feat: add example OSPO agentic workflows #799
ashleywolf wants to merge 17 commits into github:main
Conversation
Adds a new skill that scans any GitHub repository for open source readiness across 8 checks: LICENSE, CONTRIBUTING.md, dependency license compatibility, README quality, SECURITY.md, CODE_OF_CONDUCT.md, CI/CD workflows, and issue/PR templates. Produces a scored readiness report with a letter grade (A-F) and actionable recommendations for OSPO review and compliance.
- TypeScript MCP server with 3 tools:
  - scan_dependencies: clones repo, npm install, license-checker
  - check_license_compatibility: flags copyleft/unknown/non-OSI
  - generate_sbom: CycloneDX 1.5 SBOM generation
- .mcp.json for auto-start via Copilot CLI
- Updated SKILL.md Check 3 to use MCP tools with API fallback
- Added optional SBOM generation section
This reverts commit d89a819.
Separate skill with a TypeScript MCP server that provides:
- scan_dependencies: clones repo, npm install, license-checker for all transitive deps
- check_license_compatibility: flags copyleft/unknown/non-OSI conflicts
- generate_sbom: CycloneDX 1.5 SBOM generation

Works alongside the ospo-readiness skill (unchanged).
- Detect Python projects (requirements.txt, pyproject.toml, setup.py, Pipfile)
- Use python3 venv + pip-licenses for dependency license scanning
- Add license normalizer mappings for common Python license strings (e.g. 'Mozilla Public License 2.0 (MPL 2.0)' → 'MPL-2.0')
- Add Python-2.0, HPND to permissive license set
- Update SKILL.md to document both npm and Python support
The MCP-powered dependency scanner is a separate standalone project, not part of this community skills submission. Only the text-based ospo-readiness skill belongs here.
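The license-compatibility check described in the commits above (normalize pip-licenses / license-checker output, then flag copyleft, unknown and non-OSI licenses), as an added Python example; this is not the MCP server's code or the ospo-readiness skill's own logic. The normalizer table, the permissive/copyleft sets and the two sample scan outputs are assumptions constructed for the demo.

```python
"""Normalize dependency license strings and flag compatibility problems.

Added example, not code from the PR's MCP server or the ospo-readiness skill.
Reads the JSON of pip-licenses (list of records with "Name"/"Version"/"License")
and of license-checker (object keyed "name@version" with a "licenses" field).
The sample scan outputs at the bottom are constructed for the demo.
"""
import re
# Assumed free-text -> SPDX mapping (pip-licenses reports trove classifier names).
NORMALIZE = {
    "mit license": "MIT",
    "bsd license": "BSD-3-Clause",
    "apache software license": "Apache-2.0",
    "mozilla public license 2.0 (mpl 2.0)": "MPL-2.0",
    "gnu lesser general public license v2 or later (lgplv2+)": "LGPL-2.1-or-later",
    "gnu general public license v3 (gplv3)": "GPL-3.0-only",
    "python software foundation license": "Python-2.0",
    "historical permission notice and disclaimer (hpnd)": "HPND",
}
PERMISSIVE = {"MIT", "ISC", "0BSD", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
              "Python-2.0", "HPND", "Zlib", "Unlicense"}
WEAK_COPYLEFT = {"MPL-2.0", "LGPL-2.1", "LGPL-2.1-only", "LGPL-2.1-or-later",
                 "LGPL-3.0", "LGPL-3.0-only", "LGPL-3.0-or-later", "EPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"}
# Least to most restrictive; used to resolve OR / AND expressions.
SEVERITY = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "non-osi": 3, "unknown": 4}

def normalize(raw):
    """Map one license token to an SPDX id, or "UNKNOWN" if it cannot be trusted."""
    token = re.sub(r"\s+", " ", raw.strip())
    if not token or token.upper() in ("UNKNOWN", "UNLICENSED"):
        return "UNKNOWN"
    if token.lower() in NORMALIZE:
        return NORMALIZE[token.lower()]
    # Already SPDX-shaped (e.g. "BSD-3-Clause"): keep verbatim. Free text, URLs and
    # license-checker's guessed "BSD*" do not match the pattern and become UNKNOWN.
    return token if re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.+-]*", token) else "UNKNOWN"

def classify(spdx):
    for category, ids in (("permissive", PERMISSIVE), ("weak-copyleft", WEAK_COPYLEFT),
                          ("strong-copyleft", STRONG_COPYLEFT)):
        if spdx in ids:
            return category
    return "unknown" if spdx == "UNKNOWN" else "non-osi"

def resolve(raw):
    """Resolve a license field to (spdx, category).

    license-checker emits SPDX expressions like "(MIT OR Apache-2.0)"; pip-licenses joins
    several classifiers with "; ". For OR the consumer may pick the least restrictive
    term, so that is reported; for AND every term binds, so the strictest one wins.
    """
    text = raw.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    if re.search(r"\sAND\s", text):
        parts, pick = re.split(r"\sAND\s", text), max
    else:
        parts, pick = re.split(r"\sOR\s|;", text), min
    options = [(normalize(p), classify(normalize(p))) for p in parts if p.strip()]
    return pick(options, key=lambda o: SEVERITY[o[1]])

def iter_records(scan):
    """Yield (package, version, license_field) from either tool's JSON."""
    if isinstance(scan, list):                      # pip-licenses --format=json
        for r in scan:
            yield r["Name"], r.get("Version", ""), r.get("License", "")
    else:                                           # license-checker --json
        for key, r in scan.items():
            name, _, version = key.rpartition("@")  # also handles "@scope/pkg@1.0.0"
            lic = r.get("licenses", "")             # a list = several license files found
            yield name, version, " AND ".join(lic) if isinstance(lic, list) else lic

def check_licenses(scan, flag_weak_copyleft=True):
    """Findings for every dependency that is not clearly permissive, most severe first."""
    findings = []
    for name, version, raw in iter_records(scan):
        spdx, category = resolve(raw)
        if category == "permissive" or (category == "weak-copyleft" and not flag_weak_copyleft):
            continue
        findings.append({"package": name, "version": version, "raw": raw,
                         "spdx": spdx, "category": category})
    return sorted(findings, key=lambda f: -SEVERITY[f["category"]])

# Constructed sample outputs, not real scans.
SAMPLE_PIP = [
    {"Name": "paramiko", "Version": "3.4.0", "License": "GNU Lesser General Public License v2 or later (LGPLv2+)"},
    {"Name": "certifi", "Version": "2024.8.30", "License": "Mozilla Public License 2.0 (MPL 2.0)"},
    {"Name": "mystery", "Version": "0.1", "License": "UNKNOWN"},
    {"Name": "pydocs", "Version": "1.0", "License": "MIT License; BSD License"},
]
SAMPLE_NPM = {
    "node-forge@1.3.1": {"licenses": "(BSD-3-Clause OR GPL-2.0)"},
    "some-gpl-lib@2.0.0": {"licenses": "GPL-3.0-only"},
    "@acme/internal@1.0.0": {"licenses": "SEE LICENSE IN LICENSE.txt"},
}
if __name__ == "__main__":
    for scan in (SAMPLE_PIP, SAMPLE_NPM):
        for f in check_licenses(scan):
            print(f"{f['category']:15} {f['package']}@{f['version']}: {f['raw']!r} -> {f['spdx']}")
```

The part worth getting right is the expression handling: an OR-expression resolves to the least restrictive option (the consumer may choose it), an AND-expression to the most restrictive (every term binds). License-checker's guessed licenses (trailing `*`) and free-text fields such as `SEE LICENSE IN ...` fall through to `unknown` and are reported, rather than being trusted as permissive.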
Introduces a new top-level agentic-workflows/ directory for GitHub Agentic Workflow (.md) files that compile with gh aw. Starts with 6 curated OSPO workflows:
- org-health: weekly org health report with stale items, merge times, leaderboards
- contributors-report: new/returning contributor metrics
- release-compliance-checker: OSS release readiness audit
- stale-repos: detect inactive repositories
- dora-metrics: DORA engineering metrics (deploy freq, lead time, CFR, MTTR)
- team-permissions-audit: flag direct (non-team) collaborator access

Includes a top-level README introducing agentic workflows and an OSPO category README with quick-start guide.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
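How the four DORA metrics listed for the dora-metrics workflow are computed, as an added Python example; it is not the workflow from the PR, which is a gh aw markdown file that delegates the work to an agent. The record layout (deployments carrying the merge times of the PRs they shipped, incidents pointing back at the deployment that caused them), the 30-day window and every timestamp are constructed assumptions.

```python
"""Compute the four DORA metrics from deployment and incident records.

Added example, not the dora-metrics workflow from the PR (a gh aw markdown file
that delegates the work to an agent). Record shapes are an assumption: a deployment
lists the merge timestamps of the PRs it shipped; an incident records open/resolve
timestamps and, when known, the deployment that caused it. Timestamps are constructed.
"""
from datetime import datetime
from statistics import median

def ts(s):
    return datetime.fromisoformat(s)

def in_window(t, start, end):
    return start <= t < end

def deployment_frequency(deploys, start, end):
    """Deployments per day over the window."""
    n = sum(1 for d in deploys if in_window(ts(d["deployed_at"]), start, end))
    return n / ((end - start).total_seconds() / 86400)

def lead_time_hours(deploys, start, end):
    """Median hours from a PR's merge to the deployment that shipped it."""
    samples = []
    for d in deploys:
        dep = ts(d["deployed_at"])
        if in_window(dep, start, end):
            samples += [(dep - ts(m)).total_seconds() / 3600 for m in d["pr_merged_at"]]
    return median(samples) if samples else None

def change_failure_rate(deploys, incidents, start, end):
    """Share of in-window deployments that at least one incident points back to."""
    shipped = {d["id"] for d in deploys if in_window(ts(d["deployed_at"]), start, end)}
    failed = {i["caused_by"] for i in incidents if i.get("caused_by") in shipped}
    return len(failed) / len(shipped) if shipped else None

def time_to_restore_hours(incidents, start, end):
    """Median hours from incident open to resolution for incidents opened in the window.
    Unresolved incidents are excluded rather than counted as zero."""
    samples = [(ts(i["resolved_at"]) - ts(i["opened_at"])).total_seconds() / 3600
               for i in incidents
               if i.get("resolved_at") and in_window(ts(i["opened_at"]), start, end)]
    return median(samples) if samples else None

def dora_report(deploys, incidents, start, end):
    return {
        "deploys_per_day": round(deployment_frequency(deploys, start, end), 3),
        "lead_time_hours": lead_time_hours(deploys, start, end),
        "change_failure_rate": change_failure_rate(deploys, incidents, start, end),
        "mttr_hours": time_to_restore_hours(incidents, start, end),
    }

# Constructed 30-day window and records.
WINDOW_START, WINDOW_END = ts("2024-05-01T00:00:00"), ts("2024-05-31T00:00:00")
DEPLOYMENTS = [
    {"id": "d1", "deployed_at": "2024-05-02T12:00:00",
     "pr_merged_at": ["2024-05-01T12:00:00", "2024-05-02T06:00:00"]},
    {"id": "d2", "deployed_at": "2024-05-08T09:00:00", "pr_merged_at": ["2024-05-06T09:00:00"]},
    {"id": "d3", "deployed_at": "2024-05-15T15:00:00",
     "pr_merged_at": ["2024-05-15T13:00:00", "2024-05-14T15:00:00"]},
    {"id": "d4", "deployed_at": "2024-05-22T10:00:00", "pr_merged_at": ["2024-05-20T10:00:00"]},
    {"id": "d5", "deployed_at": "2024-05-29T10:00:00", "pr_merged_at": ["2024-05-29T07:00:00"]},
    # Outside the window: must not count toward any metric.
    {"id": "d6", "deployed_at": "2024-06-02T10:00:00", "pr_merged_at": ["2024-05-30T10:00:00"]},
]
INCIDENTS = [
    {"id": "i1", "caused_by": "d2", "opened_at": "2024-05-08T10:00:00", "resolved_at": "2024-05-08T14:00:00"},
    {"id": "i2", "caused_by": "d4", "opened_at": "2024-05-22T11:00:00", "resolved_at": "2024-05-23T11:00:00"},
    # Not traced to a deployment: counts toward time-to-restore, not change failure rate.
    {"id": "i3", "caused_by": None, "opened_at": "2024-05-10T00:00:00", "resolved_at": "2024-05-10T02:00:00"},
    # Still open and outside the window: excluded everywhere.
    {"id": "i4", "caused_by": "d6", "opened_at": "2024-06-02T11:00:00", "resolved_at": None},
]

if __name__ == "__main__":
    for k, v in dora_report(DEPLOYMENTS, INCIDENTS, WINDOW_START, WINDOW_END).items():
        print(f"{k:20} {v}")
```

Two choices matter for a report that is generated automatically every month: the window is applied to each metric separately (a deployment just past the end date must not inflate frequency or lead time), and an incident that is still open is left out of time-to-restore instead of being counted as an instant fix.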
dc8b0cc to 3cefa0b
Pull request overview
Adds a new top-level Agentic Workflows content area to the repo (starting with an OSPO category), plus an ospo-readiness skill and skills index entry to complement the new automation-focused content.
Changes:
- Introduces `agentic-workflows/` documentation plus an OSPO subfolder with 6 copy/paste `gh aw` workflow sources.
- Adds a new `skills/ospo-readiness` skill for interactive repo readiness scanning.
- Updates the skills index (`docs/README.skills.md`) to include the new skill.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| agentic-workflows/README.md | Introduces the new “Agentic Workflows” top-level content type and explains format/guardrails. |
| agentic-workflows/ospo/README.md | OSPO-specific index and usage instructions for the new workflow set. |
| agentic-workflows/ospo/org-health.md | New weekly org health reporting workflow definition and instructions. |
| agentic-workflows/ospo/contributors-report.md | New monthly contributors metrics workflow definition and instructions. |
| agentic-workflows/ospo/release-compliance-checker.md | New issue-triggered OSS release compliance audit workflow definition and instructions. |
| agentic-workflows/ospo/stale-repos.md | New monthly stale repository reporting workflow definition and instructions. |
| agentic-workflows/ospo/dora-metrics.md | New monthly DORA metrics workflow definition and instructions. |
| agentic-workflows/ospo/team-permissions-audit.md | New monthly team permissions audit workflow definition and instructions. |
| skills/ospo-readiness/SKILL.md | Adds an interactive OSPO readiness scanning skill with scoring rubric and output format. |
| docs/README.skills.md | Adds the new skill to the skills index for discoverability. |
agentic-workflows/README.md
Outdated
| ## Available Workflow Categories | ||
|
|
||
| | Category | Description | | ||
| |---|---| | ||
| | **[OSPO](ospo/)** | Open Source Program Office — org health, contributor metrics, compliance, repo hygiene | | ||
|
|
||
| > More categories coming soon: DevRel, Security, InnerSource, DevOps |
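Review bot: the `> More categories coming soon: DevRel, Security, InnerSource, DevOps` callout under the table promises content this PR does not add; drop it or point it at a tracking issue, otherwise the README goes stale the moment a category lands or is abandoned.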
This PR introduces a new top-level content type (agentic-workflows/), but the repository-level discovery docs aren’t updated to include it (e.g., the root README.md “toolkit” links and “Repository Structure” section, and there’s no docs/README.agentic-workflows.md index like other content types). Add it to those indexes so users can find these workflows consistently.
@copilot open a new pull request to apply changes based on this feedback
|
|
||
| permissions: | ||
| contents: read | ||
| issues: read |
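Review bot: before widening `issues: read` to `issues: write` for the issue-creating step, check how that issue is meant to be created. This PR's own workflow example carries a safe-outputs section; in that pattern the agent job keeps read-only permissions and the write happens in a separate output step with its own token, so granting write here would hand the model-driven job a broader token than it needs. If step 7 goes through safe-outputs, keep this block read-only and declare the issue creation there; only if it writes directly should this become `issues: write`.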
This workflow declares permissions: issues: read, but step 7 creates or updates an issue. With read-only issue permissions, issue creation/updates will fail; change to issues: write.
| issues: read | |
| issues: write |
| | PRs merged (last 30d) | `org:<ORG> is:pr is:merged merged:>={SINCE}` | | ||
| | PRs closed unmerged (last 30d) | `org:<ORG> is:pr is:closed is:unmerged closed:>={SINCE}` | | ||
| | Stale issues (60+ days) | `org:<ORG> is:issue is:open updated:<={60_DAYS_AGO}` | | ||
| | Stale PRs (30+ days) | `org:<ORG> is:pr is:open updated:<={30_DAYS_AGO}` | | ||
|
|
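Review bot: `org:<ORG>` in all four queries is substituted from configuration straight into a search string; constrain it to a valid GitHub login (letters, digits, single hyphens) before interpolation so a stray space or qualifier cannot change what the search returns. Also consider `archived:false` on the two stale queries: archived repositories never update, so without it they will dominate the `updated:<=` results and skew the stale counts.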
The stale issue/PR search queries use placeholders like {60_DAYS_AGO} / {30_DAYS_AGO}, but those values aren’t defined in Step 1 (only STALE_ISSUE_DAYS / STALE_PR_DAYS are). Define explicit cutoff dates (e.g., ISO timestamps) and reference those in the queries so the workflow is unambiguous.
@copilot open a new pull request to apply changes based on this feedback
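Deriving the explicit cutoff dates the review comment asks for, as an added Python example rather than text from the workflow: the placeholders are resolved from STALE_ISSUE_DAYS / STALE_PR_DAYS plus an assumed 30-day report window (taken from the "last 30d" labels), and `<ORG>` is validated as a GitHub login before it is interpolated into the search string. Names such as `REPORT_WINDOW_DAYS`, `cutoffs` and `render_queries` are this example's own.

```python
"""Resolve the org-health search placeholders to explicit dates.

Added example, not the workflow text from the PR. Turns STALE_ISSUE_DAYS /
STALE_PR_DAYS and an assumed 30-day report window into YYYY-MM-DD cutoffs,
renders the four queries from the workflow's table, and validates <ORG>
before it is interpolated into a search string.
"""
import re
from datetime import date, datetime, timedelta, timezone

STALE_ISSUE_DAYS = 60
STALE_PR_DAYS = 30
REPORT_WINDOW_DAYS = 30          # assumption: the "last 30d" columns

# A GitHub login is 1-39 alphanumerics with single hyphens, none leading/trailing.
ORG_RE = re.compile(r"^[A-Za-z0-9](?:-?[A-Za-z0-9]){0,38}$")

QUERY_TEMPLATES = {
    "PRs merged (last 30d)": "org:{org} is:pr is:merged merged:>={SINCE}",
    "PRs closed unmerged (last 30d)": "org:{org} is:pr is:closed is:unmerged closed:>={SINCE}",
    "Stale issues (60+ days)": "org:{org} is:issue is:open updated:<={STALE_ISSUE_CUTOFF}",
    "Stale PRs (30+ days)": "org:{org} is:pr is:open updated:<={STALE_PR_CUTOFF}",
}

def cutoffs(today=None):
    """Explicit ISO dates for every placeholder the queries use.

    `today` is a YYYY-MM-DD string (useful for reproducible runs and tests);
    by default the current UTC date is used.
    """
    base = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    return {
        "SINCE": (base - timedelta(days=REPORT_WINDOW_DAYS)).isoformat(),
        "STALE_ISSUE_CUTOFF": (base - timedelta(days=STALE_ISSUE_DAYS)).isoformat(),
        "STALE_PR_CUTOFF": (base - timedelta(days=STALE_PR_DAYS)).isoformat(),
    }

def render_queries(org, today=None):
    """Return {label: query} with every placeholder filled in.

    Rejects an org that is not a valid GitHub login so a misconfigured <ORG>
    (a space, a quote, an extra qualifier) cannot change what the search matches.
    """
    if not ORG_RE.match(org):
        raise ValueError(f"not a valid GitHub org login: {org!r}")
    values = cutoffs(today)
    return {label: tpl.format(org=org, **values) for label, tpl in QUERY_TEMPLATES.items()}

if __name__ == "__main__":
    for label, query in render_queries("octo-org").items():
        print(f"{label:32} {query}")
```

Computing the dates once and substituting them everywhere keeps the four queries mutually consistent within a run, and pinning `today` makes the rendered queries reproducible in a test or a dry run.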
7cfff8e to dcb07a6
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove redundant safe-outputs section from top-level README (already in example)
- Remove duplicate Quick Start from OSPO README
- Condense org-health report template from 83-line example to 10-line section list
- Condense compliance-checker report template similarly
- Total: 1183 → 712 lines (-40%)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dcb07a6 to a70a351
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
a70a351 to b32fe27
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Summary
Adds a new `agentic-workflows/` directory with example GitHub Agentic Workflow files for Open Source Program Offices. These are ready-to-use `.md` workflow files that can be copied into a repo and compiled with `gh aw compile`.

New Content

- `agentic-workflows/README.md` — Overview of what agentic workflows are, how to use them, and links to official docs.
- `agentic-workflows/ospo/` — 4 example OSPO workflows:

Notes

- `agentic-workflows/` folder can expand with more categories (e.g. `devrel/`, `security/`, `devops/`).
- Copy into `.github/workflows/` and compile with `gh aw`.
- Complements the `ospo-readiness` skill (interactive scanning vs. scheduled automation).