Implement agentic maintenance infrastructure for automated repository workflows

[Copilot]

What This PR Contributes

Implements hierarchical AI agent system to automate repository maintenance across six specialized domains.

Architecture (4-level hierarchy)

• Level 1: Issue templates (.github/ISSUE_TEMPLATE/*.yml) - workflow entry points
• Level 2: Agent definitions (.github/agents/*.md) - specialized AI personas with executable commands, code examples, clear boundaries
• Level 3: Instructions (.github/instructions/*.instructions.md) - file-scoped rules auto-applied via applyTo patterns
• Level 4: Prompts (.github/prompts/*.prompt.md) - detailed task guidance

Specialized Agents (6)

• CDS Extractor: TypeScript development, Jest testing, npm dependency management
• CAP Modeling: CodeQL queries/libraries for SAP CAP framework security patterns
• UI5 Modeling: CodeQL queries/libraries for SAPUI5 framework (XML views, binding expressions, XSS/path/formula injection)
• XSJS Modeling: CodeQL queries/libraries for SAP XSJS framework ($.request, SQL injection)
• Dependency Upgrade: Node.js packages, CodeQL/QLT CLI versions, GitHub Actions versions
• GitHub Maintenance: Agents, instructions, prompts, templates, workflows

Each agent follows GitHub's agents.md best practices: frontmatter metadata, commands section early, code examples, explicit boundaries, focused scope.

Documentation

• PROMPTS.md: Complete hierarchy with mermaid diagram showing relationships
• .github/instructions/README.md: Instructions directory guide with usage patterns
• Each agent/instruction/prompt cross-references related files

Structure

.github/
├── ISSUE_TEMPLATE/         # 6 templates (1 per agent)
├── agents/                 # 6 agent definitions
├── instructions/           # 7 files (6 + README)
├── prompts/                # 6 task guides
└── PULL_REQUEST_TEMPLATE/  # Moved from root
PROMPTS.md                  # Hierarchy documentation

Implementation Details

• All YAML syntax validated
• Instructions use applyTo glob patterns for automatic file-scoped application
• Agents reference historical issues/PRs (Improve precision CDS source model (FNs) #101, Fix FN cap sources #109, Separate cap from non-cap sinks #95, Separate CAP from non-CAP alerts #96, Verify the results of Code Scanning using sarif diff #57, Add sarif-diff to Code Scanning workflow #58, writeAttributeEscaped erroneously included in SinkModel #34, Track dataflow through event handlers and their parameters #40, UI5 support flow through event handlers #24) as pattern examples
• Mermaid diagram visualizes complete dependency graph

Future Works

• Validate issue template rendering in GitHub UI
• Create initial test issues per agent to validate system
• Expand prompts with domain-specific AST patterns and common pitfalls
• Add workflow automation for agent assignment based on file paths
• Integrate with CodeQL query-server2 for TDD optimization (per codeql-development-template pattern)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Agentic maintenance of advanced-security/codeql-sap-js repository</issue_title>
<issue_description>
This issue tracks the implementation and validation of agentic maintenance capabilities for this repository, where "maintenance" is intentionally vague for our use case and applies to any development, testing, or other repository-specific task that has been done before and could reasonably be repeated and validated via some complementary set of agentic AI agents, with each "agent" described by a .github/agents/*.md file and backed by the Copilot Coding Agent (CCA) issue-assignment-to-PR workflow.

Purpose

The overall of this "agentic maintenance" approach is to minimize the amount of human time required purely for the maintenance of this repository

Another way to rephrase this "purpose" would be: All good admins are lazy. And we want to be great admins.

Requirements

Requirements to prepare .github/** for agentic maintenance:

• Setup subdirectories and .github/** contents for Issue templates, PR templates, agents, instructions, and prompts by following the approach used in advanced-security/codeql-development-template/.github/;
• Implement a "hierarchy of prompts" similar to advanced-security/codeql-development-template/PROMPTS.md, where we want our .github/ISSUE_TEMPLATE/*.yml templates and our .github/agents/*.md agents to be at the top of the hierarchy of prompts and .github/prompts/*.prompt.md prompts to be at the bottom of the hierarchy and .github/instructions/*.instructions.md instructions to be the middle layer that links to the top and bottom layers of the prompts hierarchy.
• Ensure .github/agents/*.md agents are create using best practices from the how-to-write-a-great-agents-md-lessons-from-over-2500-repsitories guide. The CCA firewall should allow a fetch of that guide, which should form the basis of your understanding for how to implement a complementary set of .github/agents/*.md agents for:
  • CDS extractor development, testing, node dependency upgrades, etc -- this agent must extend/improve/include the existing .github/instructions/extractors_cds_tools_ts.instructions.md instructions;
  • Development of custom CodeQL .ql queries and .qll library modeling for CAP framework;
  • Development of custom CodeQL .ql queries and .qll library modeling for UI5 framework;
  • Development of custom CodeQL .ql queries and .qll library modeling for XSJS framework;
  • Regular upgrades of codeql and qlt CLI dependencies as well as other actions/software versions used in .github/workflows/*.yml actions workflows of this repository;
  • Maintenance of the .github/** implementation of agents, instructions, prompts, issue templates, PR templates, and actions workflows;

Related Issues and PRs

The following closed Issues and Pull Requests (PRs) from this repository should be fetched for context on the types of issues we expect to be able to assign to our agents and the types of changes required to submit and merge a given PR:

• Improve precision CDS source model (FNs) #101
• Fix FN cap sources #109
• Separate cap from non-cap sinks #95
• Separate CAP from non-CAP alerts #96
• Verify the results of Code Scanning using sarif diff #57
• Add sarif-diff to Code Scanning workflow #58
• writeAttributeEscaped erroneously included in SinkModel #34
• Track dataflow through event handlers and their parameters #40
• UI5 support flow through event handlers #24
• [https://github.com/Upgrade CodeQL CLI dependency to v2.23.3 #246](https://github.com/advance...

• Fixes Agentic maintenance of advanced-security/codeql-sap-js repository #259

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.