diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md deleted file mode 100644 index 7835e93..0000000 --- a/.github/copilot-instructions.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Copilot code review — devantler-tech/agent-plugins - -A tool-neutral **agent-plugin marketplace** that bundles curated skills from -[`devantler-tech/agent-skills`](https://github.com/devantler-tech/agent-skills) into category-based plugins for -**VS Code**, **GitHub Copilot CLI**, and **Claude Code**. Canonical conventions live in -[`AGENTS.md`](../AGENTS.md); this is the concise review checklist — flag violations of the rules below. - -## Always (every PR) - -- **Conventional-Commit PR title** (`feat:`/`fix:`/`docs:`/`ci:`/`chore:`/`refactor:`). The repo is - consumed directly as a marketplace (no release pipeline), so the type drives changelog/intent — a - non-conventional or bracket-prefixed title is a defect. -- **Root-cause fixes only.** Flag anything that masks a failure: a CI check skipped or set - `continue-on-error` to dodge red, a weakened validation, `--no-verify`, silenced linters. -- **No secrets in plaintext** — flag committed tokens, keys, or kubeconfigs. -- PRs from the Daily AI Assistant carry a `> 🤖 Generated by the Daily AI Assistant` line — expected, - not a finding. - -## The two manifests are the contract - -- The marketplace ships **two manifests that must stay byte-for-byte in sync** (modulo key order): - `.github/plugin/marketplace.json` (Copilot / VS Code) and `.claude-plugin/marketplace.json` (Claude - Code). CI diffs them (`jq -S`) and fails on drift — **any change to the plugin set edits both in the - same PR**. Flag a PR that touches one manifest but not the other. -- Each entry's `source` is a **relative path** (`./plugins/`) so moves stay link-safe — flag an - absolute or URL `source`. -- Keep manifest `name`s and descriptions **tool-neutral** (cross-tool: VS Code / Copilot CLI / Claude - Code); flag Copilot-only framing where the capability isn't tool-specific. -- The **README plugin table mirrors the manifests** — flag a plugin-set change that doesn't update the - README in lockstep. 
- -## Plugins & bundled skills - -- A plugin is a dir under `plugins/` with a `plugin.json` (kebab-case `name` matching `^[a-z0-9-]+$`, a - `description`, a `version`, and `"skills": "skills/"`) plus a `skills/` subdir. Skill dirs sit at - `plugins//skills//` (CI discovers `SKILL.md` at depth 4) — flag a misplaced layout or - a non-kebab plugin name. -- **Skills come from upstream — no lockfile.** Each bundled `SKILL.md` is installed with - `gh skill install` and validates against the [agentskills.io](https://agentskills.io) spec. **Never - hand-edit a bundled `SKILL.md` to diverge from its upstream** — fix it in `devantler-tech/agent-skills` and - let the daily `update-agent-skills` PR pull it through. Flag a hand-authored or spec-invalid `SKILL.md`. - -## CI & security - -- **Pin every external action** to a full commit SHA with a `# v` comment — this repo SHA-pins - all `uses:` refs (including `actions/*`), so flag any unpinned or tag-pinned ref. -- **Least privilege:** give each workflow the minimum `permissions` it needs — prefer `{}` at the top - level and grant per job; a workflow that genuinely needs write (e.g. the PR-opening - `update-agent-skills`) scopes it explicitly. Set `persist-credentials: false` on `actions/checkout` - unless a job must push. Keep workflows `actionlint`-clean. -- Bundle Dependabot `github_actions` bumps; call out **major** bumps. Never weaken a security control or - a check to make CI pass. - -Copilot code review reads this file (and any `.github/instructions/**/*.instructions.md`, if present) -at **≤4000 chars** and does **not** read [`AGENTS.md`](../AGENTS.md). When a rule here is ambiguous, -flag it and request human clarification rather than assuming.
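Review bot: Deleting the whole of `.github/copilot-instructions.md` (hunk `@@ -1,56 +0,0 @@`) removes the only checklist Copilot code review reads, and nothing in the visible diff replaces it. The file's closing paragraph states that Copilot reads this file and any `.github/instructions/**/*.instructions.md`, and does not read `AGENTS.md`. Once this merges, the "CI & security" rules are no longer put in front of the automated reviewer: full-SHA pinning of every `uses:` ref, minimal `permissions`, `persist-credentials: false` on `actions/checkout`, and "No secrets in plaintext". The same goes for the two-manifest sync rule. If the removal is intentional, either move these rules into a `.github/instructions/*.instructions.md` file in the same PR, or state in the PR description which CI checks enforce each of them. The deleted text only names the `jq -S` manifest diff and `actionlint` as automated checks, so SHA pinning and secret detection look like review-only controls that this change drops.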