
Add integrations workflow with SAST and best practices checks #20

Draft
Copilot wants to merge 3 commits into main from copilot/add-ai-toolkit-security-workflow

Conversation

Contributor

Copilot AI commented Feb 18, 2026

Implements GitHub Actions workflow for platform integration validation, security scanning, and code quality checks. All jobs use graceful degradation for missing dependencies/secrets.

Workflow Structure

Platform Integrations (integrations job)

  • Detects 10 secrets (OpenAI, ManyChat, BotBuilders, MoltBook, MoltBot, OpenClaw, GitHub PAT, webhook URLs) without exposing values
  • Dry-run connectivity tests with conditional execution via if: guards
  • Skips services when secrets unavailable

Security SAST (security job)

  • Semgrep (p/ci ruleset) with optional install fallback
  • ShellCheck for shell scripts
  • Basic style checks (trailing whitespace, large files)
  • Non-blocking - continues on tool absence or findings

Best Practices (ai-coding-best-practices job)

  • Semgrep, ShellCheck, markdownlint-cli2
  • Detects Python/JS projects and references existing CI
  • All checks optional and informational

Configuration

Created config/services.example.json documenting:

  • 8 platform integrations with env var patterns
  • SERVICE_BASE_URL_* pattern for custom endpoints
  • Security best practices and setup instructions
  • Clarifies interchangeable env var names (e.g., BOTBUILDERS_API_KEY vs BOTBUILDERS_API_TOKEN)

Implementation Notes

  • Jobs are independent (intentional duplication) for selective execution
  • Uses bash/curl, avoids heavy dependencies
  • Tools installed on-demand with pip/apt-get fallbacks
  • Secrets referenced exclusively via ${{ secrets.* }}
  • Added config/services.json to .gitignore

Triggers

  • Push to main
  • workflow_dispatch (manual)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.openai.com
    • Triggering command: /usr/bin/curl curl -s -o /dev/null -w HTTP Status: %{http_code}\n -H Content-Type: application/json REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Add a Full Stack AI Toolkit + AI Full Stack Security + AI Coding/Best-Practices workflow to lippytm/Web3AI.

Deliverables:

  1. GitHub Actions workflow: .github/workflows/integrations.yml

    • Triggers: push to main and workflow_dispatch.
    • Jobs (all dependency-light, bash/curl; skip gracefully if tools/targets absent):
      a) Integrations: checkout; detect presence of secrets (mask values); placeholder connectivity steps for OpenAI, ManyChat, BotBuilders, Moltbook, Moltbot, OpenClaw, GitHub. If a secret is missing, skip that service.
      b) Security: minimal lint/style + basic SAST with safe fallbacks. Example: run semgrep --config=p/ci if available/installed; otherwise echo skipped. Run shellcheck if available/installed; otherwise skip. Do not fail when tools/lockfiles are absent.
      c) AI Coding / Best Practices: portable best-practice checks. Attempt semgrep (OSS p/ci), shellcheck for shell scripts, markdownlint (markdownlint-cli2) if available/installed; optional language-specific lint if lockfiles present (guarded). All steps must skip gracefully when tooling or files are missing.
    • Logging: only report which secrets are present/missing; never print values. Use if: guards so missing secrets/tools don’t fail the workflow.
    • Keep the job dependency-light (pure bash/curl; any installs should be minimal and optional).
  2. Config stub: config/services.example.json

    • Documents expected env vars and placeholders; no secrets committed.

Secrets to reference (names only, no values):

  • OPENAI_API_KEY
  • MANYCHAT_API_KEY
  • BOTBUILDERS_API_KEY
  • MOLTBOOK_API_KEY
  • MOLTBOT_API_KEY
  • OPENCLAW_API_KEY
  • GITHUB_PAT (only if cross-repo GitHub API calls are needed)
  • WEBHOOK_URL
  • Optional base URLs: SERVICE_BASE_URL_OPENCLAW (pattern SERVICE_BASE_URL_* for others)

Constraints:

  • Missing secrets/tools should skip related steps, not fail the run.
  • No secrets or sensitive data committed.
  • Keep it safe and dry-run oriented for integrations.

This pull request was created from Copilot chat.
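As an added example (not code from the PR or the lippytm/Web3AI repository), a POSIX shell step body implementing the two patterns the job descriptions above rely on: a presence-only secret report that never echoes values, and a run-if-available fallback that lets a missing scanner skip instead of failing the job. It assumes the step maps each secret to an environment variable of the same name; SECRET_NAMES mirrors the prompt's "Secrets to reference" list, and the `::notice::`/`::warning::` lines are GitHub Actions workflow commands.

```shell
# Added example (not code from the PR): presence-only secret reporting and a
# run-if-available tool fallback, the two patterns the job descriptions rely on.
# Assumes each secret is mapped to an env var of the same name in the step's
# env: block (OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}); values are never echoed.

# Secret names from the PR's "Secrets to reference" list.
SECRET_NAMES="OPENAI_API_KEY MANYCHAT_API_KEY BOTBUILDERS_API_KEY MOLTBOOK_API_KEY MOLTBOT_API_KEY OPENCLAW_API_KEY GITHUB_PAT WEBHOOK_URL"

# Print "present" or "missing" for one variable name; the value itself never
# reaches stdout. The name is validated before eval so it cannot inject syntax.
secret_status() {
  name="$1"
  case "$name" in ""|*[!A-Za-z0-9_]*) echo "invalid"; return 1 ;; esac
  eval "value=\${$name:-}"
  if [ -n "$value" ]; then echo "present"; else echo "missing"; fi
}

# One line per secret for the job log; safe to paste into the step summary.
report_secrets() {
  for name in $SECRET_NAMES; do
    printf '%-22s %s\n' "$name" "$(secret_status "$name")"
  done
}

# How many secrets are configured, for an "all integrations skipped" notice.
count_present() {
  n=0
  for name in $SECRET_NAMES; do
    [ "$(secret_status "$name")" = "present" ] && n=$((n + 1))
  done
  echo "$n"
}

# Run a scanner only when it is on PATH. A missing tool prints a notice and
# findings print a warning; neither fails the job (graceful degradation).
run_if_available() {
  tool="$1"; shift
  if command -v "$tool" >/dev/null 2>&1; then
    "$tool" "$@" || echo "::warning::$tool reported findings (non-blocking)"
  else
    echo "::notice::$tool not installed; skipping"
  fi
  return 0
}

# Step bodies as the security job would use them.
report_secrets
echo "Secrets present: $(count_present)"
run_if_available shellcheck "$0"
```

In the workflow, `run_if_available semgrep --config=p/ci .` gives the semgrep step the same skip-or-warn behaviour described for the security job.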


Copilot AI and others added 2 commits February 18, 2026 23:53
…nfig

Co-authored-by: lippytm <65956507+lippytm@users.noreply.github.com>
…ob independence comments

Co-authored-by: lippytm <65956507+lippytm@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add Full Stack AI Toolkit and security workflow" to "Add integrations workflow with SAST and best practices checks" on Feb 18, 2026
Copilot AI requested a review from lippytm February 18, 2026 23:58