Closed
Conversation
* fix: replace execSync with execFileSync in docs validation Replace all execSync calls with execFileSync to avoid shell interpretation of interpolated paths. This resolves a CodeQL alert about shell command injection via uncontrolled absolute paths (scripts/docs-validation/validate.ts:79). execFileSync passes arguments as an array, bypassing the shell entirely, which eliminates the risk of path characters being misinterpreted. Also updated catch blocks to check err.stderr in addition to err.stdout, since 2>&1 shell redirection is no longer used. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore: remove unused spawn import Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Document Microsoft Foundry Local setup and usage Added section for Microsoft Foundry Local with installation and usage instructions. * Update docs/auth/byok.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…#542) Update the Copilot CLI dependency to the latest version. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…external cancellation (github#543)
* Improve discoverability of permission handler being required * Update TypeScript tests * Formatting * Test updates * Formatting * More doc updates * Fix E2E tests: add permission handler to all session calls across Python, Go, C# - Add on_permission_request/OnPermissionRequest to all Python and Go E2E test create_session/resume_session calls - Fix pre-existing deny tests: restore 'denied-interactively-by-user' kind (was accidentally changed by blanket replace) - Fix session-resume scenario builds for Go and C# Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix docs validation: add permission handler to getting-started.md examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix remaining E2E tests missing permission handler - Go: client_test.go CreateSession calls need OnPermissionRequest - Python: test_client.py create_session call needs config arg Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace fabricated skill.json references with actual SKILL.md format used by the SDK. The previous doc described a skill.json manifest, prompts/ directory, and tools/ directory that don't exist in the implementation. Changes: - Replace skill.json with SKILL.md format (YAML frontmatter + markdown) - Fix directory structure to match actual layout (skill-name/SKILL.md) - Add onPermissionRequest to all code examples (required by SDK) - Remove fabricated prompts/ and tools/ directory concepts - Fix troubleshooting and best practices to reference SKILL.md - Remove speculative skill conflict precedence claims Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add permission checks for SDK-registered custom tools Add 'custom-tool' to the PermissionRequest kind union in Node.js and Python types. Update all existing custom tool e2e tests across all four languages (Node.js, Python, Go, .NET) to provide an onPermissionRequest handler, and add new e2e tests verifying permission approval and denial flows for custom tools. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review: remove unused import, add toolName verification to Go and .NET tests - Remove unused PermissionRequestResult import from Node.js test - Add toolName assertion in Go test for cross-SDK parity - Add toolName assertion in .NET test for cross-SDK parity Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Formatting * Fix rebase issue * Go fix --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
--- updated-dependencies: - dependency-name: Microsoft.NET.Test.Sdk dependency-version: 18.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…st() (github#592) * fix(python): remove 30s default timeout from JsonRpcClient.request() The Python SDK's JsonRpcClient.request() had a hardcoded 30s default timeout via asyncio.wait_for(), unlike the other three SDK languages (Go, Node/TS, .NET) which all wait indefinitely for the server to respond. Change the default from timeout=30.0 to timeout=None so that requests wait indefinitely by default, matching the behavior of the other SDKs. Callers can still pass an explicit timeout when needed. Fixes github#539 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(python): add type casts to fix ty check errors Add cast() calls for handler results that go through inspect.isawaitable(), which loses type narrowing: - session.py: _handle_permission_request, _handle_user_input_request - client.py: _execute_tool_call Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: WANG Xu <feici02@outlook.com>
* Fix Go JSON-RPC client data race * prevent race between startCLIServer and [Force]Stop * we require 1.24 * prevent races between Start and [Force]Stop * fail fast when CLI exits before reporting TCP port
…ub#561) * Set Python 3.11 as the minimum version * Run pyupgrade * More modernization * Address review comments * Update python/copilot/generated` via codegen instead of by pyupgrade * Update Python version matrix to only include 3.11 for compatibility testing * Regenerate codegen files Update generated files for Python and Go SDKs to include new agent API types, compaction result types, and new session event types (assistant.streaming_delta, session.task_complete). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix formatting * fix: gofmt Go generated files and fix Python test for fork PRs - Run gofmt on go/rpc/generated_rpc.go and go/generated_session_events.go to fix spaces→tabs formatting that caused the Codegen Check to fail. - Fix test_resume_session_forwards_client_name to return a mock response for session.resume instead of forwarding to the real CLI, which requires the COPILOT_HMAC_KEY secret unavailable to fork PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Patrick Nikoletich <patniko@github.com>
