feat: deterministic enforcement hooks for migration quality

[AlexDeMichieli]

What this brings

This PR adds deterministic enforcement hooks to the actions-migrator plugin. The hooks run as shell commands outside the model — the agent does not generate them, parse them, or have to remember to run them — and they're registered once in plugin/hooks.json for all three Copilot surfaces (CLI, Cloud agent, and VS Code). On CLI and VS Code, a deny stops the agent because the user is the loop’s pacemaker. On Cloud agent, hooks fire and deny individual tool calls but the autonomous loop may retry through other write tools — see Enforcement strength varies by surface for the full picture and the additionalContext pattern that strengthens denials there.

Hooks overview

Hook	Event	Behavior
Secret detection	preToolUse	Denies file writes containing hardcoded secrets; emits an additionalContext policy rule for autonomous surfaces. Forces secrets.NAME references.
Destructive-op guard	preToolUse	Denies rm, mv, git rm, git mv, unlink, and find -delete outside .github/ci-archive/; emits an additionalContext policy rule for autonomous surfaces. Allows CI-source archival. Blocks path traversal.
Quality check + actionlint	postToolUse	After each workflow write, injects warnings into agent context (unpinned actions, placeholders, over-broad permissions, missing permissions, actionlint errors) on the same turn.
Quality gate	agentStop (CLI)	Scans all workflow files when the agent finishes a turn. Blocks completion if any workflow has issues, forcing a fix. 3-attempt safety valve prevents infinite loops.
Migration scorecard	sessionEnd (CLI) / Stop (VS Code)	Appends an entry to .github/MIGRATION-SCORECARD.md — an audit artifact with session ID, timestamp, completion reason, and per-file quality table. Appends rather than overwrites, so progression across passes is visible.

How enforcement works

Agent writes workflow → postToolUse injects quality warnings (same turn)
Agent finishes turn   → agentStop/Stop blocks if issues remain (forces another turn)
Agent blocked 3x      → safety valve releases
Session ends          → sessionEnd/Stop appends scorecard entry

The hooks run as shell commands invoked by the runtime, not advice the model has to remember. On CLI / VS Code that gives a hard-gate semantic (the agent stops on deny). On Cloud agent the agent may try alternate write tools after a deny — see Enforcement strength varies by surface. The deny outputs include additionalContext carrying a session-level policy so the autonomous loop sees the rule as it picks subsequent tools.

Cross-surface support (CLI + Cloud agent + VS Code)

Hooks must work on every surface a migration can run on. The three surfaces send different payload schemas, which we captured directly from live hook invocations:

	Copilot CLI / Cloud agent	VS Code Agent Plugins
tool name field	toolName	tool_name
tool args	toolArgs (a JSON string)	tool_input (an object)
session field	sessionId	session_id
tool result	toolResult	tool_response
tool names	bash, create, edit	run_in_terminal, create_file, replace_string_in_file
deny output	top-level permissionDecision	hookSpecificOutput.permissionDecision
lifecycle (gate/scorecard)	agentStop + sessionEnd	Stop
matchers	honored	parsed but ignored (every hook runs on every tool)

A single hooks.json adapts to both:

• Normalized input: reads .toolName // .tool_name; parses args whether .toolArgs is a JSON string (fromjson) or .tool_input is an object; normalizes command, filePath/path/file_path, and content/new_string.
• Dual output: emits both top-level and hookSpecificOutput shapes so each surface reads the field it expects.
• Lifecycle under both names: sessionEnd (CLI) and Stop (VS Code) run the same scorecard script; the Stop variant honors stop_hook_active to avoid infinite loops.
• Self-guarding hooks: because VS Code ignores matchers, each preToolUse hook no-ops when its field is absent.

actionlint auto-install

The three hooks that use actionlint install it automatically if absent:

• Linux (Cloud agent): downloads pinned v1.7.11 binary from GitHub releases (checksum-verified).
• macOS (CLI): brew install actionlint.
• Already installed: skips with zero overhead.

This removes the dependency on the agent remembering to install the linter — the hook handles it deterministically.

