Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-04-11 10:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7454bbdb7ca6a087f80052f6c27ea2f4a3f9740e
awesome-copilot/.github/workflows/skill-quality-report.yml
Jan Krivanek 1c6002448d Fix eval workflows (#1228) 
* Fix eval workflows

* Address review: secure two-phase PR comment & byte-based truncation

- skill-check.yml: Revert to pull_request trigger (read-only token).
  Remove PR comment posting; upload results as artifact instead.
- skill-check-comment.yml: New workflow_run-triggered workflow that
  downloads the artifact and posts/updates the PR comment with
  write permissions, without ever checking out PR code.
- skill-quality-report.yml: Replace character-based truncation with
  byte-based (Buffer.byteLength) limit. Shrink <details> sections
  structurally before falling back to hard byte-trim, keeping
  markdown rendering intact.
2026-03-31 10:47:54 +11:00

365 lines
14 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
name: Skill Quality Report — Nightly Scan
on:
schedule:
- cron: "0 3 * * *" # 3:00 AM UTC daily
workflow_dispatch: # allow manual trigger
permissions:
contents: read
discussions: write
issues: write # fallback if Discussions are not enabled
jobs:
nightly-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0 # full history for git-log author fallback
# ── Download & cache skill-validator ──────────────────────────
- name: Get cache key date
id: cache-date
run: echo "date=$(date +%Y-%m-%d)" >> "$GITHUB_OUTPUT"
- name: Restore skill-validator from cache
id: cache-sv
uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: .skill-validator
key: skill-validator-linux-x64-${{ steps.cache-date.outputs.date }}
restore-keys: |
skill-validator-linux-x64-
- name: Download skill-validator
if: steps.cache-sv.outputs.cache-hit != 'true'
run: |
mkdir -p .skill-validator
curl -fsSL \
"https://github.com/dotnet/skills/releases/download/skill-validator-nightly/skill-validator-linux-x64.tar.gz" \
-o .skill-validator/skill-validator-linux-x64.tar.gz
tar -xzf .skill-validator/skill-validator-linux-x64.tar.gz -C .skill-validator
rm .skill-validator/skill-validator-linux-x64.tar.gz
chmod +x .skill-validator/skill-validator
- name: Save skill-validator to cache
if: steps.cache-sv.outputs.cache-hit != 'true'
uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: .skill-validator
key: skill-validator-linux-x64-${{ steps.cache-date.outputs.date }}
# ── Run full scan ─────────────────────────────────────────────
- name: Run skill-validator check on all skills
id: check-skills
run: |
set +e
set -o pipefail
.skill-validator/skill-validator check \
--skills ./skills \
--verbose \
2>&1 | tee sv-skills-output.txt
echo "exit_code=${PIPESTATUS[0]}" >> "$GITHUB_OUTPUT"
set +o pipefail
set -e
- name: Run skill-validator check on all agents
id: check-agents
run: |
set +e
set -o pipefail
AGENT_FILES=$(find agents -name '*.agent.md' -type f 2>/dev/null | tr '\n' ' ')
if [ -n "$AGENT_FILES" ]; then
.skill-validator/skill-validator check \
--agents $AGENT_FILES \
--verbose \
2>&1 | tee sv-agents-output.txt
echo "exit_code=${PIPESTATUS[0]}" >> "$GITHUB_OUTPUT"
else
echo "No agent files found."
echo "" > sv-agents-output.txt
echo "exit_code=0" >> "$GITHUB_OUTPUT"
fi
set +o pipefail
set -e
# ── Build report with author attribution ──────────────────────
- name: Build quality report
id: report
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
with:
script: |
const fs = require('fs');
const path = require('path');
const { execSync } = require('child_process');
// ── Parse CODEOWNERS ──────────────────────────────────
function parseCodeowners() {
const map = new Map();
try {
const raw = fs.readFileSync('CODEOWNERS', 'utf8');
for (const line of raw.split('\n')) {
const trimmed = line.trim();
if (!trimmed || trimmed.startsWith('#')) continue;
const parts = trimmed.split(/\s+/);
if (parts.length >= 2) {
const filePath = parts[0].replace(/^\//, '').replace(/\/$/, '');
const owners = parts.slice(1).filter(p => p.startsWith('@'));
if (owners.length > 0) {
map.set(filePath, owners);
}
}
}
} catch (e) {
console.log('Could not parse CODEOWNERS:', e.message);
}
return map;
}
// ── Resolve author for a path ─────────────────────────
function resolveAuthor(resourcePath, codeowners) {
// CODEOWNERS semantics: last matching rule wins.
