Add .github/copilot-instructions.md for coding agent onboarding #1
…ent efficiency Co-authored-by: Jamie-BitFlight <25075504+Jamie-BitFlight@users.noreply.github.com>
@copilot please address the issues here https://github.com/bitflight-devops/pre-commit-pep723-linter-wrapper/actions/runs/20803698589/job/59754017685#step:3:1
- Pin actions/checkout@v5 to commit SHA 08c6903
- Pin anothrNick/github-tag-action@1.70.0 to commit SHA 777684d
- Pin astral-sh/setup-uv@v7 to commit SHA eb1897b
- Pin ncipollo/release-action@v1 to commit SHA cdcc88a
- Add persist-credentials: false to checkout action
- Fix template injection vulnerability by using environment variable

Fixes zizmor security scan failures with 4 high-severity findings

Co-authored-by: Jamie-BitFlight <25075504+Jamie-BitFlight@users.noreply.github.com>
Fixed in commit 37dd6ab. The zizmor security scan was failing due to:
All actions are now pinned to specific commit SHAs with version comments for maintainability, persist-credentials is set to false, and the template injection is fixed by using an environment variable.
@copilot after mitigating the identified issues are the pipelines passing and is the app still working?
Yes! After the security mitigations:
✅ zizmor security scan is passing - Run 20804034453 completed successfully (commit 37dd6ab)
✅ App functionality verified - All 39 tests pass locally
The security fixes (pinned actions to commit SHAs, added persist-credentials: false, fixed template injection) resolved the vulnerabilities without breaking functionality.
Pull request overview
This PR adds comprehensive coding agent onboarding documentation and implements security improvements to GitHub Actions workflows.
Changes:
- Adds `.github/copilot-instructions.md` with detailed project documentation, build commands, architecture overview, and common pitfalls
- Pins all GitHub Actions in `auto-publish.yml` to specific commit SHAs with version comments for security
- Adds `persist-credentials: false` to checkout action to mitigate credential exposure risks
- Uses environment variables for tag references to prevent template injection vulnerabilities
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/copilot-instructions.md | Comprehensive onboarding guide covering project overview, build/test commands, architecture, CI/CD workflows, and coding conventions |
| .github/workflows/auto-publish.yml | Security hardening through action pinning, credential protection, and template injection prevention |
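
The three workflow changes listed in this overview (full-SHA pinning, `persist-credentials: false`, and passing the tag through an environment variable), shown as an added example that is not code from this pull request or from zizmor: a simplified line-based check run over a constructed before/after workflow. The step layout, the `new_tag` output name and the placeholder SHAs are assumptions.

```python
import re
from itertools import takewhile
# Constructed workflows, not the repository's auto-publish.yml. Step layout,
# the new_tag output name and the all-0/all-1 placeholder SHAs are assumptions.
BEFORE = """\
steps:
  - uses: actions/checkout@v5
  - id: tag
    uses: anothrNick/github-tag-action@1.70.0
  - run: |
      echo "Releasing ${{ steps.tag.outputs.new_tag }}"
"""
AFTER = """\
steps:
  - uses: actions/checkout@%s # v5
    with:
      persist-credentials: false
  - id: tag
    uses: anothrNick/github-tag-action@%s # 1.70.0
  - run: |
      echo "Releasing $NEW_TAG"
    env:
      NEW_TAG: ${{ steps.tag.outputs.new_tag }}
""" % ("0" * 40, "1" * 40)
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^\s*(?:-\s+)?run:")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*false\b")

def audit(workflow):
    """Return (line_no, finding) pairs for the three issue classes fixed in the PR."""
    findings, run_col, lines = [], None, workflow.splitlines()
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run script has ended (e.g. at env:)
        if m := USES.match(line):
            ref = m.group(1)
            if not ref.startswith("./") and not FULL_SHA.search(ref):
                findings.append((n, "action not pinned to a full commit SHA"))
            if ref.startswith("actions/checkout@"):
                # Remaining lines of this step, up to the next list item.
                step = takewhile(lambda s: not s.lstrip().startswith("- "), lines[n:])
                if not any(NO_PERSIST.match(s) for s in step):
                    findings.append((n, "checkout persists credentials"))
        elif RUN.match(line):
            run_col = line.index("run:")  # script lines are indented deeper than this
        if run_col is not None and "${{" in line:
            findings.append((n, "expression expanded inside run script"))
    return findings
```

In the `AFTER` workflow the `${{ ... }}` expression still appears, but only under `env:`, where it becomes a variable value instead of being spliced into the shell script text before the shell parses it.
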
Plan: Fix zizmor security scan failures
Original prompt
Your task is to "onboard" this repository to Copilot coding agent by adding a .github/copilot-instructions.md file in the repository that contains information describing how a coding agent seeing it for the first time can work most efficiently.
You will do this task only one time per repository and doing a good job can SIGNIFICANTLY improve the quality of the agent's work, so take your time, think carefully, and search thoroughly before writing the instructions.
- Reduce the likelihood of a coding agent pull request getting rejected by the user due to generating code that fails the continuous integration build, fails a validation pipeline, or having misbehavior.
- Minimize bash command and build failures.
- Allow the agent to complete its task more quickly by minimizing the need for exploration using grep, find, str_replace_editor, and code search tools.
- Instructions must be no longer than 2 pages.
- Instructions must not be task specific.

Add the following high level details about the codebase to reduce the amount of searching the agent has to do to understand the codebase each time:
Add information about how to build and validate changes so the agent does not need to search and find it each time.
List key facts about the layout and architecture of the codebase to help the agent find where to make changes with minimal searching.
- A description of the major architectural elements of the project, including the relative paths to the main project files, the location
- A description of the checks run prior to check in, including any GitHub workflows, continuous integration builds, or other validation pipelines.
- Document the steps so that the agent can replicate these itself.
- Any explicit validation steps that the agent can consider to have further confidence in its changes.
- Dependencies that aren't obvious from the layout or file structure.
- Finally, fill in any remaining space with detailed lists of the following, in order of priority: the list of files in the repo root, the
- Perform a comprehensive inventory of the codebase. Search for and view:
  - README.md, CONTRIBUTING.md, and all other documentation files.
  - Search the codebase for build steps and indications of workarounds like 'HACK', 'TODO', etc.
  - All scripts, particularly those pertaining to build and repo or environment setup.
  - All build and actions pipelines.
  - All project files.
  - All configuration and linting files.
- For each file:
  - think: are the contents or the existence of the file information that the coding agent will need to implement, build, test, validate, or demo a code change?
  - If yes:
    - Document the command or information in detail.
    - Explicitly indicate which commands work and which do not and the order in which commands should be run.
    - Document any errors encountered as well as the steps taken to workaround them.
    - Document any other steps or information that the agent can use to reduce time spent exploring or trying and failing to run bash commands.
- Finally, explicitly instruct the agent to trust the instructions and only perform a search if the information in the instructions is...of configuration files for linting, compilation, testing, and preferences.
contents of the README, the contents of any key source files, the list of files in the next level down of directories, giving priority to the more structurally important and snippets of code from key source files, such as the one containing the main method.