[Pelis Agent Factory Advisor] Agentic Workflow Maturity Report — March 2026

[github-actions[bot]]

📊 Executive Summary

gh-aw-firewall has an impressive 21 agentic workflows covering security, CI/CD, documentation, smoke testing, and issue management — placing it firmly in the top tier of agentic workflow adoption. The most significant opportunities are adding issue triage (currently zero automated labeling), a workflow health manager to monitor the growing agent ecosystem, and a container image security scanner to cover the Docker supply chain.

---

🎓 Patterns Learned from Pelis Agent Factory

The Pelis Agent Factory documentation site (https://github.github.io/gh-aw/) describes 100+ workflows used in production across these categories:

Category	Key Patterns Observed
Fault Investigation	CI Doctor (69% PR merge rate), Breaking Change Checker, Schema Drift Detector
Testing & Validation	Daily Test Improver, CLI Consistency Checker (78% merge rate), Workflow Health Manager
Security	Daily Secrets Analysis, Daily Malicious Code Scan, Static Analysis Report (57 discussions)
Documentation	Doc Updater (96% merge rate), Glossary Maintainer (100% merge rate), Noob Tester
Issue Management	Issue Arborist, Issue Monster (task dispatcher), Sub-Issue Closer, Mergefest
Observability	Metrics Collector, Portfolio Analyst, Audit Workflows (93 audit discussions)
Code Quality	Code Simplifier (83% merge rate), Duplicate Code Detector (79% merge rate)
Releases	Changeset Generator (78% merge rate)

How this repo compares: It has implemented the high-value security and CI patterns well, runs three AI engines simultaneously for smoke testing (unique!), and is more security-focused than a typical repo — befitting its domain as a network firewall tool. What it lacks is the meta-observability layer and some of the lower-friction automation patterns (issue triage, code quality agents).

---

📋 Current Agentic Workflow Inventory

Workflow	Purpose	Trigger	Assessment
security-guard	PR security reviewer	PR open/sync	✅ Excellent — uses Claude
security-review	Daily comprehensive threat modeling	Daily + dispatch	✅ Strong coverage
secret-digger-claude	Hourly secret scanning	Every hour (cron)	✅ Thorough (3 engines)
secret-digger-codex	Hourly secret scanning	Every hour (cron)	✅
secret-digger-copilot	Hourly secret scanning	Every hour (cron)	✅
dependency-security-monitor	CVE detection + patch PRs	Daily	✅ Strong
ci-doctor	Investigate CI failures	workflow_run failure	✅ High value
ci-cd-gaps-assessment	Daily CI/CD pipeline gap analysis	Daily	✅ Meta insight
doc-maintainer	Sync docs with code changes	Daily (skip-if-match)	✅ Active
cli-flag-consistency-checker	CLI flag vs. docs drift	Weekly	✅ Domain-relevant
test-coverage-improver	Add tests for security-critical paths	Weekly (skip-if-match)	✅ Security-focused
issue-monster	Dispatch issues to Copilot agent	Hourly + on issues	✅ Task dispatcher
issue-duplication-detector	Flag duplicate issues	On issue open	✅ Using cache-memory
plan	/plan slash command	Slash command	✅ Interactive
smoke-claude	End-to-end Claude smoke test	PR + every 12h	✅ Unique multi-engine
smoke-codex	End-to-end Codex smoke test	PR + every 12h	✅
smoke-copilot	End-to-end Copilot smoke test	PR + every 12h	✅
smoke-chroot	Chroot isolation smoke test	PR (path-filtered)	✅
build-test	PR build verification	PR open/sync	✅
update-release-notes	AI-enhanced release notes	On release	✅
pelis-agent-factory-advisor	This advisor	Daily	🔄 Running now

---

🚀 Actionable Recommendations

P0 — Implement Immediately

🏷️ Issue Triage Agent

What: Automatically analyze new issues, apply labels (bug, security, feature, documentation, question, help-wanted), and leave a brief comment explaining the label and potential next steps.

Why: The repo currently has zero automated issue labeling. Issues like #130 (NAT rule bypass) and #422 (DNS propagation) sit without labels, making triage invisible. For a security tool with external users, fast triage signals responsiveness and helps maintainers prioritize security bugs.

How: Standard issue triage pattern from Pelis Factory — on issues: [opened, reopened], analyze title/body in context of the codebase (AWF is a network firewall), apply one label from allowed set, comment to explain.

Effort: Low (< 1 hour to write, compile, and ship)

# Example frontmatter
on:
  issues:
    types: [opened, reopened]
permissions:
  issues: read
safe-outputs:
  add-labels:
    allowed: [bug, security, feature, documentation, question, help-wanted, good-first-issue]
  add-comment:
    max: 1
timeout-minutes: 5

---

🩺 Workflow Health Manager

What: A meta-agent that periodically audits all 21 agentic workflow runs, detecting no-op patterns, excessive costs, misconfigured triggers, and quality degradation. Creates issues for problems found.

Why: Issue #1401 "No-Op Runs" already shows that some workflows are running without producing useful output. With 21 workflows running daily/hourly, invisible inefficiency accumulates quickly. In the Pelis Factory, the Workflow Health Manager created 40 issues, 5 direct PRs + 14 causal chain PRs — one of the highest-leverage workflows. As the workflow collection grows, meta-monitoring becomes essential.

How: Use agentic-workflows tool to analyze recent runs across all workflows. Flag: workflows with zero outputs in past 7 days, workflows with degraded tool calls, unusual token consumption spikes, and failed runs not caught by CI Doctor.

Effort: Medium (workflow body requires careful analysis instructions + uses cache-memory for trend tracking)

---

P1 — Plan for Near-Term

🔍 Breaking Change Checker

What: On every PR, analyze the diff for changes that might break existing users — CLI flag renames/removals, changed default behaviors, removed environment variables, altered Docker API surface.

Why: gh-aw-firewall is a CLI tool with external users. The repo has open issues about backward compatibility (e.g., #1328 support for common api base) and the AGENTS.md explicitly documents the CLI flag contract. Breaking changes that slip through cause pain at release time. The Pelis Factory breaking change checker created alert issues (e.g., flagging CLI version updates in #14113).

How: Trigger on PR, use bash tool to run git diff, analyze changes to src/cli.ts, action.yml, and container entry points for API-surface changes. Post a review comment if breaking changes detected.

Effort: Medium

---

🐳 Container Image Security Scanner

What: Weekly agentic workflow that triggers docker scout or trivy scans on the three container images (squid, agent, api-proxy), analyzes CVE findings, and creates issues for HIGH/CRITICAL vulnerabilities.

Why: The firewall's threat model depends on the security of its own container images. The dependency-security-monitor covers npm packages, but there's no coverage for the Ubuntu 22.04 base images, squid, or Node.js in api-proxy. A fresh ubuntu:22.04 image can have dozens of unpatched CVEs.

How: Weekly schedule, use bash with docker scout cves or trivy image, parse JSON output, create issues for HIGH+ findings using create-issue safe output. Deduplicate using cache-memory.

Effort: Medium

---

📊 Audit Workflows (Meta-Agent)

What: Daily workflow that downloads and analyzes logs from all other agentic workflow runs, producing a discussion report covering: success rates, token usage trends, cost estimates, and error patterns.

Why: With 21 workflows, some running hourly, there is no consolidated view of the agent ecosystem's health and cost. The Pelis Factory's Audit Workflows created 93 audit discussions and uncovered optimization opportunities. Given the 3 secret-digger workflows running hourly, visibility into whether they're providing value or just burning tokens is important.

How: Use agentic-workflows tool to fetch recent runs, aggregate metrics, produce a daily [Audit] discussion with structured tables.

Effort: Low-Medium

---

P2 — Consider for Roadmap

🔧 Code Simplifier

What: Daily agent that analyzes recently modified TypeScript/JavaScript code for complexity, verbosity, and duplication, then creates PRs with targeted simplifications.

Why: The codebase (especially src/docker-manager.ts which is 1000+ lines) grows complex over time. The Pelis Factory Code Simplifier achieved 83% merge rate on 6 PRs. With active development adding new features (api-proxy, GHEC support, DLP), a cleanup agent would help maintain readability.

How: Daily schedule, git log --since 7 days, analyze changed TypeScript files, propose simplifications as a draft PR.

Effort: Low

---

🌳 Issue Arborist

What: Periodically analyze open issues to identify related ones, group them as sub-issues under a parent, and create discussion reports about issue relationships.

Why: Issues like #130 (child container NAT bypass), #422 (DNS propagation), #240 (performance benchmarks), #1328 (common api base) are related thematically but not linked. The Pelis Factory Issue Arborist created 18 parent issues to organize work. This would help maintainers see which issues cluster around a theme (e.g., "network isolation improvements").

Effort: Low

---

📝 Schema Consistency Checker

What: Weekly agent that verifies that TypeScript types (src/types.ts), CLI flags (src/cli.ts), action.yml inputs, AGENTS.md documentation, and environment variable documentation (docs/environment.md) are all consistent with each other.

Why: The repo already has the cli-flag-consistency-checker for CLI flags, but broader schema drift between TypeScript interfaces and their documentation is not checked. WrapperConfig in src/types.ts has grown to many fields — documentation and code can easily drift.

Effort: Low

---

P3 — Future Ideas

📈 Portfolio Analyst

What: Weekly analysis of the agent portfolio — which workflows are high-ROI (producing PRs/issues that get merged), which are low-ROI (running but not producing value), with token cost estimates.

Why: With 21 workflows and 3 secret-diggers running hourly, cost transparency matters. The Pelis Factory Portfolio Analyst identified "workflows that were costing money unnecessarily."

Effort: Medium

---

👶 Documentation Noob Tester

What: Monthly agent that reads the docs site from a "first-time user" perspective, follows setup instructions, identifies confusing steps, and creates issues for UX improvements.

Why: The repo has a full Astro/Starlight docs site at docs-site/. New users setting up AWF for the first time face: Docker requirements, sudo usage, domain whitelisting syntax, and proxy configuration. These are non-trivial.

Effort: Medium

---

🔄 Changeset Generator

What: On PR merge to main, analyze commit messages and generate a changelog entry + version bump suggestion, automating the release prep process.

Why: update-release-notes.md already helps after release, but there's no automation for preparing releases (version bump, changelog). The Pelis Factory Changeset Generator had a 78% merge rate.

Effort: Low

---

📈 Maturity Assessment

Dimension	Level	Notes
Security Automation	⭐⭐⭐⭐⭐ 5/5	Exceptional — 6 security workflows, multi-engine secret scanning, PR reviews
CI/CD Automation	⭐⭐⭐⭐ 4/5	Strong — CI Doctor, gap assessment, smoke tests across 3 engines
Documentation	⭐⭐⭐⭐ 4/5	Good — doc-maintainer + CLI checker, lacks noob testing
Issue Management	⭐⭐⭐ 3/5	Partial — Issue Monster + dedup, missing triage labels and arborist
Code Quality	⭐⭐ 2/5	Gap — no continuous simplicity/refactoring agent
Observability	⭐⭐ 2/5	Gap — no meta-monitoring, no audit/portfolio workflows
Release Automation	⭐⭐⭐ 3/5	Partial — release notes updater, but no changeset agent

Current Overall Level: 4/5 — Above average, with exceptional security coverage (befitting the domain). The primary gap is the observability/meta-monitoring layer and routine code quality automation.

Target Level: 4.5/5 — Adding issue triage (P0) and a Workflow Health Manager (P0) would close the most important gaps with minimal effort.

---

🔄 Comparison with Best Practices

What it does well:

• 🏆 Multi-engine smoke testing — running Claude, Codex, and Copilot smoke tests simultaneously is unique and highly valuable for a firewall that supports all three
• 🏆 Security depth — 6 security-focused workflows goes beyond typical repos; the secret-digger running on 3 engines hourly is aggressive and appropriate for a security tool
• ✅ skip-if-match guards on doc and test workflows prevent redundant PRs
• ✅ cache-memory used in issue-duplication-detector for persistent state
• ✅ shared/mcp-pagination.md imports show awareness of MCP response limits

What it could improve:

• ❌ No issue triage = no labels = harder to prioritize (simplest win available)
• ❌ No meta-monitoring = invisible inefficiency (issue [agentics] No-Op Runs #1401 already surfaced this)
• ❌ Container image supply chain not covered by any security workflow
• ❌ No causal chain automation — issue-monster assigns to Copilot, but there's no arborist linking related issues or sub-issue closer to clean up completed work

Unique domain opportunities:

• A "Firewall Rule Auditor" — periodically reviews the Squid ACL generation logic (src/squid-config.ts) against the documented security model to ensure no ACL bypass patterns have crept in
• A "Container Hardening Checker" — reviews Dockerfile changes for security best practices (non-root USER, no COPY --chown issues, capability drops)

---

📝 Notes for Future Runs

Stored in /tmp/gh-aw/cache-memory/notes.txt:

• First advisor run on 2026-03-24
• 21 agentic workflows found
• Top gaps: issue triage (P0), workflow health manager (P0), container scanner (P1)
• Known issue [agentics] No-Op Runs #1401 (no-op runs) directly motivates Workflow Health Manager recommendation

AI generated by Pelis Agent Factory Advisor

• expires on Mar 31, 2026, 3:28 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-31T03:28:39.574Z.

Closed by Workflow