// Also treat "*" as a match-all default rule.
let matchedOwners = null;
for (const [pattern, owners] of codeowners) {
if (
pattern === '*' ||
resourcePath === pattern ||
resourcePath.startsWith(pattern + '/')
) {
matchedOwners = owners;
}
}
if (matchedOwners && matchedOwners.length > 0) {
return matchedOwners.join(', ');
}
// Fallback: git log
try {
const author = execSync(
`git log --format='%aN' --follow -1 -- "${resourcePath}"`,
{ encoding: 'utf8' }
).trim();
return author || 'unknown';
} catch {
return 'unknown';
}
}
// ── Parse skill-validator output ──────────────────────
// The output is a text report; we preserve it as-is and
// augment it with author info in the summary.
const skillsOutput = fs.readFileSync('sv-skills-output.txt', 'utf8').trim();
const agentsOutput = fs.existsSync('sv-agents-output.txt')
? fs.readFileSync('sv-agents-output.txt', 'utf8').trim()
: '';
const codeowners = parseCodeowners();
// Count findings
const combined = skillsOutput + '\n' + agentsOutput;
const errorCount = (combined.match(/\bError\b/gi) || []).length;
const warningCount = (combined.match(/\bWarning\b/gi) || []).length;
const advisoryCount = (combined.match(/\bAdvisory\b/gi) || []).length;
// Count total skills & agents checked
let skillDirs = [];
try {
skillDirs = fs.readdirSync('skills', { withFileTypes: true })
.filter(d => d.isDirectory())
.map(d => d.name);
} catch {}
let agentFiles = [];
try {
agentFiles = fs.readdirSync('agents')
.filter(f => f.endsWith('.agent.md'));
} catch {}
// ── Build author-attributed summary ───────────────────
// Extract per-resource blocks from output. The validator
// prints skill names as headers — we annotate them with
// the resolved owner.
function annotateWithAuthors(output, kind) {
if (!output) return '_No findings._';
const lines = output.split('\n');
const annotated = [];
for (const line of lines) {
// Skill names appear as headers, e.g. "## skill-name" or "skill-name:"
const headerMatch = line.match(/^(?:#{1,3}\s+)?([a-z0-9][a-z0-9-]+(?:\.[a-z0-9.-]+)?)\b/);
if (headerMatch) {
const name = headerMatch[1];
const resourcePath = kind === 'skill'
? `skills/${name}`
: `agents/${name}.agent.md`;
const author = resolveAuthor(resourcePath, codeowners);
annotated.push(`${line} — ${author}`);
} else {
annotated.push(line);
}
}
return annotated.join('\n');
}
const today = new Date().toISOString().split('T')[0];
const title = `Skill Quality Report — ${today}`;
const body = [
`# ${title}`,
'',
`**${skillDirs.length} skills** and **${agentFiles.length} agents** scanned.`,
'',
`| Severity | Count |`,
`|----------|-------|`,
`| ⛔ Errors | ${errorCount} |`,
`| ⚠️ Warnings | ${warningCount} |`,
`| Advisories | ${advisoryCount} |`,
'',
'---',
'',
'## Skills',
'',
'<details>',
'<summary>Full skill-validator output for skills</summary>',
'',
'```',
annotateWithAuthors(skillsOutput, 'skill'),
'```',
'',
'</details>',
'',
'## Agents',
'',
'<details>',
'<summary>Full skill-validator output for agents</summary>',
'',
'```',
annotateWithAuthors(agentsOutput, 'agent'),
'```',
'',
'</details>',
'',
'---',
'',
`_Generated by the [Skill Validator nightly scan](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/workflows/skill-quality-report.yml)._`,
].join('\n');
core.setOutput('title', title);
core.setOutput('body_file', 'report-body.md');
// GitHub Issues/Discussions enforce a body size limit on the
// UTF-8 payload (~65536 bytes). Use byte-based limits and prefer
// shrinking verbose <details> sections to keep markdown valid.
const MAX_BODY_BYTES = 65000; // leave some margin
function shrinkDetailsSections(markdown) {
return markdown.replace(
/<details([\s\S]*?)>[\s\S]*?<\/details>/g,
(match, attrs) => {
const placeholder = '\n<summary>Details truncated</summary>\n\n' +
"> Full output was truncated to fit GitHub's body size limit. " +
'See the workflow run for complete output.\n';
return `<details${attrs}>${placeholder}</details>`;
}
);
}
function trimToByteLimit(str, maxBytes) {
const buf = Buffer.from(str, 'utf8');
if (buf.length <= maxBytes) return str;
// Slice bytes and decode, which safely handles multi-byte chars
return buf.slice(0, maxBytes).toString('utf8').replace(/\uFFFD$/, '');
}
const truncNote = '\n\n> **Note:** Output was truncated to fit GitHub\'s body size limit. See the [workflow run](https://github.com/' + context.repo.owner + '/' + context.repo.repo + '/actions/workflows/skill-quality-report.yml) for full output.\n';
const truncNoteBytes = Buffer.byteLength(truncNote, 'utf8');
let finalBody = body;
if (Buffer.byteLength(finalBody, 'utf8') > MAX_BODY_BYTES) {
// First try: collapse <details> sections to reduce size
finalBody = shrinkDetailsSections(finalBody);
}
if (Buffer.byteLength(finalBody, 'utf8') > MAX_BODY_BYTES) {
// Last resort: hard byte-trim + truncation note
finalBody = trimToByteLimit(finalBody, MAX_BODY_BYTES - truncNoteBytes);
}
if (Buffer.byteLength(finalBody, 'utf8') < Buffer.byteLength(body, 'utf8')) {
finalBody += truncNote;
}
fs.writeFileSync('report-body.md', finalBody);
# ── Create Discussion (preferred) or Issue (fallback) ────────
- name: Create Discussion
id: create-discussion
continue-on-error: true
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
with:
script: |
const fs = require('fs');
const title = '${{ steps.report.outputs.title }}'.replace(/'/g, "\\'");
const body = fs.readFileSync('report-body.md', 'utf8');
// Find the "Skill Quality Reports" category
const categoriesResult = await github.graphql(`
query($owner: String!, $repo: String!) {
repository(owner: $owner, name: $repo) {
id
discussionCategories(first: 25) {
nodes { id name }
}
}
}
`, {
owner: context.repo.owner,
repo: context.repo.repo,
});
const repo = categoriesResult.repository;
const categories = repo.discussionCategories.nodes;
const category = categories.find(c =>
c.name === 'Skill Quality Reports'
);
if (!category) {
core.setFailed('Discussion category "Skill Quality Reports" not found. Falling back to issue.');
return;
}
await github.graphql(`
mutation($repoId: ID!, $categoryId: ID!, $title: String!, $body: String!) {
createDiscussion(input: {
repositoryId: $repoId,
categoryId: $categoryId,
title: $title,
body: $body
}) {
discussion { url }
}
}
`, {
repoId: repo.id,
categoryId: category.id,
title: title,
body: body,
});
console.log('Discussion created successfully.');
- name: Fallback — Create Issue
if: steps.create-discussion.outcome == 'failure'
env:
GH_TOKEN: ${{ github.token }}
run: |
# Create label if it doesn't exist (ignore errors if it already exists)
gh label create "skill-quality" --description "Automated skill quality reports" --color "d4c5f9" 2>/dev/null || true
gh issue create \
--title "${{ steps.report.outputs.title }}" \
--body-file report-body.md \
--label "skill-quality"
Reference in New Issue View Git Blame Copy Permalink