Skip to content

Add canvas schema validation to extension submission workflow#2161

Merged
aaronpowell merged 10 commits into
mainfrom
aaronpowell-canvas-schema-workflow
Jul 1, 2026
Merged

Add canvas schema validation to extension submission workflow#2161
aaronpowell merged 10 commits into
mainfrom
aaronpowell-canvas-schema-workflow

Conversation

@aaronpowell

Copy link
Copy Markdown
Contributor

Pull Request Checklist

  • I have read and followed the CONTRIBUTING.md guidelines.
  • I have read and followed the Guidance for submissions involving paid services.
  • My contribution adds a new instruction, prompt, agent, skill, workflow, or canvas extension file in the correct directory.
  • The file follows the required naming convention.
  • The content is clearly structured and follows the example format.
  • I have tested my instructions, prompt, agent, skill, workflow, or canvas extension with GitHub Copilot.
  • I have run npm start and verified that README.md is up to date.
  • I am targeting the main branch for this pull request.

Description

Adds a dedicated JSON schema for extensions/*/canvas.json and upgrades canvas extension PR validation to enforce required files, schema compliance, and referenced screenshot asset existence.

To avoid duplicate website builds across workflows, website build triggering is centralized in build-website.yml by expanding its watched paths to include extension and canvas-schema changes.


Type of Contribution

  • New instruction file.
  • New prompt file.
  • New agent file.
  • New plugin.
  • New skill file.
  • New agentic workflow.
  • New canvas extension.
  • Update to existing instruction, prompt, agent, plugin, skill, workflow, or canvas extension.
  • Other (please specify):

Additional Notes

N/A


By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 02:02
@github-actions github-actions Bot added the workflow PR touches workflow automation label Jun 30, 2026
GitHub Advanced Security started work on behalf of aaronpowell June 30, 2026 02:02 View session
GitHub Advanced Security finished work on behalf of aaronpowell June 30, 2026 02:02

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a dedicated JSON Schema for extensions/*/canvas.json and updates the canvas extension validation workflow to enforce required files, schema compliance, and referenced screenshot existence. It also expands the website build workflow’s path filters so extension and canvas schema updates trigger the website build.

Changes:

  • Add .schemas/canvas.schema.json defining the expected shape of extensions/<name>/canvas.json.
  • Replace the canvas extension PR validation logic with a shell-based validator that checks required files, validates canvas.json against the schema, and verifies referenced screenshot paths exist.
  • Update build-website.yml path filters to include extension and canvas schema changes.
Show a summary per file
File Description
.schemas/canvas.schema.json Adds a draft-07 JSON schema for canvas extension manifests.
.github/workflows/validate-canvas-extensions.yml Updates PR validation to enforce required files, schema validation, and screenshot asset existence.
.github/workflows/build-website.yml Expands watched paths so extension/schema changes trigger the website build.

Review details

  • Files reviewed: 3/3 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread .schemas/canvas.schema.json Outdated
Comment thread .github/workflows/validate-canvas-extensions.yml
Comment thread .github/workflows/validate-canvas-extensions.yml Outdated
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 04:07
@aaronpowell aaronpowell removed the request for review from Copilot June 30, 2026 04:07
- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 04:19
@github-actions github-actions Bot added the website-update PR touches website content or code label Jun 30, 2026
GitHub Advanced Security started work on behalf of aaronpowell June 30, 2026 04:19 View session
GitHub Advanced Security finished work on behalf of aaronpowell June 30, 2026 04:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 6/7 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread .github/workflows/validate-canvas-extensions.yml Outdated
Comment thread website/src/pages/contributors.astro Outdated
Comment thread package.json Outdated
"author": "GitHub",
"license": "MIT",
"devDependencies": {
"ajv-cli": "^5.0.0",

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 6/7 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread .github/workflows/validate-canvas-extensions.yml Outdated
Comment on lines 11 to +15
- instructions
- hooks
- workflows
- extensions
- .schemas/canvas.schema.json
Comment thread package.json
Comment on lines 40 to 42
"devDependencies": {
"ajv-cli": "^5.0.0",
"all-contributors-cli": "^6.26.1"
Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.

Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.

Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.

Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of aaronpowell June 30, 2026 04:32 View session
GitHub Advanced Security finished work on behalf of aaronpowell June 30, 2026 04:33
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 04:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 6/7 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread .github/workflows/validate-canvas-extensions.yml Outdated
Comment thread .github/workflows/validate-canvas-extensions.yml Outdated
Comment thread .github/workflows/validate-canvas-extensions.yml Outdated
- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of aaronpowell June 30, 2026 04:52 View session
GitHub Advanced Security finished work on behalf of aaronpowell June 30, 2026 04:54
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 23:50
GitHub Advanced Security started work on behalf of aaronpowell June 30, 2026 23:50 View session
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of aaronpowell June 30, 2026 23:50 View session
GitHub Advanced Security finished work on behalf of aaronpowell June 30, 2026 23:51
GitHub Advanced Security finished work on behalf of aaronpowell June 30, 2026 23:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 7/8 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment on lines +8 to +32
function parseArgs(argv) {
const args = { schema: null, data: null };
for (let i = 2; i < argv.length; i += 1) {
const arg = argv[i];
if (arg === "--schema") {
args.schema = argv[i + 1] || null;
i += 1;
} else if (arg === "--data") {
args.data = argv[i + 1] || null;
i += 1;
}
}
return args;
}

function readJson(filePath) {
const content = fs.readFileSync(filePath, "utf8");
return JSON.parse(content);
}

const args = parseArgs(process.argv);
if (!args.schema) {
console.error("Missing required argument: --schema <path>");
process.exit(1);
}
Comment on lines +16 to +22
"id": {
"type": "string",
"description": "Unique identifier for the canvas extension",
"pattern": "^[a-z0-9-]+$",
"minLength": 1,
"maxLength": 100
},
Comment on lines +63 to +68
"items": {
"type": "string",
"pattern": "^[a-z0-9-]+$",
"minLength": 1,
"maxLength": 50
},
GitHub Advanced Security started work on behalf of aaronpowell July 1, 2026 00:36 View session
GitHub Advanced Security finished work on behalf of aaronpowell July 1, 2026 00:36
@aaronpowell aaronpowell merged commit 79cda6b into main Jul 1, 2026
20 checks passed
@aaronpowell aaronpowell deleted the aaronpowell-canvas-schema-workflow branch July 1, 2026 00:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

website-update PR touches website content or code workflow PR touches workflow automation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants