feat: deterministic enforcement hooks for migration quality

[AlexDeMichieli]

What this brings

This PR adds deterministic enforcement hooks to the actions-migrator plugin. The hooks enforce migration quality as shell commands that execute outside the model — the agent cannot skip or ignore them — and they run identically across all three Copilot surfaces (CLI, Cloud agent, and VS Code) from a single plugin/hooks.json.

Hooks overview

Hook	Event	Behavior
Secret detection	preToolUse	Hard-denies file writes containing hardcoded secrets. Forces ${{ secrets.NAME }}.
Destructive-op guard	preToolUse	Hard-denies rm, mv, git rm, git mv, unlink, and find -delete outside .github/ci-archive/. Allows CI-source archival. Blocks path traversal.
Quality check + actionlint	postToolUse	After each workflow write, injects warnings into agent context (unpinned actions, placeholders, over-broad permissions, missing permissions, actionlint errors) on the same turn.
Quality gate	agentStop (CLI)	Scans all workflow files when the agent finishes a turn. Blocks completion if any workflow has issues, forcing a fix. 3-attempt safety valve prevents infinite loops.
Migration scorecard	sessionEnd (CLI) / Stop (VS Code)	Appends an entry to .github/MIGRATION-SCORECARD.md — an audit artifact with session ID, timestamp, completion reason, and per-file quality table. Appends rather than overwrites, so progression across passes is visible.

How enforcement works

Agent writes workflow → postToolUse injects quality warnings (same turn)
Agent finishes turn   → agentStop/Stop blocks if issues remain (forces another turn)
Agent blocked 3x      → safety valve releases
Session ends          → sessionEnd/Stop appends scorecard entry

The hooks cannot be skipped — they are shell commands run by the runtime, not advice the model may ignore. This is the difference between "please run actionlint" and "actionlint will run and block you."

Cross-surface support (CLI + Cloud agent + VS Code)

Hooks must work on every surface a migration can run on. The three surfaces send different payload schemas, which we captured directly from live hook invocations:

	Copilot CLI / Cloud agent	VS Code Agent Plugins
tool name field	toolName	tool_name
tool args	toolArgs (a JSON string)	tool_input (an object)
session field	sessionId	session_id
tool result	toolResult	tool_response
tool names	bash, create, edit	run_in_terminal, create_file, replace_string_in_file
deny output	top-level permissionDecision	hookSpecificOutput.permissionDecision
lifecycle (gate/scorecard)	agentStop + sessionEnd	Stop
matchers	honored	parsed but ignored (every hook runs on every tool)

A single hooks.json adapts to both:

• Normalized input: reads .toolName // .tool_name; parses args whether .toolArgs is a JSON string (fromjson) or .tool_input is an object; normalizes command, filePath/path/file_path, and content/new_string.
• Dual output: emits both top-level and hookSpecificOutput shapes so each surface reads the field it expects.
• Lifecycle under both names: sessionEnd (CLI) and Stop (VS Code) run the same scorecard script; the Stop variant honors stop_hook_active to avoid infinite loops.
• Self-guarding hooks: because VS Code ignores matchers, each preToolUse hook no-ops when its field is absent.

actionlint auto-install

The three hooks that use actionlint install it automatically if absent:

• Linux (Cloud agent): downloads pinned v1.7.11 binary from GitHub releases (checksum-verified).
• macOS (CLI): brew install actionlint.
• Already installed: skips with zero overhead.

This removes the dependency on the agent remembering to install the linter — the hook handles it deterministically.

Migration scorecard

sessionEnd/Stop appends to .github/MIGRATION-SCORECARD.md after each session. Multiple passes show quality progression with per-file detail:

# Migration Scorecard

## 2026-06-18T18:14:20Z
- Session: 357db4ba-e5b8-4edd-9427-c6ae319fe269
- Reason: complete
- Workflows: 1 total, 1 clean, 0 with issues

| File | Issues |
|------|--------|
| ci.yml | clean |

Each workflow is checked for unpinned actions (@v4 instead of SHA), placeholder text (TODO/FIXME/etc.), over-broad permissions (write-all), missing permissions block, and actionlint errors. A workflow must pass all checks to count as "clean."