Migration scorecard

sessionEnd/Stop appends to .github/MIGRATION-SCORECARD.md after each session. Multiple passes show quality progression with per-file detail:

# Migration Scorecard

## 2026-06-18T18:14:20Z
- Session: 357db4ba-e5b8-4edd-9427-c6ae319fe269
- Reason: complete
- Workflows: 1 total, 1 clean, 0 with issues

| File | Issues |
|------|--------|
| ci.yml | clean |

Each workflow is checked for unpinned actions (@v4 instead of SHA), placeholder text (TODO/FIXME/etc.), over-broad permissions (write-all), missing permissions block, and actionlint errors. A workflow must pass all checks to count as "clean."

Enforcement strength varies by surface

Hooks fire on all three surfaces, but how strongly they enforce depends on the execution model:

Surface	Loop	Hook deny means
CLI	Interactive	Hard gate — deny surfaces to the user, agent stops.
VS Code	Interactive chat	Hard gate — deny surfaces in chat, agent stops.
Cloud agent	Autonomous	Friction — tool.execution_complete: <tool> success=false is logged, the agent silently retries through other write tools (e.g., falls back from bash to apply_patch).

Verified in AlexDeMichieli/cca-hook-repro-consumer: a hook denying create|edit|write|str_replace|bash got bypassed when the agent routed the same write through apply_patch. Hook fired (success=false on the bash call); enforcement was not hard.

Implication: on Cloud agent, skills are the primary enforcement layer — the agent reading and following the rule in migration-core is more reliable than hooks alone, since hooks raise the retry cost but don't stop the agent. Hooks remain valuable as deterministic backstops on CLI/VS Code and as friction (plus per-call logging) on Cloud agent.

Tests

A committed test suite guards against silent breakage — critical because the surfaces use different schemas and a change that breaks one would otherwise go unnoticed.

• plugin/hooks.test.sh — 22 contract tests exercising every hook against both CLI and VS Code payloads (deny / allow / quality-context / scorecard / loop-guard).
• .github/workflows/hooks-test.yml — runs the suite on every PR touching the hooks and validates hooks.json parses. A schema or behavior change that breaks any surface now fails the PR.
• Negative-tested: deliberately removing the VS Code arg parsing makes the suite fail exactly the 4 VS Code destructive-guard cases and exit non-zero — proving the tests catch this class of regression.

Validation performed

Surface	How	Result
Contract tests	bash plugin/hooks.test.sh	22/22 pass (CLI + VS Code schemas)
VS Code (live)	Agent-mode chat, captured raw hook stdin	PreToolUse, PostToolUse, UserPromptSubmit, Stop all fire with correct create_file / run_in_terminal payloads
CLI (end-to-end)	copilot --allow-all --agent actions-migrator:jenkins-migrator	rm README.md blocked; Jenkinsfile migrated to clean ci.yml (12 SHA-pinned actions + least-privilege permissions); original archived via git mv; scorecard = 1 clean, 0 with issues

Issues found and fixed during testing:

• git mv / mv / find -delete bypass of the original rm-only guard — the guard now covers all destructive verbs while still allowing CI-source archival into .github/ci-archive/.
• Shell redirects (2>&1, > file) caused false-positive denies — the guard now strips redirect operators before checking targets.
• Parallel sessions shared one /tmp quality-gate counter — now keyed per sessionId.
• Cloud agent cwd — lifecycle hooks fall back to $GITHUB_WORKSPACE then $PWD so the scorecard lands in the cloned repo, not the plugin install dir.

Adoption

Consumers enable the plugin on all three surfaces with one committed file — see consumer-template/.github/copilot/settings.json:

{ "enabledPlugins": { "actions-migrator@actions-migrations-via-copilot": true } }

This single declaration drives the CLI auto-install, Cloud agent plugin load, and VS Code workspace recommendation. No personalized paths or per-user setup required.

