins/context-engineering/skills/context-map/SKILL.md | Adds a skill for building a context map before changes. |
| plugins/context-engineering/agents/context-architect.md | Adds a context-architect agent. |
| plugins/context-engineering/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/clojure-interactive-programming/skills/remember-interactive-programming/SKILL.md | Adds a micro-skill reminding REPL-first workflow. |
| plugins/clojure-interactive-programming/agents/clojure-interactive-programming.md | Adds a Clojure REPL-first agent. |
| plugins/clojure-interactive-programming/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills path. |
| plugins/cast-imaging/agents/cast-imaging-structural-quality-advisor.md | Adds CAST Imaging structural quality advisor agent (with MCP server config). |
| plugins/cast-imaging/agents/cast-imaging-software-discovery.md | Adds CAST Imaging discovery agent (with MCP server config). |
| plugins/cast-imaging/agents/cast-imaging-impact-analysis.md | Adds CAST Imaging impact analysis agent (with MCP server config). |
| plugins/cast-imaging/.github/plugin/plugin.json | Switches agents list to ./agents. |
| plugins/azure-cloud-development/skills/azure-pricing/references/SERVICE-NAMES.md | Adds Azure Retail Prices API serviceName reference. |
| plugins/azure-cloud-development/skills/azure-pricing/references/REGIONS.md | Adds Azure retail pricing region mapping reference. |
| plugins/azure-cloud-development/skills/azure-pricing/references/COST-ESTIMATOR.md | Adds cost estimation formulas reference. |
| plugins/azure-cloud-development/skills/azure-pricing/references/COPILOT-STUDIO-RATES.md | Adds Copilot Studio credit/rate reference (cached snapshot). |
| plugins/azure-cloud-development/skills/azure-pricing/SKILL.md | Adds an Azure pricing skill with cost estimation workflow. |
| plugins/azure-cloud-development/agents/terraform-azure-planning.md | Adds a Terraform planning agent for Azure. |
| plugins/azure-cloud-development/agents/terraform-azure-implement.md | Adds a Terraform implementation agent for Azure. |
| plugins/azure-cloud-development/agents/azure-verified-modules-terraform.md | Adds Azure AVM Terraform agent instructions. |
| plugins/azure-cloud-development/agents/azure-verified-modules-bicep.md | Adds Azure AVM Bicep agent instructions. |
| plugins/azure-cloud-development/agents/azure-saas-architect.md | Adds Azure SaaS architect agent instructions. |
| plugins/azure-cloud-development/agents/azure-principal-architect.md | Adds Azure principal architect agent instructions. |
| plugins/azure-cloud-development/agents/azure-logic-apps-expert.md | Adds Azure Logic Apps expert agent instructions. |
| plugins/azure-cloud-development/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/awesome-copilot/skills/suggest-awesome-github-copilot-skills/SKILL.md | Adds “suggest skills” skill definition. |
| plugins/awesome-copilot/skills/suggest-awesome-github-copilot-instructions/SKILL.md | Adds “suggest instructions” skill definition. |
| plugins/awesome-copilot/skills/suggest-awesome-github-copilot-agents/SKILL.md | Adds “suggest agents” skill definition. |
| plugins/awesome-copilot/agents/meta-agentic-project-scaffold.md | Adds an agent for scaffolding by pulling from awesome-copilot. |
| plugins/awesome-copilot/.github/plugin/plugin.json | Switches agents list to ./agents; normalizes skills paths. |
| plugins/automate-this/.github/plugin/plugin.json | Normalizes skills path (removes trailing /). |
| plugins/arize-ax/skills/arize-trace/references/ax-setup.md | Adds ax CLI troubleshooting reference. |
| plugins/arize-ax/skills/arize-trace/references/ax-profiles.md | Adds ax profile setup reference. |
| plugins/arize-ax/skills/arize-prompt-optimization/references/ax-setup.md | Adds ax CLI troubleshooting reference (prompt optimization). |
| plugins/arize-ax/skills/arize-prompt-optimization/references/ax-profiles.md | Adds ax profile setup reference (prompt optimization). |
| plugins/arize-ax/skills/arize-link/references/EXAMPLES.md | Adds Arize deep link examples reference. |
| plugins/arize-ax/skills/arize-link/SKILL.md | Adds Arize deep-link generation skill. |
| plugins/arize-ax/skills/arize-instrumentation/references/ax-profiles.md | Adds ax profile setup reference (instrumentation). |
| plugins/arize-ax/skills/arize-experiment/references/ax-setup.md | Adds ax CLI troubleshooting reference (experiments). |
| plugins/arize-ax/skills/arize-experiment/references/ax-profiles.md | Adds ax profile setup reference (experiments). |
| plugins/arize-ax/skills/arize-evaluator/references/ax-setup.md | Adds ax CLI troubleshooting reference (evaluators). |
| plugins/arize-ax/skills/arize-evaluator/references/ax-profiles.md | Adds ax profile setup reference (evaluators). |
| plugins/arize-ax/skills/arize-dataset/references/ax-setup.md | Adds ax CLI troubleshooting reference (datasets). |
| plugins/arize-ax/skills/arize-dataset/references/ax-profiles.md | Adds ax profile setup reference (datasets). |
| plugins/arize-ax/skills/arize-annotation/references/ax-setup.md | Adds ax CLI troubleshooting reference (annotations). |
| plugins/arize-ax/skills/arize-annotation/references/ax-profiles.md | Adds ax profile setup reference (annotations). |
