* fix: Allow label operations on pull requests in external plugin approval workflow
The sync-merged-pr-labels job needs pull-requests: write permission to
add/remove labels on merged PRs. Previously it only had issues: write which
is for issues, not pull requests. This fixes the permission error when
workflows try to modify PR labels from a non-contributor account.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: Handle 403 permission errors when creating external plugin intake labels
When running on PRs from fork contributors, the GitHub token may not have
permission to create labels in the repository. This is expected and should
not cause the workflow to fail. Allow the ensureLabel function to gracefully
handle 403 Forbidden errors in addition to 422 (label already exists) errors.
This fixes the sync-pr-state job failure in external-plugin-pr-quality-gates.yml
when run on PRs from external contributors.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: Centralize label management into a single workflow_dispatch workflow
Create a new 'setup-labels' workflow that is manually dispatched and handles
all label creation and updates. This workflow:
- Creates all labels used by the repository
- Updates descriptions if labels already exist
- Reports success/failure counts
- Fails if any labels cannot be created
All individual workflows now assume labels exist and will fail (loudly) if
they don't. This makes it clear to maintainers when the setup-labels workflow
needs to be dispatched:
- label-pr-intent.yml
- skill-check-comment.yml
- external-plugin-approval-command.yml
- external-plugin-command-router.yml
- external-plugin-rereview.yml
- external-plugin-rereview-command.yml
- eng/external-plugin-intake-state.mjs
This approach is better because:
- Single source of truth for label definitions
- Avoids permission issues with fork contributors
- Clear failure modes when labels are missing
- Easier to maintain consistent label configuration
- No more scattered label creation logic across workflows
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Remove unused ensureLabel methods and managedLabels constants
Labels are now centrally managed by the setup-labels workflow and
assumed to exist in all other workflows. Removed:
- ensureLabel() methods from all 6 workflows and 1 JS module
- managedLabels constants that were only used by ensureLabel
- Promise.all() calls that invoked ensureLabel for each label
- Updated syncManagedLabels in skill-check-comment.yml to remove ensureLabel call
All workflows now assume labels exist and will fail if they don't,
which is the desired behavior—it signals maintainers to dispatch the
setup-labels workflow when new labels need to be created.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update PR template to include canvas extension as a contribution type
- Add 'canvas-extension' label (color: E4B9FF) to label-pr-intent workflow
with auto-detection for PRs touching extensions/**
- Add new validate-canvas-extensions.yml workflow that checks:
- extension.mjs is present in each changed extension folder
- assets/preview.png screenshot is present in each changed extension folder
- Posts a REQUEST_CHANGES review with a fix guide on failure
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add soft-gate PR risk scanning automation
Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Harden path checks and reduce scanner false positives
Reject absolute paths, enforce repo-root containment after resolution, and tighten unpinned-version detection to dependency/version contexts to avoid markdown noise.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden soft-gate behavior and scanner coverage
Make PR risk scan workflows non-blocking on scanner/artifact edge cases, always upload artifacts, reduce required permissions, and extend scanner script detection to plugin skill paths.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* chore(deps, docs): bump marketplace version to 1.46.0
- Refine execution priority guidance in agent documentation
- Imrpvoe discovery guidance
- Improve context cache guidance
- Add script usage guidelines to agent documentation
- Simplify agent input references
* feat: bump marketplace version to 1.47.0 and enhance agent workflows
- Add Bug‑Fix Mode with validation gate for `debugger_diagnosis` tasks
- Expand allowed task types to include `research`
- Reduce subagent concurrency limit from 4 to 2
- Update design validation handling for flagged tasks
- Update marketplace plugin version reference to 1.47.0
* chore: bump marketplace version to 1.48.0 and refine agent context envelope workflow documentation
- Enhance the Init section in gem-browser-tester.agent.md, gem-code-simplifier.agent.md, and gem-critic.agent.md with detailed context envelope handling, active context treatment, and reuse_notes trust/verification logic.
- Add explicit steps for safe assumption, verification before use, and controlled re‑reading of context notes.
* chore: refine verification of symbol usages before modifying shared components
* chore(marketplace): bump version to 1.50.0; refactor(gem-browser-tester): simplify workflow steps
* chore(docs): simplify Phase 0 task classification and streamline initialization
* chore: Merges teps for batching
* feat: Enhcanc esuport for trivial/ low complex tasks
* chore: bump version to 1.56.0 and add config settings for visual regression, devops approvals, and orchestrator complexity
* chore: fix toc links
* chore: Remove emojis from headings
* chore: Update readme
* chore: Enforce orchestration
* chore: clarify orchestrator role and bump version to 1.59.0
* chore: bump version to 1.61.0 and refine agent documentation
* chore: bump version to 1.62.0 and refine agent documentation
* chore: bump version to 1.63.0 and add mandatory rules notice to all agent documentation files
* chore: Improve batching instructions
- bump version to 1.64.0
* chore: refactor gem-planner agent definition and JSON output to remove redundant fields and simplify structure
* chore: bump marketplace version to 1.66.0 and refactor gem-planner plan format, update agent documentation to clarify reuse_notes and simplify structures
* fix: reset bot review when PR base is changed off main
The check-pr-target workflow only ran on 'opened' events targeting main,
so it never re-ran after a submitter edited the base branch to 'staged'.
The REQUEST_CHANGES review was left in place, blocking merge and requiring
a manual maintainer override.
Changes:
- Broaden trigger to also fire on edited, reopened, and synchronize events,
and add 'staged' to the branches filter so the workflow runs after a
base-branch edit.
- Before posting REQUEST_CHANGES, check whether the bot already has an
active CHANGES_REQUESTED review to avoid duplicate reviews.
- After a base-branch edit: if the PR no longer targets main and the bot's
latest review state is CHANGES_REQUESTED, post an APPROVE review to
clear the block automatically.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: rerun PR target check for any base branch
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* aws plugin and adding few more aws agents
* updating the agent def
* fixed around skill validator results.
---------
Co-authored-by: Preyas Prakasan <preyasprakasan@Preyass-MacBook-Pro.local>
* chore(deps, docs): bump marketplace version to 1.46.0
- Refine execution priority guidance in agent documentation
- Imrpvoe discovery guidance
- Improve context cache guidance
- Add script usage guidelines to agent documentation
- Simplify agent input references
* feat: bump marketplace version to 1.47.0 and enhance agent workflows
- Add Bug‑Fix Mode with validation gate for `debugger_diagnosis` tasks
- Expand allowed task types to include `research`
- Reduce subagent concurrency limit from 4 to 2
- Update design validation handling for flagged tasks
- Update marketplace plugin version reference to 1.47.0
* chore: bump marketplace version to 1.48.0 and refine agent context envelope workflow documentation
- Enhance the Init section in gem-browser-tester.agent.md, gem-code-simplifier.agent.md, and gem-critic.agent.md with detailed context envelope handling, active context treatment, and reuse_notes trust/verification logic.
- Add explicit steps for safe assumption, verification before use, and controlled re‑reading of context notes.
* chore: refine verification of symbol usages before modifying shared components
* chore(marketplace): bump version to 1.50.0; refactor(gem-browser-tester): simplify workflow steps
* chore(docs): simplify Phase 0 task classification and streamline initialization
* chore: Merges teps for batching
* feat: Enhcanc esuport for trivial/ low complex tasks
* chore: bump version to 1.56.0 and add config settings for visual regression, devops approvals, and orchestrator complexity
* chore: fix toc links
* chore: Remove emojis from headings
* chore: Update readme
* chore: Enforce orchestration
* chore: clarify orchestrator role and bump version to 1.59.0
* chore: bump version to 1.61.0 and refine agent documentation
* feat: Add external plugins Kanban board canvas extension
- Create interactive Kanban board showing external plugin submission issues
- Display issues in columns based on labels: 'requires-submitter-fixes', 'ready-for-review', 'approved', 'rejected'
- Support drag-and-drop state transitions between columns
- Show PR links for approved issues via [Generated PR](url) pattern in issue body
- Display issue summaries with numbers and titles
- Use app theme variables for visual integration
- Implement demo mode with example issues for consistent testing
The canvas includes:
- HTTP server with /api/issues endpoint for issue fetching
- Drag-and-drop UI with vanilla JavaScript
- Responsive HTML/CSS Kanban layout
- Auto-refresh on drag operations
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: Add issue detail modal to Kanban board canvas
- Click any issue card to view full details in a modal
- Modal shows issue description, creation/update dates, labels, and PR link
- Displays formatted dates and color-coded label badges
- Modal can be closed via X button or clicking outside
- Drag-and-drop still works on issue cards
- Added hover effects to issue cards for better interactivity
Demo data now includes issue body descriptions, created_at, and updated_at timestamps for realistic display.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: Integrate real external plugin issues from repository
- Replaced hard-coded demo data with live gh CLI integration
- Attempts to fetch actual issues using 'gh issue list --label external-plugin'
- Tries multiple gh installation paths for Windows compatibility
- Falls back to demo data if gh CLI isn't accessible from extension subprocess
- Demo data now contains real external plugin issue titles from repository
- Maintains full functionality (Kanban board, drag-drop, modal details, PR links)
Note: gh CLI integration may require environment configuration on Windows.
