Skip to content

Home

Jump to bottom
Emmanuel Knafo, Ph.D. edited this page Apr 3, 2026 · 49 revisions

Agentic Accelerator Framework Wiki

Welcome to the Agentic Accelerator Framework wiki — a living record of building, extending, and operating the framework's four domains (Security, Accessibility, Code Quality, and FinOps) using custom GitHub Copilot agents, GitHub Advanced Security, and Microsoft Defender for Cloud.

This wiki captures real, non-deterministic agentic sessions where Copilot automode and subagents scaffold entire repositories, generate sample applications, build SARIF converters, produce Power BI PBIPs, create workshop labs, and automate screenshot capture — all from a single prompt invocation.

DIY: Build the Code Quality Domain

The DIY guide walks through creating the Code Quality domain's two repositories — code-quality-scan-demo-app (scanner platform with 5 sample apps in C#, Python, Java, TypeScript, and Go) and code-quality-scan-workshop (10 hands-on labs). The following sections document a live Copilot automode session executing this guide end-to-end.

Launching Copilot Automode

With the Agentic Accelerator Framework workspace open in VS Code, the /scaffold-domain domain=code-quality prompt is invoked. Copilot enters automode and the DomainScaffolder agent begins orchestrating the build. The Copilot Chat panel shows the agent's plan with a todo list tracking each scaffolding phase:

VS Code Copilot Chat in automode with DomainScaffolder agent showing the initial scaffolding plan and todo list for the Code Quality domain

Progress can be monitored in VS Code's Explorer panel or by watching newly created repositories appear in the GitHub organization:

VS Code Explorer panel showing the workspace file tree updating as the DomainScaffolder agent generates new files and directories

Non-Deterministic Journey #1

Each run of the scaffolding agent produces a slightly different execution path — this is the nature of agentic workflows. The following screenshots document the first full journey from invocation to completion.

Phase 1: Repository Structure and Planning

The agent analyzes the existing Accessibility and FinOps domain structures to determine the target layout for Code Quality. It reads the Domain Parity and Contribution Guide, the domain scaffolding skill, and the DIY documentation:

VS Code Copilot Chat showing the DomainScaffolder agent analyzing existing domain repositories for structural parity — reading domain-parity-and-contribution.md and SKILL.md

The agent formulates its execution plan, identifying all artifacts to generate — repository scaffolds, GitHub Actions workflows, SARIF converters, bootstrap scripts, and Copilot configuration files:

VS Code Copilot Chat displaying the DomainScaffolder execution plan with phases for repository creation, sample app generation, pipeline setup, and workshop labs

Phase 2: Subagent Delegation

The workload is substantial — 5 sample apps, 10 workshop labs, SARIF converters, Power BI PBIP, bootstrap scripts, and CI/CD pipelines. The DomainScaffolder delegates to subagents (Explore for codebase research, Phase Implementor for file generation) to divide and parallelize the work:

VS Code Copilot Chat showing subagent delegation — DomainScaffolder invoking Explore subagent for codebase analysis and Phase Implementor for file creation

Phase 3: Scaffolding in Progress

With subagents active, files begin materializing. The agent creates directory structures, generates configuration files, and writes initial source code:

VS Code Copilot Chat showing active file generation — agent creating .github/workflows, src/converters, and infra directories with progress updates in the todo list

The scaffolding continues with GitHub Actions workflow files, Dockerfile templates, and Bicep infrastructure definitions:

VS Code Copilot Chat displaying continued scaffolding output — workflow YAML files and infrastructure-as-code templates being generated

Phase 4: Repository Content Emerging

Switching to the VS Code Explorer, the generated file tree becomes visible. The demo-app repository takes shape with its expected structure — src/, infra/, .github/workflows/, scripts/, and Copilot artifacts:

VS Code Explorer showing the code-quality-scan-demo-app repository structure with src/converters, infra/main.bicep, .github/workflows, scripts, and agents directories

The workshop repository scaffolding has not started yet at this point — the agent completes the demo-app first before moving to the workshop:

VS Code Explorer showing the demo-app repository populated while the workshop repository is still empty — sequential scaffolding approach

Back in the Copilot Chat panel, the agent reports progress on the demo-app structure and prepares to generate the 5 sample applications:

VS Code Copilot Chat showing demo-app repository structure complete — agent transitioning to sample app generation phase with updated todo list

