mirror of
https://github.com/github/awesome-copilot.git
synced 2026-07-14 01:51:02 +00:00
bb4766e22666d271e11dcd26c61173b9829f576a
1939 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
bb4766e226 |
Fix external plugin gate manifest paths and diagnostics (#2261)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
e03696a5bf |
Replace resource modals with dedicated detail pages and richer install options (#2246)
* feat(website): dedicated agent detail pages instead of modal Replace the popup/modal viewer for agents with dedicated per-agent pages at /agent/<id>/ for real URLs and better deep linking. - Build-time rendered docs (marked + gray-matter) with a details sidebar - Sidebar Actions card: Install split-button (VS Code/Insiders/Download/Copy markdown), Share, View on GitHub - Cards now link natively via anchors (no modal); card-render gains optional href (backward compatible for other types) Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * feat(website): dedicated instruction detail pages + shared detail layout Extend the dedicated detail-page pattern (introduced for agents) to instructions, and factor the shared behavior/styles out for reuse: - Add instruction/[id].astro with build-time markdown render, breadcrumb, install split-button (VS Code/Insiders/Download/Copy markdown), Share, View on GitHub, and a details sidebar (Applies to / Source / Last updated) plus collapsible frontmatter. - Extract shared client behavior into resource-detail.ts (renamed from agent-detail.ts) keyed on [data-resource-detail]. - Move detail-page CSS into global.css under .resource-detail-page. - Point the agent detail page at the shared script/styles. - Instruction cards now link to /instruction/<id>/ and the modal is removed from the instructions listing. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * refactor(website): extract shared detail-page components Break the agent and instruction detail pages down into reusable Astro components under src/components/pages: Breadcrumb, Header, Main, Sidebar, SidebarChips, InstallButtons, and RawMarkdown. Both detail pages now compose these components instead of duplicating markup. Fix RawMarkdown to read the `markdown` prop (matching both call sites) and emit exact text via set:text, which restores the Copy markdown action that had silently broken when the hidden textarea stopped rendering. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * refactor(website): share detail-page build logic in lib/detail-page Both detail pages duplicated the install/GitHub URL builders, the build-time markdown read+render, and the last-updated formatting. Move all of it into a DOM-free build-time helper (src/lib/detail-page.ts) exposing loadDetailPage(item, type), and reduce each [id].astro to a single call plus its type-specific chip data. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add dedicated skill detail pages with multi-file browser Migrate skills from the popup/modal viewer to dedicated per-item pages (/skill/<id>/) matching the agent and instruction detail pages. Skills need a few skill-specific mechanics: - Install via `gh skills install github/awesome-copilot <id>` (copyable), since skills have no VS Code install URL. - Download ZIP for the multi-file skill contents. - A file browser that defaults to SKILL.md and lets you inspect other files, with Shiki syntax highlighting for code and marked-rendered markdown. SKILL.md is embedded (rendered + raw) at build time; other files are lazy-fetched on demand and cached. Deep links via #file=. Also fixes a production build regression in the shared detail-page helper: repoRoot now resolves via process.cwd() instead of import.meta .url, which resolved incorrectly once bundled and silently returned empty markdown (breaking rendered docs + copy-markdown for agents and instructions too). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Replace skill file list with a dropdown selector The two-column file browser (side list + content pane) was cramped, splitting the already-narrow main column in half. Replace the side list with a dropdown in the file view header so the content pane spans the full width. - Multi-file skills get a <select> grouped by folder via <optgroup>, SKILL.md first. Single-file skills keep a static filename label. - Client script drives selection from the <select> change event instead of the removed file buttons; deep links, copy-file, Download ZIP, and Share all read the file list from the select options. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Fix skill sidebar card overflowing its column The install command in the actions card used white-space: nowrap, which gave the grid tracks a large min-content size. Grid items default to min-width: auto (won't shrink below content), so the actions card grew past the 352px sidebar, making it look wider than the agent/instruction sidebars. Add min-width: 0 down the sidebar grid chain so the command box stays within the column and scrolls horizontally instead. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Make skill file content pane grow to full page height Remove the fixed max-height/overflow on .skill-file-content so file content flows to natural height and the page scrolls, instead of a nested inner scroll region. Shiki <pre> keeps its own horizontal scroll. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Center-align skill file picker label with the select Reset the Starlight-injected margin-top on .skill-file-select so the 'File' label and the dropdown share a common vertical midline. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Render code files edge-to-edge in skill file viewer For code files, drop the container padding and the pre border/radius so the highlighted code fills the full column width. Markdown files keep their padded, bordered layout. Toggled via an is-code class on the content pane based on the selected file kind. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add dedicated detail pages for hooks with a reusable file browser Hooks had no good install path (manual copy or ZIP), so mirror the Skills dedicated-page pattern: a multi-file browser plus a Download ZIP action, replacing the modal on the hooks listing. Generalise the Skills-specific file browser so both resource types share one implementation: - Rename SkillFileBrowser.astro -> FileBrowser.astro with neutral props. - Rename skill-detail.ts -> file-browser.ts with neutral data attributes (data-file-browser-page, data-bundle-id, data-primary-file). - Rescope install-slot styles under a shared .bundle-detail-page class. - generate-website-data: rename getSkillFiles -> getFolderFiles and emit a files[] + readmeFileName for each hook. Hooks list cards now deep-link to /hook/<id>/ instead of opening a modal. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add dedicated detail pages for workflows Migrate agentic workflows from the popup/modal viewer to dedicated per-item pages (/workflow/<id>/) with deep linking, matching the pattern used for agents, instructions, skills, and hooks. Workflows are single .md files, so they reuse the single-file detail components (Main, Sidebar, Header, Breadcrumb, RawMarkdown) and the resource-detail client script. Since workflows have no VS Code install, the install slot instead documents the gh aw CLI flow and offers Download + Copy markdown actions. Also rescope the shared install-slot CSS from .bundle-detail-page to .detail-actions-card so skill, hook, and workflow pages share it without a page-specific class, and drop the now-unused bundle-detail-page class from the skill and hook pages. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Format workflow install note Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add dedicated plugin detail pages Replace the plugins modal with dedicated /plugin/<id>/ pages that deep link, render the bundled README, and surface an Included items section linking each constituent agent/skill/instruction/hook to its own detail page (falling back to GitHub for items without a page, e.g. extensions). - generate-website-data: resolve plugin items to detail URLs + titles, add readmeFile for local and extension-derived plugins - new IncludedItems component groups bundled resources by kind - plugin/[id].astro handles local, extension-derived, and external plugins with VS Code + CLI install actions - resource-detail: copy-install handler shared with detail pages - plugins list cards now deep link; modal wiring removed Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Show plugin version, ref, and commit in detail sidebar Capture version from plugin.json (local + extension-derived) and external.json, and surface it in the plugin detail Details card. For external plugins, also show the pinned source ref and short commit SHA when present. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add dedicated canvas extension detail pages with preview gallery Replace the extensions modal with per-extension pages at /extension/<id>/, mirroring the skill/plugin detail layout. Each page shows a preview image gallery, README docs (or an About fallback), and a sidebar with install actions and details (version, canvas ID, keywords, author, commit). - generate-website-data.mjs: emit readmeFile for extensions - extensions-render.ts: deep-link cards to detail pages - extensions.ts: strip modal/gallery wiring, keep filter/sort/copy actions - resource-detail.ts: add copy-install-url action - extension-gallery.ts: thumbnail switching for multi-image previews Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add VS Code Insiders and GitHub Copilot app install links Introduce a shared PluginInstall component used by both plugin and canvas extension detail pages. It renders a split-button dropdown deep-linking into VS Code, VS Code Insiders, and the GitHub Copilot app (ghapp://), plus the CLI command for internal items. - Internal plugins/extensions: ghapp://plugins/install?source=<id>@awesome-copilot - External plugins: ghapp://plugins/marketplace/add?source=<owner/repo> - ghapp source values are URL-encoded per the app's deep-link contract Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Make GitHub Copilot app the default install option Promote the ghapp:// deep link to the primary split-button action and list it first in the dropdown, ahead of VS Code and VS Code Insiders. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Ignoring impeccable files * Make Extensions grid Copy Install a direct Copilot app install Replace the CLI-command copy button on extension cards with an 'Install in Copilot app' deep link (ghapp://plugins/install) for internal extensions, matching the detail page. External extensions keep the Copy URL fallback since they have no Copilot app install path. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address PR review feedback on detail pages - Remove DOM innerHTML read/write round trip in file browser cache (CodeQL js/xss-through-dom); seed primary file from raw text and render lazily. - Use Shiki dual light/dark themes in the file browser and add dark mode CSS overrides. - Guard decodeURIComponent for #file= deep links against malformed percent-encoding. - Slugify SidebarChips title before using it in the tag class name. - Use a neutral aria-label on the shared detail Sidebar. - URL-encode the external plugin source in VS Code and Insiders install links. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Prevent client-side path traversal in file deep links Addresses the CSPT-to-XSS class reported in github/open-source#1739. A '#file=' hash value containing '../' sequences could resolve outside the awesome-copilot repo prefix once normalized by fetch, loading attacker-controlled content that was then rendered into the page. - Add isSafeRepoFilePath() and enforce it at the raw-URL choke point (getRawGitHubUrl, fetchFileContent, downloadFile, getVSCodeInstallUrl), so no consumer can escape the repo prefix. - Validate the decoded '#file=' path in the modal hash handler and guard its decodeURIComponent against malformed input. The new hash-based file browser already restricts deep links to an allowlist of build-time file descriptors; the choke-point guard is an additional backstop. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Fix accessibility violations on resource detail pages Run the a11y audit against the new detail pages and resolve every critical/serious axe violation it surfaced: - Nest the detail column as a <div> instead of a second <main>, fixing the duplicate/non-top-level/non-unique landmark rules on every detail page. - Add a shared enhanceMarkdownA11y() helper that makes rendered <pre>/<table> blocks keyboard focusable and gives task-list checkboxes a state-based accessible name; apply it at build time and in the client file browser. - Make Shiki-highlighted code and install-command <code> blocks focusable. - Underline links inside rendered docs and install notes so they are distinguishable without color, overriding the global #main-content reset. - Extend the a11y audit to cover one representative page per detail type. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Fix file browser GitHub URL handling Encode selected file paths before assigning GitHub detail links and render load errors with DOM APIs so DOM-derived file names are not reinterpreted as markup. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address PR review feedback on detail pages and file browser - Deep-link plugin extension items to their /extension/<id>/ detail pages: generate canvas extensions before building the resource index, and index extensions (by id and folder basename) so resolvePluginItem can resolve them. - Render image files in the bundle file browser via an <img> tag built from the safe raw URL instead of decoding binary assets as UTF-8 text; skip the copy-file action for images. - Use a neutral 'Install' heading on internal plugin and extension pages so the split-button primary label accurately communicates the target. - Warn (with the file path) when readResourceMarkdown fails instead of swallowing the error silently, keeping the build unbroken. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address PR review feedback on install links, dropdown a11y, and ZIP downloads - externalRepoUrl (plugin detail pages) now builds the 'View on GitHub' tree URL from the pinned source.ref or source.sha, falling back to main only when neither is present, so the link matches the sidebar Ref/Commit chips. - Install split-button dropdown on resource detail pages is now keyboard accessible: opening focuses the first item, ArrowUp/ArrowDown wrap, Home/End jump, and Escape closes and restores focus to the toggle, mirroring modal.ts. - downloadZipBundle fetches each file as an ArrayBuffer and hands it to JSZip so binary assets (PNG/JPG/etc.) are preserved instead of corrupted by UTF-8 text decoding. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address PR review feedback on external repo links and workflow install note - externalRepoUrl now uses a pinned source.ref/sha even when the external plugin has no path, returning /tree/<ref> so "View on GitHub" points at the pinned revision and stays consistent with the sidebar Ref/Commit chips. - Reflow the workflow install note so each inline code and link element stays on a single line (using explicit whitespace expressions for word spacing), removing the split end-tag artifacts while preserving the exact rendered text and spacing. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Harden repo path validation and fix Included Items file links - isSafeRepoFilePath now fails closed on any "%" so percent-encoded dot-segments (%2e%2e and double-encoded %252e%252e) cannot be normalized back into path traversal by the browser URL parser during fetch, and also rejects "." and empty path segments. Legitimate repo paths never contain these. - IncludedItems githubHref now links file paths via /blob/ and directories via /tree/, detecting files by a trailing extension on the last path segment, so the fallback links for agent/instruction/command items no longer 404. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Harden detail pages: sanitize markdown, fix search deep-links and external URLs Addresses rubber-duck review items 1-5 for the detail-page migration: 1. Sanitize rendered markdown as untrusted HTML. Add isomorphic sanitize-html helper (isomorphic-dompurify) applied in the build-time pipeline (detail-page.ts) and the client file browser before a11y enhancement, so marked output can no longer inject scripts/handlers. 2. Point Pagefind search results at canonical /type/id/ detail pages instead of inert #file= listing hashes for types that have a detail page. 3. Sanitize external/generated URLs on plugin and extension detail pages and their render scripts so only http(s) links are emitted. 