120 Commits

Author SHA1 Message Date
Aaron Powell bb4766e226 Fix external plugin gate manifest paths and diagnostics (#2261)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-10 14:31:25 +10:00
Aaron Powell e03696a5bf Replace resource modals with dedicated detail pages and richer install options (#2246)
* feat(website): dedicated agent detail pages instead of modal

Replace the popup/modal viewer for agents with dedicated per-agent pages at /agent/<id>/ for real URLs and better deep linking.

- Build-time rendered docs (marked + gray-matter) with a details sidebar
- Sidebar Actions card: Install split-button (VS Code/Insiders/Download/Copy markdown), Share, View on GitHub
- Cards now link natively via anchors (no modal); card-render gains optional href (backward compatible for other types)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* feat(website): dedicated instruction detail pages + shared detail layout

Extend the dedicated detail-page pattern (introduced for agents) to
instructions, and factor the shared behavior/styles out for reuse:

- Add instruction/[id].astro with build-time markdown render, breadcrumb,
  install split-button (VS Code/Insiders/Download/Copy markdown), Share,
  View on GitHub, and a details sidebar (Applies to / Source / Last updated)
  plus collapsible frontmatter.
- Extract shared client behavior into resource-detail.ts (renamed from
  agent-detail.ts) keyed on [data-resource-detail].
- Move detail-page CSS into global.css under .resource-detail-page.
- Point the agent detail page at the shared script/styles.
- Instruction cards now link to /instruction/<id>/ and the modal is removed
  from the instructions listing.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* refactor(website): extract shared detail-page components

Break the agent and instruction detail pages down into reusable Astro
components under src/components/pages: Breadcrumb, Header, Main, Sidebar,
SidebarChips, InstallButtons, and RawMarkdown. Both detail pages now
compose these components instead of duplicating markup.

Fix RawMarkdown to read the `markdown` prop (matching both call sites) and
emit exact text via set:text, which restores the Copy markdown action that
had silently broken when the hidden textarea stopped rendering.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* refactor(website): share detail-page build logic in lib/detail-page

Both detail pages duplicated the install/GitHub URL builders, the
build-time markdown read+render, and the last-updated formatting. Move all
of it into a DOM-free build-time helper (src/lib/detail-page.ts) exposing
loadDetailPage(item, type), and reduce each [id].astro to a single call plus
its type-specific chip data.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated skill detail pages with multi-file browser

Migrate skills from the popup/modal viewer to dedicated per-item pages
(/skill/<id>/) matching the agent and instruction detail pages.

Skills need a few skill-specific mechanics:
- Install via `gh skills install github/awesome-copilot <id>` (copyable),
  since skills have no VS Code install URL.
- Download ZIP for the multi-file skill contents.
- A file browser that defaults to SKILL.md and lets you inspect other
  files, with Shiki syntax highlighting for code and marked-rendered
  markdown. SKILL.md is embedded (rendered + raw) at build time; other
  files are lazy-fetched on demand and cached. Deep links via #file=.

Also fixes a production build regression in the shared detail-page
helper: repoRoot now resolves via process.cwd() instead of import.meta
.url, which resolved incorrectly once bundled and silently returned
empty markdown (breaking rendered docs + copy-markdown for agents and
instructions too).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Replace skill file list with a dropdown selector

The two-column file browser (side list + content pane) was cramped,
splitting the already-narrow main column in half. Replace the side list
with a dropdown in the file view header so the content pane spans the
full width.

- Multi-file skills get a <select> grouped by folder via <optgroup>,
  SKILL.md first. Single-file skills keep a static filename label.
- Client script drives selection from the <select> change event instead
  of the removed file buttons; deep links, copy-file, Download ZIP, and
  Share all read the file list from the select options.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix skill sidebar card overflowing its column

The install command in the actions card used white-space: nowrap, which
gave the grid tracks a large min-content size. Grid items default to
min-width: auto (won't shrink below content), so the actions card grew
past the 352px sidebar, making it look wider than the agent/instruction
sidebars. Add min-width: 0 down the sidebar grid chain so the command
box stays within the column and scrolls horizontally instead.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Make skill file content pane grow to full page height

Remove the fixed max-height/overflow on .skill-file-content so file
content flows to natural height and the page scrolls, instead of a
nested inner scroll region. Shiki <pre> keeps its own horizontal scroll.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Center-align skill file picker label with the select

Reset the Starlight-injected margin-top on .skill-file-select so the
'File' label and the dropdown share a common vertical midline.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Render code files edge-to-edge in skill file viewer

For code files, drop the container padding and the pre border/radius so
the highlighted code fills the full column width. Markdown files keep
their padded, bordered layout. Toggled via an is-code class on the
content pane based on the selected file kind.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated detail pages for hooks with a reusable file browser

Hooks had no good install path (manual copy or ZIP), so mirror the
Skills dedicated-page pattern: a multi-file browser plus a Download ZIP
action, replacing the modal on the hooks listing.

Generalise the Skills-specific file browser so both resource types share
one implementation:
- Rename SkillFileBrowser.astro -> FileBrowser.astro with neutral props.
- Rename skill-detail.ts -> file-browser.ts with neutral data attributes
  (data-file-browser-page, data-bundle-id, data-primary-file).
- Rescope install-slot styles under a shared .bundle-detail-page class.
- generate-website-data: rename getSkillFiles -> getFolderFiles and emit a
  files[] + readmeFileName for each hook.