Phase 5: Sample App Generation

The agent begins creating the 5 sample applications, each with intentional code quality violations to serve as scanner targets. The apps span C# (ASP.NET Minimal API), Python (Flask), Java (Spring Boot), TypeScript (Next.js), and Go (stdlib net/http):

VS Code Explorer showing code-quality-demo-app-001 through demo-app-005 directories being created with language-specific project files — C#, Python, Java, TypeScript, Go

The generation follows a deliberate order — C# first, then Python, then Java, with each app including infra/main.bicep, Dockerfile, start-local.ps1/stop-local.ps1, and an intentionally incomplete test suite:

VS Code Copilot Chat showing sequential sample app generation — C# ASP.NET app complete, Python Flask app in progress, Java Spring Boot queued

Phase 6: Screenshot Automation and Power BI

With sample apps generated, the agent moves to screenshot automation. It creates capture-screenshots.ps1 and screenshot-manifest.json for manifest-driven screenshot capture across all workshop labs:

VS Code Copilot Chat showing screenshot automation generation — creating capture-screenshots.ps1 with manifest-driven capture supporting freeze-execute, playwright-navigate, and script methods

The agent also generates the Power BI PBIP — a star schema semantic model with Fact_CodeQualityFindings, dimension tables, and four report pages (Quality Overview, Coverage by Repository, Complexity Analysis, Test Generation Tracking):

VS Code Explorer showing generated power-bi directory with TMDL semantic model files, Fact_CodeQualityFindings table definition, and dimension tables for Date, Repository, ScanTool, Language, and Severity

Phase 7: Workshop Labs

The final major phase generates the 10 workshop labs (Labs 00–08 plus ADO variants for Labs 06 and 07). Each lab directory includes step-by-step instructions, expected outputs, and platform-specific sections:

VS Code Explorer showing the workshop repository with lab-00 through lab-08 directories, plus lab-06-ado and lab-07-ado, each containing README.md and step files

Completion

The DomainScaffolder agent marks the task complete. The todo list shows all phases finished — repository structure, sample apps, SARIF converters, bootstrap scripts, GitHub Actions workflows, Power BI PBIP, screenshot automation, and workshop labs:

VS Code Copilot Chat showing DomainScaffolder task complete — all todo items checked, final summary reporting repositories scaffolded with full domain parity

Verification of What Was Done in First Iteration

After the DomainScaffolder completes, manual verification is essential. Agentic scaffolding produces the bulk of the artifacts, but several configuration steps require human review before the repositories are production-ready. The checklist below documents each finding from the first iteration.

Template Repository Flag

The code-quality-scan-workshop repository was created as a regular repo instead of a GitHub template repository. The "Template repository" checkbox in Settings → General must be enabled manually so that new workshop instances can be created via Use this template:

GitHub repository Settings page for code-quality-scan-workshop showing the Template repository checkbox unchecked — needs to be enabled manually

GitHub Pages Enablement

GitHub Pages was not enabled on the workshop repository during scaffolding. Navigate to Settings → Pages and select the deployment branch (typically main or gh-pages) and folder (/docs or root) to activate the workshop site:

GitHub Pages settings for code-quality-scan-workshop showing Pages not yet enabled — Source dropdown set to None

Once Pages is enabled and the source branch is configured, GitHub deploys the Jekyll-based site. The Pages settings page confirms the deployment URL:

GitHub Pages settings after enabling Pages — deployment source configured, site URL shown as devopsabcs-engineering.github.io/code-quality-scan-workshop

Pipeline Trigger Verification

Enabling Pages should trigger the initial GitHub Actions deployment pipeline. Check the Actions tab to confirm the workflow runs successfully. The first run builds and deploys the Jekyll site:

GitHub Actions tab for code-quality-scan-workshop showing the Pages deployment workflow triggered after enabling GitHub Pages

Lab Rendering and Mermaid Diagram Issues

The workshop labs render on GitHub Pages, but Mermaid diagrams embedded in the Markdown do not display correctly. GitHub Pages' default Jekyll renderer does not support Mermaid natively — a custom plugin, JavaScript include, or pre-rendered SVG approach is needed. Screenshots are also missing at this stage since capture-screenshots.ps1 has not been executed yet:

GitHub Pages rendering of a workshop lab showing lab content fully rendered but Mermaid diagram blocks displaying as raw code instead of diagrams — screenshot placeholders also empty

Known issues from first iteration:

