feat: deterministic enforcement hooks for migration quality

[AlexDeMichieli]

What this brings

This PR adds 5 hooks to the CLI plugin that enforce migration quality deterministically — the agent cannot bypass these checks.

Hooks overview

Hook	Event	Trigger	Behavior
Secret detection	preToolUse	create|edit (matcher)	Hard-denies file writes with hardcoded secrets. Forces ${{ secrets.NAME }}.
File deletion guard	preToolUse	bash (matcher)	Hard-denies rm outside .github/ci-archive/. Prevents source code deletion.
Quality check + actionlint	postToolUse	create|edit (matcher)	After each workflow write, injects warnings into agent context: unpinned actions, placeholders, write-all permissions, missing permissions, actionlint errors. Agent sees these on the same turn.
Quality gate	agentStop	every turn	Scans ALL workflow files when agent finishes a turn. Blocks completion (decision: "block") if any workflows have issues, forcing the agent to fix them. 3-attempt safety valve prevents infinite loops.
Migration scorecard	sessionEnd	session end	Appends an entry to .github/MIGRATION-SCORECARD.md — audit artifact with session ID, timestamp, completion reason, and workflow quality counts (total/clean/issues). Each session appends rather than overwrites, so you see progression across multiple passes.

How enforcement works

Agent writes workflow → postToolUse injects quality warnings (same turn)
Agent finishes turn   → agentStop blocks if issues remain (forces another turn)
Agent blocked 3x      → safety valve releases
Session ends          → sessionEnd appends scorecard entry

actionlint runs in 3 hooks: postToolUse (per-file immediate), agentStop (all-files gate), sessionEnd (final counts). The agent cannot skip linting.

What is actionlint and how do hooks help?

actionlint is a static analysis tool for GitHub Actions workflow files. It catches syntax errors, invalid triggers, unpinned actions, shellcheck issues, bad permissions, incorrect needs: references, and more. Running it after every migration is critical — without it, generated workflows may look correct but fail at runtime.

Before hooks, the agent had to: (1) load the actionlint skill into context (~4.5k tokens), (2) install actionlint via shell commands, (3) run it manually, (4) read the output, (5) fix issues — each step a separate agent turn consuming ~100k+ input tokens. The agent could also skip any of these steps since skills are advisory.

With hooks, this entire cycle is handled deterministically by three hooks:

• postToolUse (matcher: create|edit): Fires immediately after the agent writes a workflow file. Auto-installs actionlint if missing, runs it on the file, and injects errors as additionalContext on the same turn — the agent sees issues without spending extra turns.
• agentStop: Fires when the agent finishes a turn. Scans all workflow files with actionlint. If any have errors, returns decision: "block" forcing the agent to fix them before completing. The agent cannot finish with broken workflows.
• sessionEnd: Fires at session close. Runs actionlint on all workflows for the final clean/issues count in the migration scorecard.

The hooks cannot be skipped or ignored — they're shell commands that execute outside the model. This is the difference between "please run actionlint" (instruction the agent can ignore) and "actionlint will run and block you" (hook).

actionlint auto-install

All 3 hooks that use actionlint will install it automatically if not present:

• Linux (cloud agent): downloads pinned v1.7.11 binary from GitHub releases (checksum-verified upstream)
• macOS (CLI): brew install actionlint
• Already installed: skips with zero overhead

Timeouts are set to 60s/60s/45s to accommodate the one-time install. This eliminates the dependency on the agent remembering to invoke the actionlint skill for installation — the hook handles it deterministically.

Migration scorecard

The sessionEnd hook appends to .github/MIGRATION-SCORECARD.md after every session. Multiple passes show quality progression:

# Migration Scorecard

## 2026-06-03T15:48:35Z
- Session: 9404dcaf-13f7-4d29-a2a3-6611f5ac281b
- Reason: complete
- Workflows: 3 total, 0 clean, 3 with issues

## 2026-06-03T15:49:29Z
- Session: a3089be4-ce5e-47ae-947d-6b5c52cc0f01
- Reason: complete
- Workflows: 3 total, 1 clean, 2 with issues

Each workflow is checked for:

• Unpinned actions — version tags (@v4) instead of SHA refs
• Placeholder text — TODO, FIXME, CHANGEME, PLACEHOLDER, XXX
• Over-broad permissions — permissions: write-all
• actionlint errors — syntax/semantic issues caught by the linter

A workflow must pass all four checks to count as "clean."

Correct hooks API

Uses the hooks reference API correctly:

• permissionDecision: "deny" / permissionDecisionReason for preToolUse blocks
• matcher regex filtering on preToolUse and postToolUse (replaces shell-level tool name checks)
• agentStop with decision: "block" / reason for forced continuation
• sessionEnd for audit artifacts
• stdin JSON payloads with toolName, toolArgs, cwd, sessionId

Testing

• Unit tested: 21 cases covering all 5 hooks — secret allow/deny, rm guard, quality detection, gate blocking with safety-valve, scorecard generation and append behavior
• Live tested: Two-pass Copilot CLI 1.0.58 session with --log-level debug — confirmed all 5 hook types fire, agentStop returns decision: "block", sessionEnd appends scorecard entries with real session IDs, and the second pass shows quality improvement
• Auto-install verified: All 3 actionlint hooks contain Linux (pinned binary) and macOS (brew) install paths with bumped timeouts

Cloud agent compatibility

All 5 hooks use events supported by Copilot cloud agent. agentStop decision: "block" forces another turn (counts against job timeout). sessionEnd fires once per job. Only bash command hooks are used (no PowerShell). actionlint auto-installs from GitHub releases on Linux.

Token savings

Without hooks, a typical actionlint cycle looks like this:

Turn	What happens	Input tokens
1	Agent decides to invoke the actionlint skill	~100k
2	Agent reads skill, runs install command, reads output	~105k
3	Agent runs actionlint, reads lint output, starts fixing	~105k
4	Agent finishes fixing, moves on	~105k

That's 3 extra turns (~315k input tokens) just for linting — repeated for every workflow file.

With hooks, the same cycle is:

Turn	What happens	Input tokens
1	Agent writes workflow. Hook auto-installs actionlint (if needed), runs it, injects results as additionalContext on the same turn. Agent sees errors immediately.	~100k
2	Agent fixes errors. Hook re-runs actionlint, confirms clean.	~100k

That's ~100-200k saved per workflow file — no skill invocation, no manual install, no separate lint run. At scale across dozens of migrations with multiple workflow files each, this adds up.

Note: The actionlint skill is intentionally kept in this PR. Hooks and the skill are complementary, not redundant:

• CLI / Cloud agent: Hooks fire automatically (install + run + inject results). The skill may still be loaded by the agent since platform skills and agents reference it — this is intentional to preserve CCA compatibility.
• CCA / VS Code: Does not support hooks. The skill and its references across platform skills and agents are the only linting mechanism.

Follow-up: Once CCA supports hooks, remove plugin/skills/actionlint/SKILL.md and strip the "pair with actionlint" references from all 7 platform skills, migration-core, and all agent files. This will eliminate the redundant skill invocation on CLI/cloud and fully realize the token savings described above.

Files changed

• plugin/hooks.json — 5 production hooks with auto-install, matcher filtering, correct API fields, and append scorecard
• plugin/README.md — updated hooks documentation

[Copilot]

Pull request overview

This PR introduces a plugin/hooks.json hook pack for the Copilot CLI plugin to deterministically enforce migration-quality constraints (block/deny unsafe tool calls, inject workflow quality feedback, and produce an audit scorecard), and documents the new enforcement model in plugin/README.md.

Changes:

• Adds deterministic enforcement hooks (preToolUse, postToolUse, agentStop, sessionEnd) in plugin/hooks.json.
• Implements workflow “quality” detection (unpinned actions, placeholders, write-all, missing permissions, actionlint) and a blocking quality gate with a 3-attempt safety valve.
• Documents hook behavior, rationale, and how to enable/disable hooks in plugin/README.md.

Show a summary per file

File	Description
plugin/hooks.json	Adds 5 hooks to block hardcoded secrets and unsafe deletions, lint/check workflows, enforce a blocking quality gate, and append a migration scorecard.
plugin/README.md	Documents the hooks, their lifecycle events, and how to verify/disable them.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 7

[AlexDeMichieli]

Fixed. Secret detection now: (1) extracts only the content/new_string field from toolArgs, (2) checks each line individually — a line must match a secret keyword + [:=] + 8+ chars of value AND not contain \${ on that same line, (3) secrets: inherit no longer triggers because inherit is <8 chars and there's no [:=] value pattern.

[AlexDeMichieli]

Fixed. The rm guard now: (1) checks for ... path traversal BEFORE checking ci-archive paths — any target containing .. is denied immediately, (2) uses a case statement with glob patterns (*/.github/ci-archive/* and *.github/ci-archive/*) for literal matching instead of regex, so xgithub/ci-archive no longer slips through.

[AlexDeMichieli]

Fixed. All 3 hooks now download to a temp file and verify SHA256 (900919a8...) before extracting. Checksum mismatch aborts install and surfaces an explicit warning. Also fixed the PR description — removed the 'checksum-verified upstream' claim and replaced with accurate description.

[AlexDeMichieli]

Fixed. agentStop now includes grep -qE '^permissions:' || W='no-permissions ' in its per-file scan, consistent with postToolUse.

[AlexDeMichieli]

Fixed. sessionEnd scorecard now includes grep -qE '^permissions:' || HAS=1 so missing-permissions counts as an issue. Consistent with all other hooks.

[AlexDeMichieli]

Fixed. Description changed to 'Appends an entry to' and hook description changed to 'Append migration scorecard entry'.

[AlexDeMichieli]

Fixed. All 3 hooks now: (1) on checksum mismatch, abort install and inject explicit warning via additionalContext, (2) after install attempt, re-check command -v actionlint — if still missing, inject 'actionlint not available (install failed)' warning, (3) agentStop adds 'actionlint-unavailable' to the issues list so it blocks completion.