Remove the read-only role override from the PR duplicate check so gh-aw pre-activation gates unsupported actors before the PR checkout step runs.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Remove pluginRoots property from marketplace.json
The pluginRoots property is not used by install tooling and was only
informational about the extension/plugin source directories. Removing it
simplifies the marketplace.json structure while maintaining all functionality.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Migrate java-modernization-studio to plugin.json and update validation workflow
- Create .github/plugin/plugin.json for java-modernization-studio extension
- Remove legacy canvas.json from java-modernization-studio
- Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json
- Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json)
- Remove schema validation logic that relied on canvas.schema.json
- All 12 extensions now use plugin.json for metadata
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add extensions field to all extension plugin.json files
Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship
extensions need to include an extensions field specifying where the extension code
is located. All 12 extensions now have extensions set to '.' to reference the
current directory where extension.mjs is located.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Enforce convention-based extension metadata and remove x-awesome-copilot
- Remove x-awesome-copilot.screenshots from all extension plugin.json files
- Enforce logo=assets/preview.png convention for all extensions
- Enforce extensions=. per copilot-agent-runtime#9929
- Update validate-plugins.mjs to enforce conventions
- Update validate-canvas-extensions.yml workflow with convention checks
- Update AGENTS.md and CONTRIBUTING.md documentation
All 12 extensions validated successfully.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Use standard plugin validation for extensions
Remove the custom extension schema and schema validation helper, and
validate extension plugin.json files through the existing plugin validator
instead. Update workflows to stop depending on the removed schema.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Initial plan
* Fix PR duplicate check not running on external contributor submissions
Add forks: [\"*\"] and roles: all to pr-duplicate-check.md so the
agentic workflow runs for all PR authors, including external contributors
submitting from forks. Previously, the generated lock.yml contained:
- A fork repository check blocking all fork PRs from running
- A team membership check (admin/maintainer/write) blocking external contributors
Recompiled with gh aw compile to regenerate pr-duplicate-check.lock.yml.
The pre_activation job (which held the membership gate) is now removed,
and the activation job runs unconditionally for all pull_request events.
Closes#2121
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fixing a bunch of warnings on all the agentic workflows
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add canvas schema and extension submission checks
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* fix: use namespace import for js-yaml
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Fix contributors page build markup
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Address PR feedback on canvas schema validation
- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Harden canvas extension workflow against injection attacks
Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.
Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.
Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.
Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Replace ajv-cli with in-repo schema validator
- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Switch skill CI checks to vally lint
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Adding Vally to allowed words
* case sensitivity
* Migrate external plugin quality gates from skill-validator to vally lint
Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:
- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() +
unSkillValidatorGate() with
uildVallyLintArgs() +
unVallyLintGate() that run
px vally-cli lint
per resolved skill directory (falling back to the full plugin root when no
specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
to ally_lint_status / ally_lint_output throughout both
ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Use @microsoft/vally library directly instead of vally-cli subprocess
Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:
- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
- runLint({ rootPath }) returns structured LintResults
- LintConsoleReporter with a Writable capture stream collects
text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows
This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Now that main is the contributor branch and staged is retired,
no new PRs will target staged. The check-pr-target guard is
no longer needed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The workflow was using the pull_request trigger which restricts
GITHUB_TOKEN to read-only for fork PRs, causing the sync-pr-state
job to fail with 403 when trying to add labels.
Switching to pull_request_target runs the workflow in the base
repo context so declared permissions (issues: write, pull-requests:
write) are honoured for cross-repository PRs.
The workflow is safe to use pull_request_target because:
- detect-changed-plugins reads files via the GitHub API only (no checkout)
- run-quality-gates checks out the trusted staged branch, not the PR head
- sync-pr-state also checks out the staged branch
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add keyword display to extension cards on website
- Add .resource-keywords and .keyword-tag CSS styles for rendering keyword badges
- Update renderExtensionsHtml() to display keywords below extension description
- Keywords now visible on the website extensions page with styled badges
- Regenerate website data to include keyword metadata
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Canvas manifest implementation for all extensions
Add per-extension canvas manifests with:
- Structured canvas metadata (name, description, version, keywords)
- Screenshot definitions (icon and gallery with path/type)
- Relative paths for images within each extension directory
Enhance extension metadata:
- Generate meaningful descriptions from source analysis
- Extract and assign keywords for discoverability
- Store metadata in package.json and extension source files
Update website rendering and data generation:
- Include keywords in extension cards and search index
- Add per-extension canvas.json files for independent evolution
- Support screenshot metadata in manifest structure
- Generate extensions.json with full canonical paths for website
All 9 local canvas extensions now have complete manifests with descriptions, keywords, and screenshot references.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Tweaking some descriptions
* Fix description priority to prefer package.json over in-source metadata
Reverse the priority in canvasDescription so that package.json descriptions
(which contain the enhanced, manually-curated descriptions) take precedence
over older in-source descriptions extracted from createCanvas(...) calls.
