Commit Graph

1944 Commits

Author SHA1 Message Date
Gijs Reijn b6a84a833b Refine Pester migration skill by removing release candidate (#2278)
* Refine Pester migration skill descriptions and remove release candidate notes

* Take Copilot remark
2026-07-13 09:56:54 +10:00
Andrea Liliana Griffiths 0916fe444d Add APNG Studio canvas extension (#2272)
* Add APNG Studio canvas extension

APNG Studio is an interactive GitHub Copilot canvas extension for building
Animated PNG (APNG) files from frames: draw or upload frames, tune per-frame
timing and compositing, preview live, send the result to a phone by QR, and
export an animated .png.

Adds extensions/apng-studio/ with the required .github/plugin/plugin.json and
assets/preview.png, and regenerates .github/plugin/marketplace.json.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback for APNG Studio

Security and robustness (extension.mjs):
- Reject "." and ".." project ids so canvas/action input cannot resolve
  outside artifacts/.
- Bound request bodies (1 MiB JSON, 40 MiB frame upload); return 413 when
  exceeded.
- Reject malformed JSON with 400 instead of coercing to {}, so a truncated
  body cannot trigger destructive routes such as /frames/clear.
- Scope shares per project so one canvas cannot rotate or stop another's
  share; the LAN server is shared and torn down once no shares remain.
- get_state treats hiddenFirst as active only with >=2 frames, matching the
  encoder, so a single-frame project reports the correct duration.

Accessibility (web/):
- Expose Pen/Eraser state with aria-pressed and keep it in sync in setTool.
- Mark the toast as an aria-live status region.

Packaging:
- Add extensions/apng-studio/.gitignore with artifacts/ so the documented
  runtime-data exclusion holds for this extension.
- Update the README install section to reference the committed awesome-copilot
  extension path.

Regenerated .github/plugin/marketplace.json.

* Use "GitHub Copilot app" wording

Update the plugin description (and regenerated marketplace entry) to refer to
the host as the GitHub Copilot app.

* Address deeper review for APNG Studio

Security:
- Require a per-server access token on every loopback data/mutation request
  (minted per canvas server, carried in the iframe URL, attached to every
  renderer request). Static assets stay public. Blocks a local process or
  cross-origin page from reading state or driving mutations.

Concurrency and durability:
- Serialize the load-mutate-save cycle per project; dedupe concurrent first
  loads; write project.json via temp file + rename.

Lifecycle:
- Track SSE clients per instance and end them before server.close().
- Stop a project's LAN share only when no other panel references it.

Correctness:
- Report exact numerator/denominator total duration; handle pointercancel.

QR and accessibility:
- Place QR version bits least-significant-bit first (versions 7-10).
- Associate delay/fps/dispose/blend labels with their inputs via for=.

* Address deeper concurrency and validation review for APNG Studio

- Run assemble() under the project lock; add_color_frame renders and appends
  within one lock.
- Validate uploaded frames (PNG chunk scan, size + dimension checks) before
  writing; first frame stores real dimensions; CanvasError maps to 400.
- Validate move delta; clear frames in memory before deleting files.
- Route the open-handler rename through applySettings.
- Deduplicate LAN share startup; clean up if the canvas closes mid-start.
- End SSE streams before server.close(); skip dead streams in broadcast.
- Exact fractional duration; drawing surface stays >= 1px; refresh state before
  re-seeding "start from last frame".

* Address review: PNG format validation, share bind, limits, a11y

- Validate uploaded frames are 8-bit RGBA non-interlaced PNGs (standard
  compression/filter); reject formats the codec can't encode.
- Cap projects at 600 frames (add + duplicate).
- Bind the LAN share server to the private address, not 0.0.0.0; require a
  private address and rebind when it changes while idle; build the URL from the
  bound address.
- Align width/height inputs and clampSize to the 2048 maximum.
- Size the drawing surface by width + aspect ratio for narrow panels.
- set_frame with an unknown frameId returns a validation error.

* Address review: encoded-byte budget, timing modes, id keys, load errors

- 256 MiB aggregate encoded-byte budget (add + duplicate); per-frame size
  tracked and backfilled on load, so a frame count alone no longer bounds
  assembly memory.
- Frame timing is one exclusive mode (delayMs | fps | delayNum/delayDen);
  combinations are rejected instead of producing hybrid delays.
- Collision-resistant project storage keys: safe ids are used verbatim (existing
  projects still load) and only unsafe ids get a hash suffix, so "foo/bar" and
  "foo?bar" can't share a directory.
- Load only treats a missing file as a new project; other read/parse errors
  surface instead of silently overwriting real data.
- Share server binds to a real LAN interface (skips virtual/VPN/container,
  prefers physical NICs and common ranges).
- Generated export names get millisecond + random suffix to avoid same-second
  overwrite.
- PNG validator accepts the encoder's Uint8Array so agent solid-color frames
  aren't rejected.

* Address review: crash-safe frame writes, server startup, APNG first frame

- Write the PNG before mutating project metadata on add/duplicate, and delete
  after persisting, so an interrupted disk op can't dangle a reference or
  advance unsaved state.
- Evict a project from the in-memory cache if its save fails, so a transient
  write error can't desync the live session from disk.
- Reject on the loopback server's listen error and drop a half-initialized
  instance so startup failures clean up and can retry.
- Normalize APNG dispose_op PREVIOUS to BACKGROUND on the first animated frame
  (spec requirement).
- Release decoded ImageBitmaps after use so a large upload batch doesn't retain
  native image memory.
- Surface otherwise-silent async UI failures via a toast; check the state
  response is ok before parsing it.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-13 09:53:55 +10:00
github-actions[bot] f8d98b41d1 [bot] Add GPT-5.6, /refine command, plugin dashboard, and v1.0.70 features to Learning Hub (#2258)
* docs: update Learning Hub with v1.0.69-v1.0.70 Copilot features

- Add GPT-5.6 model to building-custom-agents.md model table (v1.0.70+)
- Add /refine command documentation to copilot-configuration-basics.md (v1.0.70+)
- Add --sandbox/--no-sandbox startup flags to copilot-configuration-basics.md (v1.0.70+)
- Add .github/copilot/settings.json trusted repo model pinning (v1.0.70+)
- Add SHA pinning for marketplace registrations to installing-and-using-plugins.md (v1.0.70+)
- Add /plugins interactive dashboard to installing-and-using-plugins.md (v1.0.69+)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update website/src/content/docs/learning-hub/installing-and-using-plugins.md

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-13 09:51:47 +10:00
Aaron Powell 30472ecf0f Harden external plugin gate comment output safety (#2265)
* Harden external plugin gate comment rendering

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix gate output truncation after HTML escaping

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-07-10 16:20:01 +10:00
Aaron Powell 1af733e9df Removing the / from the plugin as it's not required (#2260) 2026-07-10 14:37:07 +10:00
Aaron Powell bb4766e226 Fix external plugin gate manifest paths and diagnostics (#2261)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-10 14:31:25 +10:00
Aaron Powell e03696a5bf Replace resource modals with dedicated detail pages and richer install options (#2246)
* feat(website): dedicated agent detail pages instead of modal

Replace the popup/modal viewer for agents with dedicated per-agent pages at /agent/<id>/ for real URLs and better deep linking.