Hooks list cards now deep-link to /hook/<id>/ instead of opening a modal.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated detail pages for workflows

Migrate agentic workflows from the popup/modal viewer to dedicated per-item pages (/workflow/<id>/) with deep linking, matching the pattern used for agents, instructions, skills, and hooks.

Workflows are single .md files, so they reuse the single-file detail components (Main, Sidebar, Header, Breadcrumb, RawMarkdown) and the resource-detail client script. Since workflows have no VS Code install, the install slot instead documents the gh aw CLI flow and offers Download + Copy markdown actions.

Also rescope the shared install-slot CSS from .bundle-detail-page to .detail-actions-card so skill, hook, and workflow pages share it without a page-specific class, and drop the now-unused bundle-detail-page class from the skill and hook pages.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Format workflow install note

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated plugin detail pages

Replace the plugins modal with dedicated /plugin/<id>/ pages that deep link, render the bundled README, and surface an Included items section linking each constituent agent/skill/instruction/hook to its own detail page (falling back to GitHub for items without a page, e.g. extensions).

- generate-website-data: resolve plugin items to detail URLs + titles, add readmeFile for local and extension-derived plugins
- new IncludedItems component groups bundled resources by kind
- plugin/[id].astro handles local, extension-derived, and external plugins with VS Code + CLI install actions
- resource-detail: copy-install handler shared with detail pages
- plugins list cards now deep link; modal wiring removed

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Show plugin version, ref, and commit in detail sidebar

Capture version from plugin.json (local + extension-derived) and external.json, and surface it in the plugin detail Details card. For external plugins, also show the pinned source ref and short commit SHA when present.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated canvas extension detail pages with preview gallery

Replace the extensions modal with per-extension pages at /extension/<id>/,
mirroring the skill/plugin detail layout. Each page shows a preview image
gallery, README docs (or an About fallback), and a sidebar with install
actions and details (version, canvas ID, keywords, author, commit).

- generate-website-data.mjs: emit readmeFile for extensions
- extensions-render.ts: deep-link cards to detail pages
- extensions.ts: strip modal/gallery wiring, keep filter/sort/copy actions
- resource-detail.ts: add copy-install-url action
- extension-gallery.ts: thumbnail switching for multi-image previews

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add VS Code Insiders and GitHub Copilot app install links

Introduce a shared PluginInstall component used by both plugin and canvas
extension detail pages. It renders a split-button dropdown deep-linking into
VS Code, VS Code Insiders, and the GitHub Copilot app (ghapp://), plus the
CLI command for internal items.

- Internal plugins/extensions: ghapp://plugins/install?source=<id>@awesome-copilot
- External plugins: ghapp://plugins/marketplace/add?source=<owner/repo>
- ghapp source values are URL-encoded per the app's deep-link contract

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Make GitHub Copilot app the default install option

Promote the ghapp:// deep link to the primary split-button action and list
it first in the dropdown, ahead of VS Code and VS Code Insiders.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Ignoring impeccable files

* Make Extensions grid Copy Install a direct Copilot app install

Replace the CLI-command copy button on extension cards with an
'Install in Copilot app' deep link (ghapp://plugins/install) for internal
extensions, matching the detail page. External extensions keep the Copy URL
fallback since they have no Copilot app install path.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on detail pages

- Remove DOM innerHTML read/write round trip in file browser cache
  (CodeQL js/xss-through-dom); seed primary file from raw text and
  render lazily.
- Use Shiki dual light/dark themes in the file browser and add dark
  mode CSS overrides.
- Guard decodeURIComponent for #file= deep links against malformed
  percent-encoding.
- Slugify SidebarChips title before using it in the tag class name.
- Use a neutral aria-label on the shared detail Sidebar.
- URL-encode the external plugin source in VS Code and Insiders
  install links.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Prevent client-side path traversal in file deep links

Addresses the CSPT-to-XSS class reported in github/open-source#1739.
A '#file=' hash value containing '../' sequences could resolve outside
the awesome-copilot repo prefix once normalized by fetch, loading
attacker-controlled content that was then rendered into the page.

- Add isSafeRepoFilePath() and enforce it at the raw-URL choke point
  (getRawGitHubUrl, fetchFileContent, downloadFile, getVSCodeInstallUrl),
  so no consumer can escape the repo prefix.
- Validate the decoded '#file=' path in the modal hash handler and guard
  its decodeURIComponent against malformed input.

The new hash-based file browser already restricts deep links to an
allowlist of build-time file descriptors; the choke-point guard is an
additional backstop.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix accessibility violations on resource detail pages

Run the a11y audit against the new detail pages and resolve every
critical/serious axe violation it surfaced:

- Nest the detail column as a <div> instead of a second <main>, fixing the
  duplicate/non-top-level/non-unique landmark rules on every detail page.
- Add a shared enhanceMarkdownA11y() helper that makes rendered <pre>/<table>
  blocks keyboard focusable and gives task-list checkboxes a state-based
  accessible name; apply it at build time and in the client file browser.
- Make Shiki-highlighted code and install-command <code> blocks focusable.
- Underline links inside rendered docs and install notes so they are
  distinguishable without color, overriding the global #main-content reset.
- Extend the a11y audit to cover one representative page per detail type.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix file browser GitHub URL handling