This prevents regression when npm run website:data regenerates outputs,
ensuring that committed canvas.json files maintain the current descriptions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix canvas validation to skip external.json file
The validation script was treating extensions/external.json as if it were
a directory, causing false validation failures. Added check to skip files
(identified by presence of dot in filename) and only validate actual
canvas extension directories.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Allow label operations on pull requests in external plugin approval workflow
The sync-merged-pr-labels job needs pull-requests: write permission to
add/remove labels on merged PRs. Previously it only had issues: write which
is for issues, not pull requests. This fixes the permission error when
workflows try to modify PR labels from a non-contributor account.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Handle 403 permission errors when creating external plugin intake labels
When running on PRs from fork contributors, the GitHub token may not have
permission to create labels in the repository. This is expected and should
not cause the workflow to fail. Allow the ensureLabel function to gracefully
handle 403 Forbidden errors in addition to 422 (label already exists) errors.
This fixes the sync-pr-state job failure in external-plugin-pr-quality-gates.yml
when run on PRs from external contributors.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: Centralize label management into a single workflow_dispatch workflow
Create a new 'setup-labels' workflow that is manually dispatched and handles
all label creation and updates. This workflow:
- Creates all labels used by the repository
- Updates descriptions if labels already exist
- Reports success/failure counts
- Fails if any labels cannot be created
All individual workflows now assume labels exist and will fail (loudly) if
they don't. This makes it clear to maintainers when the setup-labels workflow
needs to be dispatched:
- label-pr-intent.yml
- skill-check-comment.yml
- external-plugin-approval-command.yml
- external-plugin-command-router.yml
- external-plugin-rereview.yml
- external-plugin-rereview-command.yml
- eng/external-plugin-intake-state.mjs
This approach is better because:
- Single source of truth for label definitions
- Avoids permission issues with fork contributors
- Clear failure modes when labels are missing
- Easier to maintain consistent label configuration
- No more scattered label creation logic across workflows
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Remove unused ensureLabel methods and managedLabels constants
Labels are now centrally managed by the setup-labels workflow and
assumed to exist in all other workflows. Removed:
- ensureLabel() methods from all 6 workflows and 1 JS module
- managedLabels constants that were only used by ensureLabel
- Promise.all() calls that invoked ensureLabel for each label
- Updated syncManagedLabels in skill-check-comment.yml to remove ensureLabel call
All workflows now assume labels exist and will fail if they don't,
which is the desired behavior—it signals maintainers to dispatch the
setup-labels workflow when new labels need to be created.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update PR template to include canvas extension as a contribution type
- Add 'canvas-extension' label (color: E4B9FF) to label-pr-intent workflow
with auto-detection for PRs touching extensions/**
- Add new validate-canvas-extensions.yml workflow that checks:
- extension.mjs is present in each changed extension folder
- assets/preview.png screenshot is present in each changed extension folder
- Posts a REQUEST_CHANGES review with a fix guide on failure
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add soft-gate PR risk scanning automation
Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Harden path checks and reduce scanner false positives
Reject absolute paths, enforce repo-root containment after resolution, and tighten unpinned-version detection to dependency/version contexts to avoid markdown noise.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden soft-gate behavior and scanner coverage
Make PR risk scan workflows non-blocking on scanner/artifact edge cases, always upload artifacts, reduce required permissions, and extend scanner script detection to plugin skill paths.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix: reset bot review when PR base is changed off main
The check-pr-target workflow only ran on 'opened' events targeting main,
so it never re-ran after a submitter edited the base branch to 'staged'.
The REQUEST_CHANGES review was left in place, blocking merge and requiring
a manual maintainer override.
Changes:
- Broaden trigger to also fire on edited, reopened, and synchronize events,
and add 'staged' to the branches filter so the workflow runs after a
base-branch edit.
- Before posting REQUEST_CHANGES, check whether the bot already has an
active CHANGES_REQUESTED review to avoid duplicate reviews.
- After a base-branch edit: if the PR no longer targets main and the bot's
latest review state is CHANGES_REQUESTED, post an APPROVE review to
clear the block automatically.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: rerun PR target check for any base branch
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Add workflow run link to external plugin intake comments
- Include a link to the GitHub Actions workflow run in intake comment
- Helps users trace which action run generated the intake report
- Works for both initial intake and re-run intake flows
- Link appears at bottom of comment for all intake states (passed/failed/quality gates)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on intake comment formatting
- Remove leading spaces from runLink construction to preserve markdown formatting
- Remove unnecessary newline prefix before runLink in quality gates section
- Move workflow run link to the very end of all comment types (after warnings)
- For merged intake comments, append link as final element
- Remove unused runId parameter from applyExternalPluginIntakeEvaluation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Run contributor checks from AGT scripts
Fetch the pinned AGT contributor check scripts directly and execute them with Python so the workflow no longer depends on missing console entrypoints from the published package.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Log contributor check JSON outputs
Dump the raw AGT JSON outputs and stderr logs in the contributor check workflow to make future debugging easier.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Normalize AGT risk extraction in the contributor check workflow so missing per-check values do not render as blank or inflate the overall risk.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add automated contributor reputation screening on PR/issue open events
using AGT's pip-installable CLI tools. Detects coordinated inauthentic
contribution patterns (credential laundering, spray-and-pray).
- Installs via pip (pinned to agent-governance-toolkit==3.3.0)
- Uses jq for JSON parsing
- Fails closed: UNKNOWN risk maps to MEDIUM
- Posts risk summary comment on MEDIUM/HIGH with link to workflow run
- Adds needs-review label for maintainer attention
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>