* feat(website): dedicated agent detail pages instead of modal
Replace the popup/modal viewer for agents with dedicated per-agent pages at /agent/<id>/ for real URLs and better deep linking.
- Build-time rendered docs (marked + gray-matter) with a details sidebar
- Sidebar Actions card: Install split-button (VS Code/Insiders/Download/Copy markdown), Share, View on GitHub
- Cards now link natively via anchors (no modal); card-render gains optional href (backward compatible for other types)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* feat(website): dedicated instruction detail pages + shared detail layout
Extend the dedicated detail-page pattern (introduced for agents) to
instructions, and factor the shared behavior/styles out for reuse:
- Add instruction/[id].astro with build-time markdown render, breadcrumb,
install split-button (VS Code/Insiders/Download/Copy markdown), Share,
View on GitHub, and a details sidebar (Applies to / Source / Last updated)
plus collapsible frontmatter.
- Extract shared client behavior into resource-detail.ts (renamed from
agent-detail.ts) keyed on [data-resource-detail].
- Move detail-page CSS into global.css under .resource-detail-page.
- Point the agent detail page at the shared script/styles.
- Instruction cards now link to /instruction/<id>/ and the modal is removed
from the instructions listing.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* refactor(website): extract shared detail-page components
Break the agent and instruction detail pages down into reusable Astro
components under src/components/pages: Breadcrumb, Header, Main, Sidebar,
SidebarChips, InstallButtons, and RawMarkdown. Both detail pages now
compose these components instead of duplicating markup.
Fix RawMarkdown to read the `markdown` prop (matching both call sites) and
emit exact text via set:text, which restores the Copy markdown action that
had silently broken when the hidden textarea stopped rendering.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* refactor(website): share detail-page build logic in lib/detail-page
Both detail pages duplicated the install/GitHub URL builders, the
build-time markdown read+render, and the last-updated formatting. Move all
of it into a DOM-free build-time helper (src/lib/detail-page.ts) exposing
loadDetailPage(item, type), and reduce each [id].astro to a single call plus
its type-specific chip data.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated skill detail pages with multi-file browser
Migrate skills from the popup/modal viewer to dedicated per-item pages
(/skill/<id>/) matching the agent and instruction detail pages.
Skills need a few skill-specific mechanics:
- Install via `gh skills install github/awesome-copilot <id>` (copyable),
since skills have no VS Code install URL.
- Download ZIP for the multi-file skill contents.
- A file browser that defaults to SKILL.md and lets you inspect other
files, with Shiki syntax highlighting for code and marked-rendered
markdown. SKILL.md is embedded (rendered + raw) at build time; other
files are lazy-fetched on demand and cached. Deep links via #file=.
Also fixes a production build regression in the shared detail-page
helper: repoRoot now resolves via process.cwd() instead of import.meta
.url, which resolved incorrectly once bundled and silently returned
empty markdown (breaking rendered docs + copy-markdown for agents and
instructions too).
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Replace skill file list with a dropdown selector
The two-column file browser (side list + content pane) was cramped,
splitting the already-narrow main column in half. Replace the side list
with a dropdown in the file view header so the content pane spans the
full width.
- Multi-file skills get a <select> grouped by folder via <optgroup>,
SKILL.md first. Single-file skills keep a static filename label.
- Client script drives selection from the <select> change event instead
of the removed file buttons; deep links, copy-file, Download ZIP, and
Share all read the file list from the select options.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Fix skill sidebar card overflowing its column
The install command in the actions card used white-space: nowrap, which
gave the grid tracks a large min-content size. Grid items default to
min-width: auto (won't shrink below content), so the actions card grew
past the 352px sidebar, making it look wider than the agent/instruction
sidebars. Add min-width: 0 down the sidebar grid chain so the command
box stays within the column and scrolls horizontally instead.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Make skill file content pane grow to full page height
Remove the fixed max-height/overflow on .skill-file-content so file
content flows to natural height and the page scrolls, instead of a
nested inner scroll region. Shiki <pre> keeps its own horizontal scroll.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Center-align skill file picker label with the select
Reset the Starlight-injected margin-top on .skill-file-select so the
'File' label and the dropdown share a common vertical midline.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Render code files edge-to-edge in skill file viewer
For code files, drop the container padding and the pre border/radius so
the highlighted code fills the full column width. Markdown files keep
their padded, bordered layout. Toggled via an is-code class on the
content pane based on the selected file kind.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated detail pages for hooks with a reusable file browser
Hooks had no good install path (manual copy or ZIP), so mirror the
Skills dedicated-page pattern: a multi-file browser plus a Download ZIP
action, replacing the modal on the hooks listing.
