feat(workflow): add copilot-setup-steps.yml for Coding Agent environment

[katriendg]

Description

Adds copilot-setup-steps.yml workflow to bridge the devcontainer environment to GitHub Actions runners for Copilot Coding Agent. The workflow pre-installs Node.js 20, Python 3.11, and PowerShell modules to match local development capabilities, enabling agents to use the same npm scripts for validation in the cloud environment.

• Created .github/workflows/copilot-setup-steps.yml with SHA-pinned actions for checkout, setup-node, and setup-python
• Added tool verification step confirming availability of node, npm, python3, pwsh, and shellcheck
• Updated .github/copilot-instructions.md with new "Coding Agent Environment" section documenting pre-installed tools and npm script usage
• Applied minimal contents: read permissions following principle of least privilege

Related Issue(s)

Closes #388

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

N/A - only updated copilot-instructions.md for the cloud agent.

Testing

• Workflow triggers on push/PR to its own path for validation
• Tool verification step confirms all dependencies are available
• npm scripts listed via npm run --list for agent reference

Checklist

Required Checks

• Documentation is updated (if applicable) - This will be a follow-up PR to update documentation after workflow is merged and verified
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Copilot instructions (.github/instructions/*.instructions.md)

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

The workflow uses SHA-pinned actions for security:

• actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (v4.2.2)
• actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 (v4.1.0)
• actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f (v5.1.1)

The job is named copilot-setup-steps as required by GitHub Copilot documentation for automatic recognition.

Intentionally excluded or leveraged from runners:

• gitleaks - Secret scanning runs in CI workflows via security-scan.yml, following the principle that security validation belongs in the pipeline, not the agent's editing environment. GitHub's push protection provides an additional layer of defense.
• shellcheck - Pre-installed on ubuntu-latest runners (v0.9.0-1), no explicit installation needed.
• Pester 5.7.1 - Pre-installed on GitHub-hosted runners, no explicit installation needed.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	6044e13b5dc448c55e2357c09f80417699197238	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 8 10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/setup-python	39cd14951b08e74b54015e9e001cdefcf80e669f	🟢 5	Details Check Score Reason Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/copilot-setup-steps.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.41%. Comparing base (4bb857d) to head (47f31e1).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #398      +/-   ##
==========================================
- Coverage   52.44%   52.41%   -0.04%     
==========================================
  Files          17       17              
  Lines        3110     3110              
==========================================
- Hits         1631     1630       -1     
- Misses       1479     1480       +1     

Flag	Coverage Δ
pester	52.41% <ø> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR adds a GitHub Actions workflow to configure the environment for GitHub Copilot Coding Agent, ensuring tool parity with the local devcontainer. The workflow pre-installs Node.js 20, Python 3.11, PowerShell modules, and verifies tool availability to enable cloud-based agents to run the same validation scripts as local developers.

Changes:

• Created .github/workflows/copilot-setup-steps.yml to pre-install development tools and dependencies for Copilot Coding Agent
• Updated .github/copilot-instructions.md with new "Coding Agent Environment" section documenting pre-installed tools, npm script usage, and environment synchronization practices

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/copilot-setup-steps.yml	New workflow that sets up Node.js 20, Python 3.11, PowerShell modules, and verifies tool availability for Copilot Coding Agent with SHA-pinned actions
.github/copilot-instructions.md	Added documentation section describing the cloud agent environment, available tools, npm scripts for validation, and synchronization guidance

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.