* Add canvas schema and extension submission checks Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: use namespace import for js-yaml Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Fix contributors page build markup Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * Address PR feedback on canvas schema validation - Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes - Fix screenshot path regex to prevent .. traversal segments - Validate canvas.schema.json is parseable JSON even on schema-only PRs Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Harden canvas extension workflow against injection attacks Switch from newline to null-terminated git diff output (git diff -z) so filenames containing newlines are read atomically, matching the existing skill-check.yml pattern. Add an allowlist regex guard on the extracted extension directory name immediately after it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g. names containing dollar signs, parentheses, spaces, or other shell metacharacters) is silently skipped before being used anywhere in the script. Add a matching allowlist guard on each screenshot path extracted from canvas.json before the file-existence check, so a crafted manifest cannot supply a path with shell metacharacters or traversal segments even after the schema check passes. Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236 and #1240. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Replace ajv-cli with in-repo schema validator - Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies - Add eng/validate-json-schema.mjs using ajv + ajv-formats - Update validate-canvas-extensions workflow to use local script - Use npm ci --ignore-scripts in PR validation job Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Awesome GitHub Copilot website
Astro + Starlight site published to https://awesome-copilot.github.com/.
Local development
Run these from the repository root (they generate the data the site needs first):
npm run website:data # generate public/data/*.json from repo content
npm run website:dev # generate data + start the dev server
npm run website:build # full production build
Social preview cards (LinkedIn, etc.)
Shared links render as large preview cards driven by Open Graph / Twitter meta tags.
LinkedIn (and most platforms) read Open Graph — primarily og:image — while Twitter/X
also uses twitter:card=summary_large_image. Most tags are produced automatically:
- Starlight defaults emit
og:title,og:description,og:url,og:type,og:site_name, andtwitter:card=summary_large_image. astro.config.mjs(globalhead) emits the shared image tags:og:image,og:image:width,og:image:height,og:image:alt, andtwitter:image.src/components/Head.astroaddstwitter:title/description,og:image:secure_url,og:image:type, andtwitter:image:alt.
Each page's title and description (StarlightPage frontmatter) flow into the card text,
so keep them clear and benefit-focused.
The image-dimension invariant
og:image:width / og:image:height in astro.config.mjs describe public/images/social-image.png
(currently 2400×1260, ~1.91:1). Crawlers use these dimensions to understand the image and
may use them when selecting/rendering the preview. If you swap the image or add a per-page image
override, update the full image set so every tag stays consistent: og:image,
og:image:width, og:image:height, og:image:alt, and twitter:image (the last one matters
because Head.astro derives og:image:secure_url from twitter:image first).
After deploying
LinkedIn caches scrapes aggressively. To force a refresh and confirm the card renders, run the
changed URL through the LinkedIn Post Inspector.
HTML output alone doesn't prove the live card — verify the deployed image returns HTTP 200 over
HTTPS with Content-Type: image/png and no auth.