Encode selected file paths before assigning GitHub detail links and render load errors with DOM APIs so DOM-derived file names are not reinterpreted as markup.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on detail pages and file browser

- Deep-link plugin extension items to their /extension/<id>/ detail pages:
  generate canvas extensions before building the resource index, and index
  extensions (by id and folder basename) so resolvePluginItem can resolve them.
- Render image files in the bundle file browser via an <img> tag built from the
  safe raw URL instead of decoding binary assets as UTF-8 text; skip the
  copy-file action for images.
- Use a neutral 'Install' heading on internal plugin and extension pages so the
  split-button primary label accurately communicates the target.
- Warn (with the file path) when readResourceMarkdown fails instead of swallowing
  the error silently, keeping the build unbroken.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on install links, dropdown a11y, and ZIP downloads

- externalRepoUrl (plugin detail pages) now builds the 'View on GitHub' tree
  URL from the pinned source.ref or source.sha, falling back to main only when
  neither is present, so the link matches the sidebar Ref/Commit chips.
- Install split-button dropdown on resource detail pages is now keyboard
  accessible: opening focuses the first item, ArrowUp/ArrowDown wrap, Home/End
  jump, and Escape closes and restores focus to the toggle, mirroring modal.ts.
- downloadZipBundle fetches each file as an ArrayBuffer and hands it to JSZip so
  binary assets (PNG/JPG/etc.) are preserved instead of corrupted by UTF-8 text
  decoding.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on external repo links and workflow install note

- externalRepoUrl now uses a pinned source.ref/sha even when the external
  plugin has no path, returning /tree/<ref> so "View on GitHub" points at the
  pinned revision and stays consistent with the sidebar Ref/Commit chips.
- Reflow the workflow install note so each inline code and link element stays on
  a single line (using explicit whitespace expressions for word spacing),
  removing the split end-tag artifacts while preserving the exact rendered text
  and spacing.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Harden repo path validation and fix Included Items file links

- isSafeRepoFilePath now fails closed on any "%" so percent-encoded dot-segments
  (%2e%2e and double-encoded %252e%252e) cannot be normalized back into path
  traversal by the browser URL parser during fetch, and also rejects "." and
  empty path segments. Legitimate repo paths never contain these.
- IncludedItems githubHref now links file paths via /blob/ and directories via
  /tree/, detecting files by a trailing extension on the last path segment, so
  the fallback links for agent/instruction/command items no longer 404.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Harden detail pages: sanitize markdown, fix search deep-links and external URLs

Addresses rubber-duck review items 1-5 for the detail-page migration:

1. Sanitize rendered markdown as untrusted HTML. Add isomorphic
   sanitize-html helper (isomorphic-dompurify) applied in the build-time
   pipeline (detail-page.ts) and the client file browser before a11y
   enhancement, so marked output can no longer inject scripts/handlers.
2. Point Pagefind search results at canonical /type/id/ detail pages
   instead of inert #file= listing hashes for types that have a detail page.
3. Sanitize external/generated URLs on plugin and extension detail pages
   and their render scripts so only http(s) links are emitted.
4. Add a shared externalRepoUrl helper that pins GitHub links to the
   source ref/sha (preferring sha) with encoded path segments, replacing
   the duplicated always-main logic in the pages, modal, and renderers.
5. Handle #file= hash navigation after initial load in the file browser
   via a hashchange listener.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Detail pages: clickable filter chips + code-block copy buttons (#2255)

* Add clickable filter chips on detail pages

Turn read-only metadata chips into navigation: tags (hooks/plugins),
keywords (extensions), and extensions (instructions) now link to their
list page pre-filtered by that value (e.g. /hooks/?tag=testing).

SidebarChips gains optional filterBase/filterParam props; when both are
set each chip renders as an <a> with an aria-label and hover/focus
styling, otherwise it stays a plain <span>. Agent/skill/workflow chips
are unchanged. Filtering was verified end to end against each list
page's existing query-param handling.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add copy buttons to documentation code blocks

Detail-page markdown is rendered as plain <pre><code> with no syntax
highlighter, so code and config snippets had no copy affordance. Add a
hover-revealed copy button to every code block in the rendered docs:
copies to the clipboard, shows a toast, and swaps to a check icon for
confirmation. Buttons are keyboard-accessible, always visible on touch
devices, and respect reduced-motion. The sidebar frontmatter block is
left untouched.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix detail-page GitHub links, empty-state link contrast, and file cache

Addresses four PR review comments on the detail-page migration:

- skill/hook detail pages: build the sidebar "View on GitHub" link from a
  /tree/main base instead of /blob/main, since item.path is a directory and
  /blob/<dir> URLs 404. The FileBrowser githubBase stays on /blob for
  individual file links.
- global.css: include .detail-empty a in the underline override so links in
  empty-state notes stay distinguishable without relying on color alone
  (WCAG 1.4.1 / axe link-in-text-block).
- file-browser.ts: seed the primary file's cache with its already-rendered
  (frontmatter-stripped) HTML in addition to raw text, so re-selecting the
  primary file after navigating away no longer re-renders the raw source and
  surfaces frontmatter. Copy still uses the full raw text.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
2026-07-10 13:23:53 +10:00
Aaron Powell 2b8b7b2fd1 Narrow risk scan version matching (#2251)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-10 10:15:44 +10:00
Aaron Powell e986f49695 Migrate extension metadata to plugin.json and enforce conventions (#2177)
* Remove pluginRoots property from marketplace.json

