feat(workflows): add orchestration workflows and documentation #29
Add orchestration workflows that coordinate all validation and security checks:

- pr-validation.yml: Orchestrates all validation checks for pull requests including linting, spell checking, link validation, frontmatter validation, and PowerShell analysis
- main.yml: Orchestrates security scans and maintenance workflows for main branch including Checkov, Gitleaks, SHA staleness checks, and weekly security maintenance
- README.md: Comprehensive documentation for all workflows including usage examples, workflow descriptions, and configuration details

These orchestration workflows call the reusable validation and security workflows created in previous PRs. They provide a single entry point for running all checks and enable consistent CI/CD automation across the repository.

Resolves: #16

🚀 - Generated by Copilot
Pull Request Overview
This PR introduces a new modular GitHub Actions workflow architecture by adding three new workflow files: pr-validation.yml, main.yml, and their comprehensive documentation in README.md. The changes establish a security-focused CI/CD pipeline with parallel execution and proper dependency pinning validation.
- Implements parallel execution of 9-10 validation and security scanning jobs
- Adds strict dependency SHA-pinning validation to PR checks
- Documents the complete workflow architecture with security best practices
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/pr-validation.yml | New PR validation workflow orchestrating 9 reusable workflows plus a dependency-pinning-check job |
| .github/workflows/main.yml | New main branch CI workflow with 5 validation and security jobs |
| .github/workflows/README.md | Comprehensive documentation of workflow architecture, security practices, and usage patterns |
Comments suppressed due to low confidence (1)
.github/workflows/README.md:1
- The workflow architecture diagram for main.yml shows 9 jobs, but the actual implementation only includes 5 jobs. Remove the lines for psscriptanalyzer, frontmatter-validation, link-lang-check, and markdown-link-check to match the actual implementation.
- Updated pr-validation.yml description to correctly state 10 jobs (9 reusable workflows + 1 inline dependency-pinning-check)
- Added dependency-pinning-check to pr-validation jobs list
- Corrected main.yml to show 5 jobs instead of 9
- Updated main.yml jobs list to only include actual jobs
- Added dependency-pinning-check to workflow architecture diagram

🔒 - Generated by Copilot
- resolve merge conflict in workflows README.md
- condense workflow documentation from 1213 to 560 lines
- replace verbose descriptions with compact tables
- remove marketing claims and performance benchmarks
- consolidate orchestrator, validation, and security workflow docs

📚 - Generated by Copilot
Dependency Review: ✅ No vulnerabilities or license issues found.

Scanned manifest files: package-lock.json, package.json, requirements.txt
Pull Request Overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
…rkflows
- remove gitleaks-scan and checkov-scan jobs from pr-validation.yml
- remove gitleaks-scan and checkov-scan jobs from main.yml
- add codeql-analysis and dependency-pinning-scan to main.yml
- workflows now reference only existing reusable workflows

🔧 - Generated by Copilot
- remove duplicate result publishing strategy section
- remove non-existent workflow documentation (gitleaks, checkov)
- correct workflow filename references (ps-script-analyzer.yml)
- fix heading structure and section organization
- move Security Workflows section to proper location
- add backticks to configuration table workflow references

📚 - Generated by Copilot
…idation
- add explicit PR activity types (opened, synchronize, reopened) to pr-validation
- add develop branch support for branch-to-branch PRs
- integrate CodeQL security analysis into pr-validation and main orchestrators
- move CodeQL to first job in pr-validation for early security feedback
- remove standalone push/PR triggers from codeql-analysis (now orchestrator-only)
- keep weekly scheduled CodeQL scan for continuous security monitoring

🏗️ - Generated by Copilot
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
… duplicate CodeQL runs
- remove pull_request trigger (now handled by pr-validation.yml)
- remove dependency-review job (conditional on pull_request)
- security-scan now only runs on push to main/develop branches
- prevents duplicate CodeQL execution on PRs

🔧 - Generated by Copilot
- delete security-scan.yml (CodeQL coverage now via orchestrators)
- remove security-scan.yml from orchestrator workflows table in README
- consolidate security scanning: PRs use pr-validation, main uses main.yml
- weekly standalone CodeQL scan maintained for continuous monitoring

🗑️ - Generated by Copilot
Pull Request Overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 11 comments.
- standardize CodeQL job naming to codeql-analysis across all workflows
- fix documentation accuracy for job counts and job lists
- apply markdown style guidelines (asterisk markers, backticks)
- enhance clarity with footnotes and improved explanations

📝 - Generated by Copilot
- keep feature branch dependency versions (cspell 9.3.1, markdownlint-cli 0.45.0)
- retain markdown-link-check 3.14.1 dependency

🔀 - Generated by Copilot
Pull Request Overview
Copilot reviewed 7 out of 9 changed files in this pull request and generated 18 comments.
- clarify CodeQL execution strategy documentation
- make cron comment more concise in codeql-analysis.yml
- remove duplicate security-scan.yml workflow
- extract inline dependency-pinning-check to reusable workflow

🔧 - Generated by Copilot
…ing, and CodeQL
- fix markdown link check soft-fail by using step outcomes instead of env vars
- fix dependency pinning SARIF generation and scan only github-actions (not npm)
- remove CodeQL JavaScript scanning from orchestration workflows
- add if-no-files-found: ignore to PSScriptAnalyzer artifact upload

🔧 - Generated by Copilot
Pull Request Overview
Copilot reviewed 10 out of 12 changed files in this pull request and generated 9 comments.
- remove trailing blank line in security-scan.yml
- add historical context to CodeQL architecture documentation

📝 - Generated by Copilot
…nning
- add threshold parameter to Test-DependencyPinning.ps1 (default 95%)
- implement threshold-based compliance checking in workflow and script
- remove redundant workflow-level failure step in favor of script-level enforcement
- add comprehensive examples for threshold usage

🔒 - Generated by Copilot
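As an added example that is not the project's own Test-DependencyPinning.ps1, this PowerShell sketch shows the threshold-based check the commit describes: count `uses:` references in workflow text, treat only a full commit SHA as pinned, and fail through the script's exit code when the pinned percentage drops below the threshold. The function name `Test-ActionPinning`, its parameters, and the sample workflow (with fake SHAs) are assumptions; the 95% default is the value named in the commit.

```powershell
# Added example, not the project's Test-DependencyPinning.ps1: scan workflow text for
# `uses:` references and apply a compliance threshold the way the commit describes.
function Test-ActionPinning {
    [CmdletBinding()]
    param(
        # Lines of one or more workflow files (here fed from a constructed sample).
        [Parameter(Mandatory)] [string[]] $WorkflowContent,
        # Minimum percentage of pinned references; 95 mirrors the default named in the commit.
        [ValidateRange(0, 100)] [int] $Threshold = 95
    )

    # Capture the reference after `uses:` (quoted or bare), stopping at a trailing comment.
    $usesPattern = '^\s*-?\s*uses:\s*[''"]?(?<ref>[^''"#\s]+)'

    $results = foreach ($line in $WorkflowContent) {
        if ($line -notmatch $usesPattern) { continue }
        $ref = $Matches['ref']
        # Local reusable workflows and docker:// images are outside the github-actions type.
        if ($ref.StartsWith('./') -or $ref.StartsWith('docker://')) { continue }
        $parts   = $ref -split '@', 2
        $version = if ($parts.Count -eq 2) { $parts[1] } else { '' }
        [pscustomobject]@{
            Action  = $parts[0]
            Version = $version
            # Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
            Pinned  = [bool]($version -match '^[0-9a-f]{40}$')
        }
    }

    $total   = @($results).Count
    $pinned  = @($results | Where-Object { $_.Pinned }).Count
    $percent = if ($total -eq 0) { 100 } else { [math]::Round(100.0 * $pinned / $total, 2) }

    [pscustomobject]@{
        Total      = $total
        Pinned     = $pinned
        Percent    = $percent
        Threshold  = $Threshold
        Compliant  = $percent -ge $Threshold
        Violations = @($results | Where-Object { -not $_.Pinned })
    }
}

# Constructed sample workflow: three SHA-pinned steps (fake SHAs), one mutable tag,
# and one local reusable workflow that is skipped. Expected: 3 of 4 pinned = 75%.
$shaA = 'a' * 40; $shaB = 'b' * 40; $shaC = 'c' * 40
$sampleWorkflow = @"
jobs:
  validate:
    steps:
      - uses: actions/checkout@$shaA
      - uses: actions/setup-node@v4
      - uses: ./.github/workflows/lint.yml
      - uses: github/codeql-action/init@$shaB
      - uses: actions/upload-artifact@$shaC
"@

$report = Test-ActionPinning -WorkflowContent ($sampleWorkflow -split "`r?`n")
$report | Format-List Total, Pinned, Percent, Threshold, Compliant
$report.Violations | Format-Table Action, Version

# Script-level enforcement: the non-zero exit code is what the workflow step honors,
# so no separate workflow-level failure step is needed.
if (-not $report.Compliant) {
    Write-Error "Only $($report.Percent)% of action references are pinned (threshold $($report.Threshold)%)"
    exit 1
}
```

Run it as a script (not pasted into an interactive shell, since it ends with `exit`); with the sample input it reports 75% and exits 1, and lowering `-Threshold` to 75 makes it pass.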
Pull Request Overview
Copilot reviewed 11 out of 13 changed files in this pull request and generated 14 comments.
| * **CodeQL PR validation**: Runs via `pr-validation.yml` on all PR activity (open, push, reopen) | ||
| * **Main branch**: Runs via `main.yml` on every push to main | ||
| * **Weekly scan**: Standalone scheduled run every Sunday at 4 AM UTC for continuous security monitoring |
Copilot (AI), Nov 14, 2025:
The documentation states "CodeQL PR validation: Runs via pr-validation.yml on all PR activity" but the actual pr-validation.yml workflow in this PR does not include a CodeQL job. This is inconsistent with the workflow implementation.
Similarly, line 227 states "Main branch: Runs via main.yml on every push to main" but the actual main.yml workflow also does not include a CodeQL job.
Based on the actual workflows in this PR:
- `pr-validation.yml` has 8 jobs, none of which are CodeQL
- `main.yml` has 4 jobs, none of which are CodeQL
- Only `weekly-security-maintenance.yml` includes a `codeql-analysis` job
Please update this architecture section to reflect the actual workflow execution or add the missing CodeQL jobs to the orchestrator workflows if they were intended to be included.
| Compose multiple reusable workflows for comprehensive validation and security scanning. | ||
|
|
||
| ## Current Workflows | ||
| | Workflow | Triggers | Jobs | Mode | Purpose | |
Copilot (AI), Nov 14, 2025:
According to the markdown guidelines (CodingGuidelineID: 1000002), tables should be surrounded by a blank line before and after. There is no blank line before this table begins. Add a blank line between line 49 and line 50.
| @@ -12,7 +12,7 @@ on: | |||
| description: 'Comma-separated list of dependency types to check' | |||
Copilot (AI), Nov 14, 2025:
The default value for dependency-types changed from 'actions,containers' to 'github-actions'. However, the parameter description on line 12 still says "Comma-separated list of dependency types to check" without specifying what valid values are (e.g., github-actions, npm, pip, containers).
Additionally, this creates an inconsistency: the default was checking both actions and containers, but now only checks github-actions. Is github-actions the new canonical name for what was previously called actions? If so, the old containers check is being silently dropped from the default.
Please either:
- Document the valid values in the description
- Clarify if `containers` checking is intentionally removed from the default
- Update the description to match the script's actual parameter name (`IncludeTypes` as used on line 92)
| description: 'Comma-separated list of dependency types to check' | |
| description: 'Comma-separated list of dependency types to check. Valid values: github-actions, npm, pip, containers. Default is github-actions. (Parameter is passed as IncludeTypes to the script.)' |
| # Run validation script | ||
| # Run validation script (JSON format) | ||
| & scripts/security/Test-DependencyPinning.ps1 @params | ||
| $jsonExitCode = $LASTEXITCODE |
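Review bot: `$jsonExitCode = $LASTEXITCODE` on the last line of this hunk records the result of `& scripts/security/Test-DependencyPinning.ps1 @params` but nothing in the hunk acts on it, so a failing JSON run does not stop the step; check it right after the call (`if ($jsonExitCode -ne 0) { exit $jsonExitCode }`). Note also that `$LASTEXITCODE` is only updated when the invoked script ends with an explicit `exit`, so the script must exit non-zero on violations for this capture to mean anything; a run that merely writes errors and returns normally leaves the variable stale.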
Copilot (AI), Nov 14, 2025:
The script exit code from the JSON format run ($jsonExitCode = $LASTEXITCODE) is captured but never used. This means if the first run fails, the workflow will continue to generate SARIF format and then succeed even if it shouldn't have. The script's exit code should be checked and honored.
Add after line 102:
if ($jsonExitCode -ne 0) {
    Write-Host "JSON validation failed with exit code $jsonExitCode"
    exit $jsonExitCode
}
| $jsonExitCode = $LASTEXITCODE | |
| $jsonExitCode = $LASTEXITCODE | |
| if ($jsonExitCode -ne 0) { | |
| Write-Host "JSON validation failed with exit code $jsonExitCode" | |
| exit $jsonExitCode | |
| } |
| * Creates GitHub annotations for violations | ||
| * Exports JSON results and markdown summary | ||
| * Uploads artifacts with 30-day retention | ||
| | Event | Workflows That Run | CodeQL Included | |
Copilot (AI), Nov 14, 2025:
According to the markdown guidelines (CodingGuidelineID: 1000002), tables should be surrounded by a blank line before and after. There is no blank line before this table begins. Add a blank line between line 238 and line 239.
| # Pass dependency types filter to script | ||
| if ('${{ inputs.dependency-types }}') { | ||
| $params['DependencyTypes'] = '${{ inputs.dependency-types }}' | ||
| $params['IncludeTypes'] = '${{ inputs.dependency-types }}' |
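Review bot: the `${{ inputs.dependency-types }}` expression in the `if` test and in the `$params['IncludeTypes']` assignment is expanded into the PowerShell source text before the step runs, so a value containing a single quote alters the script rather than the data; GitHub's hardening guidance for this pattern is to map the input to a variable in the step's `env:` block and read `$env:DEPENDENCY_TYPES` inside the script. Because this is a `workflow_call` input the caller controls the value, so this is defence in depth rather than an exposed injection point, but it also replaces the string-truthiness test with an ordinary `[string]::IsNullOrEmpty` check on the variable.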
Copilot (AI), Nov 14, 2025:
The workflow input parameter is named dependency-types (line 10-15) but it's being passed to the PowerShell script as IncludeTypes (line 92). While this might work if the script parameter is actually named IncludeTypes, the naming inconsistency is confusing.
According to the script documentation in Test-DependencyPinning.ps1 (line 32-33 in this PR), the parameter is indeed .PARAMETER IncludeTypes with description "Comma-separated list of dependency types to check."
For clarity and consistency:
- Either rename the workflow input to `include-types` to match the script parameter naming
- Or add a comment explaining the parameter name mapping
- Update the workflow input description to match the script's parameter description exactly
| # GitHub Actions Workflows | ||
|
|
||
| This directory contains GitHub Actions workflow definitions for continuous integration, code quality validation, security scanning, and automated maintenance in the HVE Core project. | ||
| This directory contains GitHub Actions workflows for continuous integration, security scanning, and automated maintenance of the `hve-core` repository. |
Copilot (AI), Nov 14, 2025:
According to the markdown guidelines (CodingGuidelineID: 1000002), documents should begin with a top-level heading as the first line. The preamble text "This directory contains GitHub Actions workflows..." should come after a level-1 heading title, not before it.
Expected structure:
# GitHub Actions Workflows
This directory contains GitHub Actions workflows for continuous integration...
| * Example: `weekly-security-maintenance.yml` | ||
| * Purpose: Run multiple related checks and generate consolidated reports | ||
| * Typically run on schedule or manual trigger | ||
| | Pattern | Purpose | Example | |
Copilot (AI), Nov 14, 2025:
According to the markdown guidelines (CodingGuidelineID: 1000002), tables should be surrounded by a blank line before and after. There is no blank line before this table begins. Add a blank line between line 32 and line 33.
| ### Validation Workflows | ||
|
|
||
| ## Using Reusable Workflows | ||
| | Workflow | Tool | Purpose | Key Inputs | Artifacts | |
Copilot (AI), Nov 14, 2025:
According to the markdown guidelines (CodingGuidelineID: 1000002), tables should be surrounded by a blank line before and after. There is no blank line before this table begins. Add a blank line between line 63 and line 64.
| | Feature branch push (no open PR)[^1] | None | ❌ No | | ||
|
|
||
| **Exit Behavior**: Fails on Error or Warning severity issues | ||
| [^1]: Feature branches without an open PR are not validated. Open a PR to main or develop to trigger validation workflows. |
Copilot (AI), Nov 14, 2025:
According to markdown guidelines, footnote references should be separated from tables by a blank line. Add a blank line between the table (ending at line 245) and the footnote definition on line 247.
🤖 I have created a release *beep* *boop*

---

## [1.1.0](hve-core-v1.0.0...hve-core-v1.1.0) (2026-01-19)

### ✨ Features

* **.devcontainer:** add development container configuration ([#24](#24)) ([45debf5](45debf5))
* **.github:** add github metadata and mcp configuration ([#23](#23)) ([1cb898d](1cb898d))
* **agent:** Add automated installation via hve-core-installer agent ([#82](#82)) ([a2716d5](a2716d5))
* **agents:** add brd-builder.agent.md for building BRDs ([#122](#122)) ([bfdc9f3](bfdc9f3))
* **agents:** redesign installer with Codespaces support and method documentation ([#123](#123)) ([6329fc0](6329fc0))
* **ai:** Establish AI-Assisted Development Framework ([#48](#48)) ([f5199a4](f5199a4))
* **build:** implement automated release management with release-please ([#86](#86)) ([90150e2](90150e2))
* **chatmodes:** add architecture diagram builder agent ([#145](#145)) ([db24637](db24637))
* **config:** add development tools configuration files ([#19](#19)) ([9f97522](9f97522))
* **config:** add npm package configuration and dependencies ([#20](#20)) ([fcba198](fcba198))
* **copilot:** add GitHub Copilot instruction files ([#22](#22)) ([4927284](4927284))
* **copilot:** add specialized chat modes for development workflows ([#21](#21)) ([ae8495f](ae8495f))
* **docs:** add comprehensive AI artifact contribution documentation ([#76](#76)) ([d81cf96](d81cf96))
* **docs:** add getting started guide for project configuration ([#57](#57)) ([3b864fa](3b864fa))
* **docs:** add repository foundation and documentation files ([#18](#18)) ([ad7efb6](ad7efb6)), closes [#2](#2)
* **docs:** add RPI workflow documentation and restructure docs folder ([#102](#102)) ([c3af708](c3af708))
* **extension:** hve core vs code extension ([#149](#149)) ([041a1fd](041a1fd))
* **extension:** implement pre-release versioning with agent maturity filtering ([#179](#179)) ([fb38233](fb38233))
* **instructions:** add authoring standards for prompt engineering artifacts ([#177](#177)) ([5de3af9](5de3af9))
* **instructions:** add extension quick install and enhance installer agent ([#176](#176)) ([48e3d58](48e3d58))
* **instructions:** add VS Code variant prompt and gitignore recommendation to installer ([#185](#185)) ([b400493](b400493))
* **instructions:** add writing style guide for markdown content ([#151](#151)) ([02df6a8](02df6a8))
* **instructions:** consolidate C# guidelines and update prompt agent fields ([#158](#158)) ([65342d4](65342d4))
* **instructions:** provide guidance on using safe commands to reduce interactive prompting ([#117](#117)) ([1268580](1268580))
* **linting:** add linting and validation scripts ([#26](#26)) ([66be136](66be136))
* **prompt-builder:** enhance prompt engineering instructions and validation protocols ([#155](#155)) ([bc5004f](bc5004f))
* **prompts:** add ADR placement planning and update template paths ([#69](#69)) ([380885f](380885f))
* **prompts:** add git workflow prompts from edge-ai ([#84](#84)) ([56d66b6](56d66b6))
* **prompts:** add github-add-issue prompt and github-issue-manager chatmode with delegation pattern ([#55](#55)) ([d0e1789](d0e1789))
* **prompts:** add PR template discovery and integration to pull-request prompt ([#141](#141)) ([b8a4c7a](b8a4c7a))
* **prompts:** add task research initiation prompt and rpi agent ([#124](#124)) ([5113e3b](5113e3b))
* **release:** implement release management strategy ([#161](#161)) ([6164c3b](6164c3b))
* Risk Register Prompt ([#146](#146)) ([843982c](843982c))
* **scripts:** enhanced JSON Schema validation for markdown frontmatter ([#59](#59)) ([aba152c](aba152c))
* **security:** add checksum validation infrastructure ([#106](#106)) ([07528fb](07528fb))
* **security:** add security scanning scripts ([#25](#25)) ([82de5a1](82de5a1))
* **workflows:** add CodeQL security analysis to PR validation ([#132](#132)) ([e5b6e8f](e5b6e8f))
* **workflows:** add orchestration workflows and documentation ([#29](#29)) ([de442e0](de442e0))
* **workflows:** add security reusable workflows ([#28](#28)) ([2c74399](2c74399))
* **workflows:** add validation reusable workflows ([#27](#27)) ([f52352d](f52352d))

### 🐛 Bug Fixes

* **build:** add token parameter to release-please action ([#166](#166)) ([c9189ec](c9189ec))
* **build:** disable MD012 lint rule in CHANGELOG for release-please compatibility ([#173](#173)) ([54502d8](54502d8)), closes [#172](#172)
* **build:** pin npm commands for OpenSSF Scorecard compliance ([#181](#181)) ([c29db54](c29db54))
* **build:** remediate GHSA-g9mf-h72j-4rw9 undici vulnerability ([#188](#188)) ([634bf36](634bf36))
* **build:** seed CHANGELOG.md with version entry for release-please frontmatter preservation ([#170](#170)) ([2b299ac](2b299ac))
* **build:** use GitHub App token for release-please ([#167](#167)) ([070e042](070e042))
* **build:** use hashtable splatting for named parameters ([#164](#164)) ([02a965f](02a965f))
* **devcontainer:** remove unused Python requirements check ([#78](#78)) ([f17a872](f17a872)), closes [#77](#77)
* **docs:** fix broken links and update validation for .vscode/README.md ([#118](#118)) ([160ae7a](160ae7a))
* **docs:** improve language consistency in Automated Installation section ([#139](#139)) ([a932918](a932918))
* **docs:** replace install button anchor with VS Code protocol handler ([#111](#111)) ([41a265e](41a265e))
* **docs:** update install badges to use aka.ms redirect URLs ([#114](#114)) ([868f655](868f655))
* **linting:** use cross-platform path separators in gitignore pattern matching ([#121](#121)) ([3f0aa1b](3f0aa1b))
* **scripts:** accepts the token (YYYY-MM-dd) in frontmatter validation ([#133](#133)) ([2648215](2648215))
* **tools:** correct Method 5 path resolution in hve-core-installer ([#129](#129)) ([57ef20d](57ef20d))

### 📚 Documentation

* add comprehensive RPI workflow documentation ([#153](#153)) ([cbaa4a9](cbaa4a9))
* enhance README with contributing, responsible AI, and legal sections ([#52](#52)) ([a424adc](a424adc))

### ♻️ Refactoring

* **instructions:** consolidate and enhance AI artifact guidelines ([#206](#206)) ([54dd959](54dd959))
* migrate chatmodes to agents architecture ([#210](#210)) ([712b0b7](712b0b7))

### 🔧 Maintenance

* **build:** clean up workflow permissions for Scorecard compliance ([#183](#183)) ([64686e7](64686e7))
* **deps-dev:** bump cspell in the npm-dependencies group ([#61](#61)) ([38650eb](38650eb))
* **deps-dev:** bump glob from 10.4.5 to 10.5.0 ([#74](#74)) ([b3ca9fd](b3ca9fd))
* **deps-dev:** bump markdownlint-cli2 from 0.19.1 to 0.20.0 in the npm-dependencies group ([#134](#134)) ([ebfbe84](ebfbe84))
* **deps-dev:** bump the npm-dependencies group across 1 directory with 2 updates ([#109](#109)) ([936ab84](936ab84))
* **deps-dev:** bump the npm-dependencies group with 2 updates ([#30](#30)) ([cf99cbf](cf99cbf))
* **deps:** bump actions/upload-artifact from 5.0.0 to 6.0.0 in the github-actions group ([#142](#142)) ([91eac8a](91eac8a))
* **deps:** bump js-yaml, markdown-link-check and markdownlint-cli2 ([#75](#75)) ([af03d0e](af03d0e))
* **deps:** bump the github-actions group with 2 updates ([#108](#108)) ([3e56313](3e56313))
* **deps:** bump the github-actions group with 2 updates ([#135](#135)) ([4538a03](4538a03))
* **deps:** bump the github-actions group with 2 updates ([#62](#62)) ([d1e0c09](d1e0c09))
* **deps:** bump the github-actions group with 3 updates ([#87](#87)) ([ed550f4](ed550f4))
* **deps:** bump the github-actions group with 6 updates ([#162](#162)) ([ec5bb12](ec5bb12))
* **devcontainer:** enhance gitleaks installation with checksum verification ([#100](#100)) ([5a8507d](5a8507d))
* **devcontainer:** refactor setup scripts for improved dependency management ([#94](#94)) ([f5f50d1](f5f50d1)), closes [#98](#98)
* **security:** configure GitHub branch protection for OpenSSF compliance ([#191](#191)) ([90aab1a](90aab1a))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
This PR implements the top-level orchestration workflows that activate the entire CI/CD pipeline for the HVE Core project. These workflows provide single entry points for automated validation and security checks by calling the reusable workflows created in previous PRs.
The orchestration layer consists of:
Resolves: #16
🚀 - Generated by Copilot