feat: add agentic workflows and security posture #51

Merged: pmalarme merged 123 commits into main from feature/add-agentic-workflow-and-security-posture on Feb 19, 2026

Conversation

@pmalarme (Owner)

Summary

This pull request introduces several foundational files and configurations to support secure, maintainable development in a Python monorepo for AI agents. The changes include new GitHub Actions for Python environment setup, security review automation, agentic workflow documentation, and repository ownership metadata. The most important changes are grouped below.

GitHub Actions and Security Improvements:

  • Added a composite GitHub Action (.github/actions/setup-python-env) to standardize Python environment setup using uv, with robust input validation and security checks for dependency installation flags. Includes documentation and an action definition file. [1] [2]
  • Introduced a Security Reviewer Agent (.github/agents/security-reviewer.agent.md) that provides a detailed checklist for reviewing code changes across 15 security posture categories, ensuring secure-by-default practices in the codebase.

Agentic Workflows Support:

  • Added comprehensive documentation for the Agentic Workflows agent (.github/agents/agentic-workflows.agent.md), detailing prompt routing, supported workflow types, usage instructions, and security best practices for AI-powered workflow automation.

Repository and Workflow Metadata:

  • Created a .gitattributes rule to treat workflow lock files as generated and resolve merge conflicts automatically.
  • Added a .github/CODEOWNERS template to define ownership for different repository areas, including agents, workflows, and documentation.
  • Introduced .github/aw/actions-lock.json to pin third-party GitHub Actions by SHA for supply chain security and reproducibility.

Testing

  • uv run poe check

Checklist

  • Linked issue or task reference
  • Added/updated tests where relevant
  • Updated docs/README if needed
  • No secrets or sensitive data added
  • Considered backward compatibility and deployment impact

Additional context

pmalarme and others added 30 commits February 18, 2026 16:05
…extra-args

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
Fix script injection vulnerability in setup-python-env composite action
Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 44 out of 46 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

agents/agent1/src/python_agent_template/agents/agent1/validators/errors/empty_string_error.py:5

  • This module is missing from __future__ import annotations, but the repo’s convention (and the updated coding standards) states it should be at the top of every module. Add the future import under the module docstring to keep annotation behavior consistent across the codebase.

@github-actions bot left a comment


Security Review Summary

This PR introduces GitHub Actions workflows, composite actions, agentic workflow infrastructure, and Python agent improvements. The overall security posture is good — no critical or high severity issues were found.

Findings (medium / low only — non-blocking)

| # | Severity | File | Category | Summary |
|---|---|---|---|---|
| 1 | Medium | .github/actions/setup-python-env/action.yml:42 | Input Validation | extra-args flag validation uses an incomplete denylist; an allowlist of permitted flags would be more robust |
| 2 | Low | .github/workflows/monorepo-release.yml:42 | Input Validation | VERSION extracted from pyproject.toml is not format-validated before use in git commands, unlike the equivalent check in python-release.yml |

What looks good

  • All third-party GitHub Actions are pinned by SHA (actions/checkout@de0fac2e..., astral-sh/setup-uv@f0ec1fc3..., actions/upload-pages-artifact@7b1f4a76...).
  • persist-credentials: false is set consistently across all checkout steps.
  • Secrets accessed correctly via ${{ secrets.* }} — no hardcoded credentials found anywhere.
  • Inline credential helper pattern (git -c credential.helper=!f() {...}) is used correctly in both release workflows — token never written to .git/config or embedded in URLs.
  • Workflow permissions follow least privilege — most workflows are contents: read; write permissions are scoped only to the release jobs that need them.
  • python-release.yml validates $NAME and $VERSION from wheel filenames before passing them to git commands.
  • python-docker-build.yml validates agent names with an allowlist regex (^[a-z0-9][a-z0-9_-]*$) before using them in shell paths.
  • action.yml character-level format check (^-[a-zA-Z0-9=._:/@+-]+$) prevents most injection attempts in extra-args.
  • Validator module (require_non_blank_strings, error hierarchy with __slots__ = ()) follows project conventions cleanly.
  • No secrets, tokens, or PII detected in source code, tests, comments, or documentation.
  • .gitignore correctly excludes .env files and credential material.

@github-actions bot left a comment


Security Review Summary

This PR introduces GitHub Actions workflows, a composite setup action, agentic workflow definitions, a security reviewer agent, and new input-validation utilities for the agent1 package. The overall security posture of the changes is good, with several proactive improvements already present (pinned Action SHAs, persist-credentials: false throughout, validated agent name/version inputs, inline credential helpers for git push, and a proper input-validation decorator with test coverage).

Two findings were identified, both low/informational severity:

Findings

| # | Severity | File | Category | Summary |
|---|---|---|---|---|
| 1 | 🟡 Low | .github/actions/setup-python-env/action.yml line 41 | Input Validation | Denylist used instead of allowlist for extra-args flag validation — case-sensitive check could miss aliases |
| 2 | ℹ️ Informational | .github/workflows/create-issue-command.md line 38 | Input Validation / Prompt Injection | User-controlled slash command text injected verbatim into AI prompt; blast radius is limited by safe-outputs sandboxing |

What looks good

  • ✅ All third-party GitHub Actions are pinned to full SHAs with version comments
  • persist-credentials: false is set on all checkout steps
  • ✅ Workflow permissions follow least-privilege (contents: read for most workflows)
  • ✅ Agent name and version values in release workflows are validated with allowlist regexes before being used in git commands
  • ✅ Git push uses an inline credential helper — no tokens written to .git/config or embedded in URLs
  • ✅ Docker build workflow validates agent names before using them in docker build paths
  • ✅ New Python validator utilities have comprehensive test coverage including edge cases (whitespace-only, None, wrong type)
  • ✅ No hardcoded secrets, tokens, or credentials anywhere in the diff
  • uv.lock moved out of .gitignore — lock file will now be committed and tracked

These findings are not blocking. No critical or high severity issues were found.
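An added example, not code from the PR's action.yml or release workflows: a POSIX sh allowlist check for the extra-args input (finding 1 in both reviews) and a format check for VERSION before it reaches git (finding 2 in the first review). The set of permitted uv flags and the version pattern are assumptions for illustration; the character-level regex is the one quoted in the review.

```shell
# Added example (not the PR's own code). Allowlist validation for the
# extra-args input and a VERSION format check, as a composite-action
# `run:` step could use them. Permitted flags are an assumption: adjust
# them to whatever install command the action actually runs.

# Character-level check quoted in the review, applied per token.
is_flag_shaped() {
  printf '%s' "$1" | grep -Eq '^-[a-zA-Z0-9=._:/@+-]+$'
}

# Allowlist: only these exact spellings pass. Aliases, unknown flags and
# differently-cased variants (e.g. --FROZEN) are rejected, which is what
# a denylist cannot guarantee.
is_allowed_flag() {
  case "$1" in
    --frozen|--locked|--no-dev|--all-extras) return 0 ;;
    --extra=[a-z0-9]*|--group=[a-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when every whitespace-separated token in "$1" is an allowed
# flag; an empty input is accepted. Globbing is disabled while splitting
# so a token such as "-*" cannot expand to file names.
validate_extra_args() {
  set -f
  set -- $1
  set +f
  for tok in "$@"; do
    is_flag_shaped "$tok" || return 1
    is_allowed_flag "$tok" || return 1
  done
  return 0
}

# VERSION must look like 1.2.3 or 1.2.3rc1 before it is interpolated
# into git tag/commit commands (assumed version scheme).
validate_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([a-z]+[0-9]+)?$'
}
```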

@pmalarme pmalarme merged commit 5b6354e into main Feb 19, 2026
27 checks passed
@pmalarme pmalarme deleted the feature/add-agentic-workflow-and-security-posture branch February 19, 2026 22:05