The pluginRoots property is not used by install tooling and was only
informational about the extension/plugin source directories. Removing it
simplifies the marketplace.json structure while maintaining all functionality.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Migrate java-modernization-studio to plugin.json and update validation workflow

- Create .github/plugin/plugin.json for java-modernization-studio extension
- Remove legacy canvas.json from java-modernization-studio
- Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json
- Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json)
- Remove schema validation logic that relied on canvas.schema.json
- All 12 extensions now use plugin.json for metadata

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add extensions field to all extension plugin.json files

Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship
extensions need to include an extensions field specifying where the extension code
is located. All 12 extensions now have extensions set to '.' to reference the
current directory where extension.mjs is located.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Enforce convention-based extension metadata and remove x-awesome-copilot

- Remove x-awesome-copilot.screenshots from all extension plugin.json files
- Enforce logo=assets/preview.png convention for all extensions
- Enforce extensions=. per copilot-agent-runtime#9929
- Update validate-plugins.mjs to enforce conventions
- Update validate-canvas-extensions.yml workflow with convention checks
- Update AGENTS.md and CONTRIBUTING.md documentation

All 12 extensions validated successfully.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Use standard plugin validation for extensions

Remove the custom extension schema and schema validation helper, and
validate extension plugin.json files through the existing plugin validator
instead. Update workflows to stop depending on the removed schema.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-03 12:24:38 +10:00
Aaron Powell 79cda6bb19 Add canvas schema validation to extension submission workflow (#2161)
* Add canvas schema and extension submission checks

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: use namespace import for js-yaml

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Fix contributors page build markup

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Address PR feedback on canvas schema validation

- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Harden canvas extension workflow against injection attacks

Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.

Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.

Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.

Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Replace ajv-cli with in-repo schema validator

- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-01 10:40:40 +10:00
Aaron Powell 28c3a14af4 Switch skill CI validation workflows to vally lint (#2030)
* Switch skill CI checks to vally lint

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Adding Vally to allowed words

* case sensitivity

* Migrate external plugin quality gates from skill-validator to vally lint

Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:

- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() + 
unSkillValidatorGate() with
  uildVallyLintArgs() + 
unVallyLintGate() that run
px vally-cli lint
  per resolved skill directory (falling back to the full plugin root when no
  specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
  to ally_lint_status / ally_lint_output throughout both
  ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Use @microsoft/vally library directly instead of vally-cli subprocess

Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:

- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
  - runLint({ rootPath }) returns structured LintResults
  - LintConsoleReporter with a Writable capture stream collects
    text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
  runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
  plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
  summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows

This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-30 14:07:45 +10:00
Ashley Wolf e9c8e37041 Add contributor attribution to canvas extension cards (#2111)
Show "by @handle" on each canvas extension card and in the details
modal, linking to the contributor's GitHub profile. Author metadata
lives in each extension's canvas.json (and external.json for external
extensions), where the rest of the canvas metadata is stored.

- Store author {name, url} in canvas.json / external.json
- Read author from canvas.json in the website data generator and emit
  it to extensions.json
- Render the GitHub @handle, derived from the profile URL, as the link
  text, with the contributor's name as the link title
- Escape the sanitized author URL before interpolating it into href

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-25 14:52:58 +10:00
Aaron Powell 0eb6062f94 chore(phase2): retarget all automation and contributor guidance from staged to main (#2122)
* chore(phase2): retarget all automation from staged to main

- publish.yml: trigger on main, publish only to marketplace
- check-pr-target.yml: invert — now blocks PRs targeting staged, welcomes main
- 10 PR validation workflows: branches [staged] → [main]
- external-plugin-command-router.yml: --base staged → main (3×), message text
- external-plugin-rereview-command.yml: --base staged → main (2×), message text
- external-plugin-rereview.yml: staged reference in review comment text
- external-plugin-intake.yml: ref: staged checkout → main
- external-plugin-pr-quality-gates.yml: ref: staged checkout → main
- external-plugin-quality-gates.yml: ref: staged checkout → main
- check-plugin-structure.yml: error messages updated for new branch model
- contributors.yml: ref and base target → main
- setup-labels.yml: targets-main label description updated
- cli-for-beginners-sync.md + .lock.yml: base-branch staged → main
- codeowner-update.md + .lock.yml: base-branch staged → main
- learning-hub-updater.md + .lock.yml: base-branch staged → main

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs(phase2): update contributor guidance from staged to main

- CONTRIBUTING.md: branch from main, PR targets main; remove Phase 2 gate note
- AGENTS.md: PR target + external plugin PR automation references
- .github/pull_request_template.md: PR checklist targets main
- website/src/content/docs/learning-hub/agentic-workflows.md: PR target

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* aw updates

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-25 14:36:53 +10:00
James Montemagno fb1b124ed7 Fix canvas extension install links (#2109)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-06-24 12:08:25 +10:00
Aaron Powell ec8cb2a8ae fix: make SHA and Ref values links to tree in external plugin intake comments (#2100)
* fix: make SHA and Ref values links to tree in external plugin intake comments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: use plain link labels for Ref/SHA to avoid backtick markdown issues

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: escape backticks in Ref/SHA link labels