4. Add a shared externalRepoUrl helper that pins GitHub links to the source ref/sha (preferring sha) with encoded path segments, replacing the duplicated always-main logic in the pages, modal, and renderers. 5. Handle #file= hash navigation after initial load in the file browser via a hashchange listener. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Detail pages: clickable filter chips + code-block copy buttons (#2255) * Add clickable filter chips on detail pages Turn read-only metadata chips into navigation: tags (hooks/plugins), keywords (extensions), and extensions (instructions) now link to their list page pre-filtered by that value (e.g. /hooks/?tag=testing). SidebarChips gains optional filterBase/filterParam props; when both are set each chip renders as an <a> with an aria-label and hover/focus styling, otherwise it stays a plain <span>. Agent/skill/workflow chips are unchanged. Filtering was verified end to end against each list page's existing query-param handling. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add copy buttons to documentation code blocks Detail-page markdown is rendered as plain <pre><code> with no syntax highlighter, so code and config snippets had no copy affordance. Add a hover-revealed copy button to every code block in the rendered docs: copies to the clipboard, shows a toast, and swaps to a check icon for confirmation. Buttons are keyboard-accessible, always visible on touch devices, and respect reduced-motion. The sidebar frontmatter block is left untouched. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix detail-page GitHub links, empty-state link contrast, and file cache Addresses four PR review comments on the detail-page migration: - skill/hook detail pages: build the sidebar "View on GitHub" link from a /tree/main base instead of /blob/main, since item.path is a directory and /blob/<dir> URLs 404. The FileBrowser githubBase stays on /blob for individual file links. - global.css: include .detail-empty a in the underline override so links in empty-state notes stay distinguishable without relying on color alone (WCAG 1.4.1 / axe link-in-text-block). - file-browser.ts: seed the primary file's cache with its already-rendered (frontmatter-stripped) HTML in addition to raw text, so re-selecting the primary file after navigating away no longer re-renders the raw source and surfaces frontmatter. Copy still uses the full raw text. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com> |
||
|
|
aa99d75baa |
Add arch plugin (architecture + modernization skills) (#2253)
* Add arch plugin (architecture + modernization skills) Add the `arch` plugin with two skills: - `arch:document` — produce a single, cited architecture document for a locally-cloned repo, reading files on disk only. - `arch:modernize` — generate a phased modernization plan, auto-running the document workflow first when no architecture doc exists. Skill sources live in top-level skills/ and are referenced declaratively from plugins/arch/.github/plugin/plugin.json, per the repo's plugin model. Regenerated docs/README.plugins.md, docs/README.skills.md and marketplace.json. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Merge arch skills into single doc-and-modernize skill Collapse the document and modernize skills into one standalone skill (doc-and-modernize) with Documentation and Modernization modes, keeping the plugin named arch. Modernization mode now runs the Documentation workflow inline instead of invoking a separate arch:document skill, fixing standalone-install cross-skill references. Reframe Documentation mode as local-first (remote/API lookups are a flagged last resort) rather than local-only. Regenerate docs and marketplace. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review: list skill by bare ID in arch README Use 'doc-and-modernize' (repo convention) instead of the namespaced 'arch:doc-and-modernize', noting it surfaces as arch:doc-and-modernize when installed via the plugin. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review: use non-HTML placeholder in instructions template Change plain-text <PROJECT NAME> to [PROJECT NAME] in the header and first paragraph so Markdown renderers don't parse it as an HTML tag and drop it. The code-span `<N>` on the phase line is unaffected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review + fix codespell CI failure - Fix codespell: pre-empts -> preempts in the instructions template - Consistent terminology: replace 'research step/workflow' with 'Documentation mode' in SKILL.md, README, and plugin.json description - Fix run-on: add 'that' before 'Modernization mode must surface' - Regenerate docs/marketplace for the updated plugin description Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review feedback - Instruct redacting credentials/tokens from git remote URLs before recording - CI enforcement: ask user or mark [UNVERIFIED]; remote lookup is flagged last resort Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: samqbush <samqbush@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
2b8b7b2fd1 |
Narrow risk scan version matching (#2251)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
d203b6ee69 |
Rename mcp-security-baseline -> mcp-implementation-security-review and sharpen description (#2257)
Renames the skill so its name makes the source-code-review scope explicit and distinct from the existing config-focused `mcp-security-audit` skill (the duplicate-detection check flagged the shared `mcp-security-` prefix; it is advisory only). Also sharpens the description's first line to lead with "implementation source code of MCP servers, clients, and tool handlers". - Rename folder skills/mcp-security-baseline -> skills/mcp-implementation-security-review - Update name field and H1 heading to match - Regenerate docs/README.skills.md Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
44ffa65c50 |
docs(learning-hub): update auto allow-all mode to require experimental (#2239)
Per v1.0.69-3 (2026-07-07), the /allow-all auto mode now requires experimental features to be active (/experimental on or --experimental). The previous AUTO_APPROVAL env var approach has been removed. Update the auto allow-all mode note in Copilot Configuration Basics to document the experimental mode requirement and activation steps. Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
c7babcfa68 |
Add foundry-hosted-agent-copilotkit skill (#2226)
* Add foundry-hosted-agent-copilotkit skill (development-focused) Reworked from PR #2090 feedback: drops all scaffolding/sample-template content and focuses on ongoing development with CopilotKit + AG-UI + Azure AI Foundry hosted agents — adding/gating tools, human-in-the-loop approvals, generative UI and shared state, event-stream debugging, pre-1.0 dependency upgrades, and the hosted-agent deploy loop. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * Add HITL code examples to foundry-hosted-agent-copilotkit skill Address review feedback: the .NET approval paragraph was prose-only. Add a .NET snippet from the official Step04_HumanInLoop sample and correct the type/behavior (ToolApprovalRequestContent; convert—not remove—the request_approval call/result). Also add live-verified Python snippets for hosted-agent approval-forwarding (#6652) and the previous_response_id #6851 guard. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |
||
|
|
72fae201df |
Add mcp-security-baseline skill (#2212)
* Add mcp-security-baseline skill An Agent Skill that reviews MCP server and client source code against a security baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance report with file/line evidence. Complements mcp-security-audit, which checks .mcp.json configuration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback: remove ignored keywords field, link MCP spec - Remove the top-level `keywords` field: it is not a recognized skill front-matter field and is ignored (skills are indexed for search by name + description only). The keyword terms are already present in the description, so discovery is unaffected. - Link the MCP 2025-03-26 specification at the protocol-version check so the agent has it for quick reference. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback: fix unsafe-deserialization example, link current MCP spec - Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)` to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage. - Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26 baseline on the protocol-version check. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