Generalise the Skills-specific file browser so both resource types share
one implementation:
- Rename SkillFileBrowser.astro -> FileBrowser.astro with neutral props.
- Rename skill-detail.ts -> file-browser.ts with neutral data attributes
(data-file-browser-page, data-bundle-id, data-primary-file).
- Rescope install-slot styles under a shared .bundle-detail-page class.
- generate-website-data: rename getSkillFiles -> getFolderFiles and emit a
files[] + readmeFileName for each hook.
Hooks list cards now deep-link to /hook/<id>/ instead of opening a modal.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated detail pages for workflows
Migrate agentic workflows from the popup/modal viewer to dedicated per-item pages (/workflow/<id>/) with deep linking, matching the pattern used for agents, instructions, skills, and hooks.
Workflows are single .md files, so they reuse the single-file detail components (Main, Sidebar, Header, Breadcrumb, RawMarkdown) and the resource-detail client script. Since workflows have no VS Code install, the install slot instead documents the gh aw CLI flow and offers Download + Copy markdown actions.
Also rescope the shared install-slot CSS from .bundle-detail-page to .detail-actions-card so skill, hook, and workflow pages share it without a page-specific class, and drop the now-unused bundle-detail-page class from the skill and hook pages.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Format workflow install note
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated plugin detail pages
Replace the plugins modal with dedicated /plugin/<id>/ pages that deep link, render the bundled README, and surface an Included items section linking each constituent agent/skill/instruction/hook to its own detail page (falling back to GitHub for items without a page, e.g. extensions).
- generate-website-data: resolve plugin items to detail URLs + titles, add readmeFile for local and extension-derived plugins
- new IncludedItems component groups bundled resources by kind
- plugin/[id].astro handles local, extension-derived, and external plugins with VS Code + CLI install actions
- resource-detail: copy-install handler shared with detail pages
- plugins list cards now deep link; modal wiring removed
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Show plugin version, ref, and commit in detail sidebar
Capture version from plugin.json (local + extension-derived) and external.json, and surface it in the plugin detail Details card. For external plugins, also show the pinned source ref and short commit SHA when present.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated canvas extension detail pages with preview gallery
Replace the extensions modal with per-extension pages at /extension/<id>/,
mirroring the skill/plugin detail layout. Each page shows a preview image
gallery, README docs (or an About fallback), and a sidebar with install
actions and details (version, canvas ID, keywords, author, commit).
- generate-website-data.mjs: emit readmeFile for extensions
- extensions-render.ts: deep-link cards to detail pages
- extensions.ts: strip modal/gallery wiring, keep filter/sort/copy actions
- resource-detail.ts: add copy-install-url action
- extension-gallery.ts: thumbnail switching for multi-image previews
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add VS Code Insiders and GitHub Copilot app install links
Introduce a shared PluginInstall component used by both plugin and canvas
extension detail pages. It renders a split-button dropdown deep-linking into
VS Code, VS Code Insiders, and the GitHub Copilot app (ghapp://), plus the
CLI command for internal items.
- Internal plugins/extensions: ghapp://plugins/install?source=<id>@awesome-copilot
- External plugins: ghapp://plugins/marketplace/add?source=<owner/repo>
- ghapp source values are URL-encoded per the app's deep-link contract
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Make GitHub Copilot app the default install option
Promote the ghapp:// deep link to the primary split-button action and list
it first in the dropdown, ahead of VS Code and VS Code Insiders.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Ignoring impeccable files
* Make Extensions grid Copy Install a direct Copilot app install
Replace the CLI-command copy button on extension cards with an
'Install in Copilot app' deep link (ghapp://plugins/install) for internal
extensions, matching the detail page. External extensions keep the Copy URL
fallback since they have no Copilot app install path.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on detail pages
- Remove DOM innerHTML read/write round trip in file browser cache
(CodeQL js/xss-through-dom); seed primary file from raw text and
render lazily.
- Use Shiki dual light/dark themes in the file browser and add dark
mode CSS overrides.
- Guard decodeURIComponent for #file= deep links against malformed
percent-encoding.