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-23 15:50:08 +10:00
Aaron Powell b253270faa Phase 1: split source vs published refs and verify dual publish (#2085)
* chore: finalize phase 1 marketplace migration wiring

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: avoid hardcoded source branch in plugin docs links

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-22 15:04:40 +10:00
Aaron Powell 17b174fb0a Canvas manifest implementation for extensions (#2029)
* Add keyword display to extension cards on website

- Add .resource-keywords and .keyword-tag CSS styles for rendering keyword badges
- Update renderExtensionsHtml() to display keywords below extension description
- Keywords now visible on the website extensions page with styled badges
- Regenerate website data to include keyword metadata

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Canvas manifest implementation for all extensions

Add per-extension canvas manifests with:
- Structured canvas metadata (name, description, version, keywords)
- Screenshot definitions (icon and gallery with path/type)
- Relative paths for images within each extension directory

Enhance extension metadata:
- Generate meaningful descriptions from source analysis
- Extract and assign keywords for discoverability
- Store metadata in package.json and extension source files

Update website rendering and data generation:
- Include keywords in extension cards and search index
- Add per-extension canvas.json files for independent evolution
- Support screenshot metadata in manifest structure
- Generate extensions.json with full canonical paths for website

All 9 local canvas extensions now have complete manifests with descriptions, keywords, and screenshot references.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Tweaking some descriptions

* Fix description priority to prefer package.json over in-source metadata

Reverse the priority in canvasDescription so that package.json descriptions
(which contain the enhanced, manually-curated descriptions) take precedence
over older in-source descriptions extracted from createCanvas(...) calls.

This prevents regression when npm run website:data regenerates outputs,
ensuring that committed canvas.json files maintain the current descriptions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix canvas validation to skip external.json file

The validation script was treating extensions/external.json as if it were
a directory, causing false validation failures. Added check to skip files
(identified by presence of dot in filename) and only validate actual
canvas extension directories.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-17 15:28:15 +10:00
Aaron Powell fae6a92c9d Centralize label management and fix permission issues (#2018)
* fix: Allow label operations on pull requests in external plugin approval workflow

The sync-merged-pr-labels job needs pull-requests: write permission to
add/remove labels on merged PRs. Previously it only had issues: write which
is for issues, not pull requests. This fixes the permission error when
workflows try to modify PR labels from a non-contributor account.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: Handle 403 permission errors when creating external plugin intake labels

When running on PRs from fork contributors, the GitHub token may not have
permission to create labels in the repository. This is expected and should
not cause the workflow to fail. Allow the ensureLabel function to gracefully
handle 403 Forbidden errors in addition to 422 (label already exists) errors.

This fixes the sync-pr-state job failure in external-plugin-pr-quality-gates.yml
when run on PRs from external contributors.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: Centralize label management into a single workflow_dispatch workflow

Create a new 'setup-labels' workflow that is manually dispatched and handles
all label creation and updates. This workflow:
- Creates all labels used by the repository
- Updates descriptions if labels already exist
- Reports success/failure counts
- Fails if any labels cannot be created

All individual workflows now assume labels exist and will fail (loudly) if
they don't. This makes it clear to maintainers when the setup-labels workflow
needs to be dispatched:

- label-pr-intent.yml
- skill-check-comment.yml
- external-plugin-approval-command.yml
- external-plugin-command-router.yml
- external-plugin-rereview.yml
- external-plugin-rereview-command.yml
- eng/external-plugin-intake-state.mjs

This approach is better because:
- Single source of truth for label definitions
- Avoids permission issues with fork contributors
- Clear failure modes when labels are missing
- Easier to maintain consistent label configuration
- No more scattered label creation logic across workflows

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Remove unused ensureLabel methods and managedLabels constants

Labels are now centrally managed by the setup-labels workflow and
assumed to exist in all other workflows. Removed:

- ensureLabel() methods from all 6 workflows and 1 JS module
- managedLabels constants that were only used by ensureLabel
- Promise.all() calls that invoked ensureLabel for each label
- Updated syncManagedLabels in skill-check-comment.yml to remove ensureLabel call

All workflows now assume labels exist and will fail if they don't,
which is the desired behavior—it signals maintainers to dispatch the
setup-labels workflow when new labels need to be created.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-17 14:12:07 +10:00
James Montemagno ea5d3f4acb Add canvas previews, external extension links, and release notes showcase (#1987)
* Add extension thumbnails and preview assets

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add clickable extension image preview modal

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update website/src/styles/global.css

* Add preview assets for canvas extensions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update canvas extension preview images

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Delete extensions/backlog-swipe-triage/assets/swipe-canvas-triage.png

* Support external canvas extensions and add Coffilot

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add homepage link to GitHub repository

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add release notes showcase canvas extension

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Enhance release notes canvas sourcing and layout

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-06-17 09:18:49 +10:00
Aaron Powell a34c98bfbf Automate external plugin update PR quality checks (#2005)
* Add PR quality gates for external plugin updates

Automate external plugin update PR review by running skill-validator and install smoke checks against changed entries in plugins/external.json. Sync PR workflow-state labels and upsert a marker-based status comment with source tree links for each changed plugin.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Tighten external plugin PR workflow permissions

Scope write permissions to the PR synchronization job, keep the quality-gate job read-only, and handle no-op and detection-failure states explicitly. Also fix source tree link encoding for refs, SHAs, and plugin paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix external plugin workflow job steps

