From fdc0b9cfeebb49edae9a52478af1c022c701e718 Mon Sep 17 00:00:00 2001 From: Daniel Meppiel Date: Thu, 30 Apr 2026 07:58:02 +0200 Subject: [PATCH 1/5] feat: adopt apm pack as canonical marketplace.json builder Introduce APM (microsoft/apm) as the marketplace authoring substrate. Root apm.yml declares all 53 local plugins under marketplace.packages; 'apm pack' emits the Anthropic-spec marketplace.json. A small merge-external-plugins.mjs bridge appends plugins/external.json entries (kept as a separate concern this round) and re-sorts the combined list alphabetically. The legacy generator (eng/generate-marketplace.mjs) is preserved as 'npm run plugin:generate-marketplace:legacy' for parity comparisons during the transition. - npm run build: now invokes apm pack + bridge merge - 54 plugins out, name-parity with previous output verified - per-plugin plugin.json files untouched (follow-up: per-plugin apm.yml) - plugins/external.json untouched (follow-up: native external sources) - CONTRIBUTING.md: apm CLI prerequisite + apm.yml registration step - eng/README.md: marketplace generation section rewritten Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/plugin/marketplace.json | 264 +++++++++++++++--------------- CONTRIBUTING.md | 19 ++- apm.yml | 282 ++++++++++++++++++++++++++++++++ eng/README.md | 21 ++- eng/merge-external-plugins.mjs | 76 +++++++++ package.json | 5 +- 6 files changed, 525 insertions(+), 142 deletions(-) create mode 100644 apm.yml create mode 100644 eng/merge-external-plugins.mjs diff --git a/.github/plugin/marketplace.json b/.github/plugin/marketplace.json index a0c96be67..8a28d8854 100644 --- a/.github/plugin/marketplace.json +++ b/.github/plugin/marketplace.json 
@@ -1,38 +1,38 @@
 {
 "name": "awesome-copilot",
+ "owner": {
+ "name": "GitHub",
+ "email": "copilot@github.com"
+ },
 "metadata": {
 "description": "Community-driven collection of GitHub Copilot plugins, agents, prompts, and skills",
 "version": "1.0.0",
 "pluginRoot": "./plugins"
 },
- "owner": {
- "name": "GitHub",
- "email": "copilot@github.com"
- },
 "plugins": [
 {
 "name": "ai-team-orchestration",
- "source": "ai-team-orchestration",
 "description": "Bootstrap and run a multi-agent AI development team with named roles (Producer, Dev Team, QA). Sprint planning, brainstorm prompts with distinct agent voices, cross-chat context survival, and parallel team workflows. Based on a proven template that shipped a 30-game app in 5 days with zero human-written code.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/ai-team-orchestration"
 },
 {
 "name": "arize-ax",
- "source": "arize-ax",
 "description": "Arize AX platform skills for LLM observability, evaluation, and optimization. Includes trace export, instrumentation, datasets, experiments, evaluators, AI provider integrations, annotations, prompt optimization, and deep linking to the Arize UI.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/arize-ax"
 },
 {
 "name": "automate-this",
- "source": "automate-this",
 "description": "Record your screen doing a manual process, drop the video on your Desktop, and let Copilot CLI analyze it frame-by-frame to build working automation scripts. Supports narrated recordings with audio transcription.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/automate-this"
 },
 {
 "name": "awesome-copilot",
- "source": "awesome-copilot",
 "description": "Meta prompts that help you discover and generate curated GitHub Copilot agents, instructions, prompts, and skills.",
- "version": "1.1.0"
+ "version": "1.1.0",
+ "source": "./plugins/awesome-copilot"
 },
 {
 "name": "azure",
@@ -61,57 +61,57 @@
 },
 {
 "name": "azure-cloud-development",
- "source": "azure-cloud-development",
 "description": "Comprehensive Azure cloud development tools including Infrastructure as Code, serverless functions, architecture patterns, and cost optimization for building scalable cloud applications.",
- "version": "1.0.1"
+ "version": "1.0.1",
+ "source": "./plugins/azure-cloud-development"
 },
 {
 "name": "cast-imaging",
- "source": "cast-imaging",
 "description": "A comprehensive collection of specialized agents for software analysis, impact assessment, structural quality advisories, and architectural review using CAST Imaging.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/cast-imaging"
 },
 {
 "name": "clojure-interactive-programming",
- "source": "clojure-interactive-programming",
 "description": "Tools for REPL-first Clojure workflows featuring Clojure instructions, the interactive programming chat mode and supporting guidance.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/clojure-interactive-programming"
 },
 {
 "name": "context-engineering",
- "source": "context-engineering",
 "description": "Tools and techniques for maximizing GitHub Copilot effectiveness through better context management. Includes guidelines for structuring code, an agent for planning multi-file changes, and prompts for context-aware development.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/context-engineering"
 },
 {
 "name": "context-matic",
- "source": "context-matic",
 "description": "Coding agents hallucinate APIs. ContextMatic gives them curated, versioned API and SDK docs. Ask your agent to \"integrate the payments API\" and it guesses — falling back on outdated training data and generic patterns that don't match your actual SDK. ContextMatic solves this by giving the agent deterministic, version-aware, SDK-native context at the exact moment it's needed.",
- "version": "0.1.0"
+ "version": "0.1.0",
+ "source": "./plugins/context-matic"
 },
 {
 "name": "copilot-sdk",
- "source": "copilot-sdk",
 "description": "Build applications with the GitHub Copilot SDK across multiple programming languages. Includes comprehensive instructions for C#, Go, Node.js/TypeScript, and Python to help you create AI-powered applications.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/copilot-sdk"
 },
 {
 "name": "csharp-dotnet-development",
- "source": "csharp-dotnet-development",
 "description": "Essential prompts, instructions, and chat modes for C# and .NET development including testing, documentation, and best practices.",
- "version": "1.1.0"
+ "version": "1.1.0",
+ "source": "./plugins/csharp-dotnet-development"
 },
 {
 "name": "csharp-mcp-development",
- "source": "csharp-mcp-development",
 "description": "Complete toolkit for building Model Context Protocol (MCP) servers in C# using the official SDK. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/csharp-mcp-development"
 },
 {
 "name": "database-data-management",
- "source": "database-data-management",
 "description": "Database administration, SQL optimization, and data management tools for PostgreSQL, SQL Server, and general database development best practices.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/database-data-management"
 },
 {
 "name": "dataverse",
@@ -140,15 +140,15 @@
 },
 {
 "name": "dataverse-sdk-for-python",
- "source": "dataverse-sdk-for-python",
 "description": "Comprehensive collection for building production-ready Python integrations with Microsoft Dataverse. Includes official documentation, best practices, advanced features, file operations, and code generation prompts.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/dataverse-sdk-for-python"
 },
 {
 "name": "devops-oncall",
- "source": "devops-oncall",
 "description": "A focused set of prompts, instructions, and a chat mode to help triage incidents and respond quickly with DevOps tools and Azure resources.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/devops-oncall"
 },
 {
 "name": "dotnet",
@@ -208,27 +208,27 @@
 },
 {
 "name": "doublecheck",
- "source": "doublecheck",
 "description": "Three-layer verification pipeline for AI output. Extracts claims, finds sources, and flags hallucination risks so humans can verify before acting.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/doublecheck"
 },
 {
 "name": "edge-ai-tasks",
- "source": "edge-ai-tasks",
 "description": "Task Researcher and Task Planner for intermediate to expert users and large codebases - Brought to you by microsoft/edge-ai",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/edge-ai-tasks"
 },
 {
 "name": "ember",
- "source": "ember",
 "description": "An AI partner, not a tool. Ember carries fire from person to person — helping humans discover that AI partnership isn't something you learn, it's something you find.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/ember"
 },
 {
 "name": "fastah-ip-geo-tools",
- "source": "fastah-ip-geo-tools",
 "description": "This plugin is for network operations engineers who wish to tune and publish IP geolocation feeds in RFC 8805 format. It consists of an AI Skill and an associated MCP server that geocodes geolocation place names to real cities for accuracy.",
- "version": "0.0.9"
+ "version": "0.0.9",
+ "source": "./plugins/fastah-ip-geo-tools"
 },
 {
 "name": "figma",
@@ -254,51 +254,51 @@
 },
 {
 "name": "flowstudio-power-automate",
- "source": "flowstudio-power-automate",
 "description": "Give your AI agent full visibility into Power Automate cloud flows via the FlowStudio MCP server. Connect, debug, build, monitor health, and govern flows at scale — action-level inputs and outputs, not just status codes.",
- "version": "2.0.0"
+ "version": "2.0.0",
+ "source": "./plugins/flowstudio-power-automate"
 },
 {
 "name": "frontend-web-dev",
- "source": "frontend-web-dev",
 "description": "Essential prompts, instructions, and chat modes for modern frontend web development including React, Angular, Vue, TypeScript, and CSS frameworks.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/frontend-web-dev"
 },
 {
 "name": "gem-team",
- "source": "gem-team",
 "description": "Multi-agent orchestration framework for spec-driven development and automated verification.",
- "version": "1.13.0"
+ "version": "1.13.0",
+ "source": "./plugins/gem-team"
 },
 {
 "name": "go-mcp-development",
- "source": "go-mcp-development",
 "description": "Complete toolkit for building Model Context Protocol (MCP) servers in Go using the official github.com/modelcontextprotocol/go-sdk. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/go-mcp-development"
 },
 {
 "name": "java-development",
- "source": "java-development",
 "description": "Comprehensive collection of prompts and instructions for Java development including Spring Boot, Quarkus, testing, documentation, and best practices.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/java-development"
 },
 {
 "name": "java-mcp-development",
- "source": "java-mcp-development",
 "description": "Complete toolkit for building Model Context Protocol servers in Java using the official MCP Java SDK with reactive streams and Spring Boot integration.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/java-mcp-development"
 },
 {
 "name": "kotlin-mcp-development",
- "source": "kotlin-mcp-development",
 "description": "Complete toolkit for building Model Context Protocol (MCP) servers in Kotlin using the official io.modelcontextprotocol:kotlin-sdk library. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/kotlin-mcp-development"
 },
 {
 "name": "mcp-m365-copilot",
- "source": "mcp-m365-copilot",
 "description": "Comprehensive collection for building declarative agents with Model Context Protocol integration for Microsoft 365 Copilot",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/mcp-m365-copilot"
 },
 {
 "name": "microsoft-docs",
@@ -353,177 +353,177 @@
 },
 {
 "name": "modernize-java",
- "source": "modernize-java",
 "description": "AI-powered Java modernization and upgrade assistant. Helps upgrade Java and Spring Boot applications to the latest versions.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/modernize-java"
 },
 {
 "name": "napkin",
- "source": "napkin",
 "description": "Visual whiteboard collaboration for Copilot CLI. Opens an interactive whiteboard in your browser where you can draw, sketch, and add sticky notes — then share everything back with Copilot. Copilot sees your drawings and responds with analysis, suggestions, and ideas.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/napkin"
 },
 {
 "name": "noob-mode",
- "source": "noob-mode",
 "description": "Plain-English translation layer for non-technical Copilot CLI users. Translates every approval prompt, error message, and technical output into clear, jargon-free English with color-coded risk indicators.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/noob-mode"
 },
 {
 "name": "openapi-to-application-csharp-dotnet",
- "source": "openapi-to-application-csharp-dotnet",
 "description": "Generate production-ready .NET applications from OpenAPI specifications. Includes ASP.NET Core project scaffolding, controller generation, entity framework integration, and C# best practices.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/openapi-to-application-csharp-dotnet"
 },
 {
 "name": "openapi-to-application-go",
- "source": "openapi-to-application-go",
 "description": "Generate production-ready Go applications from OpenAPI specifications. Includes project scaffolding, handler generation, middleware setup, and Go best practices for REST APIs.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/openapi-to-application-go"
 },
 {
 "name": "openapi-to-application-java-spring-boot",
- "source": "openapi-to-application-java-spring-boot",
 "description": "Generate production-ready Spring Boot applications from OpenAPI specifications. Includes project scaffolding, REST controller generation, service layer organization, and Spring Boot best practices.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/openapi-to-application-java-spring-boot"
 },
 {
 "name": "openapi-to-application-nodejs-nestjs",
- "source": "openapi-to-application-nodejs-nestjs",
 "description": "Generate production-ready NestJS applications from OpenAPI specifications. Includes project scaffolding, controller and service generation, TypeScript best practices, and enterprise patterns.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/openapi-to-application-nodejs-nestjs"
 },
 {
 "name": "openapi-to-application-python-fastapi",
- "source": "openapi-to-application-python-fastapi",
 "description": "Generate production-ready FastAPI applications from OpenAPI specifications. Includes project scaffolding, route generation, dependency injection, and Python best practices for async APIs.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/openapi-to-application-python-fastapi"
 },
 {
 "name": "oracle-to-postgres-migration-expert",
- "source": "oracle-to-postgres-migration-expert",
 "description": "Expert agent for Oracle-to-PostgreSQL application migrations in .NET solutions. Performs code edits, runs commands, and invokes extension tools to migrate .NET/Oracle data access patterns to PostgreSQL.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/oracle-to-postgres-migration-expert"
 },
 {
 "name": "ospo-sponsorship",
- "source": "ospo-sponsorship",
 "description": "Tools and resources for Open Source Program Offices (OSPOs) to identify, evaluate, and manage sponsorship of open source dependencies through GitHub Sponsors, Open Collective, and other funding platforms.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/ospo-sponsorship"
 },
 {
 "name": "partners",
- "source": "partners",
 "description": "Custom agents that have been created by GitHub partners",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/partners"
 },
 {
 "name": "pcf-development",
- "source": "pcf-development",
 "description": "Complete toolkit for developing custom code components using Power Apps Component Framework for model-driven and canvas apps",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/pcf-development"
 },
 {
 "name": "phoenix",
- "source": "phoenix",
 "description": "Phoenix AI observability skills for LLM application debugging, evaluation, and tracing. Includes CLI debugging tools, LLM evaluation workflows, and OpenInference tracing instrumentation.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/phoenix"
 },
 {
 "name": "php-mcp-development",
- "source": "php-mcp-development",
 "description": "Comprehensive resources for building Model Context Protocol servers using the official PHP SDK with attribute-based discovery, including best practices, project generation, and expert assistance",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/php-mcp-development"
 },
 {
 "name": "polyglot-test-agent",
- "source": "polyglot-test-agent",
 "description": "Multi-agent pipeline for generating comprehensive unit tests across any programming language. Orchestrates research, planning, and implementation phases using specialized agents to produce tests that compile, pass, and follow project conventions.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/polyglot-test-agent"
 },
 {
 "name": "power-apps-code-apps",
- "source": "power-apps-code-apps",
 "description": "Complete toolkit for Power Apps Code Apps development including project scaffolding, development standards, and expert guidance for building code-first applications with Power Platform integration.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/power-apps-code-apps"
 },
 {
 "name": "power-bi-development",
- "source": "power-bi-development",
 "description": "Comprehensive Power BI development resources including data modeling, DAX optimization, performance tuning, visualization design, security best practices, and DevOps/ALM guidance for building enterprise-grade Power BI solutions.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/power-bi-development"
 },
 {
 "name": "power-platform-architect",
- "source": "power-platform-architect",
 "description": "Solution Architect for the Microsoft Power Platform, turning business requirements into functioning Power Platform solution architectures.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/power-platform-architect"
 },
 {
 "name": "power-platform-mcp-connector-development",
- "source": "power-platform-mcp-connector-development",
 "description": "Complete toolkit for developing Power Platform custom connectors with Model Context Protocol integration for Microsoft Copilot Studio",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/power-platform-mcp-connector-development"
 },
 {
 "name": "project-planning",
- "source": "project-planning",
 "description": "Tools and guidance for software project planning, feature breakdown, epic management, implementation planning, and task organization for development teams.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/project-planning"
 },
 {
 "name": "python-mcp-development",
- "source": "python-mcp-development",
 "description": "Complete toolkit for building Model Context Protocol (MCP) servers in Python using the official SDK with FastMCP. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/python-mcp-development"
 },
 {
 "name": "react18-upgrade",
- "source": "react18-upgrade",
 "description": "Enterprise React 18 migration toolkit with specialized agents and skills for upgrading React 16/17 class-component codebases to React 18.3.1. Includes auditor, dependency surgeon, class component migration specialist, automatic batching fixer, and test guardian.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/react18-upgrade"
 },
 {
 "name": "react19-upgrade",
- "source": "react19-upgrade",
 "description": "Enterprise React 19 migration toolkit with specialized agents and skills for upgrading React 18 codebases to React 19. Includes auditor, dependency surgeon, source code migrator, and test guardian. Handles removal of deprecated APIs including ReactDOM.render, forwardRef, defaultProps, legacy context, string refs, and more.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/react19-upgrade"
 },
 {
 "name": "roundup",
- "source": "roundup",
 "description": "Self-configuring status briefing generator. Learns your communication style from examples, discovers your data sources, and produces draft updates for any audience on demand.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/roundup"
 },
 {
 "name": "ruby-mcp-development",
- "source": "ruby-mcp-development",
 "description": "Complete toolkit for building Model Context Protocol servers in Ruby using the official MCP Ruby SDK gem with Rails integration support.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/ruby-mcp-development"
 },
 {
 "name": "rug-agentic-workflow",
- "source": "rug-agentic-workflow",
 "description": "Three-agent workflow for orchestrated software delivery with an orchestrator plus implementation and QA subagents.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/rug-agentic-workflow"
 },
 {
 "name": "rust-mcp-development",
- "source": "rust-mcp-development",
 "description": "Build high-performance Model Context Protocol servers in Rust using the official rmcp SDK with async/await, procedural macros, and type-safe implementations.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/rust-mcp-development"
 },
 {
 "name": "salesforce-development",
- "source": "salesforce-development",
 "description": "Complete Salesforce agentic development environment covering Apex & Triggers, Flow automation, Lightning Web Components, Aura components, and Visualforce pages.",
- "version": "1.1.0"
+ "version": "1.1.0",
+ "source": "./plugins/salesforce-development"
 },
 {
 "name": "security-best-practices",
- "source": "security-best-practices",
 "description": "Security frameworks, accessibility guidelines, performance optimization, and code quality best practices for building secure, maintainable, and high-performance applications.",
- "version": "1.0.0"
+ "version": "1.0.0",
+ "source": "./plugins/security-best-practices"
 },
 {
 "name": "skills-for-copilot-studio",
@@ -551,45 +551,45 @@ }, { "name": "software-engineering-team", - "source": "software-engineering-team", "description": "7 specialized agents covering the full software development lifecycle from UX design and architecture to security and DevOps.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/software-engineering-team" }, { "name": "structured-autonomy", - "source": "structured-autonomy", "description": "Premium planning, thrifty implementation", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/structured-autonomy" }, { "name": "swift-mcp-development", - "source": "swift-mcp-development", "description": "Comprehensive collection for building Model Context Protocol servers in Swift using the official MCP Swift SDK with modern concurrency features.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/swift-mcp-development" }, { "name": "technical-spike", - "source": "technical-spike", "description": "Tools for creation, management and research of technical spikes to reduce unknowns and assumptions before proceeding to specification and implementation of solutions.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/technical-spike" }, { "name": "testing-automation", - "source": "testing-automation", "description": "Comprehensive collection for writing tests, test automation, and test-driven development including unit tests, integration tests, and end-to-end testing strategies.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/testing-automation" }, { "name": "typescript-mcp-development", - "source": "typescript-mcp-development", "description": "Complete toolkit for building Model Context Protocol (MCP) servers in TypeScript/Node.js using the official SDK. 
Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/typescript-mcp-development" }, { "name": "typespec-m365-copilot", - "source": "typespec-m365-copilot", "description": "Comprehensive collection of prompts, instructions, and resources for building declarative agents and API plugins using TypeSpec for Microsoft 365 Copilot extensibility.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/typespec-m365-copilot" }, { "name": "whatidid", @@ -618,9 +618,9 @@ }, { "name": "winui3-development", - "source": "winui3-development", "description": "WinUI 3 and Windows App SDK development agent, instructions, and migration guide. Prevents common UWP API misuse and guides correct WinUI 3 patterns for desktop Windows apps.", - "version": "1.0.0" + "version": "1.0.0", + "source": "./plugins/winui3-development" } ] } diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index de6cf1bc3..d372efdd1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -58,6 +58,20 @@ To maintain a safe, responsible, and high-signal collection, we will **not accep ## How to Contribute +### Prerequisites + +This repository uses [APM (Agent Package Manager)](https://github.com/microsoft/apm) to author the marketplace manifest. Install the `apm` CLI before running `npm run build` (it is invoked from the build chain to generate `.github/plugin/marketplace.json`): + +```bash +curl -sSL https://raw.githubusercontent.com/microsoft/apm/main/install.sh | sh +``` + +Then install Node dependencies as usual: + +```bash +npm install +``` + ### Adding Instructions Instructions help customize GitHub Copilot's behavior for specific technologies, coding practices, or domains. 
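Review bot: The new Prerequisites section in CONTRIBUTING.md tells every contributor to run `curl -sSL https://raw.githubusercontent.com/microsoft/apm/main/install.sh | sh`, which executes whatever the `main` branch serves at that moment with no version pin and no chance to read the script first; the resulting `apm` binary is then invoked from `npm run build`. Point the URL at a tagged release and split download from execution, for example `curl -fsSL https://raw.githubusercontent.com/microsoft/apm/<RELEASE_TAG>/install.sh -o install-apm.sh` followed by `sh install-apm.sh`, where `<RELEASE_TAG>` is a placeholder for a release the maintainers have vetted. Adding `-f` also keeps an HTTP error page from being handed to the shell. If the upstream project publishes a checksum for the installer, a line stating the expected value would fit here as well.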
@@ -144,7 +158,8 @@ Plugins group related agents, commands, and skills around specific themes or wor 1. **Create your plugin**: Run `npm run plugin:create` to scaffold a new plugin 2. **Follow the naming convention**: Use descriptive, lowercase folder names with hyphens (e.g., `python-web-development`) 3. **Define your content**: List agents, commands, and skills in `plugin.json` using the Claude Code spec fields -4. **Test your plugin**: Run `npm run plugin:validate` to verify your plugin structure +4. **Register in `apm.yml`**: Append a `packages:` entry under `marketplace:` (alphabetical) with `source: ./plugins/`, `version`, and `description` matching your plugin.json. This is what `apm pack` reads to assemble the marketplace. +5. **Test your plugin**: Run `npm run plugin:validate` to verify your plugin structure #### Creating a plugin @@ -189,7 +204,7 @@ plugins/my-plugin-id/ #### Adding External Plugins -External plugins are plugins hosted outside this repository (e.g., in a GitHub repo, npm package, or git URL). They are listed in `plugins/external.json` and merged into the generated `marketplace.json` during build. +External plugins are plugins hosted outside this repository (e.g., in a GitHub repo, npm package, or git URL). They are listed in `plugins/external.json` and merged into the generated `marketplace.json` during build by `eng/merge-external-plugins.mjs` (which runs after `apm pack`). To add an external plugin, append an entry to `plugins/external.json` following the [Claude Code plugin marketplace spec](https://code.claude.com/docs/en/plugin-marketplaces#plugin-entries). Each entry requires `name`, `source`, `description`, and `version`: diff --git a/apm.yml b/apm.yml new file mode 100644 index 000000000..bad703082 --- /dev/null +++ b/apm.yml 
@@ -0,0 +1,282 @@ +# APM manifest -- the authoring source of truth for the Awesome Copilot marketplace. +# +# Running `apm pack` reads the `marketplace:` block below and emits an +# Anthropic-compliant `.claude-plugin/marketplace.json` (we route the output +# to `.github/plugin/marketplace.json` via `--marketplace-output` to keep the +# canonical install path stable). +# +# To add or update a local plugin, edit the corresponding entry under +# `marketplace.plugins:` and bump its `version`. External (remote) plugins +# continue to be declared in `plugins/external.json` and merged in by the +# build pipeline -- migrating those to apm.yml is tracked as a follow-up. +# +# See: https://github.com/microsoft/apm + +name: awesome-copilot +version: 1.0.0 +description: Community-driven collection of GitHub Copilot plugins, agents, prompts, and skills +marketplace: + owner: + name: GitHub + email: copilot@github.com + metadata: + description: Community-driven collection of GitHub Copilot plugins, agents, prompts, and skills + version: 1.0.0 + pluginRoot: ./plugins + packages: + - name: ai-team-orchestration + source: ./plugins/ai-team-orchestration + version: 1.0.0 + description: "Bootstrap and run a multi-agent AI development team with named roles (Producer, Dev Team, QA). Sprint planning, brainstorm prompts with distinct agent voices, cross-chat context survival, and parallel team workflows. Based on a proven template that shipped a 30-game app in 5 days with zero human-written code." + - name: arize-ax + source: ./plugins/arize-ax + version: 1.0.0 + description: "Arize AX platform skills for LLM observability, evaluation, and optimization. Includes trace export, instrumentation, datasets, experiments, evaluators, AI provider integrations, annotations, prompt optimization, and deep linking to the Arize UI." 
+ - name: automate-this + source: ./plugins/automate-this + version: 1.0.0 + description: "Record your screen doing a manual process, drop the video on your Desktop, and let Copilot CLI analyze it frame-by-frame to build working automation scripts. Supports narrated recordings with audio transcription." + - name: awesome-copilot + source: ./plugins/awesome-copilot + version: 1.1.0 + description: "Meta prompts that help you discover and generate curated GitHub Copilot agents, instructions, prompts, and skills." + - name: azure-cloud-development + source: ./plugins/azure-cloud-development + version: 1.0.1 + description: "Comprehensive Azure cloud development tools including Infrastructure as Code, serverless functions, architecture patterns, and cost optimization for building scalable cloud applications." + - name: cast-imaging + source: ./plugins/cast-imaging + version: 1.0.0 + description: "A comprehensive collection of specialized agents for software analysis, impact assessment, structural quality advisories, and architectural review using CAST Imaging." + - name: clojure-interactive-programming + source: ./plugins/clojure-interactive-programming + version: 1.0.0 + description: "Tools for REPL-first Clojure workflows featuring Clojure instructions, the interactive programming chat mode and supporting guidance." + - name: context-engineering + source: ./plugins/context-engineering + version: 1.0.0 + description: "Tools and techniques for maximizing GitHub Copilot effectiveness through better context management. Includes guidelines for structuring code, an agent for planning multi-file changes, and prompts for context-aware development." + - name: context-matic + source: ./plugins/context-matic + version: 0.1.0 + description: "Coding agents hallucinate APIs. ContextMatic gives them curated, versioned API and SDK docs. 
Ask your agent to \"integrate the payments API\" and it guesses \u2014 falling back on outdated training data and generic patterns that don't match your actual SDK. ContextMatic solves this by giving the agent deterministic, version-aware, SDK-native context at the exact moment it's needed." + - name: copilot-sdk + source: ./plugins/copilot-sdk + version: 1.0.0 + description: "Build applications with the GitHub Copilot SDK across multiple programming languages. Includes comprehensive instructions for C#, Go, Node.js/TypeScript, and Python to help you create AI-powered applications." + - name: csharp-dotnet-development + source: ./plugins/csharp-dotnet-development + version: 1.1.0 + description: "Essential prompts, instructions, and chat modes for C# and .NET development including testing, documentation, and best practices." + - name: csharp-mcp-development + source: ./plugins/csharp-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol (MCP) servers in C# using the official SDK. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance." + - name: database-data-management + source: ./plugins/database-data-management + version: 1.0.0 + description: "Database administration, SQL optimization, and data management tools for PostgreSQL, SQL Server, and general database development best practices." + - name: dataverse-sdk-for-python + source: ./plugins/dataverse-sdk-for-python + version: 1.0.0 + description: "Comprehensive collection for building production-ready Python integrations with Microsoft Dataverse. Includes official documentation, best practices, advanced features, file operations, and code generation prompts." + - name: devops-oncall + source: ./plugins/devops-oncall + version: 1.0.0 + description: "A focused set of prompts, instructions, and a chat mode to help triage incidents and respond quickly with DevOps tools and Azure resources." 
+ - name: doublecheck + source: ./plugins/doublecheck + version: 1.0.0 + description: "Three-layer verification pipeline for AI output. Extracts claims, finds sources, and flags hallucination risks so humans can verify before acting." + - name: edge-ai-tasks + source: ./plugins/edge-ai-tasks + version: 1.0.0 + description: "Task Researcher and Task Planner for intermediate to expert users and large codebases - Brought to you by microsoft/edge-ai" + - name: ember + source: ./plugins/ember + version: 1.0.0 + description: "An AI partner, not a tool. Ember carries fire from person to person \u2014 helping humans discover that AI partnership isn't something you learn, it's something you find." + - name: fastah-ip-geo-tools + source: ./plugins/fastah-ip-geo-tools + version: 0.0.9 + description: "This plugin is for network operations engineers who wish to tune and publish IP geolocation feeds in RFC 8805 format. It consists of an AI Skill and an associated MCP server that geocodes geolocation place names to real cities for accuracy." + - name: flowstudio-power-automate + source: ./plugins/flowstudio-power-automate + version: 2.0.0 + description: "Give your AI agent full visibility into Power Automate cloud flows via the FlowStudio MCP server. Connect, debug, build, monitor health, and govern flows at scale \u2014 action-level inputs and outputs, not just status codes." + - name: frontend-web-dev + source: ./plugins/frontend-web-dev + version: 1.0.0 + description: "Essential prompts, instructions, and chat modes for modern frontend web development including React, Angular, Vue, TypeScript, and CSS frameworks." + - name: gem-team + source: ./plugins/gem-team + version: 1.13.0 + description: "Multi-agent orchestration framework for spec-driven development and automated verification." 
+ - name: go-mcp-development + source: ./plugins/go-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol (MCP) servers in Go using the official github.com/modelcontextprotocol/go-sdk. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance." + - name: java-development + source: ./plugins/java-development + version: 1.0.0 + description: "Comprehensive collection of prompts and instructions for Java development including Spring Boot, Quarkus, testing, documentation, and best practices." + - name: java-mcp-development + source: ./plugins/java-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol servers in Java using the official MCP Java SDK with reactive streams and Spring Boot integration." + - name: kotlin-mcp-development + source: ./plugins/kotlin-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol (MCP) servers in Kotlin using the official io.modelcontextprotocol:kotlin-sdk library. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance." + - name: mcp-m365-copilot + source: ./plugins/mcp-m365-copilot + version: 1.0.0 + description: "Comprehensive collection for building declarative agents with Model Context Protocol integration for Microsoft 365 Copilot" + - name: modernize-java + source: ./plugins/modernize-java + version: 1.0.0 + description: "AI-powered Java modernization and upgrade assistant. Helps upgrade Java and Spring Boot applications to the latest versions." + - name: napkin + source: ./plugins/napkin + version: 1.0.0 + description: "Visual whiteboard collaboration for Copilot CLI. Opens an interactive whiteboard in your browser where you can draw, sketch, and add sticky notes \u2014 then share everything back with Copilot. 
Copilot sees your drawings and responds with analysis, suggestions, and ideas." + - name: noob-mode + source: ./plugins/noob-mode + version: 1.0.0 + description: "Plain-English translation layer for non-technical Copilot CLI users. Translates every approval prompt, error message, and technical output into clear, jargon-free English with color-coded risk indicators." + - name: openapi-to-application-csharp-dotnet + source: ./plugins/openapi-to-application-csharp-dotnet + version: 1.0.0 + description: "Generate production-ready .NET applications from OpenAPI specifications. Includes ASP.NET Core project scaffolding, controller generation, entity framework integration, and C# best practices." + - name: openapi-to-application-go + source: ./plugins/openapi-to-application-go + version: 1.0.0 + description: "Generate production-ready Go applications from OpenAPI specifications. Includes project scaffolding, handler generation, middleware setup, and Go best practices for REST APIs." + - name: openapi-to-application-java-spring-boot + source: ./plugins/openapi-to-application-java-spring-boot + version: 1.0.0 + description: "Generate production-ready Spring Boot applications from OpenAPI specifications. Includes project scaffolding, REST controller generation, service layer organization, and Spring Boot best practices." + - name: openapi-to-application-nodejs-nestjs + source: ./plugins/openapi-to-application-nodejs-nestjs + version: 1.0.0 + description: "Generate production-ready NestJS applications from OpenAPI specifications. Includes project scaffolding, controller and service generation, TypeScript best practices, and enterprise patterns." + - name: openapi-to-application-python-fastapi + source: ./plugins/openapi-to-application-python-fastapi + version: 1.0.0 + description: "Generate production-ready FastAPI applications from OpenAPI specifications. Includes project scaffolding, route generation, dependency injection, and Python best practices for async APIs." 
+ - name: oracle-to-postgres-migration-expert + source: ./plugins/oracle-to-postgres-migration-expert + version: 1.0.0 + description: "Expert agent for Oracle-to-PostgreSQL application migrations in .NET solutions. Performs code edits, runs commands, and invokes extension tools to migrate .NET/Oracle data access patterns to PostgreSQL." + - name: ospo-sponsorship + source: ./plugins/ospo-sponsorship + version: 1.0.0 + description: "Tools and resources for Open Source Program Offices (OSPOs) to identify, evaluate, and manage sponsorship of open source dependencies through GitHub Sponsors, Open Collective, and other funding platforms." + - name: partners + source: ./plugins/partners + version: 1.0.0 + description: "Custom agents that have been created by GitHub partners" + - name: pcf-development + source: ./plugins/pcf-development + version: 1.0.0 + description: "Complete toolkit for developing custom code components using Power Apps Component Framework for model-driven and canvas apps" + - name: phoenix + source: ./plugins/phoenix + version: 1.0.0 + description: "Phoenix AI observability skills for LLM application debugging, evaluation, and tracing. Includes CLI debugging tools, LLM evaluation workflows, and OpenInference tracing instrumentation." + - name: php-mcp-development + source: ./plugins/php-mcp-development + version: 1.0.0 + description: "Comprehensive resources for building Model Context Protocol servers using the official PHP SDK with attribute-based discovery, including best practices, project generation, and expert assistance" + - name: polyglot-test-agent + source: ./plugins/polyglot-test-agent + version: 1.0.0 + description: "Multi-agent pipeline for generating comprehensive unit tests across any programming language. Orchestrates research, planning, and implementation phases using specialized agents to produce tests that compile, pass, and follow project conventions." 
+ - name: power-apps-code-apps + source: ./plugins/power-apps-code-apps + version: 1.0.0 + description: "Complete toolkit for Power Apps Code Apps development including project scaffolding, development standards, and expert guidance for building code-first applications with Power Platform integration." + - name: power-bi-development + source: ./plugins/power-bi-development + version: 1.0.0 + description: "Comprehensive Power BI development resources including data modeling, DAX optimization, performance tuning, visualization design, security best practices, and DevOps/ALM guidance for building enterprise-grade Power BI solutions." + - name: power-platform-architect + source: ./plugins/power-platform-architect + version: 1.0.0 + description: "Solution Architect for the Microsoft Power Platform, turning business requirements into functioning Power Platform solution architectures." + - name: power-platform-mcp-connector-development + source: ./plugins/power-platform-mcp-connector-development + version: 1.0.0 + description: "Complete toolkit for developing Power Platform custom connectors with Model Context Protocol integration for Microsoft Copilot Studio" + - name: project-planning + source: ./plugins/project-planning + version: 1.0.0 + description: "Tools and guidance for software project planning, feature breakdown, epic management, implementation planning, and task organization for development teams." + - name: python-mcp-development + source: ./plugins/python-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol (MCP) servers in Python using the official SDK with FastMCP. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance." + - name: react18-upgrade + source: ./plugins/react18-upgrade + version: 1.0.0 + description: "Enterprise React 18 migration toolkit with specialized agents and skills for upgrading React 16/17 class-component codebases to React 18.3.1. 
Includes auditor, dependency surgeon, class component migration specialist, automatic batching fixer, and test guardian." + - name: react19-upgrade + source: ./plugins/react19-upgrade + version: 1.0.0 + description: "Enterprise React 19 migration toolkit with specialized agents and skills for upgrading React 18 codebases to React 19. Includes auditor, dependency surgeon, source code migrator, and test guardian. Handles removal of deprecated APIs including ReactDOM.render, forwardRef, defaultProps, legacy context, string refs, and more." + - name: roundup + source: ./plugins/roundup + version: 1.0.0 + description: "Self-configuring status briefing generator. Learns your communication style from examples, discovers your data sources, and produces draft updates for any audience on demand." + - name: ruby-mcp-development + source: ./plugins/ruby-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol servers in Ruby using the official MCP Ruby SDK gem with Rails integration support." + - name: rug-agentic-workflow + source: ./plugins/rug-agentic-workflow + version: 1.0.0 + description: "Three-agent workflow for orchestrated software delivery with an orchestrator plus implementation and QA subagents." + - name: rust-mcp-development + source: ./plugins/rust-mcp-development + version: 1.0.0 + description: "Build high-performance Model Context Protocol servers in Rust using the official rmcp SDK with async/await, procedural macros, and type-safe implementations." + - name: salesforce-development + source: ./plugins/salesforce-development + version: 1.1.0 + description: "Complete Salesforce agentic development environment covering Apex & Triggers, Flow automation, Lightning Web Components, Aura components, and Visualforce pages." 
+ - name: security-best-practices + source: ./plugins/security-best-practices + version: 1.0.0 + description: "Security frameworks, accessibility guidelines, performance optimization, and code quality best practices for building secure, maintainable, and high-performance applications." + - name: software-engineering-team + source: ./plugins/software-engineering-team + version: 1.0.0 + description: "7 specialized agents covering the full software development lifecycle from UX design and architecture to security and DevOps." + - name: structured-autonomy + source: ./plugins/structured-autonomy + version: 1.0.0 + description: "Premium planning, thrifty implementation" + - name: swift-mcp-development + source: ./plugins/swift-mcp-development + version: 1.0.0 + description: "Comprehensive collection for building Model Context Protocol servers in Swift using the official MCP Swift SDK with modern concurrency features." + - name: technical-spike + source: ./plugins/technical-spike + version: 1.0.0 + description: "Tools for creation, management and research of technical spikes to reduce unknowns and assumptions before proceeding to specification and implementation of solutions." + - name: testing-automation + source: ./plugins/testing-automation + version: 1.0.0 + description: "Comprehensive collection for writing tests, test automation, and test-driven development including unit tests, integration tests, and end-to-end testing strategies." + - name: typescript-mcp-development + source: ./plugins/typescript-mcp-development + version: 1.0.0 + description: "Complete toolkit for building Model Context Protocol (MCP) servers in TypeScript/Node.js using the official SDK. Includes instructions for best practices, a prompt for generating servers, and an expert chat mode for guidance." 
+ - name: typespec-m365-copilot + source: ./plugins/typespec-m365-copilot + version: 1.0.0 + description: "Comprehensive collection of prompts, instructions, and resources for building declarative agents and API plugins using TypeSpec for Microsoft 365 Copilot extensibility." + - name: winui3-development + source: ./plugins/winui3-development + version: 1.0.0 + description: "WinUI 3 and Windows App SDK development agent, instructions, and migration guide. Prevents common UWP API misuse and guides correct WinUI 3 patterns for desktop Windows apps." diff --git a/eng/README.md b/eng/README.md index 5306315b7..36bce2469 100644 --- a/eng/README.md +++ b/eng/README.md 
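Review bot: The header comment of the new `apm.yml` tells maintainers to edit the entry under `marketplace.plugins:`, but the key the manifest defines, and the one CONTRIBUTING.md and eng/README.md name, is `marketplace.packages:`. The comment should use `marketplace.packages:` so the documented path matches the file. Each entry also repeats the `version` and `description` that live in the plugin's own plugin.json, and nothing visible in this patch checks that the two agree. A one-line comment above `packages:` such as `# version/description must match plugins/<name>/.github/plugin/plugin.json` would make that contract explicit until a check exists.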
@@ -7,20 +7,29 @@ This directory contains build scripts and utilities for maintaining the reposito ### `update-readme.mjs` Generates the main README.md and documentation files from the repository content (agents, prompts, instructions, skills, hooks, collections). -### `generate-marketplace.mjs` -Automatically generates `.github/plugin/marketplace.json` from all plugin directories in the `plugins/` folder. This file is used by the GitHub Copilot CLI to discover and install plugins from this repository. +### Marketplace generation (`apm pack` + `merge-external-plugins.mjs`) + +`.github/plugin/marketplace.json` is generated by [APM](https://github.com/microsoft/apm) from the root `apm.yml` manifest. APM is the canonical authoring substrate for Copilot plugins; the `marketplace:` block in `apm.yml` is the single source of truth for which plugins this marketplace ships. **How it works:** -- Scans all directories in `plugins/` -- Reads each plugin's `.github/plugin/plugin.json` for metadata -- Generates a consolidated `marketplace.json` with all available plugins -- Runs automatically as part of `npm run build` +- `apm pack` reads the `marketplace:` block from `apm.yml` and emits an Anthropic-spec `marketplace.json` covering every local plugin under `plugins/`. +- `eng/merge-external-plugins.mjs` then appends entries from `plugins/external.json` (plugins hosted in other repos) and re-sorts the combined list alphabetically. +- Both steps run automatically as part of `npm run build`. + +**Prerequisite:** the `apm` CLI must be installed. See [microsoft/apm install instructions](https://github.com/microsoft/apm#installation). **To run manually:** ```bash npm run plugin:generate-marketplace ``` +**Adding a new local plugin:** add an entry under `marketplace.packages:` in `apm.yml` with `source: ./plugins/`, then run `npm run build`. + +**Adding a new external plugin:** append to `plugins/external.json` (see [CONTRIBUTING.md](../CONTRIBUTING.md#external-plugins)). 
+ +### `generate-marketplace.mjs` (legacy fallback) +The original Node-based generator is preserved as `npm run plugin:generate-marketplace:legacy` during the APM transition. It scans `plugins/` directly and merges `external.json`. New contributors should prefer the `apm pack` path above. + ### `generate-website-data.mjs` Generates JSON data files for the website from repository content. diff --git a/eng/merge-external-plugins.mjs b/eng/merge-external-plugins.mjs new file mode 100644 index 000000000..95ed86ca4 --- /dev/null +++ b/eng/merge-external-plugins.mjs 
@@ -0,0 +1,76 @@ +#!/usr/bin/env node + +/** + * Merge external plugin entries from `plugins/external.json` into the + * marketplace.json produced by `apm pack`. + * + * Background: `apm pack` reads the `marketplace:` block in `apm.yml` and + * emits `marketplace.json` with all 53 LOCAL plugins (declared as + * `source: ./plugins/`). The Anthropic spec source schema for + * remote plugins differs from the legacy `external.json` shape (which + * uses `source.source` / `source.repo` keys instead of `source.type` / + * `source.repository`). To preserve byte-compatibility for downstream + * consumers of the existing `marketplace.json`, this script appends + * the external entries verbatim after `apm pack` runs. + * + * Once the external schema migration is finished (tracked as follow-up F3), + * external entries can move into `apm.yml` directly and this script can + * be deleted. + */ + +import fs from "fs"; +import path from "path"; +import { ROOT_FOLDER } from "./constants.mjs"; + +const MARKETPLACE_PATH = path.join(ROOT_FOLDER, ".github/plugin", "marketplace.json"); +const EXTERNAL_PATH = path.join(ROOT_FOLDER, "plugins", "external.json"); + +function main() { + if (!fs.existsSync(MARKETPLACE_PATH)) { + console.error(`Error: ${MARKETPLACE_PATH} not found. 
Run 'apm pack' first.`); + process.exit(1); + } + + const marketplace = JSON.parse(fs.readFileSync(MARKETPLACE_PATH, "utf8")); + + if (!Array.isArray(marketplace.plugins)) { + console.error("Error: marketplace.json missing 'plugins' array"); + process.exit(1); + } + + if (!fs.existsSync(EXTERNAL_PATH)) { + console.log("No external.json found; nothing to merge."); + return; + } + + const externals = JSON.parse(fs.readFileSync(EXTERNAL_PATH, "utf8")); + if (!Array.isArray(externals)) { + console.error("Error: external.json must be a JSON array"); + process.exit(1); + } + + const existing = new Set(marketplace.plugins.map((p) => p.name)); + let added = 0; + for (const ext of externals) { + if (existing.has(ext.name)) { + console.warn(`Skipping external '${ext.name}': already present in marketplace.json`); + continue; + } + marketplace.plugins.push(ext); + added++; + } + + // Sort plugins alphabetically by name so external + local entries + // interleave in a stable, review-friendly order (matches the legacy + // generator's ordering). + marketplace.plugins.sort((a, b) => (a.name || "").localeCompare(b.name || "")); + + fs.writeFileSync( + MARKETPLACE_PATH, + JSON.stringify(marketplace, null, 2) + "\n", + "utf8" + ); + console.log(`Merged ${added} external plugin(s) into marketplace.json (total: ${marketplace.plugins.length}).`); +} + +main(); diff --git a/package.json b/package.json index fb1ca3778..d3bd79e87 100644 --- a/package.json +++ b/package.json @@ -6,7 +6,7 @@ "private": true, "scripts": { "start": "npm run build", - "build": "node ./eng/update-readme.mjs && node ./eng/generate-marketplace.mjs", + "build": "node ./eng/update-readme.mjs && npm run plugin:generate-marketplace", "contributors:add": "all-contributors add", "contributors:report": "node ./eng/contributor-report.mjs", "contributors:generate": "all-contributors generate", 
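Review bot: The duplicate check in `main()` only consults the `existing` set built before the loop, so two entries in `plugins/external.json` with the same name are both appended. Entries are also pushed verbatim with no check that `name` and `source` are present, which matters because these entries point installers at remote sources. Add `existing.add(ext.name);` right after `marketplace.plugins.push(ext);`, and reject malformed entries first with `if (!ext || typeof ext.name !== "string" || !ext.source) { console.error("Error: invalid external.json entry"); process.exit(1); }`. A `null` array element currently throws on `ext.name`, and a nameless entry is silently sorted to the top by the `a.name || ""` fallback. `localeCompare` without an explicit locale may order names differently across environments, which is worth confirming now that CI compares the regenerated file against the committed one.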
@@ -16,7 +16,8 @@ "skill:validate": "node ./eng/validate-skills.mjs", "skill:create": "node ./eng/create-skill.mjs", "plugin:clean": "node ./eng/clean-materialized-plugins.mjs", - "plugin:generate-marketplace": "node ./eng/generate-marketplace.mjs", + "plugin:generate-marketplace": "apm pack --marketplace-output .github/plugin/marketplace.json && node ./eng/merge-external-plugins.mjs", + "plugin:generate-marketplace:legacy": "node ./eng/generate-marketplace.mjs", "website:data": "node ./eng/generate-website-data.mjs", "website:dev": "npm run website:data && npm run --prefix website dev", "website:build": "npm run build && npm run website:data && npm run --prefix website build", From 530351bd47515dceddd712aac6eab0db992e9995 Mon Sep 17 00:00:00 2001 
From: Daniel Meppiel Date: Thu, 30 Apr 2026 08:21:30 +0200 Subject: [PATCH 2/5] ci: install apm in publish + add audit/drift PR gate Two CI changes mirroring how microsoft/apm uses microsoft/apm-action@v1 in its own self-check workflow: 1. publish.yml: add 'microsoft/apm-action@v1' step before 'npm run build'. The build now invokes 'apm pack', which requires the apm CLI on PATH. Without this step the publish-from-staged workflow would fail after this PR merges. 2. validate-marketplace.yml (new): PR-time gate that runs on changes to any marketplace.json input. Two subgates: - Gate A: 'apm audit --ci' for supply-chain integrity (lockfile / install fidelity, ref consistency, content-integrity scan). Emits SARIF, uploaded to GitHub code scanning under category 'apm-audit'. - Gate B: rebuilds marketplace.json with 'apm pack' + the merge bridge and fails if the result differs from what's committed. Catches contributors who edit apm.yml without re-running 'npm run build'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/publish.yml | 7 ++ .github/workflows/validate-marketplace.yml | 96 ++++++++++++++++++++++ 2 files changed, 103 insertions(+) create mode 100644 .github/workflows/validate-marketplace.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f2dec1513..a72e7b46b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -36,6 +36,13 @@ jobs: - name: Install dependencies run: npm ci + # Installs the APM CLI (latest stable) and adds `apm` to PATH for + # subsequent steps. `npm run build` invokes `apm pack` to build + # .github/plugin/marketplace.json from apm.yml; the CLI must be + # available on the runner. Mirrors the pattern microsoft/apm uses + # in its own CI (see microsoft/apm/.github/workflows/ci.yml). + - uses: microsoft/apm-action@v1 + - name: Materialize plugin files run: node eng/materialize-plugins.mjs 
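Review bot: The new step references `microsoft/apm-action@v1` by a mutable tag in the workflow that publishes the marketplace, so whatever that tag and the "latest stable" CLI resolve to at run time becomes part of the release build. Pinning to a full commit SHA, `- uses: microsoft/apm-action@<full-commit-sha>  # v1` (placeholder, take the SHA from the action's release), keeps the publish path reproducible and reviewable. The same applies to the `uses:` lines in the new validate-marketplace.yml (`actions/checkout@v4`, `actions/setup-node@v4`, `microsoft/apm-action@v1`, `github/codeql-action/upload-sarif@v3`). Whether the action accepts an input to fix the CLI version is not visible here and should be confirmed. If it does, set it so the drift gate and the publish build use the same `apm pack`. The job's other steps lie outside this hunk.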
diff --git a/.github/workflows/validate-marketplace.yml b/.github/workflows/validate-marketplace.yml new file mode 100644 index 000000000..f1a811279 --- /dev/null +++ b/.github/workflows/validate-marketplace.yml 
@@ -0,0 +1,96 @@ +name: Validate Marketplace + +# Runs on PRs that touch any input to the marketplace.json build chain +# (apm.yml, plugin manifests, external plugin registry, the bridge merge +# script, or the legacy generator). Two gates, both mirroring the pattern +# microsoft/apm uses for its own self-check +# (see microsoft/apm/.github/workflows/ci.yml): +# +# Gate A (supply-chain): `apm audit --ci`. Validates lockfile / install +# fidelity, ref consistency between apm.yml and apm.lock.yaml, +# no orphan packages, and content-integrity (hidden Unicode) on +# deployed package content. SARIF report is uploaded to the run. +# +# Gate B (drift): rebuild marketplace.json with `apm pack` + the +# external-plugin merge bridge, and fail if the result differs from +# the committed `.github/plugin/marketplace.json`. Catches contributors +# who edit apm.yml without re-running `npm run build`, or who +# hand-edit the generated marketplace.json. + +on: + pull_request: + branches: [staged, main] + paths: + - "apm.yml" + - "apm.lock.yaml" + - "plugins/**/.github/plugin/plugin.json" + - "plugins/external.json" + - "eng/merge-external-plugins.mjs" + - "eng/generate-marketplace.mjs" + - ".github/plugin/marketplace.json" + - ".github/workflows/validate-marketplace.yml" + +permissions: + contents: read + security-events: write + +jobs: + audit-and-drift: + name: APM audit + marketplace drift + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Extract Node version from package.json + id: node-version + run: | + NODE_VERSION=$(jq -r '.engines.node // "22"' package.json) + echo "version=${NODE_VERSION}" >> "$GITHUB_OUTPUT" + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ steps.node-version.outputs.version }} + + - name: Install Node dependencies + run: npm ci + + # Installs the APM CLI (latest stable), runs `apm install` against + # this repo's apm.yml, and emits a SARIF audit report consumed by + # the 
upload step below. For a marketplace-only manifest with no + # `dependencies:` block, install is effectively a no-op; the value + # this step adds is making `apm` available on PATH and producing + # the SARIF artifact. + - name: Setup APM + uses: microsoft/apm-action@v1 + with: + audit-report: 'true' + + # Gate A: supply-chain integrity (consumer-side). + - name: apm audit --ci + run: apm audit --ci + + - name: Upload APM audit SARIF + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: apm-audit.sarif + category: apm-audit + + # Gate B: marketplace.json drift (producer-side). + # `npm run build` now invokes `apm pack` + the external-plugin merge + # bridge. If the rebuild produces a different marketplace.json than + # the one committed in this PR, fail with a clear remediation hint. + - name: Rebuild marketplace.json + run: npm run build + + - name: Check marketplace.json drift + run: | + if [ -n "$(git status --porcelain -- .github/plugin/marketplace.json)" ]; then + echo "::error::.github/plugin/marketplace.json is out of sync with apm.yml + plugins/external.json." + echo "Run 'npm run build' locally and commit the regenerated marketplace.json." + git --no-pager diff -- .github/plugin/marketplace.json + exit 1 + fi + echo "marketplace.json is in sync." From efe3f2eb4224bd68066f2ff48c122630ad3702a6 Mon Sep 17 00:00:00 2001 
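Review bot: The `paths:` filter omits two files that the build chain in this patch series reads, so a PR that changes only those skips both gates. `package.json` defines the `plugin:generate-marketplace` script and the `.engines.node` value this job extracts, and `eng/constants.mjs` supplies `ROOT_FOLDER` to `eng/merge-external-plugins.mjs`. Add `- "package.json"` and `- "eng/constants.mjs"` to the list. The drift steps also run only when `apm audit --ci` succeeds. If drift should be reported on audit failures too, give the rebuild and drift-check steps `if: always()`. The header comment says the SARIF report is "uploaded to the run", while the upload step sends it to code scanning under `category: apm-audit`. The comment should say so.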
From: Daniel Meppiel Date: Thu, 30 Apr 2026 08:29:43 +0200 Subject: [PATCH 3/5] ci(validate-marketplace): guard SARIF upload on file presence apm-action's audit-report step short-circuits when there is no apm.lock.yaml ('No apm.lock.yaml found -- nothing to scan') and writes no SARIF file. The unconditional upload step then failed with 'Path does not exist: apm-audit.sarif'. Marketplace-only manifests legitimately have no dependencies to scan, so the absence of a SARIF file is not an error -- only its presence-with-failures would be. Guard the upload on hashFiles('apm-audit.sarif') != '' so the gate stays green for marketplace-only repos and lights up the moment awesome-copilot adds a real dependency. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/validate-marketplace.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate-marketplace.yml b/.github/workflows/validate-marketplace.yml index f1a811279..867dfd270 100644 --- a/.github/workflows/validate-marketplace.yml +++ b/.github/workflows/validate-marketplace.yml 
@@ -68,11 +68,21 @@ jobs: audit-report: 'true' # Gate A: supply-chain integrity (consumer-side). + # `apm audit --ci` exits non-zero on policy failures (lockfile drift, + # orphan packages, hidden Unicode in deployed content). On a + # marketplace-only manifest with no `dependencies:` block this is a + # short-circuit pass ("No dependencies declared -- lockfile not + # required"), but the gate is wired so the moment awesome-copilot + # adds a real dependency the policy fires automatically. - name: apm audit --ci run: apm audit --ci + # SARIF upload only runs when apm-action actually produced a report. + # For marketplace-only manifests there is no lockfile to scan, so + # apm-action emits "No apm.lock.yaml found -- nothing to scan" and + # writes no file. Guarding on hashFiles() avoids a spurious failure. - name: Upload APM audit SARIF - if: always() + if: always() && hashFiles('apm-audit.sarif') != '' uses: github/codeql-action/upload-sarif@v3 with: sarif_file: apm-audit.sarif From be4ad2509a8d91d64e6e602b71c5d23086797e53 Mon Sep 17 00:00:00 2001 
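Review bot: The new guard `if: always() && hashFiles('apm-audit.sarif') != ''` on the "Upload APM audit SARIF" step skips the upload whenever the file is missing, so "nothing to scan" and "the report step failed to write its output" look the same. `apm audit --ci` still gates the job, but once the repository declares real dependencies a missing report would silently leave code scanning without results. Consider a companion step that fails when a lockfile is present but no report was produced, for example `if: always() && hashFiles('apm.lock.yaml') != '' && hashFiles('apm-audit.sarif') == ''` with `run: exit 1`. The comment above the upload step could also state that a missing file is expected only while no `apm.lock.yaml` is committed. The job definition starts and ends outside this hunk.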
From: Daniel Meppiel Date: Thu, 30 Apr 2026 08:59:42 +0200 Subject: [PATCH 4/5] ci(validate-marketplace): add apm.lock.yaml drift gate apm audit --ci catches missing lockfile entries and ref mismatches between apm.yml and apm.lock.yaml, but it does NOT catch the case where apm-action's apm install step regenerates a different lockfile than the one committed (contributor edited apm.yml without running apm install, or an upstream ref moved). Mirror the pattern apm-cli's own self-check uses: after the install step, git status --porcelain apm.lock.yaml and fail on drift with a clear remediation hint. For marketplace-only manifests with no dependencies: block this is a no-op (no lockfile generated, no drift possible) -- the gate activates automatically the moment a real dependency is added. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/validate-marketplace.yml | 34 +++++++++++++++++----- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/.github/workflows/validate-marketplace.yml b/.github/workflows/validate-marketplace.yml index 867dfd270..a3bd42a1c 100644 --- a/.github/workflows/validate-marketplace.yml +++ b/.github/workflows/validate-marketplace.yml 
@@ -9,13 +9,15 @@ name: Validate Marketplace # Gate A (supply-chain): `apm audit --ci`. Validates lockfile / install # fidelity, ref consistency between apm.yml and apm.lock.yaml, # no orphan packages, and content-integrity (hidden Unicode) on -# deployed package content. SARIF report is uploaded to the run. +# deployed package content. SARIF report is uploaded when produced. # -# Gate B (drift): rebuild marketplace.json with `apm pack` + the -# external-plugin merge bridge, and fail if the result differs from -# the committed `.github/plugin/marketplace.json`. Catches contributors -# who edit apm.yml without re-running `npm run build`, or who -# hand-edit the generated marketplace.json. +# Gate B (drift): two checks. (i) `apm.lock.yaml` drift -- fails if +# apm-action's `apm install` step regenerates a different lockfile +# than the one committed (catches the "edited apm.yml without +# running apm install" mistake and upstream-ref movement). (ii) +# `marketplace.json` drift -- rebuild with `apm pack` + the +# external-plugin merge bridge, fail if the result differs from the +# committed `.github/plugin/marketplace.json`. on: pull_request: 
@@ -88,7 +90,25 @@ jobs: sarif_file: apm-audit.sarif category: apm-audit - # Gate B: marketplace.json drift (producer-side). + # Gate B (i): apm.lock.yaml drift (consumer-side, producer-axis). + # apm-action's install step (in the Setup APM step above) regenerates + # apm.lock.yaml from apm.yml. If the regenerated lockfile differs + # from the one committed in this PR, the contributor edited apm.yml + # without running `apm install` (or upstream refs moved). For + # marketplace-only manifests with no `dependencies:` block this is a + # no-op (no lockfile generated, no drift possible) -- the gate + # activates automatically the moment a real dependency is added. + - name: Check apm.lock.yaml drift + run: | + if [ -n "$(git status --porcelain -- apm.lock.yaml)" ]; then + echo "::error::apm.lock.yaml is out of sync with apm.yml." + echo "Run 'apm install' locally and commit the regenerated apm.lock.yaml." + git --no-pager diff -- apm.lock.yaml + exit 1 + fi + echo "apm.lock.yaml is in sync (or not yet generated -- no dependencies declared)." + + # Gate B (ii): marketplace.json drift (producer-side). # `npm run build` now invokes `apm pack` + the external-plugin merge # bridge. If the rebuild produces a different marketplace.json than # the one committed in this PR, fail with a clear remediation hint. From b79290daeeee513ac086bd4df27c2acc6557f8a3 Mon Sep 17 00:00:00 2001 From: Daniel Meppiel Date: Thu, 30 Apr 2026 09:00:28 +0200 Subject: [PATCH 5/5] Revert "ci(validate-marketplace): add apm.lock.yaml drift gate" This reverts commit be4ad2509a8d91d64e6e602b71c5d23086797e53. --- .github/workflows/validate-marketplace.yml | 34 +++++----------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/.github/workflows/validate-marketplace.yml b/.github/workflows/validate-marketplace.yml index a3bd42a1c..867dfd270 100644 --- a/.github/workflows/validate-marketplace.yml +++ b/.github/workflows/validate-marketplace.yml 
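Review bot: The "Check apm.lock.yaml drift" step is placed after `apm audit --ci` and the SARIF upload, although the lockfile is regenerated earlier, in the Setup APM step. That ordering means the audit presumably evaluates the regenerated lockfile rather than the committed one, and if the audit fails first the drift hint is never printed. Moving the drift step to directly after Setup APM would report a stale or moved ref before any audit result that depends on it. Separately, when the lockfile is untracked, `git status --porcelain` reports it but `git --no-pager diff -- apm.lock.yaml` prints nothing, so an extra `echo` for the "lockfile not committed" case would make the failure easier to read. The surrounding steps lie outside this hunk, so the ordering is inferred from the hunk's context lines and comments.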
@@ -9,15 +9,13 @@ name: Validate Marketplace # Gate A (supply-chain): `apm audit --ci`. Validates lockfile / install # fidelity, ref consistency between apm.yml and apm.lock.yaml, # no orphan packages, and content-integrity (hidden Unicode) on -# deployed package content. SARIF report is uploaded when produced. +# deployed package content. SARIF report is uploaded to the run. # -# Gate B (drift): two checks. (i) `apm.lock.yaml` drift -- fails if -# apm-action's `apm install` step regenerates a different lockfile -# than the one committed (catches the "edited apm.yml without -# running apm install" mistake and upstream-ref movement). (ii) -# `marketplace.json` drift -- rebuild with `apm pack` + the -# external-plugin merge bridge, fail if the result differs from the -# committed `.github/plugin/marketplace.json`. +# Gate B (drift): rebuild marketplace.json with `apm pack` + the +# external-plugin merge bridge, and fail if the result differs from +# the committed `.github/plugin/marketplace.json`. Catches contributors +# who edit apm.yml without re-running `npm run build`, or who +# hand-edit the generated marketplace.json. on: pull_request: 
@@ -90,25 +88,7 @@ jobs: sarif_file: apm-audit.sarif category: apm-audit - # Gate B (i): apm.lock.yaml drift (consumer-side, producer-axis). - # apm-action's install step (in the Setup APM step above) regenerates - # apm.lock.yaml from apm.yml. If the regenerated lockfile differs - # from the one committed in this PR, the contributor edited apm.yml - # without running `apm install` (or upstream refs moved). For - # marketplace-only manifests with no `dependencies:` block this is a - # no-op (no lockfile generated, no drift possible) -- the gate - # activates automatically the moment a real dependency is added. - - name: Check apm.lock.yaml drift - run: | - if [ -n "$(git status --porcelain -- apm.lock.yaml)" ]; then - echo "::error::apm.lock.yaml is out of sync with apm.yml." - echo "Run 'apm install' locally and commit the regenerated apm.lock.yaml." - git --no-pager diff -- apm.lock.yaml - exit 1 - fi - echo "apm.lock.yaml is in sync (or not yet generated -- no dependencies declared)." - - # Gate B (ii): marketplace.json drift (producer-side). + # Gate B: marketplace.json drift (producer-side). # `npm run build` now invokes `apm pack` + the external-plugin merge # bridge. If the rebuild produces a different marketplace.json than # the one committed in this PR, fail with a clear remediation hint.