- Slugify SidebarChips title before using it in the tag class name.
- Use a neutral aria-label on the shared detail Sidebar.
- URL-encode the external plugin source in VS Code and Insiders
install links.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Prevent client-side path traversal in file deep links
Addresses the CSPT-to-XSS class reported in github/open-source#1739.
A '#file=' hash value containing '../' sequences could resolve outside
the awesome-copilot repo prefix once normalized by fetch, loading
attacker-controlled content that was then rendered into the page.
- Add isSafeRepoFilePath() and enforce it at the raw-URL choke point
(getRawGitHubUrl, fetchFileContent, downloadFile, getVSCodeInstallUrl),
so no consumer can escape the repo prefix.
- Validate the decoded '#file=' path in the modal hash handler and guard
its decodeURIComponent against malformed input.
The new hash-based file browser already restricts deep links to an
allowlist of build-time file descriptors; the choke-point guard is an
additional backstop.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Fix accessibility violations on resource detail pages
Run the a11y audit against the new detail pages and resolve every
critical/serious axe violation it surfaced:
- Nest the detail column as a <div> instead of a second <main>, fixing the
duplicate/non-top-level/non-unique landmark rules on every detail page.
- Add a shared enhanceMarkdownA11y() helper that makes rendered <pre>/<table>
blocks keyboard focusable and gives task-list checkboxes a state-based
accessible name; apply it at build time and in the client file browser.
- Make Shiki-highlighted code and install-command <code> blocks focusable.
- Underline links inside rendered docs and install notes so they are
distinguishable without color, overriding the global #main-content reset.
- Extend the a11y audit to cover one representative page per detail type.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Fix file browser GitHub URL handling
Encode selected file paths before assigning GitHub detail links and render load errors with DOM APIs so DOM-derived file names are not reinterpreted as markup.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on detail pages and file browser
- Deep-link plugin extension items to their /extension/<id>/ detail pages:
generate canvas extensions before building the resource index, and index
extensions (by id and folder basename) so resolvePluginItem can resolve them.
- Render image files in the bundle file browser via an <img> tag built from the
safe raw URL instead of decoding binary assets as UTF-8 text; skip the
copy-file action for images.
- Use a neutral 'Install' heading on internal plugin and extension pages so the
split-button primary label accurately communicates the target.
- Warn (with the file path) when readResourceMarkdown fails instead of swallowing
the error silently, keeping the build unbroken.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on install links, dropdown a11y, and ZIP downloads
- externalRepoUrl (plugin detail pages) now builds the 'View on GitHub' tree
URL from the pinned source.ref or source.sha, falling back to main only when
neither is present, so the link matches the sidebar Ref/Commit chips.
- Install split-button dropdown on resource detail pages is now keyboard
accessible: opening focuses the first item, ArrowUp/ArrowDown wrap, Home/End
jump, and Escape closes and restores focus to the toggle, mirroring modal.ts.
- downloadZipBundle fetches each file as an ArrayBuffer and hands it to JSZip so
binary assets (PNG/JPG/etc.) are preserved instead of corrupted by UTF-8 text
decoding.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on external repo links and workflow install note
- externalRepoUrl now uses a pinned source.ref/sha even when the external
plugin has no path, returning /tree/<ref> so "View on GitHub" points at the
pinned revision and stays consistent with the sidebar Ref/Commit chips.
- Reflow the workflow install note so each inline code and link element stays on
a single line (using explicit whitespace expressions for word spacing),
removing the split end-tag artifacts while preserving the exact rendered text
and spacing.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden repo path validation and fix Included Items file links
- isSafeRepoFilePath now fails closed on any "%" so percent-encoded dot-segments
(%2e%2e and double-encoded %252e%252e) cannot be normalized back into path
traversal by the browser URL parser during fetch, and also rejects "." and
empty path segments. Legitimate repo paths never contain these.
- IncludedItems githubHref now links file paths via /blob/ and directories via
/tree/, detecting files by a trailing extension on the last path segment, so
the fallback links for agent/instruction/command items no longer 404.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Harden detail pages: sanitize markdown, fix search deep-links and external URLs
Addresses rubber-duck review items 1-5 for the detail-page migration:
1. Sanitize rendered markdown as untrusted HTML. Add isomorphic
sanitize-html helper (isomorphic-dompurify) applied in the build-time
pipeline (detail-page.ts) and the client file browser before a11y
enhancement, so marked output can no longer inject scripts/handlers.
