Require project URL for campaign orchestrator workflows

[Copilot]

Fix: Campaign orchestrator requires a GitHub Project URL to track Dependabot PRs and bundle issues ✅

Summary

This PR adds validation to ensure that campaign orchestrator workflows have a required GitHub Project URL for tracking work items (Dependabot PRs, bundle issues, security alerts, etc.).

Campaign orchestrators coordinate multiple workflows and track progress on GitHub Project boards. Without a project URL, they cannot track Dependabot PRs, manage bundle issues, or provide visibility into campaign progress.

Changes

New Validation Logic:

• pkg/workflow/campaign_project_validation.go - Campaign detection and validation
• pkg/workflow/campaign_project_validation_test.go - Comprehensive test suite (12 test cases)
• pkg/workflow/compiler_orchestrator_engine.go - Integrated validation into compilation flow

Campaign Detection (Aligned with Safe-Output Patterns):

Workflows are identified as campaigns based on explicit campaign indicators:

1. Campaign labels (agentic-campaign or z_campaign_*) in safe-outputs configurations (add-labels, create-issue, create-pull-request, create-discussion)
2. Campaign ID (campaign-id) in repo-memory tool configuration

The detection is consistent with how safe outputs like update-issue, add-labels, etc. are identified - by checking for their presence in configuration maps.

Note: update-project is NOT used as a detection criterion to avoid false positives. Workflows can use project management features without being campaign orchestrators. Campaign characteristics are explicitly declared through labels or campaign IDs.

Project URL Requirement:

• The project field in frontmatter is required for campaign workflows
• Must be a non-empty string or configuration object with a URL field

Workflow Fixes:
Added project: https://github.com/orgs/githubnext/projects/144 to 4 campaign workflows:

1. .github/workflows/dependabot-bundler.md ✅
2. .github/workflows/code-scanning-fixer.md ✅
3. .github/workflows/secret-scanning-triage.md ✅
4. .github/workflows/security-fix-pr.md ✅

Test Updates:

• Fixed update_project_handler_config_test.go to include project URL for test workflow using update-project

Testing Results ✅

• ✅ All 145 workflows compile successfully
• ✅ All unit tests pass (12 campaign validation tests)
• ✅ Linting passes
• ✅ Validation catches campaigns missing project URLs with clear error messages
• ✅ No false positives for non-campaign workflows using project features

Error Messages

The validation provides clear, actionable error messages:

✗ campaign orchestrator requires a GitHub Project URL to track work items.
  Please add a 'project' field to the frontmatter with a valid GitHub Project URL
  (e.g., project: https://github.com/orgs/myorg/projects/123).
  Campaign detected via: campaign labels in safe-outputs (agentic-campaign or z_campaign_*)

Design Rationale

Campaign Detection Philosophy:

• Campaigns are identified by explicit declarations (labels, IDs)
• Similar to how safe outputs are detected (by presence in config maps)
• update-project alone doesn't make a workflow a campaign (it's a tool, not an identity)
• This avoids false positives while catching all true campaign orchestrators

Implementation Complete

All requirements met:

• ✅ Campaign detection logic aligned with safe-output patterns
• ✅ Project URL validation
• ✅ Comprehensive tests
• ✅ All workflows fixed
• ✅ Clear error messages
• ✅ All tests passing
• ✅ No false positives

Original prompt

Fix: Campaign orchestrator requires a GitHub Project URL to track Dependabot PRs and bundle issues

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[mnkiefer]

@copilot project: should act as follows: When added to the font-matter, this is the source of truth for all project urls. If not in frontmatter, fallback and look for it in the markdown.

[Copilot]

@copilot project: should act as follows: When added to the font-matter, this is the source of truth for all project urls. If not in frontmatter, fallback and look for it in the markdown.

Done! The project: field now works exactly as you described:

1. Frontmatter is the source of truth - When project: is in frontmatter, it's used (commit 3ca8531)
2. Markdown fallback - If not in frontmatter, the validation searches for GitHub Project URLs in the markdown body

The implementation:

• Checks frontmatter first (source of truth)
• Falls back to searching markdown for https://github.com/orgs/*/projects/* or https://github.com/users/*/projects/* patterns
• Added 7 new test cases for the markdown fallback functionality
• All 23 tests pass ✅

Example markdown fallback:

# Campaign

Track progress at https://github.com/orgs/githubnext/projects/144

[mnkiefer]

@copilot Revert what is not part of this last commit (logic)

[Copilot]

@copilot Revert what is not part of this last commit (logic)

Reverted the markdown fallback logic (commit 077f440). The validation now only checks the frontmatter project field as originally implemented. Campaign workflows must have project: in their frontmatter - no markdown body fallback.

[mnkiefer]

@copilot Check other safe outputs like update-issue and how they are identified.

[Copilot]

@copilot Check other safe outputs like update-issue and how they are identified.

I reviewed how safe outputs like update-issue are identified (by checking for their presence in the safe-outputs map) and aligned the campaign detection accordingly.

Campaign Detection (commit cb17d5b):

• ✅ Campaign labels (agentic-campaign, z_campaign_*) in safe-outputs configs
• ✅ campaign-id in repo-memory configuration
• ❌ NOT using update-project presence (avoids false positives)

Rationale:
Similar to how update-issue, add-labels, etc. are detected by their configuration presence, campaigns are identified by explicit campaign indicators (labels, IDs), not by the presence of project management tools. This prevents flagging non-campaign workflows that simply use project features.

Result:

• All tests pass ✅
• No false positives for workflows using update-project without campaign characteristics
• Campaign workflows still caught correctly via labels/IDs

[github-actions]

🔍 PR Triage Results

Category: chore | Risk: medium | Priority: 45/100

Scores Breakdown

• Impact: 20/50 - Adds project URL requirement for campaign orchestrator
• Urgency: 10/30 - Recent PR (0 days old) with standard urgency
• Quality: 15/20 - Not draft, CI pending completion

📋 Recommended Action: batch_review

This PR is part of Batch #4: Chore Updates (batch-chore-001) along with PR #12827. Review together for configuration consistency.

Next Steps:

1. Wait for CI completion
2. Validate project URL requirement
3. Review with batch-chore-001

---

Triaged by PR Triage Agent on 2026-01-31 | Run #21540069309

AI generated by PR Triage Agent

[mnkiefer]

@copilot Revert all these changes. The issue is that a missing tool was recoded for workflow dispatch, even though the frontmatter contained the correct safe outputs for it.