836ca8e4e5 | fix: update package.json main field to update-readme.mjs (#2244) | ||
|
|
93372200cb | chore: standardize agent documentation markdown, fix formatting, add MANDATORY clauses, and update output formats across agents (#2247) | ||
|
|
fb2922519f | Update assertion-map.md for Should-Not-Throw syntax (#2248) | ||
|
|
49d020f31a |
Fix kanban refresh error exposure (#2242)
Stop the accessibility kanban extension from persisting raw refresh failure details to browser-visible state. Use a generic safe error message for clients, clear any previously persisted detailed refresh errors during state normalization, and keep detailed diagnostics server-side via console logging. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
0e208f59fc |
Add Tiny Tool Town submission canvas (#2240)
* Add Tiny Tool Town submission canvas Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add generated description choices Resolve picker opens from the active session working directory so linked worktrees work without an explicit repository path. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address Tiny Tool review comments Detect root .csproj files as build signals and hide canvas access tokens from the visible URL after first load. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address latest Tiny Tool review comments Handle root-relative README images, preserve drafts during refresh, and suppress GitHub mentions before public issue creation. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address canvas shutdown and CSP review Close all canvas servers during shutdown, use nonce-based CSP, make theme optional, and hide decorative preview dots from assistive tech. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
49e83892cb |
Add Work Hub canvas extension (#2238)
* Add Work Hub canvas extension Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address Work Hub review feedback Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
314cf968ab |
Add Repo Actions Hub canvas extension (#2237)
* Add repo actions hub extension Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Fix repo actions hub review feedback Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
2b777b3933 |
Update Ember agent to claude-opus-4.7 (#2236)
Bump default model to latest Claude Opus release. Co-authored-by: Jenny Ferries <jennyf19@users.noreply.github.com> |
||
|
|
58024e5bde |
Update Datadog plugin repository to datadog-labs/copilot-plugin (#2231)
Datadog renamed their repo from vscode-plugin to copilot-plugin. |
||
|
|
34f0e35050 |
Fix duplicate PR check role gating (#2241)
Remove the read-only role override from the PR duplicate check so gh-aw pre-activation gates unsupported actors before the PR checkout step runs. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
cb2a6022d7 |
Fix installed canvas repo scope follow-up (#2230)
* Address canvas review feedback Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Optimize arcade sprite sheet Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Shrink arcade extension package files Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address backlog canvas API review Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Compress arcade defender sounds Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
1f92908fa8 |
learning-hub: update docs for v1.0.67–v1.0.69 CLI releases (#2229)
- Add /mcp list command (shows attached servers mid-turn) to understanding-mcp-servers - Add stayInAutopilot setting to CLI settings table in copilot-configuration-basics - Add auto allow-all mode (LLM judge-based approval) to copilot-configuration-basics - Add kimi-k2.7-code model to the model selection table in building-custom-agents - Update lastUpdated dates on all three modified pages Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
d61dfdcddc |
fix(website): remediate WCAG accessibility issues and add axe regression guardrail (#2180)
* fix(website): remediate WCAG accessibility issues and add axe regression guardrail Fixes accessibility violations found by an axe-core sweep of every website page in both light and dark themes: - aria-allowed-role (WCAG 1.3.1, 4.1.2): the shared resource card rendered an <article> with role="listitem", which is not an allowed role for that element. Switched the wrapper to a <div role="listitem"> so the listitem role is valid (affected every card, e.g. #arcade-canvas on /extensions/). - aria-required-children (WCAG 1.3.1): removed role="list" from the tools, contributors, and cookbook containers whose children are not list items. - nested-interactive (WCAG 4.1.2): removed tabIndex=0 from extension cards and rendered the author as a non-interactive span so no interactive control is nested inside another (the author link remains in the modal). - color-contrast (WCAG 1.4.3): gave .btn-primary explicit white text with an AA-compliant hover (#7326d6), and bumped the dark-theme secondary text gray (--sl-color-gray-3) to #84849c (5.32:1) so ToC / meta / footer text passes. Adds a checked-in regression guardrail: - website/scripts/a11y-audit.mjs runs axe-core over all routes in both themes against the production build and fails on critical/serious violations only (moderate/minor are reported but non-blocking). Transitions/animations are disabled before sampling so axe measures settled, steady-state colors instead of mid-theme-transition frames. - Adds npm scripts (website:a11y at the root, a11y in website/) and README docs. The matching Build Website CI step is proposed in the PR description (omitted from this commit because the authoring token lacks workflow scope). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix(website): harden a11y audit per PR review - Fail fast when a route navigation returns a non-2xx response, so the guardrail can't silently pass against a broken/missing route (page.goto resolves even for 4xx/5xx). - Launch the Astro preview server via `node <astro-bin>` instead of `spawn(..., { shell: true })`. Removing the shell layer keeps signal delivery / detached-PGID shutdown predictable; resolving Astro's bin and running it with process.execPath also avoids the EINVAL that modern Node raises when spawning the npx.cmd shim without a shell on Windows. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: David Pine <7679720+IEvangelist@users.noreply.github.com> Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
96f3275a66 |
sync: update cli-for-beginners ch03 and ch05 from upstream (#2203)
Chapter 03 (Development Workflows): - Add /branch and /fork session-branching section to Workflow 5 - Update /diff description to note it works in non-git folders - Update Workflow 5 summary to include /branch Chapter 05 (Skills): - Add argument-hint SKILL.md frontmatter property to properties table - Expand Managing Skills section with copilot skill terminal command (Option 1) - Document /skill as shortcut alias for /skills (Option 2) - Update Key Takeaways to reflect argument-hint and copilot skill Synced from upstream commits: - db287eefea68 (docs: add copilot skill CLI command, /branch alias) - aec96cfd6175 (Update README for clarity on branching commands) - 296db3e76acf (Rephrase skills management instructions for clarity) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
2ac83c7a46 |
Update Datadog plugin to v0.7.21 (#2193)
* Update Datadog plugin to v0.7.21 * Update Datadog plugin to v0.7.21 Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com> |
||
|
|
e370b97107 |
Fix canvas repo detection and shrink oversized preview images (#2227)
Canvas extensions (accessibility-kanban, where-was-i) resolved git state
against the extension's install directory or the session-state folder
instead of the repo the session was opened in. This broke repo/branch
detection for user-scoped installs and worktrees ("unknown/unknown",
"detached HEAD"). Both now read the active session's working directory
from the canvas request context on open and on each action, so they
follow whichever project/worktree opened them.
where-was-i also re-gathers context on open when the saved branch is
blank, so it never opens stuck on stale data.
Also compress oversized extension preview images (pngquant, with a mild
resize for the photographic arcade-canvas art) so every preview.png is
comfortably under the installer's inline-byte cap that was blocking
release-notes-showcase from installing.
