Add GitHub coding agent network (orchestrator, code-review, issue-triage, KDE Plasma checker)

[Copilot]

Adds a self-contained, four-agent coding automation network that runs entirely within GitHub Actions using only GITHUB_TOKEN — no external services or extra secrets required.

Agents

• Orchestrator (agents/orchestrator.py + agent-orchestrator.yml)
  Runs daily at 06:00 UTC (or on-demand via workflow_dispatch). Discovers all open PRs and issues via the GitHub REST API and fans out to the specialist agents. The task input accepts: code-review | issue-triage | plasma | all

• Code-Review Agent (agents/code_reviewer.py + agent-code-review.yml)
  Triggers on every PR open/sync/reopen. Scans each added diff line for:

  • TODO / FIXME / HACK markers
  • Hard-coded credentials (password = "...", api_key = "...", etc.)
  • Unsafe C calls: gets(), strcpy(), printf(user_var) (format-string)
  • Posts a structured review comment summarising all findings.

• Issue-Triage Agent (agents/issue_triager.py + agent-issue-triage.yml)
  Triggers on issues.opened. Classifies issues by keyword matching against built-in rules (bug, enhancement, question, documentation, security, build, performance), creates any missing labels, applies them, and posts a triage comment.

• KDE Plasma Checker Agent (agents/plasma_checker.py + agent-plasma-checker.yml)
  Triggers on PRs that touch .cpp, .h, .qml, or .js files. Scans each added line for KDE Plasma / Qt antipatterns, including:

  • new QObject() with no parent argument (memory-leak risk)
  • Manual delete statements (prefer Qt parent-child ownership or smart pointers)
  • Removed Qt APIs (QString::fromAscii)
  • Old-style SIGNAL()/SLOT() macro connections → type-safe pointer-to-member syntax
  • QApplication::processEvents() re-entrancy hazard
  • Deprecated Plasma QML imports (org.kde.plasma.core 2.0)
  • Inline setStyleSheet() vs. proper KDE theming
  • Missing QVariant::canConvert checks
    Each finding links directly to the relevant Qt/KDE documentation.

Coordination

The orchestrator dispatches specialist agents via workflow_dispatch against the default branch, avoiding failures from deleted or short-lived head refs.

Orchestrator (daily / manual)
    ├── workflow_dispatch → agent-code-review.yml      (per open PR)
    ├── workflow_dispatch → agent-plasma-checker.yml   (per open PR)
    └── workflow_dispatch → agent-issue-triage.yml     (per open issue)

Other

• .gitignore added (Python cache, build artifacts, .vscode/)
• agents/README.md documents architecture and manual dispatch instructions for all four agents

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Joosibaeri]

@copilot auch plasma (by kde)

[Copilot]

@copilot auch plasma (by kde)

Done! Added a KDE Plasma / Qt checker agent (agents/plasma_checker.py + agent-plasma-checker.yml) in commit 169fb9b.

It scans PR diffs in Qt/QML source files for 12 antipatterns, including:

• new QObject() with no parent (memory-leak risk)
• Manual delete statements (prefer Qt parent-child ownership)
• Old-style SIGNAL()/SLOT() macro connections → type-safe syntax
• Removed Qt APIs (QString::fromAscii)
• QApplication::processEvents() re-entrancy hazard
• Deprecated Plasma QML imports (org.kde.plasma.core 2.0)
• Inline setStyleSheet() vs. proper KDE theming

Each finding links directly to the relevant Qt/KDE documentation. The orchestrator also dispatches it daily via the new plasma task option.

[github-actions]

🤖 Automated Code Review

Changed files

• .github/workflows/agent-code-review.yml (+45 lines)
• .github/workflows/agent-issue-triage.yml (+45 lines)
• .github/workflows/agent-orchestrator.yml (+39 lines)
• .github/workflows/agent-plasma-checker.yml (+53 lines)
• .gitignore (+12 lines)
• agents/README.md (+105 lines)
• agents/code_reviewer.py (+168 lines)
• agents/issue_triager.py (+158 lines)
• agents/orchestrator.py (+109 lines)
• agents/plasma_checker.py (+261 lines)

Findings

• - TODO/FIXME/HACK markers → ⚠️ Unresolved TODO comment found.
• - TODO/FIXME/HACK markers → 🔴 FIXME marker – please address before merging.
• - TODO/FIXME/HACK markers → 🟠 HACK marker – consider a cleaner approach.
• - Unsafe C calls (gets, strcpy, bare printf(var)) → 🛡️ Potential format-string vulnerability: user input passed as format string.
• (re.compile(r"\bTODO\b"), "⚠️ Unresolved TODO comment found."), → ⚠️ Unresolved TODO comment found.
• (re.compile(r"\bFIXME\b"), "🔴 FIXME marker – please address before merging."), → 🔴 FIXME marker – please address before merging.
• (re.compile(r"\bHACK\b"), "🟠 HACK marker – consider a cleaner approach."), → 🟠 HACK marker – consider a cleaner approach.
• (re.compile(r"gets\s*\("), "🛡️ Unsafe gets()call – usefgets() instead."), → 🛡️ Unsafe gets() call – use fgets() instead.
• (re.compile(r"strcpy\s*\("), "🛡️ Unsafe strcpy()– considerstrncpy()orstrlcpy()."), → 🛡️ Unsafe strcpy() – consider strncpy() or strlcpy().

---

Reviewed by the CloudPhone Code-Review Agent – PR #6