## 📊 Executive Summary
The gh-aw-firewall repository has a strong agentic workflow foundation with 28 compiled workflows covering security, smoke testing, CI investigation, and documentation. However, it is missing key observability, issue organization, release automation, and continuous code quality workflows that are proven high-value in Pelis Agent Factory. The biggest untapped opportunities are a Workflow Health Manager (meta-agent), Issue Triage, Metrics/Audit workflows, and a Changeset generator.
## 🎓 Patterns Learned from Pelis Agent Factory
### From the Documentation Site
The Pelis Agent Factory blog series documents 100+ workflows across 14 categories. Key patterns with standout metrics:
| Pattern | Metric |
|---|---|
| CI Doctor | 69% PR merge rate on AI-proposed fixes |
| CLI Consistency Checker | 78% PR merge rate, 80 merged PRs |
| Changeset Generator | 78% PR merge rate, 22 merged PRs |
| Workflow Health Manager | 40 issues → 34 PRs, 5 direct PRs merged |
| Audit Workflows | 93 discussion reports, 9 issues |
| Daily Testify Expert | 13/19 issues led to merged PRs (100% causal chain) |
### Key Principles Observed
- Meta-agents are high value — Agents that monitor other agents (Workflow Health Manager, Audit Workflows, Portfolio Analyst) create outsized impact by catching problems in the automation layer itself.
- Specialization > generalism — Focused workflows outperform broad ones. A dedicated Breaking Change Checker catches things a general security review misses.
- Cache memory enables continuity — Workflows like Issue Duplication Detector use `cache-memory` for cross-run state, enabling pattern detection across time.
- Observability is essential at scale — With 28+ workflows, there's no way to manually track which agents are working. Metrics Collector and Audit Workflows solve this.
- Rate limiting prevents chaos — Issue Monster's `skip-if-match` pattern prevents parallel work explosions.
### From the githubnext/agentics Repository
The agentics repo contains portable reference workflows including: daily-test-improver, code-simplifier, duplicate-code-detector, daily-doc-updater, unbloat-docs, link-checker, ci-coach, ci-doctor, and contribution-check.
## 📋 Current Agentic Workflow Inventory
| Workflow | Purpose | Trigger | Assessment |
|---|---|---|---|
| `build-test-{bun,cpp,deno,dotnet,go,java,node,rust}` | Multi-language PR build tests | PR | ✅ Excellent - comprehensive language coverage |
| `ci-cd-gaps-assessment` | CI/CD pipeline gap analysis | Daily | ✅ Good observability |
| `ci-doctor` | Investigates CI failures | workflow_run | ✅ Well-implemented, but hardcoded workflow list needs maintenance |
| `cli-flag-consistency-checker` | CLI flag/doc sync | Weekly | ✅ Good - creates discussion reports |
| `dependency-security-monitor` | CVE monitoring + dep updates | Daily | ✅ Strong security coverage |
| `doc-maintainer` | Documentation sync | Daily | ❌ Not compiled (no lock file), so it never runs; fix with `gh aw compile` |
| `issue-duplication-detector` | Duplicate issue detection | Issue opened | ✅ Good - uses cache-memory correctly |
| `issue-monster` | Task dispatcher to Copilot agents | Issue opened + hourly | ✅ Excellent - well rate-limited |
| `pelis-agent-factory-advisor` | This workflow | Daily | ✅ Running |
| `plan` | `/plan` slash command | Slash command | ✅ Good ChatOps addition |
| `secret-digger-{claude,codex,copilot}` | Red team secrets scanning | Hourly x3 | ✅ Exceptional - 3 engines provide diversity |
| `security-guard` | PR security review | PR | ✅ Claude-powered, good for security-critical repo |
| `security-review` | Comprehensive daily security audit | Daily | ✅ Deep evidence-based review |
| `smoke-{claude,codex,copilot,chroot,gemini}` | Engine smoke tests | PR + scheduled | ✅ Excellent multi-engine coverage |
| `test-coverage-improver` | Test coverage PRs | Weekly | ✅ Good, but security-critical code needs more frequency |
| `update-release-notes` | Enhance release notes | Release published | ✅ Good reactive automation |
## 🚀 Actionable Recommendations
### P0 — Implement Immediately
#### Fix: Compile doc-maintainer.md
What: The doc-maintainer workflow shows `compiled: No` — it is not generating a lock file and therefore not running.
Why: Documentation drift accumulates silently. This is a daily workflow that should be creating PRs for documentation updates.
How:
```bash
gh aw compile .github/workflows/doc-maintainer.md
npx tsx scripts/ci/postprocess-smoke-workflows.ts
```
Effort: Low (minutes)
#### P0: Add Issue Triage Agent
What: Automatically label new issues as bug, feature, enhancement, documentation, question, help-wanted, etc. with a brief comment explaining the label.
Why: Open issues (like the current Secret Digger failures) have no labels, making triage and prioritization harder. This is the "hello world" of agentic workflows and is immediately valuable.
How:
```markdown
---
description: Issue Triage Agent
on:
  issues:
    types: [opened, reopened]
permissions:
  issues: read
tools:
  github:
    toolsets: [issues, labels]
    lockdown: false
safe-outputs:
  add-labels:
    allowed: [bug, feature, enhancement, documentation, question, help-wanted, good-first-issue, security, performance, agentic-failure]
  add-comment: {}
timeout-minutes: 5
---
# Issue Triage Agent
Label new issues in ${{ github.repository }} using these labels: bug, feature, enhancement, documentation, question, help-wanted, good-first-issue, security, performance, agentic-failure.
After labeling, comment on the issue with why the label was chosen and a brief note on how it might be addressed. For security issues, note urgency.
```
Effort: Low (~30 min)
### P1 — Plan for Near-Term
#### P1: Add Workflow Health Manager (Meta-Agent)
What: A meta-agent that monitors all other agentic workflows — checking for failures, stalled agents, missing outputs, and quality degradation. Creates issues when workflows are unhealthy.
Why: With 28 workflows, it's impossible to manually check each one. The Pelis Agent Factory's Workflow Health Manager created 40 issues with a 34-PR downstream impact. This is especially important since ci-doctor monitors standard workflows but not the agentic workflow runs themselves.
How: Daily schedule, uses agentic-workflows tool to check recent runs, audit-workflows pattern — creates issues for any workflow with repeated failures, zero outputs, or cost anomalies.
Effort: Medium (2-4 hours)
#### P1: Add Audit Workflows (Observability)
What: A meta-agent that analyzes recent runs of all agentic workflows, summarizing costs, outputs, success rates, and anomalies into a weekly discussion.
Why: The Pelis Agent Factory's Audit Workflows generated 93 discussion reports and identified costly/broken agents. This repo now has 28 workflows — without observability, it's a black box. Pairs well with the Workflow Health Manager.
How:
```markdown
---
description: Weekly audit of all agentic workflow performance and health
on:
  schedule: weekly
  workflow_dispatch:
permissions:
  actions: read
  contents: read
tools:
  agentic-workflows:
  github:
    toolsets: [default, actions]
safe-outputs:
  create-discussion:
    title-prefix: "[Workflow Audit] "
    category: "general"
timeout-minutes: 30
---
# Workflow Audit Agent
Analyze the last 7 days of agentic workflow runs. For each workflow: report success/failure rates, outputs generated (PRs, issues, comments, discussions), estimated token usage, and any anomalies. Flag workflows that produced no outputs or had repeated failures. Create a prioritized list of health issues.
```
Effort: Medium (2-4 hours)
#### P1: Add Changeset / Release Automation
What: When a PR is merged, analyze the changes and propose a version bump (major/minor/patch per semver) and draft changelog entry. Bundle into a PR that updates package.json version and CHANGELOG.md.
Why: The existing update-release-notes runs after release — this fills the gap before release. This is a security firewall tool where version bumps signal security fixes. Pelis Factory's Changeset Generator had a 78% merge rate on 28 proposed PRs.
How:
```markdown
---
description: Automated version bump and changelog generator
on:
  push:
    branches: [main]
  workflow_dispatch:
  skip-if-match:
    query: 'is:pr is:open in:title "[release]"'
    max: 1
permissions:
  contents: read
  pull-requests: read
tools:
  github:
    toolsets: [default]
  bash:
    - "git log:*"
    - "git tag:*"
safe-outputs:
  create-pull-request:
    title-prefix: "[release] "
    draft: true
    labels: [release, automated]
timeout-minutes: 10
---
# Changeset Generator
Analyze commits since the last version tag. Determine if this warrants a major/minor/patch bump. Update package.json version and CHANGELOG.md. For security-critical changes (iptables, squid config, container hardening), prefer minor/major bumps.
```
Effort: Medium (3-5 hours)
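The bump decision the Changeset Generator prompt describes, written out as an added example (not code from the gh-aw-firewall project). It applies Conventional Commits rules plus the report's own policy that changes on security-critical paths should not ship as a quiet patch. The commit list is constructed inline; in the workflow it would come from `git log <last-tag>..HEAD --name-only`, which the `bash` allow-list permits. The `SECURITY_CRITICAL` path patterns are an assumption taken from the report's list (iptables, squid, container hardening).

```typescript
// Added example (not code from the gh-aw-firewall project): decide the semver
// bump and draft a changelog entry from the commits since the last version tag.
// Commit data is constructed inline; a real run would read it from
// `git log <last-tag>..HEAD --name-only`.

type Bump = "none" | "patch" | "minor" | "major";

interface Commit {
  subject: string;  // first line of the commit message
  body: string;     // remaining lines (may carry a "BREAKING CHANGE:" footer)
  files: string[];  // paths touched by the commit
}

// Paths treated as security-critical for this example (an assumption, derived
// from the report's own list: iptables, squid config, container hardening).
const SECURITY_CRITICAL: RegExp[] = [/iptables/i, /squid/i, /seccomp/i, /Dockerfile/];

const RANK: Record<Bump, number> = { none: 0, patch: 1, minor: 2, major: 3 };

function higher(a: Bump, b: Bump): Bump {
  return RANK[a] >= RANK[b] ? a : b;
}

// Conventional Commits: "type(scope)!: subject". A "!" marker or a
// BREAKING CHANGE footer means major; feat means minor; fix/perf means patch.
function bumpForCommit(c: Commit): Bump {
  const m = c.subject.match(/^(\w+)(\([^)]*\))?(!)?:/);
  const type = m ? m[1] : "";
  const breaking = (m !== null && m[3] === "!") || /^BREAKING[ -]CHANGE:/m.test(c.body);
  let bump: Bump = "none";
  if (breaking) bump = "major";
  else if (type === "feat") bump = "minor";
  else if (type === "fix" || type === "perf") bump = "patch";
  // Policy from the report: a change on a security-critical path is raised to
  // at least a minor bump so users see it as more than a routine patch.
  const touchesCritical = c.files.some(f => SECURITY_CRITICAL.some(re => re.test(f)));
  if (touchesCritical) bump = higher(bump, "minor");
  return bump;
}

function decideBump(commits: Commit[]): Bump {
  let result: Bump = "none";
  for (const c of commits) result = higher(result, bumpForCommit(c));
  return result;
}

function nextVersion(current: string, bump: Bump): string {
  const parts = current.split(".").map(Number);
  const major = parts[0], minor = parts[1], patch = parts[2];
  if (bump === "major") return (major + 1) + ".0.0";
  if (bump === "minor") return major + "." + (minor + 1) + ".0";
  if (bump === "patch") return major + "." + minor + "." + (patch + 1);
  return current;
}

function changelogEntry(version: string, commits: Commit[]): string {
  const lines = commits
    .filter(c => bumpForCommit(c) !== "none")
    .map(c => "- " + c.subject + " [" + bumpForCommit(c) + "]");
  return ["## " + version, ...lines].join("\n");
}

// Constructed sample commits since the last tag (not real project history).
const SAMPLE_COMMITS: Commit[] = [
  { subject: "docs: clarify allowed-domains syntax", body: "", files: ["README.md"] },
  { subject: "fix: reject domain names with a trailing dot", body: "", files: ["src/domains.ts"] },
  { subject: "fix: tighten default iptables chain", body: "", files: ["src/iptables.ts"] },
];

const bump = decideBump(SAMPLE_COMMITS);
const version = nextVersion("1.4.2", bump);
console.log(bump, version);
console.log(changelogEntry(version, SAMPLE_COMMITS));
```

With the sample commits the two `fix:` commits would normally yield a patch release, but because one of them touches `src/iptables.ts` the result is a minor bump (1.4.2 to 1.5.0); the docs-only commit is left out of the changelog entry.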
#### P1: Add Breaking Change Checker
What: On every PR, detect changes that could break backwards compatibility: removed CLI flags, changed default behaviors, modified environment variable names, API contract changes.
Why: This is a CLI tool distributed via npm and binaries. Breaking changes without major version bumps frustrate users. The Pelis Factory's Breaking Change Checker creates alert issues before they reach production.
How: PR trigger, reads src/cli.ts, src/types.ts, compares to main branch, flags removals or signature changes as potential breaking changes.
Effort: Medium (2-3 hours)
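One concrete form of the "flags removals or signature changes" step, as an added example that is not the project's own code: extract the option declarations from two revisions of a commander-style `src/cli.ts` and diff them. Both revisions below are constructed samples (the flag names are hypothetical, not gh-aw-firewall's real CLI); in the workflow the base text would come from `main` and the head text from the PR branch. The assumption that options are declared with `.option('...')` / `.requiredOption('...')` is mine.

```typescript
// Added example (not code from the gh-aw-firewall project): list CLI option
// declarations in two revisions of a commander-style src/cli.ts and flag
// removed flags or changed signatures. Both revisions below are constructed
// samples; a real run would read the file from the PR head and from main.

interface CliOption {
  flag: string;       // long flag, e.g. "--allow-domains"
  signature: string;  // full declaration, e.g. "-d, --allow-domains <list>"
}

interface BreakingChange {
  kind: "removed" | "signature-changed";
  flag: string;
  before: string;
  after: string | null;
}

// Matches the first argument of .option('...') / .requiredOption("...") calls
// (assumes commander-style declarations with a quoted flag specification).
const OPTION_RE = /\.(?:requiredOption|option)\(\s*(['"])([^'"]+)\1/g;

function extractOptions(source: string): Map<string, CliOption> {
  const options = new Map<string, CliOption>();
  const re = new RegExp(OPTION_RE.source, "g");  // fresh match state per call
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const signature = m[2].trim();
    const long = signature.match(/--[A-Za-z0-9-]+/);
    if (long) options.set(long[0], { flag: long[0], signature });
  }
  return options;
}

function findBreakingChanges(baseSource: string, headSource: string): BreakingChange[] {
  const base = extractOptions(baseSource);
  const head = extractOptions(headSource);
  const findings: BreakingChange[] = [];
  base.forEach((opt, flag) => {
    const now = head.get(flag);
    if (!now) {
      findings.push({ kind: "removed", flag, before: opt.signature, after: null });
    } else if (now.signature !== opt.signature) {
      findings.push({ kind: "signature-changed", flag, before: opt.signature, after: now.signature });
    }
  });
  return findings;
}

function formatFindings(findings: BreakingChange[]): string[] {
  return findings.map(f => f.kind === "removed"
    ? "REMOVED  " + f.flag + " (was \"" + f.before + "\")"
    : "CHANGED  " + f.flag + ": \"" + f.before + "\" -> \"" + f.after + "\"");
}

// Constructed sample: the main-branch revision (hypothetical flags).
const BASE_CLI = `
program
  .option('-d, --allow-domains <list>', 'comma-separated allowed domains')
  .option('--log-level <level>', 'log verbosity', 'info')
  .option('--keep-containers', 'do not remove containers on exit');
`;

// Constructed sample: the PR revision changes one argument shape and drops a flag.
const HEAD_CLI = `
program
  .option('-d, --allow-domains <domains...>', 'allowed domains')
  .option('--log-level <level>', 'log verbosity', 'info');
`;

formatFindings(findBreakingChanges(BASE_CLI, HEAD_CLI)).forEach(line => console.log(line));
```

Added flags are deliberately not reported, since they are additive; a changed default value for an existing flag is also not caught by this signature comparison and would need the third `.option()` argument compared as well.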
### P2 — Consider for Roadmap
#### P2: Add Continuous Simplicity / Code Quality Agent
What: Weekly agent that identifies code that can be simplified — dead code, overly complex functions, repeated patterns — and proposes targeted PRs.
Why: The Pelis Factory's CLI Consistency Checker achieved 78% PR merge rate with 80 merged PRs. TypeScript codebases accumulate technical debt. The firewall codebase has security-critical paths that benefit from clarity.
Effort: Medium
#### P2: Upgrade Test Coverage Improver from Weekly → Daily
What: The test-coverage-improver runs weekly. Given the security-critical nature of this codebase (iptables manipulation, container security), daily incremental test additions would be more appropriate — guarded by the existing skip-if-match to prevent PR pile-up.
Why: Security-critical code paths (domain validation, capability dropping, iptables rules) need comprehensive testing. Weekly cadence means gaps persist for 7 days.
Effort: Low (change schedule: weekly to schedule: daily)
#### P2: Add Link Checker
What: Weekly check of all links in documentation files (README, docs/, docs-site/) to detect broken external links.
Why: Documentation links to external resources (Squid docs, Docker, npm packages) rot over time. Available as githubnext/agentics/link-checker.
How:
```bash
gh aw add-wizard githubnext/agentics/link-checker
```
Effort: Low (30 min)
#### P2: Update ci-doctor Monitored Workflow List
What: The ci-doctor workflow monitors a hardcoded list of workflows. Several newer workflows are missing: Smoke Gemini, Secret Digger (Claude/Codex/Copilot), Security Review, Daily Doc Maintainer, Dependency Security Monitor.
Why: CI failures in security-critical workflows like Secret Digger and Security Review go uninvestigated without CI Doctor coverage.
Effort: Low (add workflow names to the list in ci-doctor.md and recompile)
### P3 — Future Ideas
#### P3: Issue Arborist — Sub-Issue Linking
What: Automatically link related issues as parent/sub-issue relationships based on content similarity and topic.
Why: As issue volume grows, the Arborist helps maintainers navigate related work. Created 77 discussion reports and 18 parent issues in Pelis Factory.
Effort: Medium
#### P3: Mergefest — Auto-merge Main into PRs
What: Automatically merge main into open PR branches when main advances significantly, reducing the "please rebase" ceremony.
Why: Reduces manual overhead for long-lived PRs, especially agentic-created PRs from test-coverage-improver and doc-maintainer.
Effort: Low-Medium
#### P3: Firewall Domain Compliance Monitor
What: Domain-specific to this repo: daily check that all workflows' `network.allowed` domains are still justified and minimal. Flag any workflows using defaults that could be locked down further.
Why: This repo builds a firewall — its own workflows should model excellent firewall hygiene. Domains in `network.allowed` should be regularly audited.
Effort: Low
## 📈 Maturity Assessment
| Dimension | Current Level | Notes |
|---|---|---|
| Security automation | ⭐⭐⭐⭐⭐ 5/5 | Exceptional: 3 red-team agents, daily security review, PR guard, dependency monitor |
| CI/CD quality | ⭐⭐⭐⭐ 4/5 | Strong: CI Doctor, CI/CD gaps assessment; missing breaking change checker |
| Documentation | ⭐⭐⭐ 3/5 | Good intent but doc-maintainer is broken (not compiled) |
| Issue management | ⭐⭐ 2/5 | Issue Monster exists but no triage; issues accumulate unlabeled |
| Observability | ⭐⭐ 2/5 | No meta-agents monitoring the workflows themselves |
| Release automation | ⭐⭐⭐ 3/5 | Release notes agent exists; missing changelog/version bump |
| Code quality | ⭐⭐ 2/5 | Test coverage improver exists; no refactoring/simplicity agents |
| Overall | 3.1/5 | Strong security foundation, gaps in observability and code quality |
Target Level: 4/5 — achievable with P0/P1 items above.
## 🔄 Comparison with Best Practices
### What This Repo Does Well
- Best-in-class security automation: The triple-engine secret-digger pattern (Claude + Codex + Copilot) is more rigorous than most repos. Running 3 red-team agents hourly is exceptional.
- Multi-engine smoke testing: 5 engines (claude, codex, copilot, chroot, gemini) provides excellent regression coverage.
- Rate-limited task dispatch: Issue Monster's `skip-if-match` guard is a sophisticated production-quality pattern.
- Security-domain-specific workflows: Security Guard and Security Review are tailored to the firewall domain, not generic.
### What It Could Improve
- No observability layer: With 28 workflows, the lack of Audit Workflows and Workflow Health Manager means problems go unnoticed. This is the #1 gap vs. Pelis Factory best practices.
- Issue hygiene: No triage agent means issues pile up unlabeled. Basic labeling enables better prioritization.
- Broken workflow: doc-maintainer is not compiled — a simple fix with real impact.
### Unique Opportunities (Firewall/Security Domain)
- Domain audit workflow: Check that all `network.allowed` lists in workflows are minimal (eating your own dogfood).
- Container security drift detector: Periodic check that container Dockerfiles and seccomp profiles haven't regressed.
- iptables rule validator: Automated verification that iptables rules match documented intent.
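The check that both the P3 Firewall Domain Compliance Monitor and the "Domain audit workflow" bullet above describe, as an added example that is not the project's own code: read each workflow's frontmatter, collect its `network.allowed` entries, and report workflows that rely on implicit defaults, allow every host, use subdomain wildcards, or allow a host no other workflow needs. The workflow texts are constructed samples with hypothetical names; a real run would read `.github/workflows/*.md`. The frontmatter reader only understands the indented `network:` / `allowed:` / `- item` layout and treats `defaults` as a bundle name; both are assumptions.

```typescript
// Added example (not code from the gh-aw-firewall project): audit the
// network.allowed lists declared in gh-aw workflow frontmatter. The workflow
// texts are constructed samples; a real run would read .github/workflows/*.md.
// The frontmatter reader handles only the indented "network:" / "allowed:" /
// "- item" layout (an assumption about the frontmatter shape).

interface NetworkPolicy {
  workflow: string;
  explicit: boolean;   // false when the frontmatter declares no network: block
  allowed: string[];
}

interface Finding {
  workflow: string;
  severity: "warn" | "info";
  message: string;
}

// Entries naming a bundle rather than a single host (assumption: gh-aw's "defaults").
const BUNDLES = ["defaults"];

function frontmatterLines(markdown: string): string[] {
  const lines = markdown.split("\n");
  if (lines.length === 0 || lines[0].trim() !== "---") return [];
  const end = lines.indexOf("---", 1);
  return end === -1 ? [] : lines.slice(1, end);
}

function indentOf(line: string): number {
  const m = line.match(/^ */);
  return m ? m[0].length : 0;
}

function parseNetwork(workflow: string, markdown: string): NetworkPolicy {
  const fm = frontmatterLines(markdown);
  const start = fm.findIndex(l => indentOf(l) === 0 && l.trim() === "network:");
  if (start === -1) return { workflow, explicit: false, allowed: [] };
  const allowed: string[] = [];
  let inAllowed = false;
  for (let i = start + 1; i < fm.length; i++) {
    const line = fm[i];
    const text = line.trim();
    if (text === "") continue;
    if (indentOf(line) === 0) break;            // left the network: block
    if (text === "allowed:") { inAllowed = true; continue; }
    if (inAllowed && text.indexOf("- ") === 0) {
      allowed.push(text.slice(2).trim().replace(/^["']|["']$/g, ""));
    } else {
      inAllowed = false;                          // some other key under network:
    }
  }
  return { workflow, explicit: true, allowed };
}

function auditNetwork(policies: NetworkPolicy[]): Finding[] {
  const findings: Finding[] = [];
  // Count how many workflows reference each entry: a host allowed by a single
  // workflow is the one most worth re-justifying during a periodic review.
  const usage = new Map<string, number>();
  policies.forEach(p => p.allowed.forEach(d => usage.set(d, (usage.get(d) || 0) + 1)));
  policies.forEach(p => {
    if (!p.explicit) {
      findings.push({ workflow: p.workflow, severity: "warn", message: "no network: block; relies on implicit defaults" });
      return;
    }
    p.allowed.forEach(d => {
      if (d === "*") {
        findings.push({ workflow: p.workflow, severity: "warn", message: "allows every domain (\"*\")" });
        return;
      }
      if (d.indexOf("*.") === 0) {
        findings.push({ workflow: p.workflow, severity: "info", message: "wildcard subdomain entry " + d });
      }
      if (BUNDLES.indexOf(d) === -1 && usage.get(d) === 1) {
        findings.push({ workflow: p.workflow, severity: "info", message: d + " is allowed only here; confirm it is still needed" });
      }
    });
  });
  return findings;
}

// Constructed sample workflows (hypothetical names and policies).
const SAMPLE_WORKFLOWS: { [name: string]: string } = {
  "sample-review.md": "---\non:\n  pull_request:\nnetwork:\n  allowed:\n    - defaults\n    - github.com\n---\n# Review\n",
  "sample-deps.md": "---\non:\n  schedule: daily\nnetwork:\n  allowed:\n    - defaults\n    - github.com\n    - registry.npmjs.org\n---\n# Deps\n",
  "sample-smoke.md": "---\non:\n  pull_request:\nnetwork:\n  allowed:\n    - \"*\"\n---\n# Smoke\n",
  "sample-docs.md": "---\non:\n  schedule: daily\n---\n# Docs\n",
};

function runAudit(): Finding[] {
  const policies = Object.keys(SAMPLE_WORKFLOWS).map(name => parseNetwork(name, SAMPLE_WORKFLOWS[name]));
  return auditNetwork(policies);
}

runAudit().forEach(f => console.log(f.severity.toUpperCase() + " " + f.workflow + ": " + f.message));
```

On the samples this yields two warnings (the wildcard policy and the workflow with no `network:` block) and one informational finding (`registry.npmjs.org` is allowed by a single workflow). The output is a review aid, not a verdict: whether a host is justified still depends on what the workflow does, which is why the report proposes this as a daily agentic check rather than a hard CI gate.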
Report generated by the Pelis Agent Factory Advisor workflow. Previous run data stored in `cache-memory` at `/tmp/gh-aw/cache-memory/patterns.md`.
Note: This was intended to be a discussion, but discussions could not be created due to permissions issues. This issue was created as a fallback.
Tip: Discussion creation may fail if the specified category is not announcement-capable. Consider using the "Announcements" category or another announcement-capable category in your workflow configuration.
Generated by Pelis Agent Factory Advisor
- expires on Feb 27, 2026, 3:26 AM UTC