2. Point Pagefind search results at canonical /type/id/ detail pages
instead of inert #file= listing hashes for types that have a detail page.
3. Sanitize external/generated URLs on plugin and extension detail pages
and their render scripts so only http(s) links are emitted.
4. Add a shared externalRepoUrl helper that pins GitHub links to the
source ref/sha (preferring sha) with encoded path segments, replacing
the duplicated always-main logic in the pages, modal, and renderers.
5. Handle #file= hash navigation after initial load in the file browser
via a hashchange listener.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Detail pages: clickable filter chips + code-block copy buttons (#2255)
* Add clickable filter chips on detail pages
Turn read-only metadata chips into navigation: tags (hooks/plugins),
keywords (extensions), and extensions (instructions) now link to their
list page pre-filtered by that value (e.g. /hooks/?tag=testing).
SidebarChips gains optional filterBase/filterParam props; when both are
set each chip renders as an <a> with an aria-label and hover/focus
styling, otherwise it stays a plain <span>. Agent/skill/workflow chips
are unchanged. Filtering was verified end to end against each list
page's existing query-param handling.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add copy buttons to documentation code blocks
Detail-page markdown is rendered as plain <pre><code> with no syntax
highlighter, so code and config snippets had no copy affordance. Add a
hover-revealed copy button to every code block in the rendered docs:
copies to the clipboard, shows a toast, and swaps to a check icon for
confirmation. Buttons are keyboard-accessible, always visible on touch
devices, and respect reduced-motion. The sidebar frontmatter block is
left untouched.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Fix detail-page GitHub links, empty-state link contrast, and file cache
Addresses four PR review comments on the detail-page migration:
- skill/hook detail pages: build the sidebar "View on GitHub" link from a
/tree/main base instead of /blob/main, since item.path is a directory and
/blob/<dir> URLs 404. The FileBrowser githubBase stays on /blob for
individual file links.
- global.css: include .detail-empty a in the underline override so links in
empty-state notes stay distinguishable without relying on color alone
(WCAG 1.4.1 / axe link-in-text-block).
- file-browser.ts: seed the primary file's cache with its already-rendered
(frontmatter-stripped) HTML in addition to raw text, so re-selecting the
primary file after navigating away no longer re-renders the raw source and
surfaces frontmatter. Copy still uses the full raw text.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
* Remove pluginRoots property from marketplace.json
The pluginRoots property is not used by install tooling and was only
informational about the extension/plugin source directories. Removing it
simplifies the marketplace.json structure while maintaining all functionality.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Migrate java-modernization-studio to plugin.json and update validation workflow
- Create .github/plugin/plugin.json for java-modernization-studio extension
- Remove legacy canvas.json from java-modernization-studio
- Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json
- Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json)
- Remove schema validation logic that relied on canvas.schema.json
- All 12 extensions now use plugin.json for metadata
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add extensions field to all extension plugin.json files
Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship
extensions need to include an extensions field specifying where the extension code
is located. All 12 extensions now have extensions set to '.' to reference the
current directory where extension.mjs is located.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Enforce convention-based extension metadata and remove x-awesome-copilot
- Remove x-awesome-copilot.screenshots from all extension plugin.json files
- Enforce logo=assets/preview.png convention for all extensions
- Enforce extensions=. per copilot-agent-runtime#9929
- Update validate-plugins.mjs to enforce conventions
- Update validate-canvas-extensions.yml workflow with convention checks
- Update AGENTS.md and CONTRIBUTING.md documentation
All 12 extensions validated successfully.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Use standard plugin validation for extensions
Remove the custom extension schema and schema validation helper, and
validate extension plugin.json files through the existing plugin validator
instead. Update workflows to stop depending on the removed schema.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add canvas schema and extension submission checks
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* fix: use namespace import for js-yaml
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Fix contributors page build markup
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Address PR feedback on canvas schema validation
- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Harden canvas extension workflow against injection attacks
Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.
Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.
Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.
Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Replace ajv-cli with in-repo schema validator
- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Switch skill CI checks to vally lint
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Adding Vally to allowed words
* case sensitivity
* Migrate external plugin quality gates from skill-validator to vally lint
Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:
- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() +
unSkillValidatorGate() with
uildVallyLintArgs() +
unVallyLintGate() that run
px vally-cli lint
per resolved skill directory (falling back to the full plugin root when no
specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
to ally_lint_status / ally_lint_output throughout both
ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Use @microsoft/vally library directly instead of vally-cli subprocess
Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:
- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
- runLint({ rootPath }) returns structured LintResults
- LintConsoleReporter with a Writable capture stream collects
text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows
This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Show "by @handle" on each canvas extension card and in the details
modal, linking to the contributor's GitHub profile. Author metadata
lives in each extension's canvas.json (and external.json for external
extensions), where the rest of the canvas metadata is stored.
- Store author {name, url} in canvas.json / external.json
- Read author from canvas.json in the website data generator and emit
it to extensions.json
- Render the GitHub @handle, derived from the profile URL, as the link
text, with the contributor's name as the link title
- Escape the sanitized author URL before interpolating it into href
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add keyword display to extension cards on website
- Add .resource-keywords and .keyword-tag CSS styles for rendering keyword badges
- Update renderExtensionsHtml() to display keywords below extension description
- Keywords now visible on the website extensions page with styled badges
- Regenerate website data to include keyword metadata
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Canvas manifest implementation for all extensions
Add per-extension canvas manifests with:
- Structured canvas metadata (name, description, version, keywords)
- Screenshot definitions (icon and gallery with path/type)
- Relative paths for images within each extension directory
Enhance extension metadata:
- Generate meaningful descriptions from source analysis
- Extract and assign keywords for discoverability
- Store metadata in package.json and extension source files
Update website rendering and data generation:
- Include keywords in extension cards and search index
- Add per-extension canvas.json files for independent evolution
- Support screenshot metadata in manifest structure
- Generate extensions.json with full canonical paths for website
All 9 local canvas extensions now have complete manifests with descriptions, keywords, and screenshot references.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Tweaking some descriptions
* Fix description priority to prefer package.json over in-source metadata
Reverse the priority in canvasDescription so that package.json descriptions
(which contain the enhanced, manually-curated descriptions) take precedence
over older in-source descriptions extracted from createCanvas(...) calls.
This prevents regression when npm run website:data regenerates outputs,
ensuring that committed canvas.json files maintain the current descriptions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix canvas validation to skip external.json file
The validation script was treating extensions/external.json as if it were
a directory, causing false validation failures. Added check to skip files
(identified by presence of dot in filename) and only validate actual
canvas extension directories.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Allow label operations on pull requests in external plugin approval workflow
The sync-merged-pr-labels job needs pull-requests: write permission to
add/remove labels on merged PRs. Previously it only had issues: write which
is for issues, not pull requests. This fixes the permission error when
workflows try to modify PR labels from a non-contributor account.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Handle 403 permission errors when creating external plugin intake labels
When running on PRs from fork contributors, the GitHub token may not have
permission to create labels in the repository. This is expected and should
not cause the workflow to fail. Allow the ensureLabel function to gracefully
handle 403 Forbidden errors in addition to 422 (label already exists) errors.
This fixes the sync-pr-state job failure in external-plugin-pr-quality-gates.yml
when run on PRs from external contributors.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: Centralize label management into a single workflow_dispatch workflow
Create a new 'setup-labels' workflow that is manually dispatched and handles
all label creation and updates. This workflow:
- Creates all labels used by the repository
- Updates descriptions if labels already exist
- Reports success/failure counts
- Fails if any labels cannot be created
All individual workflows now assume labels exist and will fail (loudly) if
they don't. This makes it clear to maintainers when the setup-labels workflow
needs to be dispatched:
- label-pr-intent.yml
- skill-check-comment.yml
- external-plugin-approval-command.yml
- external-plugin-command-router.yml
- external-plugin-rereview.yml
- external-plugin-rereview-command.yml
- eng/external-plugin-intake-state.mjs
This approach is better because:
- Single source of truth for label definitions
- Avoids permission issues with fork contributors
- Clear failure modes when labels are missing
- Easier to maintain consistent label configuration
- No more scattered label creation logic across workflows
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Remove unused ensureLabel methods and managedLabels constants
Labels are now centrally managed by the setup-labels workflow and
assumed to exist in all other workflows. Removed:
- ensureLabel() methods from all 6 workflows and 1 JS module
- managedLabels constants that were only used by ensureLabel
- Promise.all() calls that invoked ensureLabel for each label
- Updated syncManagedLabels in skill-check-comment.yml to remove ensureLabel call
All workflows now assume labels exist and will fail if they don't,
which is the desired behavior—it signals maintainers to dispatch the
setup-labels workflow when new labels need to be created.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add soft-gate PR risk scanning automation
Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Harden path checks and reduce scanner false positives
Reject absolute paths, enforce repo-root containment after resolution, and tighten unpinned-version detection to dependency/version contexts to avoid markdown noise.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden soft-gate behavior and scanner coverage
Make PR risk scan workflows non-blocking on scanner/artifact edge cases, always upload artifacts, reduce required permissions, and extend scanner script detection to plugin skill paths.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The install smoke gate was hardcoding .github/plugin/plugin.json as the
expected manifest path after copilot plugin install, which caused a false
ail for plugins whose manifests live at plugin.json (root) or
.plugins/plugin.json instead of the Copilot CLI convention.