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-06-16 15:40:21 +10:00
Aaron Powell 3ae6b2007c Add soft-gate PR risk scan automation for agentic PRs (#1969)
* Add soft-gate PR risk scanning automation

Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Harden path checks and reduce scanner false positives

Reject absolute paths, enforce repo-root containment after resolution, and tighten unpinned-version detection to dependency/version contexts to avoid markdown noise.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Harden soft-gate behavior and scanner coverage

Make PR risk scan workflows non-blocking on scanner/artifact edge cases, always upload artifacts, reduce required permissions, and extend scanner script detection to plugin skill paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-15 10:59:01 +10:00
Aaron Powell c4a0a3ef5a Route intake failures to submitter fixes (#1970)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-11 15:17:32 +10:00
Aaron Powell 50854076f2 The new lines weren't working properly as we'd filter them out, whoops (#1951) 2026-06-10 14:44:16 +10:00
Aaron Powell dbd45cf6f2 Fix external plugin intake rate limits (#1953)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-09 16:57:58 +10:00
Aaron Powell ecf170397b fix: respect all manifest locations in smoke-test post-install verification (#1952)
The install smoke gate was hardcoding .github/plugin/plugin.json as the
expected manifest path after copilot plugin install, which caused a false
ail for plugins whose manifests live at plugin.json (root) or
.plugins/plugin.json instead of the Copilot CLI convention.

Replace the hardcoded path with a call to the existing indPluginJson()
helper that already probes all three candidate locations in priority order.
Separate the 'install directory missing' check from 'no manifest found' so
error messages surface the actual root cause.

Also fix a .plugin/ → .plugins/ typo in EXTERNAL_PLUGIN_ROOT_MANIFEST_PATHS
(external-plugin-validation.mjs) which caused the error message shown to
submitters to reference a path that indPluginJson never actually checks.
Add cross-reference comments on both constants so they stay in sync.

Closes: reported in issue #1837

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-09 16:57:34 +10:00
Aaron Powell 0adac0dadd React to accepted rerun intake comments (#1948)
* React to rerun intake comments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* some whitespace fixes

* more whitespace fixes

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-09 15:08:41 +10:00
Aaron Powell c66449b4fa fix: skill-validator invocation for .github/plugin/plugin.json convention (#1916)
* fix: skill-validator invocation for .github/plugin/plugin.json convention

The skill-validator --plugin mode looks for plugin.json at <dir>/plugin.json,
but external plugins (and the Copilot CLI) place it at .github/plugin/plugin.json.
This caused every external plugin with skills or agents to fail the skill-validator
gate with a misleading 'No plugin.json found' error, even when the install smoke
test passed correctly.

Extract buildSkillValidatorArgs() which reads plugin.json from
.github/plugin/plugin.json, resolves skills/agents paths relative to the plugin
root, and invokes skill-validator with --skills/--agents instead of --plugin.
Falls back to --plugin if the conventional path is not present.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: also check .plugins/plugin.json and root plugin.json locations

Extend buildSkillValidatorArgs to probe three candidate plugin.json locations
in priority order before falling back to --plugin:
  1. .github/plugin/plugin.json  (Copilot CLI convention)
  2. .plugins/plugin.json
  3. plugin.json  (root — also the skill-validator's native --plugin expectation)

Extract findPluginJson() and PLUGIN_JSON_CANDIDATES constant so the list is easy
to extend. Paths in plugin.json are always resolved relative to the plugin root
regardless of where the manifest lives.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-04 12:53:27 -07:00
Aaron Powell d11fb21f3a Add workflow run link to external plugin intake comments (#1915)
* Add workflow run link to external plugin intake comments

- Include a link to the GitHub Actions workflow run in intake comment
- Helps users trace which action run generated the intake report
- Works for both initial intake and re-run intake flows
- Link appears at bottom of comment for all intake states (passed/failed/quality gates)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on intake comment formatting

- Remove leading spaces from runLink construction to preserve markdown formatting
- Remove unnecessary newline prefix before runLink in quality gates section
- Move workflow run link to the very end of all comment types (after warnings)
- For merged intake comments, append link as final element
- Remove unused runId parameter from applyExternalPluginIntakeEvaluation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-04 12:30:39 -07:00
Aaron Powell 36cdc52037 Add Canvas Extensions website page (#1900)
Generate extensions data, add the extensions listing route/navigation, and include install URL copy actions pinned to the build commit SHA.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-02 11:17:56 -07:00
Aaron Powell 47701d25f4 Add external plugin quality gates and maintainer override flow (#1860)
* Add external plugin quality gates and override flow

Introduce a dedicated reusable quality-gates workflow for external plugin submissions and wire intake/rerun orchestration to consume its results. Add quality-aware intake state handling, including a submitter-fix blocker state and richer intake comments.

Also add a maintainer /mark-ready-for-review command workflow for explicit overrides, update related approval-label handling, and document the new external plugin review flow in CONTRIBUTING and AGENTS guidance.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: use specific auth/network patterns in classifySmokeFailure

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* refactor: hoist INFRA_ERROR_PATTERNS to module level, fix timeout regex

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* fix: install Copilot CLI in external-plugin-quality-gates workflow

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-05-28 15:50:13 +10:00
kimtth 78d62afc0c fix: stabilize generated instructions README ordering (#1846)
Pass an explicit 'en' locale to localeCompare for instruction title
sorting in update-readme.mjs. Previously the default OS locale was
used, causing String.prototype.localeCompare to produce different
orderings on Windows vs Ubuntu (affecting characters like Korean and
Japanese CJK titles), which made the validate-readme CI workflow
non-deterministic.