Bumps the npm_and_yarn group with 1 update in the /nodejs directory: [minimatch](https://github.com/isaacs/minimatch). Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the /test/harness directory: [hono](https://github.com/honojs/hono). Updates `hono` from 4.11.9 to 4.12.3 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.9...v4.12.3) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the /scripts/docs-validation directory: [minimatch](https://github.com/isaacs/minimatch). Updates `minimatch` from 10.1.2 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.1.2...v10.2.4) --- updated-dependencies: - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* More e2e nodejs tests * fix lint/format * Fix E2E tests: add missing onPermissionRequest, fix assertions, fix promise leak - Add onPermissionRequest: approveAll to all createSession()/resumeSession() calls in new E2E test files (CI blocker) - Fix no-op assertion in client_lifecycle.test.ts (was testing lambda return) - Fix weak assertion in tool_results.test.ts (now checks 'service is down') - Fix resumeSession in error_resilience.test.ts (was missing required arg) - Fix hanging Promise leak in replayingCapiProxy.ts (return without await) - Add TODO comment on skipped Compaction test suite Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix prettier formatting Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: fix glob snapshot mismatch and session cleanup in e2e tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: skip bash stderr test on Windows (PowerShell wrapping breaks snapshot match) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: add Windows glob ordering variant to snapshot On Windows, glob returns files in alphabetical order (app.ts before index.ts) while macOS/Linux return them differently. Add a second conversation variant to handle both orderings. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Patrick Nikoletich <patniko@github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…thods (github#596) Fix truthy check for excluded_tools in create_session and resume_session that silently dropped empty lists ([]), preventing callers from explicitly clearing excluded tools. This is the remaining half of github#487 — available_tools was already fixed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…#529) Add comprehensive documentation for instrumenting Copilot SDK applications with OpenTelemetry GenAI semantic conventions. The guide includes: - Installation and basic setup for OpenTelemetry - Complete SessionEventType to GenAI attribute mapping - Detailed examples for ASSISTANT_USAGE, TOOL_EXECUTION events - Full working code example with proper span management - Content recording guidelines (opt-in for sensitive data) - MCP tool conventions - Metrics export - Azure Monitor integration - Best practices and troubleshooting This enables Copilot SDK users to add standardized observability following OpenTelemetry GenAI Semantic Conventions v1.34.0.
* docs: fix OpenTelemetry guide to use correct SDK APIs
- CopilotClient() takes CopilotClientOptions, not SessionConfig; model
is set on create_session() instead
- session.send() returns a message ID, not an async iterator; events
are received via session.on(handler) callbacks
- session.send() takes a dict {"prompt": ...}, not a bare string
- Add required on_permission_request to all create_session() calls
- Fix imports: SessionConfig → PermissionHandler
- Rewrite complete example with correct event subscription pattern
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: skip validation for contextual code snippets
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…github#600) directive pair that lets authors include a full compilable code block that is validated but not rendered in docs, while the visible snippet that follows is automatically skipped from validation. Convert 4 skipped samples in getting-started.md to use hidden blocks: - Python event subscription example - Go event subscription example - C# event subscription example - Go CLI server connection example This increases validated code blocks from 182 to 186 and demonstrates the hidden block pattern for future conversions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ning a list of exceptions (github#603) The Zen of Python says, "Errors should never pass silently".
* Add workflow to update @github/copilot dependency Adds a workflow_dispatch workflow that: - Accepts a target version of @github/copilot - Updates the dependency in nodejs/ and test/harness/ - Re-runs all code generators - Formats generated output - Pushes a branch and opens a PR for review Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Also refresh nodejs/samples lockfile during dependency update The samples package-lock.json picks up @github/copilot transitively through the file:.. link to the nodejs SDK and needs refreshing too. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review feedback - Add version input validation (semver regex) to prevent injection - Pass version via env var instead of direct interpolation in shell - Add actions/setup-dotnet for dotnet format step - Restrict formatting to generated files only (src/generated/**) - Handle idempotent re-runs: reuse existing branch, skip empty commits, detect existing PRs - Use --force-with-lease for safe branch updates Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Updated nodejs and test harness dependencies - Re-ran code generators - Formatted generated code Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Initial plan * Extract ActionDisposable into its own file and use it from both Client.cs and Session.cs Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
…b#625) * Initial plan * Remove unnecessary SemaphoreSlims for _permissionHandlerLock and _userInputHandlerLock Replace SemaphoreSlim-based locking with volatile fields for _permissionHandler and _userInputHandler. These fields are single reference types where reads and writes are atomic in .NET, so locking is unnecessary. The volatile keyword ensures proper visibility across threads. Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
….yml (github#628) * Initial plan * Fix: remove --locked flag from uv sync in copilot-setup-steps.yml The --locked flag requires a uv.lock file which doesn't exist in the python/ directory, causing the "Install Python dependencies" setup step to fail for CCA invocations. This aligns with the python-sdk-tests.yml workflow which uses uv sync without --locked. Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
…ler dispatch (github#624) * Initial plan * Use event delegate composition for thread-safe, insertion-ordered handler dispatch Replace HashSet<SessionEventHandler> with a private event (multicast delegate). The compiler-generated add/remove accessors use a lock-free CAS loop, dispatch reads the field once for an inherent snapshot, and invocation order matches registration order. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Stephen Toub <stoub@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ithub#618) The approve_all static method used untyped parameters (Any) and returned a plain dict, conflicting with the _PermissionHandlerFn signature that expects (PermissionRequest, dict[str, str]) -> PermissionRequestResult. - Replace parameter types: Any → PermissionRequest, dict[str, str] - Replace return type: dict → PermissionRequestResult - Use PermissionRequestResult() constructor instead of dict literal Fixes github#612 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add session.setModel() across all 4 languages
Allows changing the model mid-session without destroying it.
The new model takes effect for the next message while preserving
conversation history.
Node.js: session.setModel(model: string): Promise<void>
Python: session.set_model(model: str) -> None
Go: session.SetModel(ctx, model string) error
.NET: session.SetModelAsync(model, cancellationToken): Task
All send the 'session.setModel' JSON-RPC method with
{ sessionId, model } params.
Tests added for all 4 languages:
- Node.js: mocked sendRequest verifies correct RPC params (25/25 pass)
- Python: mocked request verifies sessionId + model (unit test)
- Go: JSON marshaling test for request type (pass)
- .NET: e2e test creating session, calling SetModelAsync
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Refactor setModel to be thin wrappers around session.Rpc.Model.SwitchTo()
Co-authored-by: SteveSandersonMS <1101362+SteveSandersonMS@users.noreply.github.com>
* Fix ESLint error, update .NET test to verify model_change event, add skipped Go test
Co-authored-by: SteveSandersonMS <1101362+SteveSandersonMS@users.noreply.github.com>
* Fix Prettier formatting in client.test.ts
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: SteveSandersonMS <1101362+SteveSandersonMS@users.noreply.github.com>
Co-authored-by: Steve Sanderson <SteveSandersonMS@users.noreply.github.com>
* Add release changelog agentic workflow Create an AI agent that automatically generates CHANGELOG.md entries when a stable (non-preview) release is published. The agent: - Triggers on release:published events (filtered to non-prerelease) - Reads merged PRs/commits between the new and previous stable tags - Generates categorized, bullet-pointed changelog entries - Opens a PR to update CHANGELOG.md via create-pull-request safe output - Updates the GitHub Release notes via update-release safe output - Posts an announcement Discussion for team visibility Also adds a seed CHANGELOG.md at the repo root. Note: The .lock.yml must be compiled via 'gh aw compile release-changelog' before this workflow will run in CI. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address PR review feedback - Add explicit guidance for workflow_dispatch runs where release event fields are empty (fetch release by tag via API) - Use release publish date instead of today's date for changelog entries - Remove author attribution to match example style (keep it clean) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Don't include version heading in GitHub Release notes (redundant with release title) - Omit 'Other changes' subheading when there are no highlighted features above it - Add 'New contributors' section listing first-time contributors with their PR link Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…h trigger (github#641) - Support prerelease releases: update GitHub Release notes only (no CHANGELOG.md or PR) - Stable releases: update both CHANGELOG.md (via PR) and GitHub Release notes - Don't include version heading in GitHub Release notes (redundant with release title) - Omit 'Other changes' subheading when there are no highlighted features - Add 'New contributors' section for first-time contributors - Trigger changelog workflow from publish.yml for both latest and prerelease - Remove release:published trigger (GITHUB_TOKEN events don't trigger other workflows) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Upstream: github/copilot-sdk@dcd86c1 ACP auto-resolved: false
Owner
Author
|
Closed: upstream sync completed via manual merge in commit 14dcaa8 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upstream Sync
Commits: 40 new commits from upstream
Upstream SHA:
dcd86c189501ce1b46b787ca60d90f3f315f3079Base SHA:
c4b3b366c4bd8dfba9ba4aa05e4019825360ad78Upstream Changes
Conflict Resolution
After Merge
# Rebase feature branches git fetch origin main git rebase origin/mainAuto-generated by upstream-sync workflow