Replace the hardcoded path with a call to the existing indPluginJson()
helper that already probes all three candidate locations in priority order.
Separate the 'install directory missing' check from 'no manifest found' so
error messages surface the actual root cause.
Also fix a .plugin/ → .plugins/ typo in EXTERNAL_PLUGIN_ROOT_MANIFEST_PATHS
(external-plugin-validation.mjs) which caused the error message shown to
submitters to reference a path that indPluginJson never actually checks.
Add cross-reference comments on both constants so they stay in sync.
Closes: reported in issue #1837
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: skill-validator invocation for .github/plugin/plugin.json convention
The skill-validator --plugin mode looks for plugin.json at <dir>/plugin.json,
but external plugins (and the Copilot CLI) place it at .github/plugin/plugin.json.
This caused every external plugin with skills or agents to fail the skill-validator
gate with a misleading 'No plugin.json found' error, even when the install smoke
test passed correctly.
Extract buildSkillValidatorArgs() which reads plugin.json from
.github/plugin/plugin.json, resolves skills/agents paths relative to the plugin
root, and invokes skill-validator with --skills/--agents instead of --plugin.
Falls back to --plugin if the conventional path is not present.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: also check .plugins/plugin.json and root plugin.json locations
Extend buildSkillValidatorArgs to probe three candidate plugin.json locations
in priority order before falling back to --plugin:
1. .github/plugin/plugin.json (Copilot CLI convention)
2. .plugins/plugin.json
3. plugin.json (root — also the skill-validator's native --plugin expectation)
Extract findPluginJson() and PLUGIN_JSON_CANDIDATES constant so the list is easy
to extend. Paths in plugin.json are always resolved relative to the plugin root
regardless of where the manifest lives.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add workflow run link to external plugin intake comments
- Include a link to the GitHub Actions workflow run in intake comment
- Helps users trace which action run generated the intake report
- Works for both initial intake and re-run intake flows
- Link appears at bottom of comment for all intake states (passed/failed/quality gates)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on intake comment formatting
- Remove leading spaces from runLink construction to preserve markdown formatting
- Remove unnecessary newline prefix before runLink in quality gates section
- Move workflow run link to the very end of all comment types (after warnings)
- For merged intake comments, append link as final element
- Remove unused runId parameter from applyExternalPluginIntakeEvaluation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Generate extensions data, add the extensions listing route/navigation, and include install URL copy actions pinned to the build commit SHA.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pass an explicit 'en' locale to localeCompare for instruction title
sorting in update-readme.mjs. Previously the default OS locale was
used, causing String.prototype.localeCompare to produce different
orderings on Windows vs Ubuntu (affecting characters like Korean and
Japanese CJK titles), which made the validate-readme CI workflow
non-deterministic.
Fixes the root cause of the locale-dependent sort instability.
* Fixing path on chrome devtools external pluginPath is to the folder in the repo where the plugin structure starts, not where the plugin.json file lives.
* Updating validation scripts and guidance to avoid this mistake again
* Removing search from the home pageThis was a little confusing because there are two searches, but the overall site search is a lot more powerful
* Prefilter website search by resource page
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* small error handling and formatting
* Simplify website listing controls
Remove per-page text search, trim page-specific controls, and move remaining sort/filter controls into compact flyouts.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* removing old scripts
* consolidated folder
* Updating usage of scripts
* Adding script to generate an open PR report, rather than making AI gen it each time
* Adding step to close old quality report discussions
* feat: show external plugins on the website
Read plugins/external.json during website data generation and include
external plugins alongside local ones in plugins.json. External plugins
are flagged with external:true and carry metadata (author, repository,
homepage, license, source).
