View all files | ||||
A hardened template for running CoCo as an autonomous scan-issue-fix agent on GitHub Actions. Scan every push, score each finding, auto-fix the safe ones, and route the rest to human review.
Important
Requires Cortex Code (CoCo) beta channel, version 1.1.9+204229.0400c522997b or later. The workflows install from the beta channel automatically (CORTEX_CHANNEL=beta). Verify: cortex exec --version
This repository is provisioned by the $devops-coco-agents:scaffold-for-github skill — you do not set it up manually.
| .github/workflows/cortex-scan.yml | Scan Python files on push/schedule, route findings by severity |
| .github/workflows/cortex-fix.yml | Auto-fix issues labeled coco:auto-fix; called by comment-fix |
| .github/workflows/cortex-comment-fix.yml | Triggered by /coco fix comment on any coco:needs-review issue |
| .github/coco-config.yml | Fix ceiling policy — change via PR for a full audit trail |
| .cortex/prompts/scan.md | IDD-structured scan prompt |
| .cortex/prompts/fix.md | IDD-structured fix prompt |
| .agentignore | Gitignore-style patterns the scan agent skips |
| connections.toml.template | Reference for the Snowflake connection used in CI |
Install Cortex Code (CoCo)
Install the scaffold plugin:
In the CoCo chat panel:
or: $devops-coco-agents:scaffold-for-github
The scaffold walks through six guided steps — repo creation, OIDC provisioning, secrets, branch protection — and lands you here in under 10 minutes.
The fix ceiling is controlled by .github/coco-config.yml:
| off | Never | Always needs-review |
| conservative | severity=low AND complexity=low AND confidence=high | needs-review |
| aggressive | confidence >= medium | needs-review |
Change the ceiling via PR — the git history is your audit trail. Set COCO_MAX_AUTO as a repository variable to override at runtime without a PR.
Every scan run logs the active ceiling to the Actions summary:
This repository is set up by the CoCo scaffold skill, which provisions:
To scaffold a new project using this template:
or: $devops-coco-agents:scaffold-for-github
See the full scaffold guide.
Scan trigger — cortex-scan.yml watches demo/** by default (smoke test path). Change paths: to match your codebase:
Scan exclusions — add patterns to .agentignore to skip files or directories.
Fix ceiling — edit .github/coco-config.yml and merge the PR.
| GITHUB_TOKEN (auto) | issues: write, pull-requests: write, contents: write, id-token: write — set in each workflow's permissions: block |
| SNOWFLAKE_* secrets | Provisioned by scaffold skill via OIDC |
Commits follow Conventional Commits. See AGENTS.md for agent and contributor conventions.