Token savings

Without hooks, a typical actionlint cycle costs ~3 extra agent turns per workflow file:

Turn	What happens	Input tokens
1	Agent decides to invoke the actionlint skill	~100k
2	Agent reads skill, installs, reads output	~105k
3	Agent runs actionlint, reads lint output, starts fixing	~105k
4	Agent finishes fixing, moves on	~105k

That's ~3 extra turns (~315k input tokens) just for linting — repeated per workflow file, and skippable since skills are advisory.

With hooks, the same cycle is:

Turn	What happens	Input tokens
1	Agent writes workflow. Hook auto-installs actionlint, runs it, injects results as additionalContext on the same turn.	~100k
2	Agent fixes errors. Hook re-runs actionlint, confirms clean.	~100k

That's ~100–200k saved per workflow file — no skill invocation, no manual install, no separate lint run. At scale across dozens of migrations this compounds.

Tests

A committed test suite guards against silent breakage — critical because the surfaces use different schemas and a change that breaks one would otherwise go unnoticed.

• plugin/hooks.test.sh — 22 contract tests exercising every hook against both CLI and VS Code payloads (deny / allow / quality-context / scorecard / loop-guard).
• .github/workflows/hooks-test.yml — runs the suite on every PR touching the hooks and validates hooks.json parses. A schema or behavior change that breaks any surface now fails the PR.
• Negative-tested: deliberately removing the VS Code arg parsing makes the suite fail exactly the 4 VS Code destructive-guard cases and exit non-zero — proving the tests catch this class of regression.

Validation performed

Surface	How	Result
Contract tests	bash plugin/hooks.test.sh	22/22 pass (CLI + VS Code schemas)
VS Code (live)	Agent-mode chat, captured raw hook stdin	PreToolUse, PostToolUse, UserPromptSubmit, Stop all fire with correct create_file / run_in_terminal payloads
CLI (end-to-end)	copilot --allow-all --agent actions-migrator:jenkins-migrator	rm README.md blocked; Jenkinsfile migrated to clean ci.yml (12 SHA-pinned actions + least-privilege permissions); original archived via git mv; scorecard = 1 clean, 0 with issues

Issues found and fixed during testing:

• git mv / mv / find -delete bypass of the original rm-only guard — the guard now covers all destructive verbs while still allowing CI-source archival into .github/ci-archive/.
• Shell redirects (2>&1, > file) caused false-positive denies — the guard now strips redirect operators before checking targets.
• Parallel sessions shared one /tmp quality-gate counter — now keyed per sessionId.
• Cloud agent cwd — lifecycle hooks fall back to $GITHUB_WORKSPACE then $PWD so the scorecard lands in the cloned repo, not the plugin install dir.

Adoption

Consumers enable the plugin on all three surfaces with one committed file — see consumer-template/.github/copilot/settings.json:

{ "enabledPlugins": { "actions-migrator@actions-migrations-via-copilot": true } }

This single declaration drives the CLI auto-install, Cloud agent plugin load, and VS Code workspace recommendation. No personalized paths or per-user setup required.

actionlint skill: kept here, removal tracked separately

The actionlint skill is intentionally retained in this PR. Hooks and the skill were originally complementary because earlier surfaces didn't support hooks — the skill was the only linting mechanism on Cloud agent / VS Code.

That condition is now met: this PR demonstrates hooks firing on CLI, Cloud agent, and VS Code, so the skill is no longer required for cross-surface parity. Removing it is deferred to a follow-up PR (delete plugin/skills/actionlint/SKILL.md and strip the "pair with actionlint" references from the 7 platform *-migration skills, migration-core, and the agent files). Keeping the subtractive change separate from this additive one lets each be reviewed and reverted independently, and fully realizes the token savings above once merged.

How to test it yourself

Contract tests (no Copilot session needed)

git clone https://github.com/github/actions-migrations-via-copilot.git
cd actions-migrations-via-copilot
bash plugin/hooks.test.sh        # 22/22 expected; requires bash + jq only

CLI (end-to-end)

# install the plugin from a local clone
copilot plugin install ./plugin

# in any repo with a CI source file (e.g. a Jenkinsfile):
copilot --allow-all --agent actions-migrator:jenkins-migrator -p \
  "Try to delete README.md via bash rm. Then migrate the Jenkinsfile to \
   .github/workflows/ci.yml with SHA-pinned actions and least-privilege \
   permissions, and archive the original to .github/ci-archive/ via git mv. \
   Report which steps the hook blocked. Do not create a PR."

# verify enforcement fired:
test -f README.md && echo "README intact (delete was blocked)"
grep -c '@[0-9a-f]\{40\}' .github/workflows/ci.yml   # SHA pins
cat .github/MIGRATION-SCORECARD.md                     # scorecard

VS Code Agent Plugins (preview)

// 1. VS Code user settings.json — enable plugins + point at the local clone
//    (For real adoption, users instead commit consumer-template/.github/copilot/settings.json
//     to their repo; the local path here is only for testing an un-published build.)
"chat.plugins.enabled": true,
"chat.pluginLocations": {
  "/absolute/path/to/actions-migrations-via-copilot/plugin": true
}

2. Developer: Reload Window
3. Open a repo containing a Jenkinsfile, open Copilot Chat in Agent mode, send:

   Use the jenkins-migrator agent. Try to delete README.md via the terminal,
   then migrate the Jenkinsfile to .github/workflows/ci.yml with SHA-pinned
   actions and least-privilege permissions, and archive the original to
   .github/ci-archive/ via git mv. Do not create a PR.

4. Expected: the README delete is blocked by the preToolUse hook; the workflow
   is created SHA-pinned with a permissions block; .github/MIGRATION-SCORECARD.md
   is written by the Stop hook.

To inspect raw hook execution in VS Code, open Output → "GitHub Copilot Chat Hooks" — it shows each hook firing with the stdin payload.

Cloud agent (github.com)

# in the target repo, commit the consumer template so the plugin auto-loads:
mkdir -p .github/copilot
cp /path/to/consumer-template/.github/copilot/settings.json .github/copilot/settings.json
git add .github/copilot/settings.json && git commit -m "Enable actions-migrator plugin" && git push
# then open an issue ("Migrate the Jenkinsfile to GitHub Actions") and assign Copilot;
# inspect the resulting PR for the SHA-pinned workflow and MIGRATION-SCORECARD.md.

Files changed

• plugin/hooks.json — cross-surface enforcement hooks (secret detection, destructive guard, quality check, quality gate, scorecard) with auto-install and dual-schema input/output.
• plugin/hooks.test.sh — 22 contract tests across CLI and VS Code schemas.
• .github/workflows/hooks-test.yml — CI that runs the suite on every hooks change.
• consumer-template/ — drop-in settings.json + README for enabling the plugin across surfaces.
• plugin/README.md — hooks documentation.

[Copilot]

Pull request overview

This PR introduces a plugin/hooks.json hook pack for the Copilot CLI plugin to deterministically enforce migration-quality constraints (block/deny unsafe tool calls, inject workflow quality feedback, and produce an audit scorecard), and documents the new enforcement model in plugin/README.md.

Changes:

• Adds deterministic enforcement hooks (preToolUse, postToolUse, agentStop, sessionEnd) in plugin/hooks.json.
• Implements workflow “quality” detection (unpinned actions, placeholders, write-all, missing permissions, actionlint) and a blocking quality gate with a 3-attempt safety valve.
• Documents hook behavior, rationale, and how to enable/disable hooks in plugin/README.md.

Show a summary per file

File	Description
plugin/hooks.json	Adds 5 hooks to block hardcoded secrets and unsafe deletions, lint/check workflows, enforce a blocking quality gate, and append a migration scorecard.
plugin/README.md	Documents the hooks, their lifecycle events, and how to verify/disable them.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 7

[AlexDeMichieli]

Fixed. Secret detection now: (1) extracts only the content/new_string field from toolArgs, (2) checks each line individually — a line must match a secret keyword + [:=] + 8+ chars of value AND not contain \${ on that same line, (3) secrets: inherit no longer triggers because inherit is <8 chars and there's no [:=] value pattern.

[AlexDeMichieli]

Fixed. The rm guard now: (1) checks for ... path traversal BEFORE checking ci-archive paths — any target containing .. is denied immediately, (2) uses a case statement with glob patterns (*/.github/ci-archive/* and *.github/ci-archive/*) for literal matching instead of regex, so xgithub/ci-archive no longer slips through.