Update release-notes-showcase author to Kayla Cinnamon.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
||
|
|
969d814f7e |
Update gh-skills-builder to v1.0.3 (#2228)
* chore: update gh-skills-builder to v1.0.2 Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com> * Update gh-skills-builder to v1.0.3 with new commit sha Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com> |
||
|
|
e986f49695 |
Migrate extension metadata to plugin.json and enforce conventions (#2177)
* Remove pluginRoots property from marketplace.json The pluginRoots property is not used by install tooling and was only informational about the extension/plugin source directories. Removing it simplifies the marketplace.json structure while maintaining all functionality. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Migrate java-modernization-studio to plugin.json and update validation workflow - Create .github/plugin/plugin.json for java-modernization-studio extension - Remove legacy canvas.json from java-modernization-studio - Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json - Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json) - Remove schema validation logic that relied on canvas.schema.json - All 12 extensions now use plugin.json for metadata Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Add extensions field to all extension plugin.json files Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship extensions need to include an extensions field specifying where the extension code is located. All 12 extensions now have extensions set to '.' to reference the current directory where extension.mjs is located. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Enforce convention-based extension metadata and remove x-awesome-copilot - Remove x-awesome-copilot.screenshots from all extension plugin.json files - Enforce logo=assets/preview.png convention for all extensions - Enforce extensions=. per copilot-agent-runtime#9929 - Update validate-plugins.mjs to enforce conventions - Update validate-canvas-extensions.yml workflow with convention checks - Update AGENTS.md and CONTRIBUTING.md documentation All 12 extensions validated successfully. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Use standard plugin validation for extensions Remove the custom extension schema and schema validation helper, and validate extension plugin.json files through the existing plugin validator instead. Update workflows to stop depending on the removed schema. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |
||
|
|
da3855ab20 | add windows arm64 python gha wheel builder agent (#1940) | ||
|
|
071ddc82ec |
Add external plugin cockroachdb (#2187)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> |
||
|
|
4642e471ea |
Add pester-should-migration skill (experimental) (#2164)
* Add pester-should-migration skill (experimental) Companion to the pester-migration skill. Focuses on the optional move from the classic v5 `Should -Be` assertion syntax to the new v6 `Should-*` assertions (e.g. `Should -Be` -> `Should-Be`). Includes a full operator-by-operator mapping and the behavioral gotchas (negation as a separate command, BeExactly -> Should-BeString -CaseSensitive, truthy/falsy vs strict bool, BeNullOrEmpty split, collections, pipeline unwrapping). Marked experimental/preview: verified against Pester 6.0.0-rc2; the new Should-* assertions may still change before the 6.0 release. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Trim experimental status callout in pester-should-migration Address review feedback: drop the time-based, human-oriented preview guidance (release-candidate timing, "as of mid-2026", release-notes link) from the status callout, keeping a lean experimental marker. The agent has no concept of time, so that prose is just extra tokens. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Awesome Copilot Community <awesome-copilot-community@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
3bd22bc0f4 |
Fix PR duplicate check not running on external contributor submissions (#2188)
* Initial plan * Fix PR duplicate check not running on external contributor submissions Add forks: [\"*\"] and roles: all to pr-duplicate-check.md so the agentic workflow runs for all PR authors, including external contributors submitting from forks. Previously, the generated lock.yml contained: - A fork repository check blocking all fork PRs from running - A team membership check (admin/maintainer/write) blocking external contributors Recompiled with gh aw compile to regenerate pr-duplicate-check.lock.yml. The pre_activation job (which held the membership gate) is now removed, and the activation job runs unconditionally for all pull_request events. Closes #2121 Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fixing a bunch of warnings on all the agentic workflows --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |
||
|
|
8c68eba690 |
dotnet-test: polyglot description and keywords, mirror 0.2.0 (#2178)
Reframe the external catalog entry to reflect the plugin's polyglot test-generation pipeline (.NET/C#, Python, TypeScript/JavaScript, Java, Go, Ruby, Rust, C++, Kotlin, Swift, PowerShell) and add polyglot keywords so non-.NET developers can discover it. Mirrors the dotnet/skills 0.2.0 bump. Edits the source (plugins/external.json) and regenerates the generated .github/plugin/marketplace.json via npm run build. source stays unpinned (tracks main), so no behavior change. |
||
|
|
893df3fb7a |
chore(deps-dev): bump lodash (#2176)
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash). Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
f6fc97747f |
[bot] docs(learning-hub): update for Copilot CLI v1.0.65–v1.0.67 (#2185)
* docs(learning-hub): update with Copilot CLI v1.0.65–v1.0.67 changes - Add Claude Sonnet 5 to model table in building-custom-agents.md (v1.0.67) - Document --allow-all-mcp-server-instructions flag in understanding-mcp-servers.md (v1.0.66) - Add @-style imports for instruction files in defining-custom-instructions.md (v1.0.66) - Add sessionLimits setting to configuration table in copilot-configuration-basics.md (v1.0.66) - Document subagent concurrency and depth limits in agents-and-subagents.md (v1.0.66) Sources: - https://github.com/github/copilot-cli/releases/tag/v1.0.67 (2026-06-30) - https://github.com/github/copilot-cli/releases/tag/v1.0.66 (2026-06-30) - https://github.com/github/copilot-cli/releases/tag/v1.0.65 (2026-06-24) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Update website/src/content/docs/learning-hub/building-custom-agents.md --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
3169734bc2 |
Add Token Pac-Man canvas extension (#2175)
* Add Token Pac-Man canvas extension Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Address Token Pac-Man review feedback Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> |
||
|
|
388e0ed368 |
chore: update gh-skills-builder to v1.0.2 (#2183)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: arilivigni <4140343+arilivigni@users.noreply.github.com> |
||
|
|
fb0fae173f |
Add pester-migration skill (experimental) (#2163)
* Add pester-migration skill A self-contained, experimental skill that helps upgrade PowerShell Pester test suites across major versions (v3->v4, v4->v5, v5->v6). One router SKILL.md plus per-jump references. The v5->v6 guidance tracks Pester 6, which is still a release candidate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Regenerate skills index for pester-migration Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback on pester-migration skill - Pin the stable-v5 install to -MaximumVersion 5.99.99 so it keeps installing v5 after Pester 6 goes GA (SKILL.md). - Make the baseline run command version-agnostic (bare Invoke-Pester) and note that parameters differ across majors (SKILL.md). - Replace the '->' mapping arrows inside powershell fences with comment + valid replacement lines so snippets are copy/paste-safe (SKILL.md v5->v6 cheat sheet, v5-to-v6.md, and v3-to-v4.md). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review: scope -SkipPublisherCheck, trim status callout, order references - Drop -SkipPublisherCheck from the default install commands; scope it to Windows PowerShell 5.1 (installing over the OS's Microsoft-signed built-in Pester 3) per pester.dev install docs, instead of an unconditional default. - Trim the experimental status callout: keep the preview marker, drop the date-based, human-oriented wording. - Reorder the References table into version progression order (v3->v4, v4->v5, v5->v6). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: nohwnd <jakub@jares.cz> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
