Files
awesome-copilot/docs
Swetha Kumar 72fae201df Add mcp-security-baseline skill (#2212)
* Add mcp-security-baseline skill

An Agent Skill that reviews MCP server and client source code against a security
baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance
report with file/line evidence. Complements mcp-security-audit, which checks
.mcp.json configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback: remove ignored keywords field, link MCP spec

- Remove the top-level `keywords` field: it is not a recognized skill
  front-matter field and is ignored (skills are indexed for search by
  name + description only). The keyword terms are already present in the
  description, so discovery is unaffected.
- Link the MCP 2025-03-26 specification at the protocol-version check so
  the agent has it for quick reference.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback: fix unsafe-deserialization example, link current MCP spec

- Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)`
  to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage.
- Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26
  baseline on the protocol-version check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-09 00:49:40 +00:00
..
2025-10-29 06:07:13 +11:00

Agentic Workflows

Agentic Workflows are AI-powered repository automations that run coding agents in GitHub Actions. Defined in markdown with natural language instructions, they enable event-triggered and scheduled automation with built-in guardrails and security-first design.

How to Contribute

See CONTRIBUTING.md for guidelines on how to contribute new workflows, improve existing ones, and share your use cases.

How to Use Agentic Workflows

What's Included:

  • Each workflow is a single .md file with YAML frontmatter and natural language instructions
  • Workflows are compiled to .lock.yml GitHub Actions files via gh aw compile
  • Workflows follow the GitHub Agentic Workflows specification

To Install:

  • Install the gh aw CLI extension: gh extension install github/gh-aw
  • Copy the workflow .md file to your repository's .github/workflows/ directory
  • Compile with gh aw compile to generate the .lock.yml file
  • Commit both the .md and .lock.yml files

To Activate/Use:

  • Workflows run automatically based on their configured triggers (schedules, events, slash commands)
  • Use gh aw run <workflow> to trigger a manual run
  • Monitor runs with gh aw status and gh aw logs

When to Use:

  • Automate issue triage and labeling
  • Generate daily status reports
  • Maintain documentation automatically
  • Run scheduled code quality checks
  • Respond to slash commands in issues and PRs
  • Orchestrate multi-step repository automation
Name Description Triggers
Daily Issues Report Generates a daily summary of open issues and recent activity as a GitHub issue schedule
OSPO Contributors Report Monthly contributor activity metrics across an organization's repositories. schedule, workflow_dispatch
OSPO Organization Health Report Comprehensive weekly health report for a GitHub organization. Surfaces stale issues/PRs, merge time analysis, contributor leaderboards, and actionable items needing human attention. schedule, workflow_dispatch
OSPO Stale Repository Report Identifies inactive repositories in your organization and generates an archival recommendation report. schedule, workflow_dispatch
OSS Release Compliance Checker Analyzes a target repository against open source release requirements and posts a detailed compliance report as an issue comment. issues, workflow_dispatch
Relevance Check Slash command to evaluate whether an issue or pull request is still relevant to the project slash_command, roles
Relevance Summary Manually triggered workflow that summarizes all open issues and PRs with a /relevance-check response into a single issue workflow_dispatch
Weekly Comment Sync Weekly workflow that finds stale code comments or README snippets, makes text-only synchronization updates, and opens a draft pull request when changes are needed. schedule, workflow_dispatch