Files
awesome-copilot/website
Aaron Powell 79cda6bb19 Add canvas schema validation to extension submission workflow (#2161)
* Add canvas schema and extension submission checks

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: use namespace import for js-yaml

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Fix contributors page build markup

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Address PR feedback on canvas schema validation

- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Harden canvas extension workflow against injection attacks

Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.

Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.

Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.

Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Replace ajv-cli with in-repo schema validator

- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-01 10:40:40 +10:00
..
2026-05-29 11:11:10 +10:00

Awesome GitHub Copilot website

Astro + Starlight site published to https://awesome-copilot.github.com/.

Local development

Run these from the repository root (they generate the data the site needs first):

npm run website:data    # generate public/data/*.json from repo content
npm run website:dev     # generate data + start the dev server
npm run website:build   # full production build

Social preview cards (LinkedIn, etc.)

Shared links render as large preview cards driven by Open Graph / Twitter meta tags. LinkedIn (and most platforms) read Open Graph — primarily og:image — while Twitter/X also uses twitter:card=summary_large_image. Most tags are produced automatically:

  • Starlight defaults emit og:title, og:description, og:url, og:type, og:site_name, and twitter:card=summary_large_image.
  • astro.config.mjs (global head) emits the shared image tags: og:image, og:image:width, og:image:height, og:image:alt, and twitter:image.
  • src/components/Head.astro adds twitter:title/description, og:image:secure_url, og:image:type, and twitter:image:alt.

Each page's title and description (StarlightPage frontmatter) flow into the card text, so keep them clear and benefit-focused.

The image-dimension invariant

og:image:width / og:image:height in astro.config.mjs describe public/images/social-image.png (currently 2400×1260, ~1.91:1). Crawlers use these dimensions to understand the image and may use them when selecting/rendering the preview. If you swap the image or add a per-page image override, update the full image set so every tag stays consistent: og:image, og:image:width, og:image:height, og:image:alt, and twitter:image (the last one matters because Head.astro derives og:image:secure_url from twitter:image first).

After deploying

LinkedIn caches scrapes aggressively. To force a refresh and confirm the card renders, run the changed URL through the LinkedIn Post Inspector. HTML output alone doesn't prove the live card — verify the deployed image returns HTTP 200 over HTTPS with Content-Type: image/png and no auth.