- Build-time rendered docs (marked + gray-matter) with a details sidebar
- Sidebar Actions card: Install split-button (VS Code/Insiders/Download/Copy markdown), Share, View on GitHub
- Cards now link natively via anchors (no modal); card-render gains optional href (backward compatible for other types)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* feat(website): dedicated instruction detail pages + shared detail layout

Extend the dedicated detail-page pattern (introduced for agents) to
instructions, and factor the shared behavior/styles out for reuse:

- Add instruction/[id].astro with build-time markdown render, breadcrumb,
  install split-button (VS Code/Insiders/Download/Copy markdown), Share,
  View on GitHub, and a details sidebar (Applies to / Source / Last updated)
  plus collapsible frontmatter.
- Extract shared client behavior into resource-detail.ts (renamed from
  agent-detail.ts) keyed on [data-resource-detail].
- Move detail-page CSS into global.css under .resource-detail-page.
- Point the agent detail page at the shared script/styles.
- Instruction cards now link to /instruction/<id>/ and the modal is removed
  from the instructions listing.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* refactor(website): extract shared detail-page components

Break the agent and instruction detail pages down into reusable Astro
components under src/components/pages: Breadcrumb, Header, Main, Sidebar,
SidebarChips, InstallButtons, and RawMarkdown. Both detail pages now
compose these components instead of duplicating markup.

Fix RawMarkdown to read the `markdown` prop (matching both call sites) and
emit exact text via set:text, which restores the Copy markdown action that
had silently broken when the hidden textarea stopped rendering.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* refactor(website): share detail-page build logic in lib/detail-page

Both detail pages duplicated the install/GitHub URL builders, the
build-time markdown read+render, and the last-updated formatting. Move all
of it into a DOM-free build-time helper (src/lib/detail-page.ts) exposing
loadDetailPage(item, type), and reduce each [id].astro to a single call plus
its type-specific chip data.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated skill detail pages with multi-file browser

Migrate skills from the popup/modal viewer to dedicated per-item pages
(/skill/<id>/) matching the agent and instruction detail pages.

Skills need a few skill-specific mechanics:
- Install via `gh skills install github/awesome-copilot <id>` (copyable),
  since skills have no VS Code install URL.
- Download ZIP for the multi-file skill contents.
- A file browser that defaults to SKILL.md and lets you inspect other
  files, with Shiki syntax highlighting for code and marked-rendered
  markdown. SKILL.md is embedded (rendered + raw) at build time; other
  files are lazy-fetched on demand and cached. Deep links via #file=.

Also fixes a production build regression in the shared detail-page
helper: repoRoot now resolves via process.cwd() instead of import.meta
.url, which resolved incorrectly once bundled and silently returned
empty markdown (breaking rendered docs + copy-markdown for agents and
instructions too).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Replace skill file list with a dropdown selector

The two-column file browser (side list + content pane) was cramped,
splitting the already-narrow main column in half. Replace the side list
with a dropdown in the file view header so the content pane spans the
full width.

- Multi-file skills get a <select> grouped by folder via <optgroup>,
  SKILL.md first. Single-file skills keep a static filename label.
- Client script drives selection from the <select> change event instead
  of the removed file buttons; deep links, copy-file, Download ZIP, and
  Share all read the file list from the select options.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix skill sidebar card overflowing its column

The install command in the actions card used white-space: nowrap, which
gave the grid tracks a large min-content size. Grid items default to
min-width: auto (won't shrink below content), so the actions card grew
past the 352px sidebar, making it look wider than the agent/instruction
sidebars. Add min-width: 0 down the sidebar grid chain so the command
box stays within the column and scrolls horizontally instead.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Make skill file content pane grow to full page height

Remove the fixed max-height/overflow on .skill-file-content so file
content flows to natural height and the page scrolls, instead of a
nested inner scroll region. Shiki <pre> keeps its own horizontal scroll.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Center-align skill file picker label with the select

Reset the Starlight-injected margin-top on .skill-file-select so the
'File' label and the dropdown share a common vertical midline.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Render code files edge-to-edge in skill file viewer

For code files, drop the container padding and the pre border/radius so
the highlighted code fills the full column width. Markdown files keep
their padded, bordered layout. Toggled via an is-code class on the
content pane based on the selected file kind.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated detail pages for hooks with a reusable file browser

Hooks had no good install path (manual copy or ZIP), so mirror the
Skills dedicated-page pattern: a multi-file browser plus a Download ZIP
action, replacing the modal on the hooks listing.

Generalise the Skills-specific file browser so both resource types share
one implementation:
- Rename SkillFileBrowser.astro -> FileBrowser.astro with neutral props.
- Rename skill-detail.ts -> file-browser.ts with neutral data attributes
  (data-file-browser-page, data-bundle-id, data-primary-file).
- Rescope install-slot styles under a shared .bundle-detail-page class.
- generate-website-data: rename getSkillFiles -> getFolderFiles and emit a
  files[] + readmeFileName for each hook.

Hooks list cards now deep-link to /hook/<id>/ instead of opening a modal.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated detail pages for workflows

Migrate agentic workflows from the popup/modal viewer to dedicated per-item pages (/workflow/<id>/) with deep linking, matching the pattern used for agents, instructions, skills, and hooks.

Workflows are single .md files, so they reuse the single-file detail components (Main, Sidebar, Header, Breadcrumb, RawMarkdown) and the resource-detail client script. Since workflows have no VS Code install, the install slot instead documents the gh aw CLI flow and offers Download + Copy markdown actions.

Also rescope the shared install-slot CSS from .bundle-detail-page to .detail-actions-card so skill, hook, and workflow pages share it without a page-specific class, and drop the now-unused bundle-detail-page class from the skill and hook pages.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Format workflow install note

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated plugin detail pages

Replace the plugins modal with dedicated /plugin/<id>/ pages that deep link, render the bundled README, and surface an Included items section linking each constituent agent/skill/instruction/hook to its own detail page (falling back to GitHub for items without a page, e.g. extensions).

- generate-website-data: resolve plugin items to detail URLs + titles, add readmeFile for local and extension-derived plugins
- new IncludedItems component groups bundled resources by kind
- plugin/[id].astro handles local, extension-derived, and external plugins with VS Code + CLI install actions
- resource-detail: copy-install handler shared with detail pages
- plugins list cards now deep link; modal wiring removed

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Show plugin version, ref, and commit in detail sidebar

Capture version from plugin.json (local + extension-derived) and external.json, and surface it in the plugin detail Details card. For external plugins, also show the pinned source ref and short commit SHA when present.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add dedicated canvas extension detail pages with preview gallery

Replace the extensions modal with per-extension pages at /extension/<id>/,
mirroring the skill/plugin detail layout. Each page shows a preview image
gallery, README docs (or an About fallback), and a sidebar with install
actions and details (version, canvas ID, keywords, author, commit).