  • Mermaid diagrams render as raw code blocks — need Mermaid JS include or pre-rendered SVGs
  • Screenshot placeholders are empty — run capture-screenshots.ps1 after demo apps are deployed

Repository Metadata Gaps

Both the code-quality-scan-demo-app and code-quality-scan-workshop repositories are missing several metadata items that the existing Accessibility and FinOps domains have:

  • No topics/tags — Add relevant GitHub topics (code-quality, sarif, github-copilot, agentic-ai, workshop, etc.)
  • No description — Set the repository description in Settings → General
  • No website link — Add the GitHub Pages URL to the About section (top-right of the repo page) so users can discover the workshop site
GitHub repository About section for code-quality-scan-workshop showing empty Description, no Website URL, and no Topics — all need to be populated for discoverability

Next Steps: Manual Actions Required

The following actions must be completed manually before the Code Quality domain reaches full parity with the existing Accessibility and FinOps domains:

  1. Enable the template flag on code-quality-scan-workshop
  2. Add repository topics, description, and website URL to both repos
  3. Fix Mermaid rendering — add a Mermaid JS include to the Jekyll layout or pre-render diagrams as SVGs
  4. Run deploy-all.yml — deploy all 5 demo apps to Azure so the scanner targets are live
  5. Run capture-screenshots.ps1 — capture all workshop screenshots after demo apps are deployed
  6. Run bootstrap scripts (setup-oidc.ps1, bootstrap-demo-apps.ps1) if Azure AD federation has not been configured

The deploy-all workflow is available in the demo-app repository's Actions tab. Trigger it manually to provision all 5 sample applications to Azure App Service:

GitHub Actions tab for code-quality-scan-demo-app showing the deploy-all workflow ready to be triggered manually — deploys all 5 demo apps to Azure App Service

Bootstrap and Deployment — Hands-On Fixes

Before deploy-all.yml can succeed, the Azure AD federation and GitHub secrets infrastructure must be in place. This section documents the bootstrap process and the issues encountered during the first iteration.

Running the Bootstrap Scripts

The correct execution order is:

  1. setup-oidc.ps1 — Creates Azure AD app registrations and federated credentials for workload identity federation (OIDC)
  2. bootstrap-demo-apps.ps1 — Creates the 5 demo-app repositories, pushes content, and configures GitHub secrets and environments

Attempting to deploy before running these scripts results in authentication failures. The bootstrap script output confirms the initial setup:

VS Code terminal showing bootstrap-demo-apps.ps1 execution — creating demo-app repositories and configuring GitHub secrets for Azure deployment

Bootstrap Script Failures and Fixes

The first run of bootstrap-demo-apps.ps1 encountered errors. The script created the first two demo-app repositories successfully but failed midway through the third:

VS Code terminal showing bootstrap-demo-apps.ps1 error output — script failed after creating code-quality-demo-app-001 and demo-app-002, error on demo-app-003

The GitHub organization confirms that only two of the five expected repositories were created before the script halted:

GitHub organization page for devopsabcs-engineering showing code-quality-demo-app-001 and demo-app-002 repositories created, but demo-app-003 through demo-app-005 missing

The fix was applied directly in VS Code by editing the bootstrap script to handle the error condition:

VS Code editor open on bootstrap-demo-apps.ps1 showing the code fix being applied to resolve the repository creation failure

OIDC Setup and Iterative Debugging

Copilot can assist with identifying the next step when the bootstrap process stalls. Asking Copilot for guidance surfaces that setup-oidc.ps1 must run before the deployment workflows can authenticate:

VS Code Copilot Chat recommending the next step — run setup-oidc.ps1 to configure Azure AD workload identity federation before attempting deployment

Running setup-oidc.ps1 creates the Azure AD app registrations and configures federated credentials for each demo-app repository:

VS Code terminal showing setup-oidc.ps1 execution — creating Azure AD app registrations and configuring federated credentials for workload identity

Additional issues surface during the OIDC setup — typically around permissions, subscription scoping, or pre-existing registrations. Each issue is resolved iteratively:

VS Code terminal showing setup-oidc.ps1 error output with Azure CLI permission or configuration issue requiring manual fix

Script Idempotency

After several iterations of fixing and re-running, both bootstrap scripts stabilize. A critical design principle emerged: both scripts must be idempotent — safe to re-run without duplicating resources or failing on already-existing artifacts:

