Run contributor checks from AGT scripts (#1617)

* Run contributor checks from AGT scripts

Fetch the pinned AGT contributor check scripts directly and execute them with Python so the workflow no longer depends on missing console entrypoints from the published package.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Log contributor check JSON outputs

Dump the raw AGT JSON outputs and stderr logs in the contributor check workflow to make future debugging easier.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: aaronpowell

.github/workflows/contributor-check.yml

@@ -29,8 +29,15 @@ jobs:
         with:
           python-version: "3.12"
 
-      - name: Install AGT CLI
-        run: pip install --quiet 'agent-governance-toolkit==3.3.0'
+      - name: Fetch AGT check scripts
+        env:
+          AGT_REF: v3.3.0
+        run: |
+          mkdir -p /tmp/agt
+          curl -fsSL "https://raw.githubusercontent.com/microsoft/agent-governance-toolkit/${AGT_REF}/scripts/contributor_check.py" \
+            -o /tmp/agt/contributor_check.py
+          curl -fsSL "https://raw.githubusercontent.com/microsoft/agent-governance-toolkit/${AGT_REF}/scripts/credential_audit.py" \
+            -o /tmp/agt/credential_audit.py
 
       - name: Determine author
         id: author
@@ -50,21 +57,66 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set +e
-          agt-contributor-check \
+          python3 /tmp/agt/contributor_check.py \
             --username "${{ steps.author.outputs.username }}" \
+            --repo "${{ github.repository }}" \
             --json > /tmp/profile.json 2>/tmp/profile.log
+          status=$?
           set -e
+          if [ "$status" -ne 0 ] && [ ! -s /tmp/profile.json ]; then
+            echo "::warning::Profile check failed"
+            if [ -s /tmp/profile.log ]; then
+              sed -n '1,120p' /tmp/profile.log
+            fi
+          fi
 
       - name: Run credential audit
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set +e
-          agt-credential-audit \
+          python3 /tmp/agt/credential_audit.py \
             --username "${{ steps.author.outputs.username }}" \
             --repo "${{ github.repository }}" \
             --json > /tmp/cred.json 2>/tmp/cred.log
+          status=$?
           set -e
+          if [ "$status" -ne 0 ] && [ ! -s /tmp/cred.json ]; then
+            echo "::warning::Credential audit failed"
+            if [ -s /tmp/cred.log ]; then
+              sed -n '1,120p' /tmp/cred.log
+            fi
+          fi
+
+      - name: Dump check outputs
+        if: always()
+        run: |
+          dump_json() {
+            label="$1"
+            file="$2"
+            log_file="$3"
+
+            echo "::group::${label} JSON"
+            if [ -s "$file" ]; then
+              if jq . "$file"; then
+                :
+              else
+                cat "$file"
+              fi
+            else
+              echo "<missing>"
+            fi
+            echo "::endgroup::"
+
+            if [ -s "$log_file" ]; then
+              echo "::group::${label} stderr"
+              sed -n '1,120p' "$log_file"
+              echo "::endgroup::"
+            fi
+          }
+
+          dump_json "Profile check" /tmp/profile.json /tmp/profile.log
+          dump_json "Credential audit" /tmp/cred.json /tmp/cred.log
 
       - name: Resolve check risks
         id: results