- generate-website-data.mjs: emit readmeFile for extensions
- extensions-render.ts: deep-link cards to detail pages
- extensions.ts: strip modal/gallery wiring, keep filter/sort/copy actions
- resource-detail.ts: add copy-install-url action
- extension-gallery.ts: thumbnail switching for multi-image previews

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add VS Code Insiders and GitHub Copilot app install links

Introduce a shared PluginInstall component used by both plugin and canvas
extension detail pages. It renders a split-button dropdown deep-linking into
VS Code, VS Code Insiders, and the GitHub Copilot app (ghapp://), plus the
CLI command for internal items.

- Internal plugins/extensions: ghapp://plugins/install?source=<id>@awesome-copilot
- External plugins: ghapp://plugins/marketplace/add?source=<owner/repo>
- ghapp source values are URL-encoded per the app's deep-link contract

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Make GitHub Copilot app the default install option

Promote the ghapp:// deep link to the primary split-button action and list
it first in the dropdown, ahead of VS Code and VS Code Insiders.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Ignoring impeccable files

* Make Extensions grid Copy Install a direct Copilot app install

Replace the CLI-command copy button on extension cards with an
'Install in Copilot app' deep link (ghapp://plugins/install) for internal
extensions, matching the detail page. External extensions keep the Copy URL
fallback since they have no Copilot app install path.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on detail pages

- Remove DOM innerHTML read/write round trip in file browser cache
  (CodeQL js/xss-through-dom); seed primary file from raw text and
  render lazily.
- Use Shiki dual light/dark themes in the file browser and add dark
  mode CSS overrides.
- Guard decodeURIComponent for #file= deep links against malformed
  percent-encoding.
- Slugify SidebarChips title before using it in the tag class name.
- Use a neutral aria-label on the shared detail Sidebar.
- URL-encode the external plugin source in VS Code and Insiders
  install links.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Prevent client-side path traversal in file deep links

Addresses the CSPT-to-XSS class reported in github/open-source#1739.
A '#file=' hash value containing '../' sequences could resolve outside
the awesome-copilot repo prefix once normalized by fetch, loading
attacker-controlled content that was then rendered into the page.

- Add isSafeRepoFilePath() and enforce it at the raw-URL choke point
  (getRawGitHubUrl, fetchFileContent, downloadFile, getVSCodeInstallUrl),
  so no consumer can escape the repo prefix.
- Validate the decoded '#file=' path in the modal hash handler and guard
  its decodeURIComponent against malformed input.

The new hash-based file browser already restricts deep links to an
allowlist of build-time file descriptors; the choke-point guard is an
additional backstop.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix accessibility violations on resource detail pages

Run the a11y audit against the new detail pages and resolve every
critical/serious axe violation it surfaced:

- Nest the detail column as a <div> instead of a second <main>, fixing the
  duplicate/non-top-level/non-unique landmark rules on every detail page.
- Add a shared enhanceMarkdownA11y() helper that makes rendered <pre>/<table>
  blocks keyboard focusable and gives task-list checkboxes a state-based
  accessible name; apply it at build time and in the client file browser.
- Make Shiki-highlighted code and install-command <code> blocks focusable.
- Underline links inside rendered docs and install notes so they are
  distinguishable without color, overriding the global #main-content reset.
- Extend the a11y audit to cover one representative page per detail type.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix file browser GitHub URL handling

Encode selected file paths before assigning GitHub detail links and render load errors with DOM APIs so DOM-derived file names are not reinterpreted as markup.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on detail pages and file browser

- Deep-link plugin extension items to their /extension/<id>/ detail pages:
  generate canvas extensions before building the resource index, and index
  extensions (by id and folder basename) so resolvePluginItem can resolve them.
- Render image files in the bundle file browser via an <img> tag built from the
  safe raw URL instead of decoding binary assets as UTF-8 text; skip the
  copy-file action for images.
- Use a neutral 'Install' heading on internal plugin and extension pages so the
  split-button primary label accurately communicates the target.
- Warn (with the file path) when readResourceMarkdown fails instead of swallowing
  the error silently, keeping the build unbroken.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on install links, dropdown a11y, and ZIP downloads

- externalRepoUrl (plugin detail pages) now builds the 'View on GitHub' tree
  URL from the pinned source.ref or source.sha, falling back to main only when
  neither is present, so the link matches the sidebar Ref/Commit chips.
- Install split-button dropdown on resource detail pages is now keyboard
  accessible: opening focuses the first item, ArrowUp/ArrowDown wrap, Home/End
  jump, and Escape closes and restores focus to the toggle, mirroring modal.ts.
- downloadZipBundle fetches each file as an ArrayBuffer and hands it to JSZip so
  binary assets (PNG/JPG/etc.) are preserved instead of corrupted by UTF-8 text
  decoding.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on external repo links and workflow install note

- externalRepoUrl now uses a pinned source.ref/sha even when the external
  plugin has no path, returning /tree/<ref> so "View on GitHub" points at the
  pinned revision and stays consistent with the sidebar Ref/Commit chips.
- Reflow the workflow install note so each inline code and link element stays on
  a single line (using explicit whitespace expressions for word spacing),
  removing the split end-tag artifacts while preserving the exact rendered text
  and spacing.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Harden repo path validation and fix Included Items file links

- isSafeRepoFilePath now fails closed on any "%" so percent-encoded dot-segments
  (%2e%2e and double-encoded %252e%252e) cannot be normalized back into path
  traversal by the browser URL parser during fetch, and also rejects "." and
  empty path segments. Legitimate repo paths never contain these.
- IncludedItems githubHref now links file paths via /blob/ and directories via
  /tree/, detecting files by a trailing extension on the last path segment, so
  the fallback links for agent/instruction/command items no longer 404.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Harden detail pages: sanitize markdown, fix search deep-links and external URLs

Addresses rubber-duck review items 1-5 for the detail-page migration:

1. Sanitize rendered markdown as untrusted HTML. Add isomorphic
   sanitize-html helper (isomorphic-dompurify) applied in the build-time
   pipeline (detail-page.ts) and the client file browser before a11y
   enhancement, so marked output can no longer inject scripts/handlers.
2. Point Pagefind search results at canonical /type/id/ detail pages
   instead of inert #file= listing hashes for types that have a detail page.
3. Sanitize external/generated URLs on plugin and extension detail pages
   and their render scripts so only http(s) links are emitted.
4. Add a shared externalRepoUrl helper that pins GitHub links to the
   source ref/sha (preferring sha) with encoded path segments, replacing
   the duplicated always-main logic in the pages, modal, and renderers.
5. Handle #file= hash navigation after initial load in the file browser
   via a hashchange listener.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Detail pages: clickable filter chips + code-block copy buttons (#2255)

* Add clickable filter chips on detail pages

Turn read-only metadata chips into navigation: tags (hooks/plugins),
keywords (extensions), and extensions (instructions) now link to their
list page pre-filtered by that value (e.g. /hooks/?tag=testing).

SidebarChips gains optional filterBase/filterParam props; when both are
set each chip renders as an <a> with an aria-label and hover/focus
styling, otherwise it stays a plain <span>. Agent/skill/workflow chips
are unchanged. Filtering was verified end to end against each list
page's existing query-param handling.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add copy buttons to documentation code blocks

Detail-page markdown is rendered as plain <pre><code> with no syntax
highlighter, so code and config snippets had no copy affordance. Add a
hover-revealed copy button to every code block in the rendered docs:
copies to the clipboard, shows a toast, and swaps to a check icon for
confirmation. Buttons are keyboard-accessible, always visible on touch
devices, and respect reduced-motion. The sidebar frontmatter block is
left untouched.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix detail-page GitHub links, empty-state link contrast, and file cache

Addresses four PR review comments on the detail-page migration:

- skill/hook detail pages: build the sidebar "View on GitHub" link from a
  /tree/main base instead of /blob/main, since item.path is a directory and
  /blob/<dir> URLs 404. The FileBrowser githubBase stays on /blob for
  individual file links.
- global.css: include .detail-empty a in the underline override so links in
  empty-state notes stay distinguishable without relying on color alone
  (WCAG 1.4.1 / axe link-in-text-block).
- file-browser.ts: seed the primary file's cache with its already-rendered
  (frontmatter-stripped) HTML in addition to raw text, so re-selecting the
  primary file after navigating away no longer re-renders the raw source and
  surfaces frontmatter. Copy still uses the full raw text.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
2026-07-10 13:23:53 +10:00
samqbush aa99d75baa Add arch plugin (architecture + modernization skills) (#2253)
* Add arch plugin (architecture + modernization skills)

Add the `arch` plugin with two skills:
- `arch:document` — produce a single, cited architecture document for a
  locally-cloned repo, reading files on disk only.
- `arch:modernize` — generate a phased modernization plan, auto-running the
  document workflow first when no architecture doc exists.

Skill sources live in top-level skills/ and are referenced declaratively
from plugins/arch/.github/plugin/plugin.json, per the repo's plugin model.
Regenerated docs/README.plugins.md, docs/README.skills.md and marketplace.json.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Merge arch skills into single doc-and-modernize skill

Collapse the document and modernize skills into one standalone skill
(doc-and-modernize) with Documentation and Modernization modes, keeping
the plugin named arch. Modernization mode now runs the Documentation
workflow inline instead of invoking a separate arch:document skill,
fixing standalone-install cross-skill references. Reframe Documentation
mode as local-first (remote/API lookups are a flagged last resort)
rather than local-only. Regenerate docs and marketplace.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review: list skill by bare ID in arch README

Use 'doc-and-modernize' (repo convention) instead of the namespaced
'arch:doc-and-modernize', noting it surfaces as arch:doc-and-modernize
when installed via the plugin.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review: use non-HTML placeholder in instructions template

Change plain-text <PROJECT NAME> to [PROJECT NAME] in the header and
first paragraph so Markdown renderers don't parse it as an HTML tag and
drop it. The code-span `<N>` on the phase line is unaffected.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review + fix codespell CI failure

- Fix codespell: pre-empts -> preempts in the instructions template
- Consistent terminology: replace 'research step/workflow' with
  'Documentation mode' in SKILL.md, README, and plugin.json description
- Fix run-on: add 'that' before 'Modernization mode must surface'
- Regenerate docs/marketplace for the updated plugin description

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback

- Instruct redacting credentials/tokens from git remote URLs before recording
- CI enforcement: ask user or mark [UNVERIFIED]; remote lookup is flagged last resort

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: samqbush <samqbush@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-10 10:30:32 +10:00
Aaron Powell 2b8b7b2fd1 Narrow risk scan version matching (#2251)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-10 10:15:44 +10:00
Swetha Kumar d203b6ee69 Rename mcp-security-baseline -> mcp-implementation-security-review and sharpen description (#2257)
Renames the skill so its name makes the source-code-review scope explicit and
distinct from the existing config-focused `mcp-security-audit` skill (the
duplicate-detection check flagged the shared `mcp-security-` prefix; it is
advisory only). Also sharpens the description's first line to lead with
"implementation source code of MCP servers, clients, and tool handlers".

- Rename folder skills/mcp-security-baseline -> skills/mcp-implementation-security-review
- Update name field and H1 heading to match
- Regenerate docs/README.skills.md

Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-10 07:43:32 +10:00
github-actions[bot] 44ffa65c50 docs(learning-hub): update auto allow-all mode to require experimental (#2239)
Per v1.0.69-3 (2026-07-07), the /allow-all auto mode now requires
experimental features to be active (/experimental on or --experimental).
The previous AUTO_APPROVAL env var approach has been removed.

Update the auto allow-all mode note in Copilot Configuration Basics
to document the experimental mode requirement and activation steps.

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-09 00:56:21 +00:00
Sunil Sattiraju c7babcfa68 Add foundry-hosted-agent-copilotkit skill (#2226)
* Add foundry-hosted-agent-copilotkit skill (development-focused)

Reworked from PR #2090 feedback: drops all scaffolding/sample-template
content and focuses on ongoing development with CopilotKit + AG-UI +
Azure AI Foundry hosted agents — adding/gating tools, human-in-the-loop
approvals, generative UI and shared state, event-stream debugging,
pre-1.0 dependency upgrades, and the hosted-agent deploy loop.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Add HITL code examples to foundry-hosted-agent-copilotkit skill

Address review feedback: the .NET approval paragraph was prose-only.
Add a .NET snippet from the official Step04_HumanInLoop sample and
correct the type/behavior (ToolApprovalRequestContent; convert—not
remove—the request_approval call/result). Also add live-verified
Python snippets for hosted-agent approval-forwarding (#6652) and the
previous_response_id #6851 guard.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-09 10:50:35 +10:00
Swetha Kumar 72fae201df Add mcp-security-baseline skill (#2212)
* Add mcp-security-baseline skill

An Agent Skill that reviews MCP server and client source code against a security
baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance
report with file/line evidence. Complements mcp-security-audit, which checks
.mcp.json configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback: remove ignored keywords field, link MCP spec

- Remove the top-level `keywords` field: it is not a recognized skill
  front-matter field and is ignored (skills are indexed for search by
  name + description only). The keyword terms are already present in the
  description, so discovery is unaffected.
- Link the MCP 2025-03-26 specification at the protocol-version check so
  the agent has it for quick reference.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback: fix unsafe-deserialization example, link current MCP spec

- Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)`
  to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage.
- Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26
  baseline on the protocol-version check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-09 00:49:40 +00:00
Ather 836ca8e4e5 fix: update package.json main field to update-readme.mjs (#2244) 2026-07-09 10:46:04 +10:00
Muhammad Ubaid Raza 93372200cb chore: standardize agent documentation markdown, fix formatting, add MANDATORY clauses, and update output formats across agents (#2247) 2026-07-09 10:06:44 +10:00
Jakub Jareš fb2922519f Update assertion-map.md for Should-Not-Throw syntax (#2248) 2026-07-09 09:35:10 +10:00
Aaron Powell 49d020f31a Fix kanban refresh error exposure (#2242)
Stop the accessibility kanban extension from persisting raw refresh failure details to browser-visible state. Use a generic safe error message for clients, clear any previously persisted detailed refresh errors during state normalization, and keep detailed diagnostics server-side via console logging.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-08 12:34:05 +10:00
James Montemagno 0e208f59fc Add Tiny Tool Town submission canvas (#2240)
* Add Tiny Tool Town submission canvas

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add generated description choices

Resolve picker opens from the active session working directory so linked worktrees work without an explicit repository path.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address Tiny Tool review comments

Detect root .csproj files as build signals and hide canvas access tokens from the visible URL after first load.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address latest Tiny Tool review comments

Handle root-relative README images, preserve drafts during refresh, and suppress GitHub mentions before public issue creation.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address canvas shutdown and CSP review

Close all canvas servers during shutdown, use nonce-based CSP, make theme optional, and hide decorative preview dots from assistive tech.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-08 12:06:39 +10:00
James Montemagno 49e83892cb Add Work Hub canvas extension (#2238)
* Add Work Hub canvas extension

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address Work Hub review feedback

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-08 12:05:10 +10:00
James Montemagno 314cf968ab Add Repo Actions Hub canvas extension (#2237)
* Add repo actions hub extension

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Fix repo actions hub review feedback

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-08 12:04:09 +10:00
jennyf19 2b777b3933 Update Ember agent to claude-opus-4.7 (#2236)
Bump default model to latest Claude Opus release.

Co-authored-by: Jenny Ferries <jennyf19@users.noreply.github.com>
2026-07-08 12:02:07 +10:00
David Gilbert 58024e5bde Update Datadog plugin repository to datadog-labs/copilot-plugin (#2231)
Datadog renamed their repo from vscode-plugin to copilot-plugin.
2026-07-08 11:55:16 +10:00
James Montemagno 34f0e35050 Fix duplicate PR check role gating (#2241)
Remove the read-only role override from the PR duplicate check so gh-aw pre-activation gates unsupported actors before the PR checkout step runs.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-08 11:23:01 +10:00
James Montemagno cb2a6022d7 Fix installed canvas repo scope follow-up (#2230)
* Address canvas review feedback

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Optimize arcade sprite sheet

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Shrink arcade extension package files

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address backlog canvas API review

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Compress arcade defender sounds

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-07 13:45:13 +10:00
github-actions[bot] 1f92908fa8 learning-hub: update docs for v1.0.67–v1.0.69 CLI releases (#2229)
- Add /mcp list command (shows attached servers mid-turn) to understanding-mcp-servers
- Add stayInAutopilot setting to CLI settings table in copilot-configuration-basics
- Add auto allow-all mode (LLM judge-based approval) to copilot-configuration-basics
- Add kimi-k2.7-code model to the model selection table in building-custom-agents
- Update lastUpdated dates on all three modified pages

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-07 12:06:15 +10:00
David Pine d61dfdcddc fix(website): remediate WCAG accessibility issues and add axe regression guardrail (#2180)
* fix(website): remediate WCAG accessibility issues and add axe regression guardrail

Fixes accessibility violations found by an axe-core sweep of every website
page in both light and dark themes:

- aria-allowed-role (WCAG 1.3.1, 4.1.2): the shared resource card rendered
  an <article> with role="listitem", which is not an allowed role for that
  element. Switched the wrapper to a <div role="listitem"> so the listitem
  role is valid (affected every card, e.g. #arcade-canvas on /extensions/).
- aria-required-children (WCAG 1.3.1): removed role="list" from the tools,
  contributors, and cookbook containers whose children are not list items.
- nested-interactive (WCAG 4.1.2): removed tabIndex=0 from extension cards
  and rendered the author as a non-interactive span so no interactive
  control is nested inside another (the author link remains in the modal).
- color-contrast (WCAG 1.4.3): gave .btn-primary explicit white text with an
  AA-compliant hover (#7326d6), and bumped the dark-theme secondary text gray
  (--sl-color-gray-3) to #84849c (5.32:1) so ToC / meta / footer text passes.

Adds a checked-in regression guardrail:

- website/scripts/a11y-audit.mjs runs axe-core over all routes in both themes
  against the production build and fails on critical/serious violations only
  (moderate/minor are reported but non-blocking). Transitions/animations are
  disabled before sampling so axe measures settled, steady-state colors
  instead of mid-theme-transition frames.
- Adds npm scripts (website:a11y at the root, a11y in website/) and README
  docs. The matching Build Website CI step is proposed in the PR description
  (omitted from this commit because the authoring token lacks workflow scope).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix(website): harden a11y audit per PR review

- Fail fast when a route navigation returns a non-2xx response, so the
  guardrail can't silently pass against a broken/missing route (page.goto
  resolves even for 4xx/5xx).
- Launch the Astro preview server via `node <astro-bin>` instead of
  `spawn(..., { shell: true })`. Removing the shell layer keeps signal
  delivery / detached-PGID shutdown predictable; resolving Astro's bin and
  running it with process.execPath also avoids the EINVAL that modern Node
  raises when spawning the npx.cmd shim without a shell on Windows.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: David Pine <7679720+IEvangelist@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-07 11:11:17 +10:00
github-actions[bot] 96f3275a66 sync: update cli-for-beginners ch03 and ch05 from upstream (#2203)
Chapter 03 (Development Workflows):
- Add /branch and /fork session-branching section to Workflow 5
- Update /diff description to note it works in non-git folders
- Update Workflow 5 summary to include /branch

Chapter 05 (Skills):
- Add argument-hint SKILL.md frontmatter property to properties table
- Expand Managing Skills section with copilot skill terminal command (Option 1)
- Document /skill as shortcut alias for /skills (Option 2)
- Update Key Takeaways to reflect argument-hint and copilot skill

Synced from upstream commits:
- db287eefea68 (docs: add copilot skill CLI command, /branch alias)
- aec96cfd6175 (Update README for clarity on branching commands)
- 296db3e76acf (Rephrase skills management instructions for clarity)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-07 11:10:43 +10:00
David Gilbert 2ac83c7a46 Update Datadog plugin to v0.7.21 (#2193)
* Update Datadog plugin to v0.7.21

* Update Datadog plugin to v0.7.21

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-07 10:56:40 +10:00
James Montemagno e370b97107 Fix canvas repo detection and shrink oversized preview images (#2227)
Canvas extensions (accessibility-kanban, where-was-i) resolved git state
against the extension's install directory or the session-state folder
instead of the repo the session was opened in. This broke repo/branch
detection for user-scoped installs and worktrees ("unknown/unknown",
"detached HEAD"). Both now read the active session's working directory
from the canvas request context on open and on each action, so they
follow whichever project/worktree opened them.

where-was-i also re-gathers context on open when the saved branch is
blank, so it never opens stuck on stale data.