VS Code terminal showing successful re-run of bootstrap-demo-apps.ps1 — all 5 demo-app repositories confirmed without errors, demonstrating idempotent execution

The idempotency pattern uses az ad app list --filter and gh repo view --json checks before creating resources, ensuring safe re-execution:

VS Code editor showing idempotent guard logic in bootstrap script — checking for existing Azure AD app registrations and GitHub repos before creating new ones

Subscription Scope and Resource Group Chicken-or-Egg Problem

A notable finding: the OIDC app registration required subscription-level scope because the target resource group did not yet exist. The deployment workflow itself creates the resource group, creating a circular dependency. For this proof of concept, subscription-level scope was used, though a production deployment should use a more restrictive RBAC approach:

Azure portal or VS Code showing the app registration with subscription-level Contributor role assignment — broader than ideal but necessary because the resource group does not yet exist

Security note: Subscription-level Contributor is acceptable for a POC but should be scoped to a dedicated resource group in production. Consider pre-creating the resource group in a separate Bicep module or using a two-stage deployment (resource group first, then app deployment with scoped RBAC).

Deploy-All Workflow Execution

With OIDC configured and bootstrap complete, the deploy-all.yml workflow can finally run. The first attempt surfaces deployment-specific issues that need resolution:

GitHub Actions tab showing deploy-all workflow run with initial deployment errors — Azure authentication or resource provisioning failures visible in the job logs

The workflow presents multiple configuration options for resolving the deployment issue. The error details and proposed solutions are visible in the Actions log:

GitHub Actions workflow run log showing deployment error details with proposed resolution options — Option A, Option B approaches for fixing the Azure deployment configuration

Azure App Registration and Client Secret Setup

Option A requires creating a client secret for the Azure AD app registration. The following steps walk through the Azure portal configuration:

Navigate to Azure AD → App registrations → Certificates & secrets and create a new client secret:

Azure portal App registrations page showing the code-quality app registration selected, navigating to Certificates and secrets blade

Configure the secret description and expiration period:

Azure portal Certificates and secrets blade showing the Add a client secret dialog with description field and expiration dropdown Azure portal showing client secret configuration — setting expiration period and description for the new secret

After clicking Add, copy the generated secret value immediately (it is shown only once) and set it as a GitHub repository secret:

Azure portal showing newly generated client secret value — must be copied immediately as it cannot be retrieved later GitHub repository Settings — Secrets and variables page showing the AZURE_CLIENT_SECRET being configured with the value from the Azure portal

Missing Deploy Workflows in Sample App Repos

A key learning from the first iteration: the individual sample app repositories (code-quality-demo-app-001 through demo-app-005) were scaffolded without their own deploy.yml workflow files. The deploy-all.yml in the parent repository expects each sample app to have a callable deployment workflow:

GitHub repository file listing for a code-quality-demo-app showing .github/workflows directory empty or missing deploy.yml — workflow file was not generated during scaffolding VS Code editor showing the deploy.yml workflow file being created for the sample app repositories — defines the Azure App Service deployment steps

After adding the missing deploy workflows, the bootstrap script is re-run (leveraging its idempotent design) to push the updated content to all repositories:

VS Code terminal showing bootstrap-demo-apps.ps1 successful re-run after adding deploy.yml workflows — all 5 repositories updated with deployment pipelines

Deploy-All Results and Observations

With all fixes in place, the deploy-all.yml workflow runs successfully. However, the current implementation deploys all 5 apps sequentially rather than in parallel, resulting in longer execution times:

GitHub Actions deploy-all workflow run showing all 5 demo app deployments completing sequentially — each job runs after the previous one finishes instead of in parallel

Critical observations from the first iteration deploy-all:

  1. Sequential deployment — All 5 app deployments run sequentially. These should execute in parallel using a matrix strategy or separate concurrent jobs to reduce total deployment time.
  2. Silent failure masking — The workflow reports overall success even when individual app deployments fail. It should fail the entire run if any single deployment fails.
  3. Missing workflow summary — The completed workflow does not publish the deployed application URLs to the GitHub Actions job summary. The Accessibility and FinOps domains include summary links — Code Quality should match.
  4. Missing per-app documentation — Each demo-app repository should include a wiki page and screenshots showing the running application, matching the pattern established by the Accessibility and FinOps domains.

continue hands on fixes and learnings

now deploy yields:

image

Clone this wiki locally