mirror of https://github.com/github/awesome-copilot.git synced 2026-04-11 02:35:55 +00:00

Files

Gonzalo Fleming 6ef9d3c4fd feat(instructions): update security, a11y, and performance to 2025-2026 standards (#1270 )

* feat(instructions): update security, a11y, and performance to 2025-2026 standards

Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks)
Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks)
Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)

* fix(instructions): use globalThis.scheduler to prevent ReferenceError

Access scheduler via globalThis to safely handle environments where
the Scheduling API is not declared as a global variable.

* fix(instructions): correct regex patterns and harden SSRF example

- AU1: anchor jwt.verify lookahead inside parentheses
- AU2: anchor jwt.sign lookahead, add expiresIn alternative
- AU7: fix greedy .* before negative lookahead in OAuth state check
- I5: resolve all DNS records, add TOCTOU production note
- K2: add closing delimiters and multi-digit support to tabindex regex

* fix(instructions): enhance SSRF IP validation with IPv4-mapped IPv6

Normalize IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before
checking private ranges, preventing bypass via mapped addresses.

* fix(instructions): add noscript fallback for deferred CSS pattern

Without JS, the media="print" + onload pattern leaves the stylesheet
inactive. The noscript tag loads it normally when JS is disabled.

* fix(instructions): add execFileSync to I3 command injection detection

The BAD example uses execFileSync but the regex only matched exec,
execSync, and execFile — missing the sync variant.

* fix(instructions): cover full IPv6 link-local range in SSRF check

fe80::/10 spans fe80-febf (fe8*, fe9*, fea*, feb*). Previous regex
only matched fe80::. Also use normalized variable for consistency.

* fix(instructions): adjust SSRF wording and downgrade reduced-motion severity

- SSRF: replace "full DNS/IP validation" with accurate wording that
  acknowledges TOCTOU limitation
- V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION,
  remove 2.2.2 (A) reference since it's an AAA enhancement

* fix(instructions): rename AU4 heading to include SHA-256

The heading said "Weak Password Hash (MD5/SHA1)" but the detection
regex and BAD example both use SHA-256. Renamed to "Fast Hash for
Passwords" which better describes the actual anti-pattern.

* fix(instructions): clarify WCAG 2.2 SC 4.1.1 status as obsolete

SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked
as obsolete (always satisfied). Changed wording from "removed" to
"obsolete" for accuracy.

* fix(instructions): rename I1 example vars to avoid TS redeclaration

Copy-pasting the I1 SQL injection example as a single block failed with a
TypeScript redeclaration error because both BAD and GOOD snippets used
`const result`. Rename to `unsafeResult`/`safeResult` so the block remains
copy-pasteable into a single scope.

* fix(instructions): migrate I3 example to async execFile with bounds

The I3 command injection example used `execFileSync` in both BAD and GOOD
paths, which (a) redeclared `const output` in the same block and (b) blocks
the Node event loop in server handlers, amplifying DoS impact.

Switch the GOOD/BEST paths to a promisified `execFile` call with explicit
`timeout` and `maxBuffer` bounds, and rename variables to
`unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a
trailing note recommending async child_process APIs for server code.

* fix(instructions): align AU6 heading with session fixation example

The AU6 heading claimed "Session Not Invalidated on Password Change" but
the mitigation example showed `req.session.regenerate`, which is the
canonical defense against session fixation on login rather than bulk
invalidation after a credential change.

Rename the anti-pattern to "Missing Session Regeneration on Login (Session
Fixation)" so it matches the example, and add a trailing note pointing to
the complementary practice of invalidating other active sessions for the
user on password change (e.g., via a `tokenVersion` counter).

* fix(instructions): make L1 critical CSS pattern CSP-compatible

The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"`
handler on a `<link>` tag. Under a strict CSP that disallows
`'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event
handlers are blocked, so the stylesheet would never activate and users
would hit a styling regression.

Replace the pattern with build-time critical CSS extraction
(Critters/Beasties/Next.js `optimizeCss`) plus a normal
`<link rel="preload" as="style">` and standard `<link rel="stylesheet">`.
Add a trailing note explaining why the older inline-onload trick breaks
under strict CSP and how to defer non-critical CSS with an external
script when deferral is truly needed.

2026-04-10 14:40:42 +10:00

.gitkeep

Partners (#354 )

2025-10-29 06:07:13 +11:00

README.agents.md

Maint: Remove old agents (#1351 )

2026-04-10 11:17:39 +10:00

README.hooks.md

Add tool guardian hook (#1044 )

2026-03-19 16:06:48 +11:00

README.instructions.md

feat(instructions): update security, a11y, and performance to 2025-2026 standards (#1270 )

2026-04-10 14:40:42 +10:00

README.plugins.md

feat: Adds React 18 and 19 migration plugin (#1339 )

2026-04-09 15:18:52 +10:00

README.skills.md

update eval-driven-dev skill (#1352 )

2026-04-10 11:19:28 +10:00

README.workflows.md

Merge branch 'staged' into aw/relevance-check

2026-02-27 10:24:59 +11:00

README.workflows.md

⚡ Agentic Workflows

Agentic Workflows are AI-powered repository automations that run coding agents in GitHub Actions. Defined in markdown with natural language instructions, they enable event-triggered and scheduled automation with built-in guardrails and security-first design.

How to Contribute

See CONTRIBUTING.md for guidelines on how to contribute new workflows, improve existing ones, and share your use cases.

How to Use Agentic Workflows

What's Included:

Each workflow is a single .md file with YAML frontmatter and natural language instructions
Workflows are compiled to .lock.yml GitHub Actions files via gh aw compile
Workflows follow the GitHub Agentic Workflows specification

To Install:

Install the gh aw CLI extension: gh extension install github/gh-aw
Copy the workflow .md file to your repository's .github/workflows/ directory
Compile with gh aw compile to generate the .lock.yml file
Commit both the .md and .lock.yml files

To Activate/Use:

Workflows run automatically based on their configured triggers (schedules, events, slash commands)
Use gh aw run <workflow> to trigger a manual run
Monitor runs with gh aw status and gh aw logs

When to Use:

Automate issue triage and labeling
Generate daily status reports
Maintain documentation automatically
Run scheduled code quality checks
Respond to slash commands in issues and PRs
Orchestrate multi-step repository automation

Name	Description	Triggers
Daily Issues Report	Generates a daily summary of open issues and recent activity as a GitHub issue	schedule
OSPO Contributors Report	Monthly contributor activity metrics across an organization's repositories.	schedule, workflow_dispatch
OSPO Organization Health Report	Comprehensive weekly health report for a GitHub organization. Surfaces stale issues/PRs, merge time analysis, contributor leaderboards, and actionable items needing human attention.	schedule, workflow_dispatch
OSPO Stale Repository Report	Identifies inactive repositories in your organization and generates an archival recommendation report.	schedule, workflow_dispatch
OSS Release Compliance Checker	Analyzes a target repository against open source release requirements and posts a detailed compliance report as an issue comment.	issues, workflow_dispatch
Relevance Check	Slash command to evaluate whether an issue or pull request is still relevant to the project	slash_command, roles
Relevance Summary	Manually triggered workflow that summarizes all open issues and PRs with a /relevance-check response into a single issue	workflow_dispatch