Turns prompts into PRs. Delegates to Copilot. Refuses to auto-merge. The coding-agent workflow, but with adult supervision.
Look, we all know the dream: write a prompt, get a PR, merge it, ship it. But in reality? You probably want a human to glance at the code before it goes to prod. That's what this action does β it uses GitHub Copilot CLI to generate changes, opens a PR, assigns you as the reviewer, and then gets out of the way.
No auto-merging. No surprises. Just automation with a safety net.
- AI-Powered Code Generation: Uses the new
@github/copilotnpm package (not the deprecatedgh copilotextension) - Secure by Default: Real input validation with
sanitize-filenameandvalidator(no homemade regex disasters) - Real Logging: Structured JSON logs via
pino(becauseconsole.logis for debugging, not production) - Pre-commit Hooks: Lefthook runs format β lint β test before every commit (you can thank me later)
- Responsible AI Compliance: Enforces RAI attribution in commits via
@checkmarkdevtools/commitlint-plugin-rai - Security Scanning: CodeQL + Gitleaks on every push (catching secrets before they become incidents)
- Quality Gate: CI won't pass unless format, lint, build, and test all succeed
- Automated PRs: Creates a branch, commits changes, opens a PR, and assigns the workflow actor
- Production-Ready: Concurrency control, permissions scoping, and timeouts built-in
name: Delegate Task
on:
workflow_dispatch:
inputs:
filename:
description: 'Optional file to process'
required: false
branch:
description: 'Target branch'
required: false
default: 'main'
concurrency:
group: delegate-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: write
pull-requests: write
jobs:
delegate:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
- uses: ChecKMarKDevTools/delegate-action@v0
with:
PRIVATE_TOKEN: ${{ secrets.GH_PAT }}
filename: ${{ github.event.inputs.filename }}
branch: ${{ github.event.inputs.branch }}| Input | Description | Required | Default |
|---|---|---|---|
PRIVATE_TOKEN |
Personal Access Token for GitHub Copilot CLI | Yes | - |
filename |
Optional filename in the repository to process | No | '' |
branch |
Target branch to base changes on | No | main |
| Output | Description |
|---|---|
pr_number |
The number of the created pull request |
branch |
The name of the branch containing the changes |
- Validate File: Uses
sanitize-filenameandvalidatorto ensure input safety (no path traversal, no funny business) - Run Copilot: Executes
@github/copilotnpm package with instructions - Create Branch: Generates a timestamped branch (e.g.,
copilot/delegate-2026-01-17T05-30-00-000Z) - Commit & Push: Commits changes with a Conventional Commit message
- Review & Docs: Runs Copilot again for review, documentation, and test suggestions
- Create PR: Opens a pull request with a clear description
- Assign Actor: Assigns the PR to the workflow actor (you)
Then you review, approve, and merge. Or don't. That's the point.
- Node.js: v22+ (managed via Volta)
- npm: v10+
npm installThis will:
- Install all dependencies
- Set up Lefthook pre-commit hooks (format β lint β test)
- Configure Volta to pin Node.js 22.13.1
npm run buildCompiles the action into dist/ using @vercel/ncc. The dist/ folder is committed to the repo because GitHub Actions requires it.
npm run lintRuns ESLint with the flat config (eslint.config.mjs). Targets ECMAScript 2024 (Node.js 22 LTS).
npm run format # Auto-fix
npm run format:check # Check onlyUses Prettier to enforce consistent code style.
npm testCurrently just a placeholder. Add real tests, you coward.
This action takes security seriously:
- Input Validation: All filenames are sanitized with
sanitize-filenameand validated withvalidator - Path Traversal Protection: Absolute paths and
..sequences are rejected - File Size Limits: Files larger than 1MB are rejected to prevent memory exhaustion
- Secret Scanning: Gitleaks runs on every push and PR to catch leaked credentials
- CodeQL Analysis: Weekly SAST scans to detect security vulnerabilities
- Dependency Auditing: Automated dependency updates and security advisories
See SECURITY.md for more details.
- AGENTS.md: Detailed breakdown of all CI/CD agents (security, quality, release)
- CONTRIBUTING.md: How to contribute (spoiler: follow Conventional Commits or get rejected)
- SECURITY.md: Security policy and vulnerability reporting
- Fork the repo
- Create a feature branch (
git checkout -b feat/amazing-feature) - Follow Conventional Commits
- Include RAI attribution in your commits (enforced by
@checkmarkdevtools/commitlint-plugin-rai) - Pre-commit hooks will run format β lint β test
- Push your branch and open a PR
See CONTRIBUTING.md for details.
MIT License - see LICENSE for details.
Because sometimes you want AI to write code for you, but you're not quite ready to let it deploy to production unsupervised. This action is the middle ground: automation without the anxiety.
If you want full autonomy, there are other tools for that. This one is for the rest of us who still like to know what's going into main.
Built with questionable life choices and excessive caffeine by ChecKMarK DevTools.