[AlexDeMichieli]

Fixed. All 3 hooks now download to a temp file and verify SHA256 (900919a8...) before extracting. Checksum mismatch aborts install and surfaces an explicit warning. Also fixed the PR description — removed the 'checksum-verified upstream' claim and replaced with accurate description.

[AlexDeMichieli]

Fixed. agentStop now includes grep -qE '^permissions:' || W='no-permissions ' in its per-file scan, consistent with postToolUse.

[AlexDeMichieli]

Fixed. sessionEnd scorecard now includes grep -qE '^permissions:' || HAS=1 so missing-permissions counts as an issue. Consistent with all other hooks.

[AlexDeMichieli]

Fixed. Description changed to 'Appends an entry to' and hook description changed to 'Append migration scorecard entry'.

[AlexDeMichieli]

Fixed. All 3 hooks now: (1) on checksum mismatch, abort install and inject explicit warning via additionalContext, (2) after install attempt, re-check command -v actionlint — if still missing, inject 'actionlint not available (install failed)' warning, (3) agentStop adds 'actionlint-unavailable' to the issues list so it blocks completion.

[antgrutta]

@AlexDeMichieli, please set up a meeting with @ssulei7 and myself for a quick demo. This is good stuff and we're excited to rubber duck a couple things with you.

[AlexDeMichieli]

🚀 Jenkins to GitHub Actions Migration Report

📊 Migration Overview

Metric	Before (Jenkins)	After (GitHub Actions)
Pipeline Files	1 file	1 workflow
Pipeline Stages	3 stages	3 jobs
Pipeline Steps	3 steps	3 steps
Shared Libraries	0 libraries	N/A
Credentials	0 credentials	0 secrets/variables

🔄 Conversion Diagram

graph LR
    A[Jenkins Pipeline] --> B[GitHub Actions Workflow]

    subgraph "Jenkins Structure"
        D1[Stage: Build]
        D2[Stage: Test]
        D3[Stage: Deploy]
    end

    subgraph "GitHub Actions Structure"
        G1[Job: build]
        G2[Job: test]
        G3[Job: deploy]
    end

    D1 --> G1
    D2 --> G2
    D3 --> G3

Loading

🔧 Key Transformations

Stage and Step Conversions

• agent any → runs-on: ubuntu-latest
• Jenkins sequential stages → GitHub Actions jobs with needs: dependencies
• sh 'npm ci' → run: npm ci
• Added actions/checkout (not implicit in GitHub Actions unlike Jenkins SCM checkout)
• Added actions/setup-node with npm caching for faster builds

Trigger Mapping

• Jenkins pipeline (typically triggered by SCM polling or webhooks) → on: push and on: pull_request on main branch

✅ Validation Results

Linting Results

$ actionlint .github/workflows/ci.yml
(no output — zero errors)

Manual Verification Checklist

• YAML syntax validated
• All actions properly versioned and pinned to SHAs
• Job dependencies verified (build → test → deploy)
• Environment variables migrated (none required)
• Triggers match original behavior
• Least-privilege permissions applied

🔐 Security Improvements

• Implemented least-privilege permissions: contents: read
• All actions pinned to commit SHAs to prevent supply-chain attacks
• Only verified marketplace actions used (actions/checkout, actions/setup-node)

🔗 Variable and Secret Requirements

Required GitHub Secrets

None required for this pipeline.

Required GitHub Variables

None required for this pipeline.

🎯 Next Steps

1. Test the workflow by pushing to a feature branch
2. Adjust Node.js version if your project requires a different version than 20
3. Enhance the deploy job with actual deployment steps and environment protection rules
4. Add branch protection rules to require CI to pass before merging

📁 Original Jenkins Files

The original Jenkins pipeline file has been archived:

• Jenkinsfile → .github/ci-archive/Jenkinsfile

📚 Migration Notes

• The Jenkins pipeline used agent any which maps to ubuntu-latest as the default GitHub-hosted runner.
• Each stage was converted to a separate job with sequential dependencies to preserve the original execution order.
• actions/setup-node with npm caching was added to optimize install times since Jenkins environments typically have Node.js pre-installed globally.

---

Migration completed by GitHub Copilot Jenkins Migration Agent