
feat(ci): add daily pelis agent factory advisor agentic workflow#272

Merged
Mossaka merged 6 commits into main from copilot/add-daily-agentic-workflow on Jan 17, 2026

Conversation

Contributor

Copilot AI commented Jan 17, 2026

Adds a daily agentic workflow that analyzes the repository for missed opportunities to add, enhance, or improve agentic workflows based on Pelis Agent Factory patterns.

Configuration

  • Schedule: Daily run with manual dispatch support
  • Cache: cache-memory: true for persistent knowledge across runs
  • Output: Creates discussions with [Pelis Agent Factory Advisor] prefix
  • Tools: All bash commands enabled (bash: ["*"]), plus web-fetch, github, and agentic-workflows tools
  • Network: Restricted to github domains

Agent Behavior

  • Crawls Pelis Agent Factory docs at githubnext.github.io/gh-aw/blog/2026-01-12-welcome-to-pelis-agent-factory/
  • Explores github.com/githubnext/agentics for reference implementations
  • Inventories existing workflows and analyzes repo structure
  • Outputs prioritized recommendations (P0-P3) with impact/effort/reasoning

Files Added

  • .github/workflows/pelis-agent-factory-advisor.md - Workflow definition
  • .github/workflows/pelis-agent-factory-advisor.lock.yml - Compiled GitHub Action (generated via gh aw compile)
Original prompt

Add a daily run agentic workflow ("pelis agent factory advisor") that is an expert of agentic workflows. This agent knows the common patterns of agentic workflows from the knowledge of pelis agent factory https://githubnext.github.io/gh-aw/blog/2026-01-12-welcome-to-pelis-agent-factory/ (instruct the agent to crawl all the pages from this site. Note, YOU DON'T HAVE TO CRAWL IT, but you should provide prompt to let the agent crawl the site) and https://github.com/githubnext/agentics/tree/main

It's tasked to examine this repo and provide missed opportunities to add, enhance, improve existing or new agentic workflows to make the repo much more automated and agentic ready.

This workflow should enable cache. this workflow should output to a discussion in the format of actionable items, priority, and reasoning on why.



Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add daily run agentic workflow for pelis agent factory" to "feat(ci): add daily pelis agent factory advisor agentic workflow" Jan 17, 2026
Copilot AI requested a review from Mossaka January 17, 2026 09:12
@Mossaka
Collaborator

Mossaka commented Jan 17, 2026

@copilot generate the github action and push

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 17, 2026

@copilot generate the github action and push

Generated the GitHub Action lock file using gh aw compile and pushed in commit 198dc04.

@github-actions

github-actions bot commented Jan 17, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 17, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

github-actions bot commented Jan 17, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Jan 17, 2026

✅ Coverage Check Passed

Overall Coverage

Metric       Base     PR       Delta
Lines        77.19%   77.19%   ➡️ +0.00%
Statements   77.27%   77.27%   ➡️ +0.00%
Functions    77.17%   77.17%   ➡️ +0.00%
Branches     69.76%   69.76%   ➡️ +0.00%

Coverage comparison generated by scripts/ci/compare-coverage.ts

Code scanning / CodeQL (the same check warning is raised on six "Setup Scripts" steps)

Check warning: Unpinned tag for a non-immutable Action in workflow (Medium)
Unpinned 3rd party Action 'Pelis Agent Factory Advisor' step Uses Step uses 'githubnext/gh-aw/actions/setup' with ref 'v0.36.0', not a pinned commit hash

Flagged step, identical at each of the six locations:
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.36.0

Line immediately preceding each flagged step:
comment_repo: ""
output_types: ${{ steps.collect_output.outputs.output_types }}
total_count: ${{ steps.missing_tool.outputs.total_count }}
success: ${{ steps.parse_results.outputs.success }}
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
permissions: {}
@github-actions

Smoke Test Results

Last 2 merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PR list successfully
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Writing: Created test file successfully
  • ✅ Bash Tool: Verified file contents

Status: PASS

AI generated by Smoke Claude

@Mossaka Mossaka marked this pull request as ready for review January 17, 2026 09:28
Comment on lines 18 to 24
bash:
- "ls:*"
- "cat:*"
- "grep:*"
- "find:*"
- "head:*"
- "tail:*"
Collaborator


@copilot enable all tools

Contributor Author


Enabled all bash tools by changing to bash: ["*"] and recompiled the lock file in commit 7547a7c.

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP (reviewed PRs)
  • ✅ Playwright (GitHub title verified)
  • ✅ File write (/tmp/gh-aw/agent/smoke-test-copilot-21092096085.txt)
  • ✅ Bash tool (file verified)

Status: PASS

CC: @Mossaka (author & assignee)

AI generated by Smoke Copilot

@github-actions

github-actions bot commented Jan 17, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Jan 17, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 17, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved recent PRs
  • ✅ Playwright: Navigated to GitHub (title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
  • ✅ File Write: Created test file
  • ✅ Bash: Verified file content

Status: PASS

AI generated by Smoke Claude

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PRs successfully
  • ❌ Playwright: Blocked (azureedge.net not whitelisted for browser downloads)
  • ✅ File Writing: Created test file successfully
  • ✅ Bash Tool: Verified file creation
  • ✅ Curl Alternative: Fetched GitHub page title "GitHub · Change is constant"

Overall Status: PARTIAL PASS

cc: @Mossaka @copilot

AI generated by Smoke Copilot

@github-actions

🔒 Security Review: Supply Chain Security Weakening Detected

Critical Issue: Removal of Commit SHA Pinning for GitHub Actions

This PR removes commit SHA pinning from multiple GitHub Actions workflows, replacing immutable commit references with mutable version tags. This weakens the repository's supply chain security and reverses hardening implemented in PR #266.


📍 Affected Files and Lines

1. .github/workflows/codeql.yml

  • Lines 38, 41, 50: Changed from commit SHAs to version tags
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ uses: actions/checkout@v4

- uses: github/codeql-action/init@f68537f3d8a6955880f700730943f8a754454193 # v4
+ uses: github/codeql-action/init@v4

- uses: github/codeql-action/analyze@f68537f3d8a6955880f700730943f8a754454193 # v4
+ uses: github/codeql-action/analyze@v4
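Review bot: on the `github/codeql-action/init` and `analyze` lines the `# v4` comment disappears together with the SHA, so if the pin is restored it should come back in the `@f68537f3d8a6955880f700730943f8a754454193 # v4` form that keeps the readable version next to the immutable ref; these two steps are the scanner whose results feed code scanning, so a moved `v4` tag would change the scan itself, not only a build step.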

2. .github/workflows/container-scan.yml

  • Lines 53, 88: Removed SHA pinning from security scanning uploads
- uses: github/codeql-action/upload-sarif@a4fda0891d53e117609b7ddb3570638c2c6d7c89 # v3
+ uses: github/codeql-action/upload-sarif@v3

3. .github/workflows/pr-title.yml

  • Line 12: Removed SHA pinning
- uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+ uses: amannn/action-semantic-pull-request@v5

4. .github/workflows/release.yml

  • Lines 21, 24, 50, 57, 70, 95, 265, 280: Multiple critical actions unpinned
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ uses: actions/checkout@v4

- uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+ uses: docker/build-push-action@v5
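Review bot: `docker/build-push-action@v5` is the step that builds and pushes the release image, so it is the first of these to re-pin; `sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0` in the same file still uses the `@<sha> # <version>` form and is the pattern to follow for the other lines.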

(And several others)


⚠️ Security Impact

Why this weakens security:

  1. Immutable vs Mutable References

    • Commit SHAs are immutable: once pinned, the code cannot change
    • Version tags are mutable: @v4 can be moved to point to different code
  2. Supply Chain Attack Surface

    • Attackers who compromise an action's repository can modify version tags
    • Existing workflows using mutable tags would automatically pull malicious code
    • SHA pinning prevents this attack vector
  3. Reverses Previous Hardening

  4. Inconsistent Security Posture

    • Interestingly, sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 retains SHA pinning
    • This inconsistency suggests accidental regression rather than intentional policy change

🔧 Recommended Action

Revert the SHA unpinning changes:

  1. Restore commit SHA references in all four workflow files
  2. Keep the new pelis-agent-factory-advisor workflow additions (those appear benign)
  3. If version tag usage is intentional, please provide security justification in PR description

Note: The new workflow file pelis-agent-factory-advisor.lock.yml appears to be a legitimate addition for agentic workflow advice and doesn't introduce security concerns to the firewall itself (though it does use an outdated awf version v0.8.2 vs current v0.10.0).


Security Risk Level: 🔴 HIGH - Increases supply chain attack surface

Ahoy! This treasure was crafted by 🏴‍☠️ Security Guard fer issue #272 🗺️
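The check behind both the CodeQL annotations above and this security review, written out as an added example (not code from PR #272 or the gh-aw project): scan workflow YAML for `uses:` references and report every remote action that is not pinned to a full commit SHA. The sample workflow is constructed from references quoted on this page.

```typescript
// Added example (not code from PR #272 or the gh-aw project): the check behind
// CodeQL's "unpinned tag" warning and the security review, as a YAML line scanner.
type PinKind = "sha" | "mutable" | "local" | "docker";
interface UsesRef { line: number; action: string; ref: string; kind: PinKind; comment?: string }

// Matches "uses: x" or "- uses: x", plus an optional trailing "# v4"-style comment.
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*\S))?\s*$/;

// Only a full 40-hex commit SHA is immutable; tags, branches and "" (default branch) can move.
function classifyRef(ref: string): PinKind {
  return /^[0-9a-f]{40}$/i.test(ref) ? "sha" : "mutable";
}

function scanWorkflow(yaml: string): UsesRef[] {
  const found: UsesRef[] = [];
  yaml.split("\n").forEach((text, i) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const spec = m[1];
    const base = { line: i + 1, comment: m[2] };
    if (spec.startsWith("./")) {
      found.push({ ...base, action: spec, ref: "", kind: "local" });   // lives in this repo
    } else if (spec.startsWith("docker://")) {
      found.push({ ...base, action: spec, ref: "", kind: "docker" });  // digest check is separate
    } else {
      const at = spec.lastIndexOf("@");
      const action = at < 0 ? spec : spec.slice(0, at);
      const ref = at < 0 ? "" : spec.slice(at + 1);
      found.push({ ...base, action, ref, kind: classifyRef(ref) });
    }
  });
  return found;
}

// Remote actions referenced by tag or branch: what the review above asks to re-pin.
function unpinnedActions(yaml: string): UsesRef[] {
  return scanWorkflow(yaml).filter((r) => r.kind === "mutable");
}

// Constructed sample built from references quoted on this PR page.
const SAMPLE_WORKFLOW = `
steps:
  - name: Setup Scripts
    uses: githubnext/gh-aw/actions/setup@v0.36.0
  - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
  - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
  - uses: docker/build-push-action@v5
  - uses: ./.github/actions/local-step
`;
```

Running `unpinnedActions(SAMPLE_WORKFLOW)` returns the gh-aw setup step and the docker build step, the same two kinds of reference the CodeQL check and the review flag.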

@Mossaka Mossaka merged commit 41aec33 into main Jan 17, 2026
41 of 42 checks passed
@Mossaka Mossaka deleted the copilot/add-daily-agentic-workflow branch January 17, 2026 20:20