Skills retained — complementary to hooks

The actionlint skill and the migration-core / platform skill guidance are intentionally kept. The earlier plan was to thin them out once hooks shipped, on the assumption hooks would deterministically replace skill-driven enforcement. End-to-end testing on Cloud agent (above) shows that's not safe today — the autonomous loop routes around hooks via alternate write tools.

So the layering is:

• Skills = primary enforcement on Cloud agent (the agent following positive rules like "always SHA-pin")
• Hooks = primary enforcement on CLI / VS Code (hard gate denials), friction + observability layer on Cloud agent
• Together they form a belt-and-suspenders model across surfaces

No follow-up "skill removal" PR. Future PRs may reword guidance as positive instructions ("always use SHA pinning") rather than "the hook will block this," but the content stays.

Token cost reduction

Each LLM turn re-prompts the model with the full session context (which grows monotonically across the session), so turns are the unit of cost — not just dollars but also wall-clock latency. Hooks move deterministic procedural work out of those turns and into shell scripts that run in milliseconds.

Per workflow file migrated, hooks remove turns the agent would otherwise spend on:

Procedural work	Without hooks	With hooks
Decide to invoke actionlint, install it, run it, parse output	~2–3 turns	0 turns — postToolUse runs actionlint and injects results as additionalContext on the same turn the agent just wrote the file
Install actionlint on first use	~1 turn	0 turns — hook auto-downloads SHA-pinned binary or uses brew install
Write the migration scorecard	~1 turn	0 turns — sessionEnd / Stop hook appends it deterministically
Re-check workflow quality before declaring done	~1 turn (if the user re-prompts; often skipped, leading to bad output)	0 turns — agentStop gate forces another fix turn if issues remain

Aggregated across a real migration, that's roughly 4–5 turns shifted from model time to script time per workflow file. On a multi-file migration (10+ workflows) the savings compound — each saved turn is also ~5–15s of model latency, so token cost and wall-clock duration both drop.

Scope of the claim

• No specific dollar / token figure is claimed — exact savings depend on the model in use, context size, retry behavior, and the workflow being migrated. The turn count reduction is the verifiable, model-independent measure.
• On Cloud agent, preToolUse deny-style hooks (secret detection, destructive guard) are friction rather than hard gates — the autonomous agent may retry through alternate tools (verified in a minimal repro). This partially offsets savings from those specific hooks on that surface.
• The postToolUse injection (actionlint warnings same-turn) and lifecycle hooks (sessionEnd scorecard, agentStop gate on CLI) save turns on all surfaces regardless of the agent's tool choices, because they run on every relevant event.

How to test it yourself

Contract tests (no Copilot session needed)

git clone https://github.com/github/actions-migrations-via-copilot.git
cd actions-migrations-via-copilot
bash plugin/hooks.test.sh        # 22/22 expected; requires bash + jq only

CLI (end-to-end)

# install the plugin from a local clone
copilot plugin install ./plugin

# in any repo with a CI source file (e.g. a Jenkinsfile):
copilot --allow-all --agent actions-migrator:jenkins-migrator -p \
  "Try to delete README.md via bash rm. Then migrate the Jenkinsfile to \
   .github/workflows/ci.yml with SHA-pinned actions and least-privilege \
   permissions, and archive the original to .github/ci-archive/ via git mv. \
   Report which steps the hook blocked. Do not create a PR."

# verify enforcement fired:
test -f README.md && echo "README intact (delete was blocked)"
grep -c '@[0-9a-f]\{40\}' .github/workflows/ci.yml   # SHA pins
cat .github/MIGRATION-SCORECARD.md                     # scorecard

VS Code Agent Plugins (preview)

// 1. VS Code user settings.json — enable plugins + point at the local clone
//    (For real adoption, users instead commit consumer-template/.github/copilot/settings.json
//     to their repo; the local path here is only for testing an un-published build.)
"chat.plugins.enabled": true,
"chat.pluginLocations": {
  "/absolute/path/to/actions-migrations-via-copilot/plugin": true
}

2. Developer: Reload Window
3. Open a repo containing a Jenkinsfile, open Copilot Chat in Agent mode, send:

   Use the jenkins-migrator agent. Try to delete README.md via the terminal,
   then migrate the Jenkinsfile to .github/workflows/ci.yml with SHA-pinned
   actions and least-privilege permissions, and archive the original to
   .github/ci-archive/ via git mv. Do not create a PR.

4. Expected: the README delete is blocked by the preToolUse hook; the workflow
   is created SHA-pinned with a permissions block; .github/MIGRATION-SCORECARD.md
   is written by the Stop hook.

To inspect raw hook execution in VS Code, open Output → "GitHub Copilot Chat Hooks" — it shows each hook firing with the stdin payload.

Cloud agent (github.com)

# in the target repo, commit the consumer template so the plugin auto-loads:
mkdir -p .github/copilot
cp /path/to/consumer-template/.github/copilot/settings.json .github/copilot/settings.json
git add .github/copilot/settings.json && git commit -m "Enable actions-migrator plugin" && git push
# then open an issue ("Migrate the Jenkinsfile to GitHub Actions") and assign Copilot;
# inspect the resulting PR for the SHA-pinned workflow and MIGRATION-SCORECARD.md.

Where to find hook logs

Hook execution surfaces differently on each surface — useful for debugging:

Surface	Where to look
CLI	Inline stdout/stderr of the copilot process. Denials print directly.
VS Code	Output → "GitHub Copilot Chat Hooks" — shows each hook firing with the full stdin payload.
Cloud agent	Two layers: • Action logs (workflow run "Running Copilot cloud agent") show high-level signal: [plugins] Resolved plugin "…" confirms the plugin loaded, and tool.execution_complete: <tool> success=false indicates a hook denied that call. • logs/.copilot/logs-process-X.log inside the action artifacts (surfaced in staging environments) contains the full hook execution detail, including the deny reason string. Confirmed by the CCA team.

Files changed

• plugin/hooks.json — cross-surface enforcement hooks (secret detection, destructive guard, quality check, quality gate, scorecard) with auto-install and dual-schema input/output.
• plugin/hooks.test.sh — 22 contract tests across CLI and VS Code schemas.
• .github/workflows/hooks-test.yml — CI that runs the suite on every hooks change.
• consumer-template/ — drop-in settings.json + README for enabling the plugin across surfaces.
• plugin/README.md — hooks documentation.

[Copilot]

Pull request overview

This PR introduces a plugin/hooks.json hook pack for the Copilot CLI plugin to deterministically enforce migration-quality constraints (block/deny unsafe tool calls, inject workflow quality feedback, and produce an audit scorecard), and documents the new enforcement model in plugin/README.md.

Changes:

• Adds deterministic enforcement hooks (preToolUse, postToolUse, agentStop, sessionEnd) in plugin/hooks.json.
• Implements workflow “quality” detection (unpinned actions, placeholders, write-all, missing permissions, actionlint) and a blocking quality gate with a 3-attempt safety valve.
• Documents hook behavior, rationale, and how to enable/disable hooks in plugin/README.md.

Show a summary per file

File	Description
plugin/hooks.json	Adds 5 hooks to block hardcoded secrets and unsafe deletions, lint/check workflows, enforce a blocking quality gate, and append a migration scorecard.
plugin/README.md	Documents the hooks, their lifecycle events, and how to verify/disable them.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 7

[AlexDeMichieli]

Fixed. Secret detection now: (1) extracts only the content/new_string field from toolArgs, (2) checks each line individually — a line must match a secret keyword + [:=] + 8+ chars of value AND not contain \${ on that same line, (3) secrets: inherit no longer triggers because inherit is <8 chars and there's no [:=] value pattern.

[AlexDeMichieli]

Fixed. The rm guard now: (1) checks for ... path traversal BEFORE checking ci-archive paths — any target containing .. is denied immediately, (2) uses a case statement with glob patterns (*/.github/ci-archive/* and *.github/ci-archive/*) for literal matching instead of regex, so xgithub/ci-archive no longer slips through.

[AlexDeMichieli]

Fixed. All 3 hooks now download to a temp file and verify SHA256 (900919a8...) before extracting. Checksum mismatch aborts install and surfaces an explicit warning. Also fixed the PR description — removed the 'checksum-verified upstream' claim and replaced with accurate description.