Fixes the root cause of the locale-dependent sort instability.
2026-05-28 10:09:14 +10:00
Aaron Powell 6fc05f480e Splitting ref and sha into two fields correctly for the intake form (#1788)
* Splitting ref and sha into two fields correctly for the intake form

* Enforce 40-character commit SHA in validateImmutableRef

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Add backward compatibility for legacy checklist text and field title

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Avoid unnecessary array spread when iterating checklist equivalents

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-05-22 10:54:34 +10:00
Aaron Powell 2ca49df9d4 Adding a new /rerun-intake command for when updates are required (#1786)
* Adding a new /rerun-intake command for when updates are required

Reruns the intake process if feedback is given that will require the submitter to update something about the submittion.

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Use rerun command constant in parser regex

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-05-22 10:53:15 +10:00
Aaron Powell a303e17975 Fix path for Chrome DevTools external plugin (#1784)
* Fixing path on chrome devtools external pluginPath is to the folder in the repo where the plugin structure starts, not where the plugin.json file lives.

* Updating validation scripts and guidance to avoid this mistake again
2026-05-21 15:51:17 +10:00
Aaron Powell e66aa80240 feat: add public external plugin workflows (#1723)
* feat: add external plugin submission workflows

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* minor adjustment to contributing guide

* fix: address external plugin review feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Reverting some changes to the readme.agents.md file

* fix: address follow-up review feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: tighten external plugin workflows

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-15 15:37:18 +10:00
Aaron Powell a1197525bd Enforce canonical plugin manifest ordering (#1601)
* Enforce canonical plugin manifest ordering

Sort existing plugin manifest spec arrays so plugin:clean no longer creates noisy diffs from out-of-order entries. Add validation to require alphabetical ordering and teach plugin:clean to normalize manifest arrays when cleaning materialized plugin content.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-04 12:00:50 +10:00
Aaron Powell 76ac13a9b8 Simplify website search and listing controls (#1553)
* Removing search from the home pageThis was a little confusing because there are two searches, but the overall site search is a lot more powerful

* Prefilter website search by resource page

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* small error handling and formatting

* Simplify website listing controls

Remove per-page text search, trim page-specific controls, and move remaining sort/filter controls into compact flyouts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-29 16:03:08 +10:00
Gordon Lam ae2c51d9cc fix: improve security-review skill discovery (#1515)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-29 12:15:27 +10:00
Aezan 8aa465d4d2 fix: agent files not loading from agents folder (#1473) 2026-04-28 17:30:42 +10:00
Aaron Powell 2f972ba80c Consolidate scripts and automate report management (#1540)
* removing old scripts

* consolidated folder

* Updating usage of scripts

* Adding script to generate an open PR report, rather than making AI gen it each time

* Adding step to close old quality report discussions
2026-04-28 17:29:40 +10:00
Aaron Powell 4b13306427 Fix gh skill command to gh skills and update README (#1531)
* Fixing gh skill to be gh skills and adding to the README

* Adding skills install instruction to readme

* Fixing escapes
2026-04-28 16:58:22 +10:00
Copilot dddab5e459 feat: add copy install command from skills list and modal (#1424)
* docs: reference gh skill install command for managing agent skills

Agent-Logs-Url: https://github.com/github/awesome-copilot/sessions/e8324f6a-26ee-4d2c-b86f-028cf78499d5

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* feat: add copy install command button to skills list and modal

Agent-Logs-Url: https://github.com/github/awesome-copilot/sessions/efbb7ae2-6ff7-40d2-a8fe-45253caea717

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* revert: undo changes to 05-skills.md as requested

Agent-Logs-Url: https://github.com/github/awesome-copilot/sessions/ba67c365-f36a-47de-af44-629305b9eb94

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-04-17 18:52:15 +10:00
Renee Noble 68bd143e37 Fix broken links beginners cli course sync (#1263)
* chore: publish from staged

* Update instructions for converting links from original repo

* Correct existing broken links

* chore: retrigger ci

* cleaning up marerialzed plugins

* Fixing clean script to sort out plugin.json file too

* Fixing readme

* Fixing plugin.json drift

* Fixing readme

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-04-09 10:22:38 +10:00
Aaron Powell f12b83cf1b skills readme was getting junk files (#967) 2026-03-11 10:44:46 +11:00
Aaron Powell 3efc4f3a5b feat: show external plugins on the website (#937)
* feat: show external plugins on the website

Read plugins/external.json during website data generation and include
external plugins alongside local ones in plugins.json. External plugins
are flagged with external:true and carry metadata (author, repository,
homepage, license, source).

