feat: Phase 0 — Repository infrastructure, GHAS, GitHub Flow, awesome-copilot assets#89
Conversation
- Create .github/workflows/codeql.yml (JS/TS analysis, weekly + PR triggers) - Create scripts/setup-security.sh for enabling secret scanning + push protection - Update SECURITY.md with secret scanning documentation Closes #78 Closes #79 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Create scripts/setup-branch-protection.sh (gh api, requires admin) - Create .github/workflows/release.yml (release-please for semver + changelog) - Create release-please-config.json and .release-please-manifest.json Closes #75 Closes #80 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add e2e job with Playwright desktop tests and artifact upload on failure - Add commit-lint job checking PR title against conventional commits pattern - Add concurrency group to cancel redundant runs - Add npm cache via setup-node Closes #70 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Upgrade PR template with GitHub Flow + security checklist - Convert issue templates from Markdown to YAML forms - Add SDK feature issue template - Add security advisory contact link - Create CODEOWNERS with path-based ownership Closes #73 Closes #74 Closes #77 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Create labeler config with 10 path-based labels (backend, frontend, sdk, etc.) - Create labeler.yml workflow using actions/labeler@v5 - Create stale.yml workflow (30-day stale, 7-day close, exempt security/killer-feature) Closes #71 Closes #72 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Create 4 prompt files: generate-test, review-security, add-feature, fix-bug - Rewrite copilot-instructions.md with accurate counts (20 components, 78 message types) - Add skills system, testing sections, updated project structure Closes #76 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Skills added (4): github-issues, doublecheck, copilot-spaces, automate-this Agents added (6): 4.1-Beast, critical-thinking, implementation-plan, refine-issue, polyglot-test-generator, adr-generator Instructions added (2): code-review-generic, performance-optimization Workflows added (2): codespell, check-pr-target Closes #86 Closes #87 Closes #88 Closes #69 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| needs: check | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '24' | ||
| cache: 'npm' | ||
|
|
||
| - run: npm ci | ||
|
|
||
| - name: Install Playwright browsers | ||
| run: npx playwright install --with-deps chromium | ||
|
|
||
| - name: Run Playwright tests | ||
| run: npx playwright test --project=desktop | ||
| env: | ||
| PORT: '3001' | ||
| GITHUB_CLIENT_ID: test-client-id | ||
| SESSION_SECRET: test-secret-for-playwright | ||
| NODE_ENV: development | ||
|
|
||
| - name: Upload Playwright report | ||
| if: failure() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: playwright-report | ||
| path: playwright-report/ | ||
| retention-days: 7 | ||
|
|
||
| commit-lint: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 months ago
In general, the problem is fixed by explicitly defining a permissions block either at the top level of the workflow (applying to all jobs) or per job, and restricting GITHUB_TOKEN to the least privileges actually needed. For this workflow, all jobs only need to read the repository contents and upload artifacts; they do not push commits, modify issues, or update pull requests, so contents: read is sufficient as a minimal starting point. Additional scopes (e.g., pull-requests: write) are not required by any of the shown steps.
The single best fix, without changing any existing functionality, is to add a top-level permissions: block right under the name: CI line, specifying contents: read. This will apply to all jobs (check, e2e, commit-lint) because none of them define their own permissions. No other code, steps, or configuration lines need to be altered, and no additional imports or third-party actions are required. The only file to edit is .github/workflows/ci.yml, and the only region to change is the header area at the top of the YAML file, between line 1 (name: CI) and line 3 (on:), where we insert the new permissions block.
| @@ -1,4 +1,6 @@ | ||
| name: CI | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| if: github.event_name == 'pull_request' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check PR title follows conventional commits | ||
| env: | ||
| PR_TITLE: ${{ github.event.pull_request.title }} | ||
| run: | | ||
| pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?!?: .+' | ||
| if [[ ! "$PR_TITLE" =~ $pattern ]]; then | ||
| echo "❌ PR title does not follow Conventional Commits format" | ||
| echo "Expected: type(scope): description" | ||
| echo "Examples: feat: add new feature, fix(auth): resolve login bug" | ||
| echo "Got: $PR_TITLE" | ||
| exit 1 | ||
| fi | ||
| echo "✅ PR title follows Conventional Commits format" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 months ago
Generally, the fix is to add an explicit permissions: block that restricts the GITHUB_TOKEN to the minimum necessary scopes. You can define it at the workflow root so it applies to all jobs, or per-job if different jobs need different scopes. Here, all jobs only read repository contents and upload artifacts, so a single root-level permissions: contents: read (and optionally other read-only scopes if needed) is sufficient.
The single best fix with no behavior change is: in .github/workflows/ci.yml, add a root-level permissions block near the top (e.g., after name: CI or after the on: block) specifying contents: read. None of the shown steps require write access to issues, pull requests, or contents; actions/checkout, actions/setup-node, npm ci, builds, tests, and actions/upload-artifact all function with a read-only GITHUB_TOKEN. No imports or additional methods are required because this is pure YAML configuration.
Concretely:
-
Edit
.github/workflows/ci.yml. -
Insert:
permissions: contents: read
at the workflow root, aligned with
on:andjobs:, so it applies to every job (check,e2e, andcommit-lint).
| @@ -6,6 +6,9 @@ | ||
| pull_request: | ||
| branches: [main, master] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ci-${{ github.ref }} | ||
| cancel-in-progress: true |
Wire all six SDK session hooks (onPreToolUse, onPostToolUse, onSessionStart, onSessionEnd, onErrorOccurred) to forward events over WebSocket as new message types. Changes: - Add HookPreToolMessage, HookPostToolMessage, HookSessionStartMessage, HookSessionEndMessage, HookErrorMessage types to ServerMessage union - Add HookEventCallback type and buildSessionHooks() factory to session.ts - Add onHookEvent option to CreateSessionOptions - Wire hooks in both session creation paths in handler.ts - Add 7 unit tests covering all hook types and wiring Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add isValidAttachmentPath() to ensure attachment paths are inside the upload directory (tmpdir/copilot-uploads/), preventing malicious WebSocket clients from reading arbitrary server files via the SDK - Log rejected paths via security logger at warn level - Add unit tests for path validation (8 tests covering traversal, relative paths, prefix spoofing, etc.) - Add image-specific upload tests verifying all 5 image types (jpg, jpeg, png, gif, webp) are accepted with correct MIME types - Add test verifying upload returns absolute server-side paths Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Extract parseMcpServers() helper with defense-in-depth enabled filtering - Pass MCP servers (GitHub + user) on resume_session (SDK + fallback) - Update ResumeSessionMessage type to include mcpServers - Client sends enabled MCP servers when resuming sessions - Add unit tests for MCP parser (9 tests) and session config (3 tests) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add isValidSessionId() UUID validation for getSessionDetail/buildSessionContext - Reset isProcessing flag on resume to prevent stale state - Add 4 unit tests for UUID validation and path traversal rejection Closes #55 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2 participants
Description
Complete Phase 0 of the master implementation plan: repository infrastructure, security automation, GitHub Flow enforcement, and awesome-copilot asset adoption.
Closes #69, #70, #71, #72, #73, #74, #75, #76, #77, #78, #79, #80, #86, #87, #88
What's Included
🔒 GHAS & Security
🔄 GitHub Flow
📋 Templates & DX
🤖 Awesome-Copilot Assets
📝 Documentation
Type of Change
Testing
npm run test:unit)npm run checkpassesnpm run buildpassesSecurity