On the website:
- Plugin cards show a '🔗 External' badge and author attribution
- The 'Repository' button links to the source path within the repo
- The modal shows metadata (author, repo, homepage, license) and a
'View Repository' CTA instead of an items list
- External plugins are searchable and filterable by tags
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: address PR #937 security and UX review comments
- Add sanitizeUrl() function to validate URLs and prevent XSS via javascript:/data: schemes
- Add rel="noopener noreferrer" to all target="_blank" links to prevent reverse-tabnabbing
- Change external plugin path from external/<name> to plugins/<name> for proper deep-linking
- Track actual count of external plugins added (after filtering/deduplication) in build logs
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Initial plan
* feat: add contributors page to website
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* feat: add footer with contributors link and fix emoji-only display
- Add custom Starlight Footer component with 'Made with ❤️ by our
amazing contributors' linking to /contributors/
- Filter out contribution types without emoji mappings in the
contributor data generation so only emojis (🎭🎁🧭⌨️🧰) are
shown on the contributors page, not text labels like 'code' or 'doc'
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: use all-contributors HTML output for contributors page
- Restyle all-contributors generated table as a responsive card grid
using CSS grid on tbody with card-styled td cells
- Remove old custom JS search/filter UI and contributors.ts script
- Remove generateContributorsData from data pipeline (no longer needed)
- Keep all-contributors markers for bot regeneration
- Include updated contributor data from .all-contributorsrc
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: CSS fixes for contributors page Starlight compatibility
- Override Starlight table width/overflow to prevent clipping
- Force td width: 100% to counteract HTML width="14.28%" attribute
- Set emoji links to display: inline to prevent vertical stacking
- Improve border visibility with lighter gray color
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The marketplace currently only includes plugins that live as local
directories in plugins/. This makes it impossible to list plugins
hosted in external GitHub repos, npm packages, or other git URLs.
Add plugins/external.json as a hand-curated list of external plugin
entries following the Claude Code plugin marketplace spec. The
generate-marketplace script now reads this file and merges external
entries as-is into the generated marketplace.json, sorted by name.
Changes:
- Add plugins/external.json (empty array, ready for entries)
- Update eng/generate-marketplace.mjs to load, merge, and sort
external plugins; warn on duplicate names; log counts
- Document the external plugin workflow in CONTRIBUTING.md and
AGENTS.md
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(schema): add external recipe fields to cookbook schema
Add optional external, url, and author fields to the recipe schema
in cookbook.schema.json. When external is true, url is required via
conditional validation. Author supports name (required) and url
(optional) for attribution.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(data): support external recipes in data generator
- External recipes (external: true) skip local file validation
- Validate URL format for external recipes
- Pass through external, url, and author fields to output JSON
- Add per-recipe languages array: derived from resolved variant keys
for local recipes, and from tags matching known language IDs for
external recipes
- Collect language IDs in a first pass before processing recipes
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(website): render external recipe cards on cookbook page
- Extend Recipe interface with external, url, author, and languages
- Render external recipes with Community badge, author attribution,
and View on GitHub link instead of View Recipe/View Example buttons
- Language filter uses per-recipe languages array uniformly
- Remove Nerd Font icons from select dropdown options (native selects
cannot render custom web fonts)
- Add CSS for external recipe cards (dashed border, badge, author)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(cookbook): add community samples section with first external recipe
Add a Community Samples cookbook section to cookbook.yml with the
Node.js Agentic Issue Resolver as the first external recipe entry,
linking to https://github.com/Impesud/nodejs-copilot-issue-resolver.
Resolves the use case from PR #613 for supporting external samples.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(cookbook): add Copilot SDK Web App to community samples
Add aaronpowell/copilot-sdk-web-app — a full-stack chat app built with
the GitHub Copilot SDK, .NET Aspire, and React.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Update parseWorkflowMetadata to extract triggers from the 'on'
property keys (e.g. schedule, issue_comment) instead of a separate
'triggers' field. Remove tags support from workflows since workflows
don't use tags.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
During the staged→main publish, after materializing files into plugin
directories, rewrite each plugin.json to replace individual file paths
with folder references so consumers on main get directory-level entries.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>