--- name: github-ai-features-2025 description: GitHub AI-powered security and automation features for 2025 --- ## 🚨 CRITICAL GUIDELINES ### Windows File Path Requirements **MANDATORY: Always Use Backslashes on Windows for File Paths** When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`). **Examples:** - ❌ WRONG: `D:/repos/project/file.tsx` - ✅ CORRECT: `D:\repos\project\file.tsx` This applies to: - Edit tool file_path parameter - Write tool file_path parameter - All file operations on Windows systems ### Documentation Guidelines **NEVER create new documentation files unless explicitly requested by the user.** - **Priority**: Update existing README.md files rather than creating new documentation - **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise - **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone - **User preference**: Only create additional .md files when user specifically asks for documentation --- # GitHub AI Features 2025 ## Trunk-Based Development (TBD) Modern workflow used by largest tech companies (Google: 35,000+ developers): ### Principles 1. **Short-lived branches:** Hours to 1 day maximum 2. **Small, frequent commits:** Reduce merge conflicts 3. **Continuous integration:** Always deployable main branch 4. **Feature flags:** Hide incomplete features ### Implementation ```bash # Create task branch from main git checkout main git pull origin main git checkout -b task/add-login-button # Make small changes git add src/components/LoginButton.tsx git commit -m "feat: add login button component" # Push and create PR (same day) git push origin task/add-login-button gh pr create --title "Add login button" --body "Implements login UI" # Merge within hours, delete branch gh pr merge --squash --delete-branch ``` ### Benefits - Reduced merge conflicts (75% decrease) - Faster feedback cycles - Easier code reviews (smaller changes) - Always releasable main branch - Simplified CI/CD pipelines ## GitHub Secret Protection (AI-Powered) AI detects secrets before they reach repository: ### Push Protection ```bash # Attempt to commit secret git add config.py git commit -m "Add config" git push # GitHub AI detects secret: """ ⛔ Push blocked by secret scanning Found: AWS Access Key Pattern: AKIA[0-9A-Z]{16} File: config.py:12 Options: 1. Remove secret and try again 2. Mark as false positive (requires justification) 3. Request review from admin """ # Fix: Use environment variables # config.py import os aws_key = os.environ.get('AWS_ACCESS_KEY') git add config.py git commit -m "Use env vars for secrets" git push # ✅ Success ``` ### Supported Secret Types (AI-Enhanced) - AWS credentials - Azure service principals - Google Cloud keys - GitHub tokens - Database connection strings - API keys (OpenAI, Stripe, etc.) - Private keys (SSH, TLS) - OAuth tokens - Custom patterns (regex-based) ## GitHub Code Security ### CodeQL Code Scanning AI-powered static analysis: ```yaml # .github/workflows/codeql.yml name: "CodeQL" on: push: branches: [ main ] pull_request: branches: [ main ] jobs: analyze: runs-on: ubuntu-latest permissions: security-events: write steps: - name: Checkout uses: actions/checkout@v3 - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: languages: javascript, python, java - name: Autobuild uses: github/codeql-action/autobuild@v2 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 ``` **Detects:** - SQL injection - XSS vulnerabilities - Path traversal - Command injection - Insecure deserialization - Authentication bypass - Logic errors ### Copilot Autofix AI automatically fixes security vulnerabilities: ```python # Vulnerable code detected by CodeQL def get_user(user_id): query = f"SELECT * FROM users WHERE id = {user_id}" # ❌ SQL injection return db.execute(query) # Copilot Autofix suggests: def get_user(user_id): query = "SELECT * FROM users WHERE id = ?" return db.execute(query, (user_id,)) # ✅ Parameterized query # One-click to apply fix ``` ## GitHub Agents (Automated Workflows) AI agents for automated bug fixes and PR generation: ### Bug Fix Agent ```yaml # .github/workflows/ai-bugfix.yml name: AI Bug Fixer on: issues: types: [labeled] jobs: autofix: if: contains(github.event.issue.labels.*.name, 'bug') runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Analyze Bug uses: github/ai-agent@v1 with: task: 'analyze-bug' issue-number: ${{ github.event.issue.number }} - name: Generate Fix uses: github/ai-agent@v1 with: task: 'generate-fix' create-pr: true pr-title: "Fix: ${{ github.event.issue.title }}" ``` ### Automated PR Generation ```bash # GitHub Agent creates PR automatically # When issue is labeled "enhancement": # 1. Analyzes issue description # 2. Generates implementation code # 3. Creates tests # 4. Opens PR with explanation # Example: Issue #42 "Add dark mode toggle" # Agent creates PR with: # - DarkModeToggle.tsx component # - ThemeContext.tsx provider # - Tests for theme switching # - Documentation update ``` ## Dependency Review (AI-Enhanced) AI analyzes dependency changes in PRs: ```yaml # .github/workflows/dependency-review.yml name: Dependency Review on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 - name: Dependency Review uses: actions/dependency-review-action@v3 with: fail-on-severity: high fail-on-scopes: runtime ``` **AI Insights:** - Known vulnerabilities in new dependencies - License compliance issues - Breaking changes in updates - Alternative safer packages - Dependency freshness score ## Trunk-Based Development Workflow ### Daily Workflow ```bash # Morning: Sync with main git checkout main git pull origin main # Create task branch git checkout -b task/user-profile-api # Work in small iterations (2-4 hours) # First iteration: API endpoint git add src/api/profile.ts git commit -m "feat: add profile API endpoint" git push origin task/user-profile-api gh pr create --title "Add user profile API" --draft # Continue work: Add tests git add tests/profile.test.ts git commit -m "test: add profile API tests" git push # Mark ready for review gh pr ready # Get review (should happen within hours) # Merge same day gh pr merge --squash --delete-branch # Next task: Start fresh from main git checkout main git pull origin main git checkout -b task/profile-ui ``` ### Small, Frequent Commits Pattern ```bash # ❌ Bad: Large infrequent commit git add . git commit -m "Add complete user profile feature with API, UI, tests, docs" # 50 files changed, 2000 lines # ✅ Good: Small frequent commits git add src/api/profile.ts git commit -m "feat: add profile API endpoint" git push git add src/components/ProfileCard.tsx git commit -m "feat: add profile card component" git push git add tests/profile.test.ts git commit -m "test: add profile tests" git push git add docs/profile.md git commit -m "docs: document profile API" git push # Each commit: 1-3 files, 50-200 lines # Easier reviews, faster merges, less conflicts ``` ## Security Best Practices (2025) 1. **Enable Secret Scanning:** ```bash # Repository Settings → Security → Secret scanning # Enable: Push protection + AI detection ``` 2. **Configure CodeQL:** ```bash # Add .github/workflows/codeql.yml # Enable for all languages in project ``` 3. **Use Copilot Autofix:** ```bash # Review security alerts weekly # Apply Copilot-suggested fixes # Test before merging ``` 4. **Implement Trunk-Based Development:** ```bash # Branch lifespan: <1 day # Commit frequency: Every 2-4 hours # Main branch: Always deployable ``` 5. **Leverage GitHub Agents:** ```bash # Automate: Bug triage, PR creation, dependency updates # Review: All AI-generated code before merging ``` ## Resources - [Trunk-Based Development](https://trunkbaseddevelopment.com) - [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning) - [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) - [GitHub Copilot for Security](https://github.com/features/security)