← 返回首页
GitHub - Snowflake-Labs/github-coco-agent: GitHub Actions template for CoCo agentic DevOps — autonomous scan, fix, and PR workflows with Snowflake OIDC auth · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Appearance settings
Resetting focus

Snowflake-Labs/github-coco-agent

Go to file
Code

Repository files navigation

More items

Agentic DevOps with Snowflake CoCo — GitHub Actions

A hardened template for running CoCo as an autonomous scan-issue-fix agent on GitHub Actions. Scan every push, score each finding, auto-fix the safe ones, and route the rest to human review.

Important

Requires Cortex Code (CoCo) beta channel, version 1.1.9+204229.0400c522997b or later. The workflows install from the beta channel automatically (CORTEX_CHANNEL=beta). Verify: cortex exec --version

This repository is provisioned by the $devops-coco-agents:scaffold-for-github skill — you do not set it up manually.

What's in this repo

File Purpose
.github/workflows/cortex-scan.yml Scan Python files on push/schedule, route findings by severity
.github/workflows/cortex-fix.yml Auto-fix issues labeled coco:auto-fix; called by comment-fix
.github/workflows/cortex-comment-fix.yml Triggered by /coco fix comment on any coco:needs-review issue
.github/coco-config.yml Fix ceiling policy — change via PR for a full audit trail
.cortex/prompts/scan.md IDD-structured scan prompt
.cortex/prompts/fix.md IDD-structured fix prompt
.agentignore Gitignore-style patterns the scan agent skips
connections.toml.template Reference for the Snowflake connection used in CI

Quick start

  1. Install Cortex Code (CoCo)

  2. Install the scaffold plugin:

    cortex plugin install https://github.com/Snowflake-Labs/devops-snowflake-coco-agents
  3. In the CoCo chat panel:

    scaffold for agentic devops with GitHub

    or: $devops-coco-agents:scaffold-for-github

The scaffold walks through six guided steps — repo creation, OIDC provisioning, secrets, branch protection — and lands you here in under 10 minutes.

How it works

flowchart TD trigger["push to main / weekly schedule"] --> scan["cortex-scan\nScore each finding\nSEVERITY × COMPLEXITY × CONFIDENCE"] scan -->|"low risk"| autofix["Label: coco:auto-fix"] scan -->|"higher risk"| review["Label: coco:needs-review"] autofix --> fix1["cortex-fix\nopens PR automatically"] review --> human["developer reviews\ncomments /coco fix"] human --> fix2["cortex-fix\nopens PR on request"]
Loading

Smart fix mode

The fix ceiling is controlled by .github/coco-config.yml:

fix_mode: max_auto: conservative # off | conservative | aggressive
Ceiling Auto-fix when Otherwise
off Never Always needs-review
conservative severity=low AND complexity=low AND confidence=high needs-review
aggressive confidence >= medium needs-review

Change the ceiling via PR — the git history is your audit trail. Set COCO_MAX_AUTO as a repository variable to override at runtime without a PR.

Every scan run logs the active ceiling to the Actions summary:

::notice::Fix ceiling: conservative (source: .github/coco-config.yml)

Setup

This repository is set up by the CoCo scaffold skill, which provisions:

  • Snowflake SERVICE user, role, and warehouse with OIDC trust (no stored secrets)
  • All GitHub secrets and the COCO_MAX_AUTO variable
  • Branch protection

To scaffold a new project using this template:

scaffold for agentic devops with GitHub

or: $devops-coco-agents:scaffold-for-github

See the full scaffold guide.

Customization

Scan trigger — cortex-scan.yml watches demo/** by default (smoke test path). Change paths: to match your codebase:

on: push: branches: [main] paths: ["src/**/*.py", "*.py"] # adapt to your project layout

Scan exclusions — add patterns to .agentignore to skip files or directories.

Fix ceiling — edit .github/coco-config.yml and merge the PR.

Permissions

Token Required permissions
GITHUB_TOKEN (auto) issues: write, pull-requests: write, contents: write, id-token: write — set in each workflow's permissions: block
SNOWFLAKE_* secrets Provisioned by scaffold skill via OIDC

Contributing

Commits follow Conventional Commits. See AGENTS.md for agent and contributor conventions.

About

GitHub Actions template for CoCo agentic DevOps — autonomous scan, fix, and PR workflows with Snowflake OIDC auth

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Footer

© 2026 GitHub, Inc.