| plugins/arize-ax/skills/arize-annotation/SKILL.md | Adds Arize annotation config + span annotation skill. |
| plugins/arize-ax/skills/arize-ai-provider-integration/references/ax-setup.md | Adds ax CLI troubleshooting reference (provider integration). |
| plugins/arize-ax/skills/arize-ai-provider-integration/references/ax-profiles.md | Adds ax profile setup reference (provider integration). |
| plugins/arize-ax/.github/plugin/plugin.json | Normalizes skills paths (removes trailing /). |
| mcp-allowlist.yaml | Adds MCP allowlist configuration (warn mode). |
| governance/policy.yaml | Adds strict-mode governance policy with rings, approvals, auditing. |
| .github/workflows/security-scan.yml | Adds a security scan workflow (dependency review + secret regex scan). |
| .github/workflows/governance-check.yml | Adds a governance validation workflow for PRs. |
Comment on lines
+39
to
+71
| - name: Validate MCP allowlist | ||
| run: | | ||
| python3 -c " | ||
| import yaml, sys | ||
| with open('mcp-allowlist.yaml') as f: | ||
| data = yaml.safe_load(f) | ||
| known = data.get('known', []) | ||
| blocked = data.get('blocked', []) | ||
| mode = data.get('enforcement', 'warn') | ||
| print(f'Enforcement: {mode}') | ||
| print(f'Known servers: {len(known)}') | ||
| print(f'Blocked servers: {len(blocked)}') | ||
| overlap = set(known) & set(blocked) | ||
| if overlap: | ||
| print(f'::error::Servers in both known and blocked: {overlap}') | ||
| sys.exit(1) | ||
| print('✅ MCP allowlist is valid') | ||
| " | ||
|
|
||
| - name: Validate governance policy | ||
| run: | | ||
| python3 -c " | ||
| import yaml | ||
| with open('governance/policy.yaml') as f: | ||
| data = yaml.safe_load(f) | ||
| mode = data.get('kernel', {}).get('mode', 'unset') | ||
| rings = data.get('rings', {}) | ||
| blocked = data.get('blocked_patterns', []) | ||
| print(f'Policy mode: {mode}') | ||
| print(f'Rings defined: {len(rings)}') | ||
| print(f'Blocked patterns: {len(blocked)}') | ||
| print('✅ Governance policy is valid') | ||
| " |
There was a problem hiding this comment.
The workflow imports yaml in Python, but GitHub-hosted runners don’t include PyYAML by default. This will fail with ModuleNotFoundError: No module named 'yaml'. Add an explicit step to install PyYAML before these validations (or switch to a parser available by default).
| fi | ||
| done | ||
| if [ "$STATUS" = "fail" ]; then | ||
| echo "::warning::Required governance files are missing" |
There was a problem hiding this comment.
The step marks missing “required” files but never fails the job, so PRs can merge even when governance prerequisites aren’t present. If these files are truly required (as the step name indicates), exit non-zero when STATUS=fail so the workflow enforces the requirement.
Suggested change
| echo "::warning::Required governance files are missing" | |
| echo "::error::Required governance files are missing" | |
| exit 1 |
Comment on lines
+73
to
+81
| - name: Check for hardcoded secrets | ||
| run: | | ||
| PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{48}|ghp_[a-zA-Z0-9]{36}|-----BEGIN (RSA |EC )?PRIVATE KEY-----)' | ||
| if grep -rPn "$PATTERNS" --include="*.py" --include="*.yaml" --include="*.yml" --include="*.json" --exclude-dir=.git --exclude-dir=__pycache__ --exclude-dir=.pytest_cache . 2>/dev/null; then | ||
| echo "::error::Potential hardcoded secrets detected" | ||
| exit 1 | ||
| else | ||
| echo "✅ No hardcoded secrets detected" | ||
| fi |
There was a problem hiding this comment.
This secret scan omits several common leak locations you’re adding in this PR (notably *.md, *.env, and potentially *.csv). If the goal is to catch hardcoded secrets in PR content, align the include list with security-scan.yml (or use a dedicated secret scanning action) to avoid false negatives.
Comment on lines
+7
to
+12
| enforcement: warn | ||
|
|
||
| # Known MCP servers used by awesome-copilot agents and skills. | ||
| known: | ||
| - github # GitHub API access for PR/commit/issue data | ||
| - fetch # Web fetch for documentation references |
There was a problem hiding this comment.
The allowlist is labeled as “MCP servers”, but the entries look like tool names rather than MCP server identifiers. This will likely generate noisy “unknown server” warnings once agents define actual mcp-servers blocks (e.g., the CAST Imaging agents). Consider clarifying whether this list is for tool names vs. MCP server names, and/or expanding known to match the actual configured MCP server IDs used in agent front matter.
There was a problem hiding this comment.
This changes the plugin manifest from enumerating agent files to pointing at the ./agents directory. If the plugin loader expects explicit file paths (as implied by the prior manifest style and other manifests listing ./agents/<file>.md), this can break discovery/loading. Prefer listing the actual agent markdown files (or confirm directory-based discovery is supported everywhere and documented).
Suggested change
| "./agents/<agent-file-1>.md", | |
| "./agents/<agent-file-2>.md" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds Agent Governance Toolkit (AGT) governance artifacts to enable automated governance validation on PRs.
Changes
Why
Standardizing governance across all repos using the AGT pattern established in agent-sre, ai-native-team, and sdlc-toolkit.