* Add keyword display to extension cards on website
- Add .resource-keywords and .keyword-tag CSS styles for rendering keyword badges
- Update renderExtensionsHtml() to display keywords below extension description
- Keywords now visible on the website extensions page with styled badges
- Regenerate website data to include keyword metadata
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Canvas manifest implementation for all extensions
Add per-extension canvas manifests with:
- Structured canvas metadata (name, description, version, keywords)
- Screenshot definitions (icon and gallery with path/type)
- Relative paths for images within each extension directory
Enhance extension metadata:
- Generate meaningful descriptions from source analysis
- Extract and assign keywords for discoverability
- Store metadata in package.json and extension source files
Update website rendering and data generation:
- Include keywords in extension cards and search index
- Add per-extension canvas.json files for independent evolution
- Support screenshot metadata in manifest structure
- Generate extensions.json with full canonical paths for website
All 9 local canvas extensions now have complete manifests with descriptions, keywords, and screenshot references.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Tweaking some descriptions
* Fix description priority to prefer package.json over in-source metadata
Reverse the priority in canvasDescription so that package.json descriptions
(which contain the enhanced, manually-curated descriptions) take precedence
over older in-source descriptions extracted from createCanvas(...) calls.
This prevents regression when npm run website:data regenerates outputs,
ensuring that committed canvas.json files maintain the current descriptions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix canvas validation to skip external.json file
The validation script was treating extensions/external.json as if it were
a directory, causing false validation failures. Added check to skip files
(identified by presence of dot in filename) and only validate actual
canvas extension directories.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Allow label operations on pull requests in external plugin approval workflow
The sync-merged-pr-labels job needs pull-requests: write permission to
add/remove labels on merged PRs. Previously it only had issues: write which
is for issues, not pull requests. This fixes the permission error when
workflows try to modify PR labels from a non-contributor account.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Handle 403 permission errors when creating external plugin intake labels
When running on PRs from fork contributors, the GitHub token may not have
permission to create labels in the repository. This is expected and should
not cause the workflow to fail. Allow the ensureLabel function to gracefully
handle 403 Forbidden errors in addition to 422 (label already exists) errors.
This fixes the sync-pr-state job failure in external-plugin-pr-quality-gates.yml
when run on PRs from external contributors.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: Centralize label management into a single workflow_dispatch workflow
Create a new 'setup-labels' workflow that is manually dispatched and handles
all label creation and updates. This workflow:
- Creates all labels used by the repository
- Updates descriptions if labels already exist
- Reports success/failure counts
- Fails if any labels cannot be created
All individual workflows now assume labels exist and will fail (loudly) if
they don't. This makes it clear to maintainers when the setup-labels workflow
needs to be dispatched:
- label-pr-intent.yml
- skill-check-comment.yml
- external-plugin-approval-command.yml
- external-plugin-command-router.yml
- external-plugin-rereview.yml
- external-plugin-rereview-command.yml
- eng/external-plugin-intake-state.mjs
This approach is better because:
- Single source of truth for label definitions
- Avoids permission issues with fork contributors
- Clear failure modes when labels are missing
- Easier to maintain consistent label configuration
- No more scattered label creation logic across workflows
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Remove unused ensureLabel methods and managedLabels constants
Labels are now centrally managed by the setup-labels workflow and
assumed to exist in all other workflows. Removed:
- ensureLabel() methods from all 6 workflows and 1 JS module
- managedLabels constants that were only used by ensureLabel
- Promise.all() calls that invoked ensureLabel for each label
- Updated syncManagedLabels in skill-check-comment.yml to remove ensureLabel call
All workflows now assume labels exist and will fail if they don't,
which is the desired behavior—it signals maintainers to dispatch the
setup-labels workflow when new labels need to be created.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update PR template to include canvas extension as a contribution type
- Add 'canvas-extension' label (color: E4B9FF) to label-pr-intent workflow
  with auto-detection for PRs touching extensions/**
- Add new validate-canvas-extensions.yml workflow that checks:
  - extension.mjs is present in each changed extension folder
  - assets/preview.png screenshot is present in each changed extension folder
  - Posts a REQUEST_CHANGES review with a fix guide on failure
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add soft-gate PR risk scanning automation
Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Harden path checks and reduce scanner false positives
Reject absolute paths, enforce repo-root containment after resolution, and tighten unpinned-version detection to dependency/version contexts to avoid markdown noise.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden soft-gate behavior and scanner coverage
Make PR risk scan workflows non-blocking on scanner/artifact edge cases, always upload artifacts, reduce required permissions, and extend scanner script detection to plugin skill paths.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix: reset bot review when PR base is changed off main
The check-pr-target workflow only ran on 'opened' events targeting main,
so it never re-ran after a submitter edited the base branch to 'staged'.
The REQUEST_CHANGES review was left in place, blocking merge and requiring
a manual maintainer override.
Changes:
- Broaden trigger to also fire on edited, reopened, and synchronize events,
and add 'staged' to the branches filter so the workflow runs after a
base-branch edit.
- Before posting REQUEST_CHANGES, check whether the bot already has an
active CHANGES_REQUESTED review to avoid duplicate reviews.
- After a base-branch edit: if the PR no longer targets main and the bot's
latest review state is CHANGES_REQUESTED, post an APPROVE review to
clear the block automatically.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
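The decision logic described in these changes, extracted as an added example (not the workflow's own code) so it can be exercised outside an Actions run; the function names and the review object shape (user.login, state, submitted_at, as in GitHub's REST pull-request review objects) are assumptions:

```javascript
// Returns the state of the bot's most recent review on the PR, or null when
// the bot has not reviewed it. Reviews are ordered by submitted_at because the
// API list is not guaranteed to be in submission order.
function latestBotReviewState(reviews, botLogin) {
  const mine = reviews
    .filter((r) => r.user && r.user.login === botLogin)
    .sort((a, b) => new Date(a.submitted_at) - new Date(b.submitted_at));
  return mine.length ? mine[mine.length - 1].state : null;
}

// Decides which review, if any, the target check should post after an
// opened/edited/reopened/synchronize event. Returns "REQUEST_CHANGES",
// "APPROVE" or "NONE". `protectedBase` is the branch PRs must not target.
function decideTargetCheckAction({ baseRef, reviews, botLogin, protectedBase = "main" }) {
  const last = latestBotReviewState(reviews, botLogin);
  if (baseRef === protectedBase) {
    // Still targeting the protected branch: block, but never stack a second
    // CHANGES_REQUESTED review on top of an active one.
    return last === "CHANGES_REQUESTED" ? "NONE" : "REQUEST_CHANGES";
  }
  // Base was moved off the protected branch: lift an outstanding block so no
  // maintainer override is needed; otherwise there is nothing to do.
  return last === "CHANGES_REQUESTED" ? "APPROVE" : "NONE";
}
```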
* fix: rerun PR target check for any base branch
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Add workflow run link to external plugin intake comments
- Include a link to the GitHub Actions workflow run in intake comment
- Helps users trace which action run generated the intake report
- Works for both initial intake and re-run intake flows
- Link appears at bottom of comment for all intake states (passed/failed/quality gates)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on intake comment formatting
- Remove leading spaces from runLink construction to preserve markdown formatting
- Remove unnecessary newline prefix before runLink in quality gates section
- Move workflow run link to the very end of all comment types (after warnings)
- For merged intake comments, append link as final element
- Remove unused runId parameter from applyExternalPluginIntakeEvaluation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Run contributor checks from AGT scripts
Fetch the pinned AGT contributor check scripts directly and execute them with Python so the workflow no longer depends on missing console entrypoints from the published package.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Log contributor check JSON outputs
Dump the raw AGT JSON outputs and stderr logs in the contributor check workflow to make future debugging easier.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Normalize AGT risk extraction in the contributor check workflow so missing per-check values do not render as blank or inflate the overall risk.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add automated contributor reputation screening on PR/issue open events
using AGT's pip-installable CLI tools. Detects coordinated inauthentic
contribution patterns (credential laundering, spray-and-pray).
- Installs via pip (pinned to agent-governance-toolkit==3.3.0)
- Uses jq for JSON parsing
- Fails closed: UNKNOWN risk maps to MEDIUM
- Posts risk summary comment on MEDIUM/HIGH with link to workflow run
- Adds needs-review label for maintainer attention
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Updating the workflow to publish to the new marketplace branch
Using env vars for the branch names so that we can easily update without inlining everything as we progress through.
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* removing old scripts
* consolidated folder
* Updating usage of scripts
* Adding script to generate an open PR report, rather than making AI gen it each time
* Adding step to close old quality report discussions
* Fix the nightly report summaries
* Fix workflow trigger
* Fix advisory regex to handle optional variation selector
Match ℹ with or without the trailing U+FE0F variation selector so advisory counts are reliable regardless of output encoding.
When the full report exceeds GitHub's 65K body limit, the summary
table stays in the discussion/issue body and the verbose skill/agent
output is posted as follow-up comments (split into chunks if needed).
This ensures no output is lost.
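The advisory count from the regex fix above and the body-limit split described here, as one added example (not the project's report script); the function names, the 65536 value used for the "65K" limit, and the newline-preferring chunking are assumptions:

```javascript
// Assumed numeric value for the "65K" GitHub body limit referenced above.
const GITHUB_BODY_LIMIT = 65536;

// Counts advisory markers whether or not the ℹ (U+2139) is followed by the
// U+FE0F variation selector; the optional quantifier keeps "ℹ️" as one match.
function countAdvisories(text) {
  const matches = text.match(/\u2139\uFE0F?/gu);
  return matches ? matches.length : 0;
}

// Splits text into pieces no longer than `limit`, preferring to cut at a
// newline so a table row or log line is not torn across two comments.
function chunkText(text, limit) {
  const chunks = [];
  let rest = text;
  while (rest.length > limit) {
    let cut = rest.lastIndexOf("\n", limit);
    if (cut <= 0) cut = limit; // no usable newline: hard cut
    chunks.push(rest.slice(0, cut));
    rest = rest.slice(cut).replace(/^\n/, "");
  }
  if (rest.length > 0) chunks.push(rest);
  return chunks;
}

// Keeps everything in the body when it fits; otherwise the summary stays in
// the body and the verbose output becomes follow-up comments, chunked if needed.
function layoutReport(summary, verbose, limit = GITHUB_BODY_LIMIT) {
  if (summary.length > limit) throw new Error("summary alone exceeds the body limit");
  const full = `${summary}\n\n${verbose}`;
  if (full.length <= limit) return { body: full, comments: [] };
  return { body: summary, comments: chunkText(verbose, limit) };
}
```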
* Initial pass at bringing a website experience to copilot cli for beginners
* dropped the number from the heading
* Adding codeowner
* agentic workflow to keep the docs in sync
* Making it more aligned with the source material
* Removing the badges and TOC since we get some of that from astro
* updating the agentic workflow
* Adding learning hub to llms.txt
* Removing nav that comes from the source markdown files
* Fixing model names
* handling arrays of models for agent frontmatter
* Cleaning up some warnings on website build
* adding a workflow to run and perform CI of the website