The extension gracefully degrades to accurate demo data when live integration unavailable.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Implement external plugins Kanban board canvas with GitHub API integration
- Created external-plugins-board canvas extension with HTTP loopback server
- 4-column Kanban board layout (requires-submitter-fixes, ready-for-review, approved, rejected)
- Fetches real issues from github/awesome-copilot repository via GitHub REST API
- Click issues to view full details in modal (title, description, dates, labels, PR links)
- Drag-and-drop support for state transitions (future: update labels via API)
- Responsive design with theme variable integration for light/dark mode
- No hard-coded demo data - displays actual repository data
Resolved subprocess execution limitation:
- Extension subprocess is sandboxed and cannot execute system binaries (gh, cmd.exe, powershell.exe)
- Solution: Use GitHub REST API directly instead of gh CLI subprocess execution
- API calls work perfectly from within restricted subprocess environment
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Render issue body as markdown in board modal
- add marked dependency for markdown parsing\n- render issue body HTML in the modal\n- style markdown elements for readable theme-aware output\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add workflow run link to external plugin intake comments
- Include a link to the GitHub Actions workflow run in intake comment
- Helps users trace which action run generated the intake report
- Works for both initial intake and re-run intake flows
- Link appears at bottom of comment for all intake states (passed/failed/quality gates)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on intake comment formatting
- Remove leading spaces from runLink construction to preserve markdown formatting
- Remove unnecessary newline prefix before runLink in quality gates section
- Move workflow run link to the very end of all comment types (after warnings)
- For merged intake comments, append link as final element
- Remove unused runId parameter from applyExternalPluginIntakeEvaluation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(pm-skills): use plain tag name for ref, not refs/tags/
`apm install pm-skills@awesome-copilot` invokes `git clone --depth=1 --branch=<ref>` against the source repo. `git clone --branch` rejects `refs/tags/v2.1.0` ("Remote branch not found in upstream origin") and only accepts the plain tag name.
Matches the convention used by the other entries in this file - `chrome-devtools-plugin` uses `chrome-devtools-mcp-v1.0.1`, `ai-ready` uses a SHA. `pm-skills` was the only entry with the `refs/tags/` prefix, inherited from the placeholder example in the external-plugin issue form.
Tested locally: with the fix applied, `apm install pm-skills@awesome-copilot --target claude` resolves cleanly (12 skills + MCP server + 2 hooks integrated).
Original submission: github/awesome-copilot#1767 / github/awesome-copilot#1770
* fix: regenerate marketplace.json after pm-skills ref fix
The previous force-push (7fbf75a) updated plugins/external.json only.
.github/plugin/marketplace.json is a derived artifact regenerated by
`npm start` and must be kept in sync. The Validate README.md workflow
detected the mismatch and failed.
Ran `npm ci && npm start` locally; produces a single 1-line update to
marketplace.json matching the plugins/external.json change.
* Add visual-pr plugin: screenshot capture, annotation, PR embedding, and screen recording
Four skills that teach Copilot to capture UI screenshots (Playwright + PIL),
annotate them with algorithmic label placement, embed before/after images
in PR descriptions, and record animated GIF demos.
Includes demo images showing the annotation engine on GitHub Issues.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update generated README tables and marketplace.json
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Embed annotate.py module in image-annotations skill
The full working module (annotate_image, grid_image, diff_images) is now
included as a code block so users can save it as annotate.py and import
directly. Scrubbed project-specific labels from examples.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback: mss.mss() context manager, fix RECT struct, consistent placeholder
- Use mss.mss() context manager instead of mss.MSS() (ui-screenshots, screen-recording)
- Fix broken RECT struct in window+GIF combining example (screen-recording)
- Consistent projectId placeholder in AzDO upload example (pr-screenshots)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fixing path on chrome devtools external pluginPath is to the folder in the repo where the plugin structure starts, not where the plugin.json file lives.
* Updating validation scripts and guidance to avoid this mistake again
Aaron Powell
Florian Vogt
Sophio Japharidze
github-actions[bot]
Muhammad Ubaid Raza
Preyas Prakasan
Tim Mulholland
Sanyam Vipul Savla
Parth Sangani
Antonio Villanueva
Jakub Jareš
Copilot