forked from microsoft/agent-governance-toolkit
115 lines (105 loc) · 5.05 KB
ai-contributor-guide.yml
# AI-powered contributor helper for the agent-governance-toolkit.
# Welcomes first-time contributors with helpful, personalized context:
#   - For issues: analyzes the issue and suggests relevant packages/code areas
#   - For PRs: provides a friendly first-PR review with extra guidance
# Builds OSS community by making the contribution experience welcoming.
name: AI Contributor Guide

on:
  issues:
    types: [opened]
  pull_request_target:
    types: [opened]

permissions:
  contents: read
  pull-requests: write
  issues: write
  models: read

jobs:
  guide-issue:
    name: Guide First-Time Issue Author
    runs-on: ubuntu-latest
    # Only trigger for first-time contributors (never seen before or first contribution)
    if: >-
      github.event_name == 'issues' &&
      (github.event.issue.author_association == 'NONE' ||
      github.event.issue.author_association == 'FIRST_TIME_CONTRIBUTOR')
    continue-on-error: true
    # SECURITY: pull_request_target — this job does NOT checkout PR head code.
    # It only checks out the base branch for the composite action, and context
    # is fetched via GitHub API. Permissions are scoped to minimum needed.
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Guide contributor on issue
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: contributor-guide
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: issue
          output-mode: issue-comment
          custom-instructions: |
            You are a friendly OSS community helper for microsoft/agent-governance-toolkit.
            A first-time contributor has opened an issue. Welcome them warmly!
            Your response should:
            1. **Welcome** them to the project
            2. **Analyze** their issue and suggest which package(s) might be relevant:
               - agent-os: Core policy engine, agent lifecycle
               - agent-mesh: Agent discovery, routing, trust mesh
               - agent-hypervisor: Execution sandboxing, resource isolation
               - agent-sre: Reliability, chaos testing, SLOs
               - agent-compliance: Compliance frameworks, audit logging
               - agent-marketplace: Agent registry
               - agent-lightning: High-performance inference
               - agent-runtime: Runtime execution environment
            3. **Point to relevant code** — suggest specific directories to look at
            4. **Link to resources**:
               - [CONTRIBUTING.md](../blob/main/CONTRIBUTING.md)
               - [QUICKSTART.md](../blob/main/QUICKSTART.md)
               - [Code of Conduct](../blob/main/CODE_OF_CONDUCT.md)
            5. **Offer next steps** — what they can do to help resolve this
            Be encouraging and specific. Avoid generic boilerplate.

  guide-pr:
    name: Guide First-Time PR Author
    runs-on: ubuntu-latest
    # Only trigger for first-time contributors on PRs
    # Uses pull_request_target for security (runs on base branch context)
    if: >-
      github.event_name == 'pull_request_target' &&
      (github.event.pull_request.author_association == 'NONE' ||
      github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR')
    continue-on-error: true
    # SECURITY: pull_request_target — this job does NOT checkout PR head code.
    # Permissions scoped to minimum: contents:read for base checkout, pr:write
    # for posting the welcome comment.
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Guide PR author
        uses: ./.github/actions/ai-agent-runner
        with:
          agent-type: contributor-guide
          github-token: ${{ secrets.GITHUB_TOKEN }}
          model: gpt-4o
          fallback-model: gpt-4o-mini
          max-tokens: "4000"
          context-mode: pr-diff
          output-mode: pr-comment
          custom-instructions: |
            You are a friendly OSS community helper for microsoft/agent-governance-toolkit.
            A first-time contributor has opened a pull request. Welcome them!
            Your response should:
            1. **Welcome** them and thank them for contributing
            2. **Review their PR** with extra kindness — explain WHY things should be
               different, not just what to change
            3. **Highlight what they did well** before suggesting improvements
            4. **Explain project conventions**:
               - We use ruff for linting (select E,F,W)
               - Tests go in packages/{name}/tests/
               - We follow conventional commits (feat:, fix:, docs:, etc.)
               - Security-sensitive code gets extra scrutiny
            5. **Link to resources**:
               - [CONTRIBUTING.md](../blob/main/CONTRIBUTING.md)
               - [QUICKSTART.md](../blob/main/QUICKSTART.md)
            6. **Explain next steps** — what happens in the review process
            Be warm, specific, and constructive. First impressions matter for OSS!
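
The two properties the SECURITY comments rely on (no checkout of PR head code under `pull_request_target`, and the third-party action pinned to a full commit SHA) can be checked mechanically before a workflow change is merged. The following is an added example, not part of this workflow file or the project's tooling; `audit_workflow`, the regexes and the sample workflow are assumptions constructed for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed sample: a workflow excerpt that breaks both properties
# (tag-pinned action, PR head checked out under pull_request_target).
UNSAFE_SAMPLE = """\
on:
  pull_request_target:
    types: [opened]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")   # full 40-hex commit SHA after '@'
HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")


def _code_only(line):
    # Drop full-line and trailing comments so remarks are not scanned as config.
    return "" if line.lstrip().startswith("#") else line.split(" #", 1)[0]


def audit_workflow(text):
    """Return [(line_number, finding)] for the text of one workflow file."""
    code = [_code_only(ln) for ln in text.splitlines()]
    # Conservative: any non-comment mention of the trigger marks the file
    # as running with base-repository privileges.
    privileged = any(re.search(r"\bpull_request_target\b", ln) for ln in code)
    findings = []
    for no, ln in enumerate(code, 1):
        m = USES.match(ln)
        if m:
            target = m.group(1)
            # Local actions (./path) are read from whatever ref was checked out.
            if not target.startswith("./") and not SHA_PIN.search(target):
                findings.append((no, "action not pinned to a full commit SHA: " + target))
        if privileged and HEAD_REF.search(ln):
            findings.append((no, "PR head reference used under pull_request_target"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_workflow(UNSAFE_SAMPLE):
        print(f"line {no}: {msg}")
```

The scan covers only the workflow file itself; what the local `./.github/actions/ai-agent-runner` action does with the fetched issue or diff text is outside its reach.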