Also compress oversized extension preview images (pngquant, with a mild
resize for the photographic arcade-canvas art) so every preview.png is
comfortably under the installer's inline-byte cap that was blocking
release-notes-showcase from installing.

Update release-notes-showcase author to Kayla Cinnamon.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-07 10:54:51 +10:00
Ari LiVigni ContinuousG33k 969d814f7e Update gh-skills-builder to v1.0.3 (#2228)
* chore: update gh-skills-builder to v1.0.2

Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com>

* Update gh-skills-builder to v1.0.3 with new commit sha

Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com>
2026-07-07 10:52:57 +10:00
Aaron Powell e986f49695 Migrate extension metadata to plugin.json and enforce conventions (#2177)
* Remove pluginRoots property from marketplace.json

The pluginRoots property is not used by install tooling and was only
informational about the extension/plugin source directories. Removing it
simplifies the marketplace.json structure while maintaining all functionality.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Migrate java-modernization-studio to plugin.json and update validation workflow

- Create .github/plugin/plugin.json for java-modernization-studio extension
- Remove legacy canvas.json from java-modernization-studio
- Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json
- Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json)
- Remove schema validation logic that relied on canvas.schema.json
- All 12 extensions now use plugin.json for metadata

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Add extensions field to all extension plugin.json files

Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship
extensions need to include an extensions field specifying where the extension code
is located. All 12 extensions now have extensions set to '.' to reference the
current directory where extension.mjs is located.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Enforce convention-based extension metadata and remove x-awesome-copilot

- Remove x-awesome-copilot.screenshots from all extension plugin.json files
- Enforce logo=assets/preview.png convention for all extensions
- Enforce extensions=. per copilot-agent-runtime#9929
- Update validate-plugins.mjs to enforce conventions
- Update validate-canvas-extensions.yml workflow with convention checks
- Update AGENTS.md and CONTRIBUTING.md documentation

All 12 extensions validated successfully.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Use standard plugin validation for extensions

Remove the custom extension schema and schema validation helper, and
validate extension plugin.json files through the existing plugin validator
instead. Update workflows to stop depending on the removed schema.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-03 12:24:38 +10:00
Finn Womack da3855ab20 add windows arm64 python gha wheel builder agent (#1940) 2026-07-03 10:32:53 +10:00
github-actions[bot] 071ddc82ec Add external plugin cockroachdb (#2187)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-07-03 10:11:26 +10:00
Jakub Jareš 4642e471ea Add pester-should-migration skill (experimental) (#2164)
* Add pester-should-migration skill (experimental)

Companion to the pester-migration skill. Focuses on the optional move from
the classic v5 `Should -Be` assertion syntax to the new v6 `Should-*`
assertions (e.g. `Should -Be` -> `Should-Be`). Includes a full
operator-by-operator mapping and the behavioral gotchas (negation as a
separate command, BeExactly -> Should-BeString -CaseSensitive, truthy/falsy
vs strict bool, BeNullOrEmpty split, collections, pipeline unwrapping).

Marked experimental/preview: verified against Pester 6.0.0-rc2; the new
Should-* assertions may still change before the 6.0 release.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Trim experimental status callout in pester-should-migration

Address review feedback: drop the time-based, human-oriented preview guidance (release-candidate timing, "as of mid-2026", release-notes link) from the status callout, keeping a lean experimental marker. The agent has no concept of time, so that prose is just extra tokens.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Awesome Copilot Community <awesome-copilot-community@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-03 10:10:37 +10:00
Copilot 3bd22bc0f4 Fix PR duplicate check not running on external contributor submissions (#2188)
* Initial plan

* Fix PR duplicate check not running on external contributor submissions

Add forks: [\"*\"] and roles: all to pr-duplicate-check.md so the
agentic workflow runs for all PR authors, including external contributors
submitting from forks. Previously, the generated lock.yml contained:
- A fork repository check blocking all fork PRs from running
- A team membership check (admin/maintainer/write) blocking external contributors

Recompiled with gh aw compile to regenerate pr-duplicate-check.lock.yml.
The pre_activation job (which held the membership gate) is now removed,
and the activation job runs unconditionally for all pull_request events.

Closes #2121

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fixing a bunch of warnings on all the agentic workflows

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-03 10:08:42 +10:00
Petr Pokorny 8c68eba690 dotnet-test: polyglot description and keywords, mirror 0.2.0 (#2178)
Reframe the external catalog entry to reflect the plugin's polyglot
test-generation pipeline (.NET/C#, Python, TypeScript/JavaScript, Java, Go,
Ruby, Rust, C++, Kotlin, Swift, PowerShell) and add polyglot keywords so
non-.NET developers can discover it. Mirrors the dotnet/skills 0.2.0 bump.

Edits the source (plugins/external.json) and regenerates the generated
.github/plugin/marketplace.json via npm run build. source stays unpinned
(tracks main), so no behavior change.
2026-07-02 12:01:04 +10:00
dependabot[bot] 893df3fb7a chore(deps-dev): bump lodash (#2176)
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash).


Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-02 12:00:09 +10:00
github-actions[bot] f6fc97747f [bot] docs(learning-hub): update for Copilot CLI v1.0.65–v1.0.67 (#2185)
* docs(learning-hub): update with Copilot CLI v1.0.65–v1.0.67 changes

- Add Claude Sonnet 5 to model table in building-custom-agents.md (v1.0.67)
- Document --allow-all-mcp-server-instructions flag in understanding-mcp-servers.md (v1.0.66)
- Add @-style imports for instruction files in defining-custom-instructions.md (v1.0.66)
- Add sessionLimits setting to configuration table in copilot-configuration-basics.md (v1.0.66)
- Document subagent concurrency and depth limits in agents-and-subagents.md (v1.0.66)

Sources:
- https://github.com/github/copilot-cli/releases/tag/v1.0.67 (2026-06-30)
- https://github.com/github/copilot-cli/releases/tag/v1.0.66 (2026-06-30)
- https://github.com/github/copilot-cli/releases/tag/v1.0.65 (2026-06-24)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update website/src/content/docs/learning-hub/building-custom-agents.md

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-02 11:55:52 +10:00
James Montemagno 3169734bc2 Add Token Pac-Man canvas extension (#2175)
* Add Token Pac-Man canvas extension