On the website:
- Plugin cards show a '🔗 External' badge and author attribution
- The 'Repository' button links to the source path within the repo
- The modal shows metadata (author, repo, homepage, license) and a
  'View Repository' CTA instead of an items list
- External plugins are searchable and filterable by tags

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR #937 security and UX review comments

- Add sanitizeUrl() function to validate URLs and prevent XSS via javascript:/data: schemes
- Add rel="noopener noreferrer" to all target="_blank" links to prevent reverse-tabnabbing
- Change external plugin path from external/<name> to plugins/<name> for proper deep-linking
- Track actual count of external plugins added (after filtering/deduplication) in build logs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-10 10:13:16 +11:00
Copilot cf2a5470a2 feat: add contributors page to website (#928)
* Initial plan

* feat: add contributors page to website

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* feat: add footer with contributors link and fix emoji-only display

- Add custom Starlight Footer component with 'Made with ❤️ by our
  amazing contributors' linking to /contributors/
- Filter out contribution types without emoji mappings in the
  contributor data generation so only emojis (🎭🎁🧭⌨️🧰) are
  shown on the contributors page, not text labels like 'code' or 'doc'

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: use all-contributors HTML output for contributors page

- Restyle all-contributors generated table as a responsive card grid
  using CSS grid on tbody with card-styled td cells
- Remove old custom JS search/filter UI and contributors.ts script
- Remove generateContributorsData from data pipeline (no longer needed)
- Keep all-contributors markers for bot regeneration
- Include updated contributor data from .all-contributorsrc

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: CSS fixes for contributors page Starlight compatibility

- Override Starlight table width/overflow to prevent clipping
- Force td width: 100% to counteract HTML width="14.28%" attribute
- Set emoji links to display: inline to prevent vertical stacking
- Improve border visibility with lighter gray color

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-09 14:47:20 +11:00
Copilot 1b15663c46 Update docs to reflect awesome-copilot as default plugin marketplace in CLI and VS Code (#901)
* Initial plan

* docs: update plugin discovery for default marketplace in CLI and VS Code

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* docs: revert README.md changes (covered by #900), update README.plugins.md

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* fix: update plugin template in constants.mjs so README.plugins.md survives rebuilds

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-03-06 16:26:26 +11:00
Tom Meschter d4dcc676e4 Support external plugins in marketplace.json generation (#876)
The marketplace currently only includes plugins that live as local
directories in plugins/. This makes it impossible to list plugins
hosted in external GitHub repos, npm packages, or other git URLs.

Add plugins/external.json as a hand-curated list of external plugin
entries following the Claude Code plugin marketplace spec. The
generate-marketplace script now reads this file and merges external
entries as-is into the generated marketplace.json, sorted by name.

Changes:
- Add plugins/external.json (empty array, ready for entries)
- Update eng/generate-marketplace.mjs to load, merge, and sort
  external plugins; warn on duplicate names; log counts
- Document the external plugin workflow in CONTRIBUTING.md and
  AGENTS.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-05 10:08:54 +11:00
Aaron Powell a998c2d38c feat: support external recipes in cookbook (#831)
* feat(schema): add external recipe fields to cookbook schema

Add optional external, url, and author fields to the recipe schema
in cookbook.schema.json. When external is true, url is required via
conditional validation. Author supports name (required) and url
(optional) for attribution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(data): support external recipes in data generator

- External recipes (external: true) skip local file validation
- Validate URL format for external recipes
- Pass through external, url, and author fields to output JSON
- Add per-recipe languages array: derived from resolved variant keys
  for local recipes, and from tags matching known language IDs for
  external recipes
- Collect language IDs in a first pass before processing recipes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(website): render external recipe cards on cookbook page

- Extend Recipe interface with external, url, author, and languages
- Render external recipes with Community badge, author attribution,
  and View on GitHub link instead of View Recipe/View Example buttons
- Language filter uses per-recipe languages array uniformly
- Remove Nerd Font icons from select dropdown options (native selects
  cannot render custom web fonts)
- Add CSS for external recipe cards (dashed border, badge, author)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(cookbook): add community samples section with first external recipe

Add a Community Samples cookbook section to cookbook.yml with the
Node.js Agentic Issue Resolver as the first external recipe entry,
linking to https://github.com/Impesud/nodejs-copilot-issue-resolver.

Resolves the use case from PR #613 for supporting external samples.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(cookbook): add Copilot SDK Web App to community samples

Add aaronpowell/copilot-sdk-web-app — a full-stack chat app built with
the GitHub Copilot SDK, .NET Aspire, and React.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-02 19:36:10 +11:00
Aaron Powell 83aed9e974 Extract workflow triggers from 'on' frontmatter field, drop tags
Update parseWorkflowMetadata to extract triggers from the 'on'
property keys (e.g. schedule, issue_comment) instead of a separate
'triggers' field. Remove tags support from workflows since workflows
don't use tags.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-25 16:23:49 +11:00
Aaron Powell d144ab626a fix: copilot comments 2026-02-25 15:27:36 +11:00
Aaron Powell 1c67e92cd2 Merge branch 'staged' into copilot/combine-prompts-and-skills 2026-02-25 15:01:00 +11:00
Aaron Powell 0a0f387abd Merge pull request #805 from brunoborges/fix-aw-readme
docs: improve CONTRIBUTING.md and add "How to Contribute" links across docs
2026-02-25 14:37:42 +11:00
Aaron Powell 3145f777d2 fix: rewrite plugin.json paths to folders during publish
During the staged→main publish, after materializing files into plugin
directories, rewrite each plugin.json to replace individual file paths
with folder references so consumers on main get directory-level entries.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-25 10:22:04 +11:00
Bruno Borges 6103b17ba2 chore: update documentation and add contribution guidelines for agents, hooks, instructions, plugins, skills, and workflows; enhance actions-lock.json with additional actions 2026-02-24 12:53:43 -05:00