There was a problem hiding this comment.
Looking great!! A few thoughts!
Sorry, something went wrong.
| - **Match the project’s existing style.** Follow the conventions visible in | ||
| the surrounding source files (naming, headers, namespaces, C++ standard | ||
| level, use of `enum class`, etc.). | ||
| - **Preserve behaviour.** A coding-standards fix is a refactor at the source |
There was a problem hiding this comment.
I might emphasize and/or expand this further.
In conversation with Vincent, he expressed a lot of skepticism about autofix. In some of the examples we saw from other similar projects, their autofix often did dangerous things to suppress the warning and/or introduce UB.
So maybe this should be something more like:
Sorry, something went wrong.
| @@ -0,0 +1,157 @@ | |||
| [//]: # "Include this file in the repository to provide instructions to GitHub Copilot AUtofix. For more information, see https://docs.github.com/copilot/copilot-for-business/copilot-instructions." | |||
| # GitHub Copilot instructions | |||
There was a problem hiding this comment.
We should give instructions here and in the user_manual that tells the user where to put this file.
Additionally, I'm not sure that we want to make this part of instructions. I think we may want to make this an AGENT.md, or a skill.
Typically copilot instructions will be loaded into the context in full for every prompt. The instructions here should probably only be loaded when necessary. We may have to sync with folks internally about whether we can use an agent file, and how to make that the agent used by autofix. That might not be possible. If so we hopefully can use skill effectively.
If we end up making this a skill, it might be worth making a copilot-instructions.md that is very short, that ensures the skill is loaded. "When fixing alerts, use the skill [...]"
Sorry, something went wrong.
|
|
||
| - Creating databases and running the CodeQL Coding Standards queries with the [CodeQL Action](https://github.com/github/codeql-action) (for GitHub Actions CI/CD system). | ||
| - Uploading the SARIF results files for a CodeQL Coding Standards analysis to the GitHub [Code Scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) feature. | ||
| - Using [Agentic Autofix in Code Scanning](https://docs.github.com/en/code-security/concepts/code-scanning/copilot-autofix-for-code-scanning) (use the reference [copilot-instructions.md](copilot-instructions.md) file provided). |
There was a problem hiding this comment.
I'd provide more detailed instructions here for how to install into a project.
And we also need to update the user_manual version with author and date etc
Sorry, something went wrong.
Description
This pull request introduces comprehensive repository-wide instructions for GitHub Copilot, specifically focused on configuring Copilot's agentic autofix feature for CodeQL Coding Standards compliance. It also updates the user manual to reference these new Copilot instructions as part of the certified use cases.
Key changes:
Copilot configuration and guidance:
Documentation updates:
Change request type
Rules with added or modified queries
Release change checklist
A change note (development_handbook.md#change-notes) is required for any pull request which modifies:
If you are only adding new rule queries, a change note is not required.
Author: Is a change note required?
🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.
Reviewer: Confirm that either a change note is not required or the change note is required and has been added.
Query development review checklist
For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:
Author
As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
Reviewer
As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.