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Address Token Pac-Man review feedback

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
2026-07-02 10:51:57 +10:00
Ari LiVigni ContinuousG33k 388e0ed368 chore: update gh-skills-builder to v1.0.2 (#2183)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com>
2026-07-02 10:30:26 +10:00
Jakub Jareš fb0fae173f Add pester-migration skill (experimental) (#2163)
* Add pester-migration skill

A self-contained, experimental skill that helps upgrade PowerShell Pester
test suites across major versions (v3->v4, v4->v5, v5->v6). One router
SKILL.md plus per-jump references. The v5->v6 guidance tracks Pester 6,
which is still a release candidate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Regenerate skills index for pester-migration

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback on pester-migration skill

- Pin the stable-v5 install to -MaximumVersion 5.99.99 so it keeps
  installing v5 after Pester 6 goes GA (SKILL.md).
- Make the baseline run command version-agnostic (bare Invoke-Pester)
  and note that parameters differ across majors (SKILL.md).
- Replace the '->' mapping arrows inside powershell fences with
  comment + valid replacement lines so snippets are copy/paste-safe
  (SKILL.md v5->v6 cheat sheet, v5-to-v6.md, and v3-to-v4.md).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review: scope -SkipPublisherCheck, trim status callout, order references

- Drop -SkipPublisherCheck from the default install commands; scope it to
  Windows PowerShell 5.1 (installing over the OS's Microsoft-signed built-in
  Pester 3) per pester.dev install docs, instead of an unconditional default.
- Trim the experimental status callout: keep the preview marker, drop the
  date-based, human-oriented wording.
- Reorder the References table into version progression order (v3->v4, v4->v5,
  v5->v6).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: nohwnd <jakub@jares.cz>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-02 10:29:37 +10:00
github-actions[bot] a4aebcd4bd docs(learning-hub): add /pr auto, /pr automerge, and /chronicle skills review (#2168)
Document three new CLI commands from Copilot CLI v1.0.66 (2026-06-30):

- /pr auto: self-paced loop that fixes one failing item per run and
  paces around CI to drive a PR to green
- /pr automerge: extends /pr auto to continue until the PR is fully
  merged (CI passes, reviews approved, PR merged)
- /chronicle skills review: interactive review flow for agent-proposed
  draft skill changes (accept, reject, or defer each draft)

Changes:
- copilot-configuration-basics.md: add /pr auto + /pr automerge section
  in CLI Session Commands, extend /chronicle section with skills review
  subcommand
- creating-effective-skills.md: add Q&A entry for /chronicle skills review
  in the Common Questions section

Sources:
- https://github.com/github/copilot-cli/commit/c802cc3f06ffd2a57968cf8efabd3d550650ac5e
  (changelog for v1.0.66)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
2026-07-01 12:07:28 +10:00
Ayan Gupta b7f2e084eb Add author attribution to Site Studio canvas (#2166)
Adds the author block to extensions/site-studio/canvas.json so the canvas
gallery shows attribution (by @ayangupt), matching other extensions.

Co-authored-by: Ayan Gupta <ayangupt@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-01 12:03:22 +10:00
Aaron Powell 235bdb1872 Fixing git sha's (#2170) 2026-07-01 11:25:14 +10:00
Ayan Gupta 65ba0b3922 Add Java Modernization Studio canvas extension (#2156)
* Add Java Modernization Studio canvas extension

A canvas extension that drives the GitHub Copilot App Modernization for Java workflow from an interactive dashboard: environment readiness checks, repo assessment, prioritized plan/progress, validation gates (CVE scan, test generation), and one-click predefined-task runs — all grounded in the repo's real artifacts (.appmod/assessment.json, plan.md, progress.md). Includes a node:test suite (109 tests) for the grounding logic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>

* Secure cockpit loopback server with a per-instance token

Address Copilot review feedback on the Java Modernization Studio canvas:

- Mint a per-instance secret in createInstanceServer, embed it in the
  iframe URL, and validate it on every loopback request (/, /state,
  /events, /action). Other local processes can no longer read repo
  state or dispatch agent actions just by guessing the random port.
  Mirrors the existing diagram-viewer token pattern; the client echoes
  the token from its boot payload. The guard is a no-op when no token is
  set, so direct makeHandler unit tests are unaffected.
- Handle async request-handler rejections in createServer with a .catch
  that returns 500 and logs, instead of leaking an unhandled rejection
  that could destabilize the extension process.
- Tests: token guard 403s unauthenticated /, /state, /events and
  /action and allows valid-token requests; the end-to-end test asserts
  the tokenized URL and a tokenless 403.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix CI: add preview screenshot and clear codespell hits

Add the required assets/preview.png screenshot for the canvas-extension
validator, and resolve two codespell findings in the cockpit:
rename the planSim helper's `nd` variable to `notDone` and reword a
catalog comment to avoid the `invokable`/`invocable` flag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Harden cockpit loopback server per Copilot review

Address the second-round Copilot review comments on the loopback server:

- broadcast(): drop an SSE client whose write() throws instead of keeping
  it in the Set, so a uncleanly-disconnected client can't cause repeated
  exceptions or leak dead entries on every subsequent broadcast.
- POST /action: treat a malformed JSON body or a missing/invalid "kind"
  as a 400 client error (with an application/json body) instead of a 200
  carrying { ok:false, error:"Unknown action: undefined" }.
- Handler catch: set Content-Type: application/json on the 500 error
  response so it is consistent with the other JSON routes.

Adds four tests covering dead-client eviction, the two 400 paths, and the
JSON-typed 500. Full suite: 115 passing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>

* Add canvas.json gallery metadata for Java Modernization Studio

Aaron requested a canvas.json so the awesome-copilot website/gallery can
list this extension. Generated via `npm run website:data`
(writePerExtensionCanvasManifests), which derives id/name/description/
version/keywords/screenshots from package.json + the createCanvas source +
assets, and carries the author through. Output committed verbatim so a CI
regeneration produces no diff.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>

* Add author tag to package.json

Declare the author in the package manifest (object form, matching the
author already carried in canvas.json so it includes the profile URL).
The published gallery sources author from canvas.json; this adds the
conventional npm author tag to package.json for completeness. Verified
`npm run website:data` still emits the author on the extensions record
and leaves canvas.json byte-identical.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>

---------

Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-01 11:10:53 +10:00
Gordon Lam d47a6c93b7 Add copilot-pr-autopilot skill (#1944)
* Add copilot-pr-autopilot skill

Skill that drives any GitHub pull request through repeated rounds of
Copilot Code Review until the agent has either resolved every thread
or explicitly escalated it to the human. Triggered via GraphQL (no
@copilot mention needed), triages every open thread with a fix /
decline / escalate rubric, replies and resolves each thread citing
the pushed SHA, then re-triggers until HEAD is reviewed with zero
threads awaiting the agent's reply.