a4aebcd4bd |
docs(learning-hub): add /pr auto, /pr automerge, and /chronicle skills review (#2168)
Document three new CLI commands from Copilot CLI v1.0.66 (2026-06-30): - /pr auto: self-paced loop that fixes one failing item per run and paces around CI to drive a PR to green - /pr automerge: extends /pr auto to continue until the PR is fully merged (CI passes, reviews approved, PR merged) - /chronicle skills review: interactive review flow for agent-proposed draft skill changes (accept, reject, or defer each draft) Changes: - copilot-configuration-basics.md: add /pr auto + /pr automerge section in CLI Session Commands, extend /chronicle section with skills review subcommand - creating-effective-skills.md: add Q&A entry for /chronicle skills review in the Common Questions section Sources: - https://github.com/github/copilot-cli/commit/c802cc3f06ffd2a57968cf8efabd3d550650ac5e (changelog for v1.0.66) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
b7f2e084eb |
Add author attribution to Site Studio canvas (#2166)
Adds the author block to extensions/site-studio/canvas.json so the canvas gallery shows attribution (by @ayangupt), matching other extensions. Co-authored-by: Ayan Gupta <ayangupt@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
235bdb1872 | Fixing git sha's (#2170) | ||
|
|
65ba0b3922 |
Add Java Modernization Studio canvas extension (#2156)
* Add Java Modernization Studio canvas extension A canvas extension that drives the GitHub Copilot App Modernization for Java workflow from an interactive dashboard: environment readiness checks, repo assessment, prioritized plan/progress, validation gates (CVE scan, test generation), and one-click predefined-task runs — all grounded in the repo's real artifacts (.appmod/assessment.json, plan.md, progress.md). Includes a node:test suite (109 tests) for the grounding logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com> * Secure cockpit loopback server with a per-instance token Address Copilot review feedback on the Java Modernization Studio canvas: - Mint a per-instance secret in createInstanceServer, embed it in the iframe URL, and validate it on every loopback request (/, /state, /events, /action). Other local processes can no longer read repo state or dispatch agent actions just by guessing the random port. Mirrors the existing diagram-viewer token pattern; the client echoes the token from its boot payload. The guard is a no-op when no token is set, so direct makeHandler unit tests are unaffected. - Handle async request-handler rejections in createServer with a .catch that returns 500 and logs, instead of leaking an unhandled rejection that could destabilize the extension process. - Tests: token guard 403s unauthenticated /, /state, /events and /action and allows valid-token requests; the end-to-end test asserts the tokenized URL and a tokenless 403. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix CI: add preview screenshot and clear codespell hits Add the required assets/preview.png screenshot for the canvas-extension validator, and resolve two codespell findings in the cockpit: rename the planSim helper's `nd` variable to `notDone` and reword a catalog comment to avoid the `invokable`/`invocable` flag. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Harden cockpit loopback server per Copilot review Address the second-round Copilot review comments on the loopback server: - broadcast(): drop an SSE client whose write() throws instead of keeping it in the Set, so a uncleanly-disconnected client can't cause repeated exceptions or leak dead entries on every subsequent broadcast. - POST /action: treat a malformed JSON body or a missing/invalid "kind" as a 400 client error (with an application/json body) instead of a 200 carrying { ok:false, error:"Unknown action: undefined" }. - Handler catch: set Content-Type: application/json on the 500 error response so it is consistent with the other JSON routes. Adds four tests covering dead-client eviction, the two 400 paths, and the JSON-typed 500. Full suite: 115 passing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com> * Add canvas.json gallery metadata for Java Modernization Studio Aaron requested a canvas.json so the awesome-copilot website/gallery can list this extension. Generated via `npm run website:data` (writePerExtensionCanvasManifests), which derives id/name/description/ version/keywords/screenshots from package.json + the createCanvas source + assets, and carries the author through. Output committed verbatim so a CI regeneration produces no diff. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com> * Add author tag to package.json Declare the author in the package manifest (object form, matching the author already carried in canvas.json so it includes the profile URL). The published gallery sources author from canvas.json; this adds the conventional npm author tag to package.json for completeness. Verified `npm run website:data` still emits the author on the extensions record and leaves canvas.json byte-identical. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com> --------- Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
d47a6c93b7 |
Add copilot-pr-autopilot skill (#1944)
* Add copilot-pr-autopilot skill Skill that drives any GitHub pull request through repeated rounds of Copilot Code Review until the agent has either resolved every thread or explicitly escalated it to the human. Triggered via GraphQL (no @copilot mention needed), triages every open thread with a fix / decline / escalate rubric, replies and resolves each thread citing the pushed SHA, then re-triggers until HEAD is reviewed with zero threads awaiting the agent's reply. Includes step scripts (01 request-review, 02 check-review-status, 03 list-open-threads, 08 reply-and-resolve, 10 cleanup-outdated), shared library (_lib.ps1) with gh-CLI wrappers (Invoke-Gh, Invoke-GhGraphQL, ConvertFrom-GhJson, Assert-GhReady), reply templates, and reference docs for each step. Repo-agnostic. Requires gh CLI on PATH and repo Triage/Write for full autopilot; external PR authors get single-iteration mode with manual re-trigger via the UI re-request button or a substantive push. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review: split per-step references + add recap-gate circuit breaker - Fix #1: give steps 1/7/10 their own reference files (01-request-review.md, 07-commit-push.md, 10-cleanup.md); trim the inline bodies out of orchestration.md so it stays cross-cutting only. - Fix #3: add a recurring round-cap & recap gate to 09-convergence.md — default STOP every 10th round, recap all prior rounds, detect drift (out-of-scope / over-engineering / wrong-direction / belongs-in-separate-PR) with CONTINUE / REVERT-AND-SHIP / HAND-OFF verdicts. Agent reasoning, no new script. - Surface the gate from SKILL.md and orchestration.md; regenerate docs/README.skills.md. Markdown-only change; scripts unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(copilot-pr-autopilot): surface recap gate in decision pseudo-code; clarify Copilot+human convergence and round definition - Inject the round-cap recap gate into the '## Decision: loop back or exit' pseudo-code else-branch so an agent following the code block (not just the prose) runs the STOP-every-10th-round check before looping. - Broaden the 'never terminal' paragraph: non-convergence is driven by a Copilot finding OR a human review comment (this skill handles both); the loop ends only when there are no new comments from either source AND every open thread (Copilot or human) has an agent reply/escalation. - Define a 'round' explicitly as one execution of step 1 (01-request-review), i.e. one Copilot-review trigger — the cap counts review rounds, not tool calls or fix edits. Markdown-only; no script changes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * copilot-pr-autopilot: make recap-gate round count deterministic Add 09-review-round.ps1: counts Copilot Code Review submissions straight from the PR's API history (full GraphQL pagination), so the recap-gate trigger is a derived number, not a fallible agent mental tally. This removes the exact failure mode the skill exists to survive — a count drifting across a long run (the real 156-round case). The script reports Round + RecapDue (Round % RecapInterval == 0) only; it never stops the loop or picks the verdict. CONTINUE / REVERT-AND-SHIP / HAND-OFF stays agent reasoning. 