refactor: move .github/scripts to .github/automation and add Dockerfile

Consolidate all agent automation assets (scripts, prompts, Dockerfile)
under .github/automation/ for a single home for AI-powered workflows.

- Rename .github/scripts/ -> .github/automation/
- Add Dockerfile for AgentCore Harness PR reviewer container
- Add README documenting the automation directory
- Update all workflow and action references to new paths

Author: jesseturner21

.github/actions/strands-action/action.yml

@@ -159,11 +159,11 @@ runs:
         SYSTEM_PROMPT: ${{ inputs.system_prompt }}
         MCP_SERVERS: ${{ inputs.mcp_servers }}
         STRANDS_PROMPT: ${{ inputs.prompt }}
-        PYTHONPATH: ${{ github.action_path }}:${{ github.workspace }}/.github/scripts/python
+        PYTHONPATH: ${{ github.action_path }}:${{ github.workspace }}/.github/automation/python
         VIRTUAL_ENV: ${{ github.action_path }}/.venv
       run: |
         if [ -f "${{ github.action_path }}/custom_agent_runner.py" ]; then
           "${{ github.action_path }}/.venv/bin/python" "${{ github.action_path }}/custom_agent_runner.py"
         else
-          "${{ github.action_path }}/.venv/bin/python" "${{ github.workspace }}/.github/scripts/python/agent_runner.py"
+          "${{ github.action_path }}/.venv/bin/python" "${{ github.workspace }}/.github/automation/python/agent_runner.py"
         fi

.github/automation/Dockerfile

@@ -0,0 +1,32 @@
+FROM public.ecr.aws/docker/library/python:3.12-slim
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    jq \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install GitHub CLI
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+    > /etc/apt/sources.list.d/github-cli.list \
+    && apt-get update \
+    && apt-get install -y gh \
+    && rm -rf /var/lib/apt/lists/*
+
+# Tokens are passed as build args only — not stored in env vars
+ARG CLONE_TOKEN
+ARG GITHUB_TOKEN
+
+# Configure git to use clone token for HTTPS clones
+RUN git config --global url."https://${CLONE_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+# Persist gh CLI auth so GITHUB_TOKEN doesn't need to be in the environment
+RUN mkdir -p /root/.config/gh \
+    && echo "github.com:" > /root/.config/gh/hosts.yml \
+    && echo "  oauth_token: ${GITHUB_TOKEN}" >> /root/.config/gh/hosts.yml \
+    && echo "  user: agentcore-cli-automation" >> /root/.config/gh/hosts.yml \
+    && echo "  git_protocol: https" >> /root/.config/gh/hosts.yml
+
+WORKDIR /opt/workspace

.github/automation/README.md

@@ -0,0 +1,44 @@
+# Agent Automation
+
+Infrastructure and scripts for AI-powered automation in the agentcore-cli repo.
+
+## Structure
+
+```
+automation/
+├── Dockerfile          # Container image for AgentCore Harness (PR reviewer)
+├── javascript/         # GitHub Actions helper scripts
+│   └── process-inputs.cjs   # Input processing for /strands command workflow
+├── prompts/            # Prompt templates for harness invocations
+│   ├── system.md       # System prompt (workspace context)
+│   └── review.md       # PR review task prompt
+└── python/             # Python scripts
+    ├── harness_review.py           # Invokes AgentCore Harness to review PRs
+    ├── agent_runner.py             # Strands Agent runner for GitHub Actions
+    ├── github_tools.py             # GitHub API tools for Strands Agents
+    ├── handoff_to_user.py          # Agent-to-user handoff tool
+    ├── notebook.py                 # Notebook management tool
+    └── str_replace_based_edit_tool.py  # File editing tool
+```
+
+## Harness PR Reviewer
+
+The Dockerfile builds a container image used by [AgentCore Harness](https://docs.aws.amazon.com/bedrock/latest/userguide/agentcore.html) to review pull requests. The container includes `git`, `gh` CLI, and is configured with GitHub credentials at build time (tokens are baked into git config and gh auth, not exposed as env vars).
+
+The review workflow (`.github/workflows/pr-ai-review.yml`) triggers on PR open/reopen:
+1. Checks the PR author is authorized (team membership or write access)
+2. Assumes an AWS role via OIDC
+3. Runs `harness_review.py` which signs a request with SigV4 and streams the harness response
+
+### Building the container
+
+```bash
+finch build \
+  --build-arg CLONE_TOKEN=<pat-for-cloning> \
+  --build-arg GITHUB_TOKEN=<pat-for-gh-api> \
+  -t pr-reviewer .github/automation/
+```
+
+## Strands Agent
+
+The `agent_runner.py` script powers the `/strands` slash command workflow. It loads tools (GitHub, notebook, editor, MCP servers) and runs a Strands Agent with the configured model and prompts. See `.github/workflows/strands-command.yml`.