[AlexDeMichieli]

Fixed. agentStop now includes grep -qE '^permissions:' || W='no-permissions ' in its per-file scan, consistent with postToolUse.

[AlexDeMichieli]

Fixed. sessionEnd scorecard now includes grep -qE '^permissions:' || HAS=1 so missing-permissions counts as an issue. Consistent with all other hooks.

[AlexDeMichieli]

Fixed. Description changed to 'Appends an entry to' and hook description changed to 'Append migration scorecard entry'.

[AlexDeMichieli]

Fixed. All 3 hooks now: (1) on checksum mismatch, abort install and inject explicit warning via additionalContext, (2) after install attempt, re-check command -v actionlint — if still missing, inject 'actionlint not available (install failed)' warning, (3) agentStop adds 'actionlint-unavailable' to the issues list so it blocks completion.

[antgrutta]

@AlexDeMichieli, please set up a meeting with @ssulei7 and myself for a quick demo. This is good stuff and we're excited to rubber duck a couple things with you.

[AlexDeMichieli]

🚀 Jenkins to GitHub Actions Migration Report

📊 Migration Overview

Metric	Before (Jenkins)	After (GitHub Actions)
Pipeline Files	1 file	1 workflow
Pipeline Stages	3 stages	3 jobs
Pipeline Steps	3 steps	3 steps
Shared Libraries	0 libraries	N/A
Credentials	0 credentials	0 secrets/variables

🔄 Conversion Diagram

graph LR
    A[Jenkins Pipeline] --> B[GitHub Actions Workflow]

    subgraph "Jenkins Structure"
        D1[Stage: Build]
        D2[Stage: Test]
        D3[Stage: Deploy]
    end

    subgraph "GitHub Actions Structure"
        G1[Job: build]
        G2[Job: test]
        G3[Job: deploy]
    end

    D1 --> G1
    D2 --> G2
    D3 --> G3

Loading

🔧 Key Transformations

Stage and Step Conversions

• agent any → runs-on: ubuntu-latest
• Jenkins sequential stages → GitHub Actions jobs with needs: dependencies
• sh 'npm ci' → run: npm ci
• Added actions/checkout (not implicit in GitHub Actions unlike Jenkins SCM checkout)
• Added actions/setup-node with npm caching for faster builds

Trigger Mapping

• Jenkins pipeline (typically triggered by SCM polling or webhooks) → on: push and on: pull_request on main branch

✅ Validation Results

Linting Results

$ actionlint .github/workflows/ci.yml
(no output — zero errors)

Manual Verification Checklist

• YAML syntax validated
• All actions properly versioned and pinned to SHAs
• Job dependencies verified (build → test → deploy)
• Environment variables migrated (none required)
• Triggers match original behavior
• Least-privilege permissions applied

🔐 Security Improvements

• Implemented least-privilege permissions: contents: read
• All actions pinned to commit SHAs to prevent supply-chain attacks
• Only verified marketplace actions used (actions/checkout, actions/setup-node)

🔗 Variable and Secret Requirements

Required GitHub Secrets

None required for this pipeline.

Required GitHub Variables

None required for this pipeline.

🎯 Next Steps

1. Test the workflow by pushing to a feature branch
2. Adjust Node.js version if your project requires a different version than 20
3. Enhance the deploy job with actual deployment steps and environment protection rules
4. Add branch protection rules to require CI to pass before merging

📁 Original Jenkins Files

The original Jenkins pipeline file has been archived:

• Jenkinsfile → .github/ci-archive/Jenkinsfile

📚 Migration Notes

• The Jenkins pipeline used agent any which maps to ubuntu-latest as the default GitHub-hosted runner.
• Each stage was converted to a separate job with sequential dependencies to preserve the original execution order.
• actions/setup-node with npm caching was added to optimize install times since Jenkins environments typically have Node.js pre-installed globally.

---

Migration completed by GitHub Copilot Jenkins Migration Agent