09-convergence.md updated to reference the deterministic count while preserving 'no script stops the loop' and 'non-convergence = Copilot finding OR human comment'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Regenerate docs/README.skills.md for copilot-pr-autopilot (add 09-review-round.ps1) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
79cda6bb19 |
Add canvas schema validation to extension submission workflow (#2161)
* Add canvas schema and extension submission checks Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: use namespace import for js-yaml Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Fix contributors page build markup Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Address PR feedback on canvas schema validation - Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes - Fix screenshot path regex to prevent .. traversal segments - Validate canvas.schema.json is parseable JSON even on schema-only PRs Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Harden canvas extension workflow against injection attacks Switch from newline to null-terminated git diff output (git diff -z) so filenames containing newlines are read atomically, matching the existing skill-check.yml pattern. Add an allowlist regex guard on the extracted extension directory name immediately after it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g. names containing dollar signs, parentheses, spaces, or other shell metacharacters) is silently skipped before being used anywhere in the script. Add a matching allowlist guard on each screenshot path extracted from canvas.json before the file-existence check, so a crafted manifest cannot supply a path with shell metacharacters or traversal segments even after the schema check passes. Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236 and #1240. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Replace ajv-cli with in-repo schema validator - Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies - Add eng/validate-json-schema.mjs using ajv + ajv-formats - Update validate-canvas-extensions workflow to use local script - Use npm ci --ignore-scripts in PR validation job Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |
||
|
|
28c3a14af4 |
Switch skill CI validation workflows to vally lint (#2030)
* Switch skill CI checks to vally lint Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Adding Vally to allowed words * case sensitivity * Migrate external plugin quality gates from skill-validator to vally lint Replace the downloaded skill-validator binary with px @microsoft/vally-cli lint in the external plugin quality gates pipeline: - Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant - Replace uildSkillValidatorArgs() + unSkillValidatorGate() with uildVallyLintArgs() + unVallyLintGate() that run px vally-cli lint per resolved skill directory (falling back to the full plugin root when no specific skill paths can be resolved from plugin.json) - Rename result keys skill_validator_status / skill_validator_output to ally_lint_status / ally_lint_output throughout both ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs - Update PR comment markdown to show 'vally lint' instead of 'skill-validator' - Update CONTRIBUTING.md prose references accordingly Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Use @microsoft/vally library directly instead of vally-cli subprocess Replace the npx-spawned vally-cli process with a direct call to the @microsoft/vally core library in the external plugin quality gates scripts: - Add @microsoft/vally as a devDependency in package.json - Import runLint and LintConsoleReporter from @microsoft/vally - Replace runVallyLintGate() process spawn with async API call: - runLint({ rootPath }) returns structured LintResults - LintConsoleReporter with a Writable capture stream collects text output without printing to stdout - Make runExternalPluginQualityGates() async (propagated to runExternalPluginPrQualityGates() and both main entry points) - Use Promise.all in runExternalPluginPrQualityGates() for parallel plugin checks - Fix remaining skill_validator_status reference in pr-quality-gates summary string (now vally-lint=...) and YAML workflow table header - Add 'npm install @microsoft/vally' step to both calling workflows This removes a layer of indirection (Node -> npx -> CLI -> library) and replaces it with a direct in-process library call, which is faster, more reliable, and gives structured access to lint results. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
df58232729 |
create-implementation-plan: require unique identifiers (#1989) (#2142)
* create-implementation-plan: require unique identifiers (#1989) The skill template tells the agent to use REQ-, TASK-, GOAL-, and similar prefixed identifiers, but never says they have to be unique or how to check. @basilevs reported plans coming back with duplicate TASK IDs and proposed three POSIX one-liners that catch the two real collision modes (table rows and bullet declarations) plus a broad diagnostic scan. Document the uniqueness rule under the existing Template Validation Rules, then add a new "Identifier Uniqueness Check" section with all three bash commands and instructions on which must come back empty before the plan is finalized. DEP-* references intentionally allowed in multiple sections per the reporter's note. Closes #1989. * codespell: ignore GUD identifier prefix (#1989) Upstream skills/create-implementation-plan/SKILL.md already uses GUD-001 in the template body. Codespell currently slips past it on word-boundary, but the regex alternation (GUD|RISK|...) added in the previous commit on this branch makes codespell flag it as a misspelling of GOOD. GUD is the documented "Guideline" identifier prefix alongside REQ, SEC, CON, PAT, etc. Add it to the ignore-words-list, matching the pattern every other technical-token exemption in .codespellrc uses. * create-implementation-plan: clarify declaration vs reference (#1989 review) basilevs flagged that calling out DEP-* specifically was misleading, because any identifier can appear as a reference. A TASK body can cite a REQ, one TASK can cite another, and so on. The original phrasing made it sound like DEP-* was the only prefix allowed to recur. Rewrite the rule to lead with "uniquely declared": - Define declaration as the leading bullet/cell ID (e.g., the table row in Implementation Phase N, or '- **REQ-001**:'). - Say explicitly that references elsewhere in the plan are expected and not collisions, with concrete examples (TASK citing REQ, TASK citing TASK, Dependencies pointing at a DEP declared upstream). - Tighten the check intro to call (1) and (2) declaration-targeted gates and (3) a broad informational scan that will see references. Bash checks unchanged; they already encode the declaration-vs-reference distinction via the table-cell and bullet-prefix anchors. |
||
|
|
db80f8c2d4 |
chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates (#2160)