Includes step scripts (01 request-review, 02 check-review-status,
03 list-open-threads, 08 reply-and-resolve, 10 cleanup-outdated),
shared library (_lib.ps1) with gh-CLI wrappers (Invoke-Gh,
Invoke-GhGraphQL, ConvertFrom-GhJson, Assert-GhReady), reply
templates, and reference docs for each step.

Repo-agnostic. Requires gh CLI on PATH and repo Triage/Write for
full autopilot; external PR authors get single-iteration mode with
manual re-trigger via the UI re-request button or a substantive
push.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review: split per-step references + add recap-gate circuit breaker

- Fix #1: give steps 1/7/10 their own reference files
  (01-request-review.md, 07-commit-push.md, 10-cleanup.md); trim the
  inline bodies out of orchestration.md so it stays cross-cutting only.
- Fix #3: add a recurring round-cap & recap gate to 09-convergence.md —
  default STOP every 10th round, recap all prior rounds, detect drift
  (out-of-scope / over-engineering / wrong-direction / belongs-in-separate-PR)
  with CONTINUE / REVERT-AND-SHIP / HAND-OFF verdicts. Agent reasoning,
  no new script.
- Surface the gate from SKILL.md and orchestration.md; regenerate
  docs/README.skills.md. Markdown-only change; scripts unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs(copilot-pr-autopilot): surface recap gate in decision pseudo-code; clarify Copilot+human convergence and round definition

- Inject the round-cap recap gate into the '## Decision: loop back or exit'
  pseudo-code else-branch so an agent following the code block (not just the
  prose) runs the STOP-every-10th-round check before looping.
- Broaden the 'never terminal' paragraph: non-convergence is driven by a
  Copilot finding OR a human review comment (this skill handles both); the
  loop ends only when there are no new comments from either source AND every
  open thread (Copilot or human) has an agent reply/escalation.
- Define a 'round' explicitly as one execution of step 1 (01-request-review),
  i.e. one Copilot-review trigger — the cap counts review rounds, not tool
  calls or fix edits.

Markdown-only; no script changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* copilot-pr-autopilot: make recap-gate round count deterministic

Add 09-review-round.ps1: counts Copilot Code Review submissions straight
from the PR's API history (full GraphQL pagination), so the recap-gate
trigger is a derived number, not a fallible agent mental tally. This
removes the exact failure mode the skill exists to survive — a count
drifting across a long run (the real 156-round case).

The script reports Round + RecapDue (Round % RecapInterval == 0) only;
it never stops the loop or picks the verdict. CONTINUE / REVERT-AND-SHIP
/ HAND-OFF stays agent reasoning. 09-convergence.md updated to reference
the deterministic count while preserving 'no script stops the loop' and
'non-convergence = Copilot finding OR human comment'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Regenerate docs/README.skills.md for copilot-pr-autopilot (add 09-review-round.ps1)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-01 11:09:58 +10:00
Aaron Powell 79cda6bb19 Add canvas schema validation to extension submission workflow (#2161)
* Add canvas schema and extension submission checks

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: use namespace import for js-yaml

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Fix contributors page build markup

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Address PR feedback on canvas schema validation

- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Harden canvas extension workflow against injection attacks

Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.

Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.

Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.

Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Replace ajv-cli with in-repo schema validator

- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-01 10:40:40 +10:00
Aaron Powell 28c3a14af4 Switch skill CI validation workflows to vally lint (#2030)
* Switch skill CI checks to vally lint

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Adding Vally to allowed words

* case sensitivity

* Migrate external plugin quality gates from skill-validator to vally lint

Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:

- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() + 
unSkillValidatorGate() with
  uildVallyLintArgs() + 
unVallyLintGate() that run
px vally-cli lint
  per resolved skill directory (falling back to the full plugin root when no
  specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
  to ally_lint_status / ally_lint_output throughout both
  ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Use @microsoft/vally library directly instead of vally-cli subprocess

Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:

- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
  - runLint({ rootPath }) returns structured LintResults
  - LintConsoleReporter with a Writable capture stream collects
    text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
  runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
  plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
  summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows

This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-30 14:07:45 +10:00
Komal Vardhan Lolugu df58232729 create-implementation-plan: require unique identifiers (#1989) (#2142)
* create-implementation-plan: require unique identifiers (#1989)

The skill template tells the agent to use REQ-, TASK-, GOAL-, and
similar prefixed identifiers, but never says they have to be unique
or how to check. @basilevs reported plans coming back with duplicate
TASK IDs and proposed three POSIX one-liners that catch the two real
collision modes (table rows and bullet declarations) plus a broad
diagnostic scan.

Document the uniqueness rule under the existing Template Validation
Rules, then add a new "Identifier Uniqueness Check" section with all
three bash commands and instructions on which must come back empty
before the plan is finalized.

DEP-* references intentionally allowed in multiple sections per the
reporter's note.

Closes #1989.

* codespell: ignore GUD identifier prefix (#1989)

Upstream skills/create-implementation-plan/SKILL.md already uses
GUD-001 in the template body. Codespell currently slips past it on
word-boundary, but the regex alternation (GUD|RISK|...) added in the
previous commit on this branch makes codespell flag it as a misspelling
of GOOD.

GUD is the documented "Guideline" identifier prefix alongside REQ,
SEC, CON, PAT, etc. Add it to the ignore-words-list, matching the
pattern every other technical-token exemption in .codespellrc uses.

* create-implementation-plan: clarify declaration vs reference (#1989 review)

basilevs flagged that calling out DEP-* specifically was misleading,
because any identifier can appear as a reference. A TASK body can
cite a REQ, one TASK can cite another, and so on. The original
phrasing made it sound like DEP-* was the only prefix allowed to
recur.

Rewrite the rule to lead with "uniquely declared":
- Define declaration as the leading bullet/cell ID (e.g., the table
  row in Implementation Phase N, or '- **REQ-001**:').
- Say explicitly that references elsewhere in the plan are expected
  and not collisions, with concrete examples (TASK citing REQ,
  TASK citing TASK, Dependencies pointing at a DEP declared upstream).
- Tighten the check intro to call (1) and (2) declaration-targeted
  gates and (3) a broad informational scan that will see references.

Bash checks unchanged; they already encode the declaration-vs-reference
distinction via the table-cell and bullet-prefix anchors.
2026-06-30 10:36:03 +10:00
dependabot[bot] db80f8c2d4 chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates (#2160)
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash).
Bumps the npm_and_yarn group with 2 updates in the /website directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [esbuild](https://github.com/evanw/esbuild).


Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.18.1)

Updates `astro` from 6.1.9 to 6.4.8
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro)

Updates `devalue` from 5.7.1 to 5.8.1
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/devalue/compare/v5.7.1...v5.8.1)

Updates `esbuild` from 0.27.7 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.27.7...v0.28.1)

Updates `vite` from 7.3.2 to 8.1.0
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 6.4.8
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.8.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-30 10:16:44 +10:00