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash). Bumps the npm_and_yarn group with 2 updates in the /website directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [esbuild](https://github.com/evanw/esbuild). Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.18.1) Updates `astro` from 6.1.9 to 6.4.8 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro) Updates `devalue` from 5.7.1 to 5.8.1 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](https://github.com/sveltejs/devalue/compare/v5.7.1...v5.8.1) Updates `esbuild` from 0.27.7 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](https://github.com/evanw/esbuild/compare/v0.27.7...v0.28.1) Updates `vite` from 7.3.2 to 8.1.0 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: astro dependency-version: 6.4.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.8.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
4e8726dd50 |
azure-devops-cli: handle long comments on Windows (#2061) (#2140)
* azure-devops-cli: handle long comments on Windows (#2061) On Windows 'az' is a cmd.exe batch wrapper capped at ~8191 characters, so a long --discussion / --description value silently truncates or fails. Document three verified ways out so the coding agent doesn't waste 3-5 turns falling back to raw token retrieval and REST: 1. azps.ps1 in PowerShell on Windows. Same Azure CLI, invoked through the Python entry point with no cmd.exe length cap. Pair with 'Get-Content -Raw' so the body lives in a variable, not on the command line. 2. Native --file-path flags where Azure CLI offers them. Applies to 'az devops wiki page create' and 'az devops wiki page update', both documented with --encoding. 3. 'az devops invoke --in-file' as the universal escape hatch for commands with no --file-path (work-item --discussion, PR --description). Documented example posts to the work item comments REST endpoint with api-version 7.0-preview.3. The earlier draft suggested the Azure CLI '@<file>' convention as a generic substitute for inline string args. The official docs only document it for JSON parameters and the CLI source uses 'get_file_json' specifically, so the claim is removed and replaced with an explicit warning not to rely on it for plain string args. Files touched: - skills/azure-devops-cli/SKILL.md: new 'Posting long comments on Windows' section with shell-detection table and three verified options. - skills/azure-devops-cli/references/boards-and-iterations.md: short pointer at each --discussion example back to SKILL.md, plus an inline PowerShell snippet. Closes #2061. * azure-devops-cli: move long-comments guidance to reference file (#2061 review) aaronpowell asked for the Windows long-comments section to live as a reference file rather than inline in SKILL.md, so the token weight isn't always loaded into the agent's context. - Move the "Posting long comments on Windows" section to a new references/long-comments-on-windows.md verbatim. - Strip the section from SKILL.md (56 fewer lines in the always-loaded surface). - Add the new file to the Reference Files table in SKILL.md with a one-line "when to read" hint covering --discussion, --description, and --content failures on Windows. - Update the two pointer comments in references/boards-and-iterations.md to point at the new reference file instead of the SKILL.md section. docs/README.skills.md regenerated by 'npm run build' to pick up the new reference file in the skill's bundled assets column. |
||
|
|
0fa87ab383 |
Refresh 6 stale instruction files (#2133) (#2139)
* Refresh 6 stale instruction files flagged in #2133 Targeted refresh: - blazor: C# 13 to C# 14. Drop the Visual Studio Enterprise mandate so contributors on VS Code or Rider aren't blocked by a paid SKU. Swap VS-only profiling for dotnet-trace and dotnet-counters. - copilot-thought-logging: narrow applyTo from '**' to '**/Copilot-Processing.md'. Replace 9 Windows backslash paths with POSIX './Copilot-Processing.md' so the workflow works on macOS and Linux. - genaiscript: drop the "avoid exception handlers or error checking" line. Replace it with: handle errors at I/O and external API boundaries, let unexpected exceptions surface. - memory-bank: add the required 'description' frontmatter field (was a validation failure). Narrow applyTo from '**' to 'memory-bank/**'. Add an opt-in note so contributors know auxiliary files land in the workspace root. Minor modernization: - azure-functions-typescript: Node.js v20 to v22 LTS. - localization: relative '../../issues' disclaimer link to absolute https://github.com/github/awesome-copilot/issues so it resolves regardless of the localized doc's path. docs/README.instructions.md regenerated by 'npm run build' to pick up the new memory-bank description. * revert applyTo narrow on copilot-thought-logging (#2133 review) aaronpowell flagged that narrowing applyTo from '**' to '**/Copilot-Processing.md' inverts the instruction. The instruction tells Copilot to CREATE Copilot-Processing.md when handling any user request, so it must apply globally, not only when that file is already open. Restore applyTo to '**'. Keep the POSIX path fixes (backslash to './Copilot-Processing.md') and the other 5 file fixes in this PR unchanged. --------- Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
f0b1d44c7e |
Add Site Studio canvas extension (#2117)
* Add Site Studio canvas extension Site Studio is a canvas extension for planning, drafting, and tracking a personal website section by section. It gives you and your agent a shared dashboard with a status board, an autosaving content editor (with AI-draft and [Sample: ...] placeholders), and a live feed of every change and milestone. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address Copilot review feedback Robustness, prototype-pollution safety, and accessibility fixes from the Copilot code review on #2117: - Add "ai_request" to VALID_CHANGE_TYPES so log_change accepts the change type the server itself emits (e.g. /api/request-generation). - Bound the git branch lookup with timeout + maxBuffer so a hung git can't block the extension process and canvas UI. - Serialize state persistence via a promise queue and snapshot state synchronously, so concurrent mutations can't clobber newer state on disk. - Enforce a maximum request body size in readBodyJson to avoid unbounded memory use on the loopback server. - Guard the /events handler against a missing/closed instance instead of throwing when servers.get(instanceId) is undefined. - Reject unsafe field names (__proto__, prototype, constructor) in upsertSectionContent and use an own-property check in deleteSectionContent to prevent prototype pollution. - Make the "Generate with AI" info tooltip reachable by keyboard and screen readers (focusable, labelled) instead of mouse-hover only. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: ayangupt <ayangupt@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|
|
564298be32 |
[bot] Add CLI v1.0.64–1.0.65 features to Learning Hub configuration docs (#2146)
* docs: update Learning Hub with CLI v1.0.64-1.0.65 features Add five missing features from the past week's CLI releases: - HTTP(S) proxy user setting (v1.0.64) - /every command and /loop alias for in-session scheduled prompts (v1.0.64) - Inline image rendering in the terminal (v1.0.64) - Autopilot auto-handles elicitation/permission prompts (v1.0.64) - Shell command history accessible in normal mode via up/down and Ctrl+R (v1.0.65) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: consolidate /every, /loop, /after docs and remove duplicate section - Merge the duplicate /every+/loop section (added at line 640) into the existing first-occurrence at line 521 - Add /after command documentation (from PR #2148 suggestion) - Add example of /every invoking slash commands (/every 1d /chronicle standup) - Add Ctrl+C as alternative to /every stop - Add Experimental callout for /every, /loop, and /after - Update lastUpdated to 2026-06-29 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Aaron Powell <me@aaron-powell.com> |
||
|
|
7f19be7380 |
Fix contributor check gh api marker argument error (#2151)
* Fix contributor check comment upsert behavior Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix contributor check jq marker filtering Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |