Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
101 commits
Select commit Hold shift + click to select a range
1b96bfa
fix(deps): update copilotkit examples
renovate[bot] May 10, 2026
20bff1e
chore(deps): bump pnpm to 11.1.2
AlemTuzlak May 14, 2026
edf1076
chore(ci): pin actions to SHA, add zizmor + dependabot, tighten permi…
AlemTuzlak May 14, 2026
63d1d9e
fix(web-inspector): polyfill localStorage in vitest env for Node 22.4+
ataibarkai May 14, 2026
f437231
feat(showcase/shell-dojo): surface feature categories in sidebar
ataibarkai May 14, 2026
a978b0b
feat(showcase/shell-dojo): URL state + file tree in code view
ataibarkai May 14, 2026
1ce4fcf
feat(showcase/shell-dojo): mark highlighted "core" files in code tree
ataibarkai May 14, 2026
e4987cc
feat(showcase/shell-dojo): pin a "Featured" meta-category to the top …
ataibarkai May 14, 2026
88d9435
feat(showcase/shell-dojo): highlight region-marked line ranges in cod…
ataibarkai May 14, 2026
bbb1a53
style: auto-fix formatting
github-actions[bot] May 14, 2026
b2ea77e
feat(showcase/shell-dojo): update Featured selection
ataibarkai May 14, 2026
11db8e8
refactor(showcase/shell-dojo, web-inspector): post-review cleanup
ataibarkai May 14, 2026
3dc8bf7
ci: daily dependabot, auto-merge, pnpm 10 hardening; revert pnpm 11
jpr5 May 15, 2026
cd3f795
ci: zizmor suppressions and workflow fixes
jpr5 May 15, 2026
6d49ecb
fix(showcase, runtime): subagents fixtures, voice mic format, fine-gr…
AlemTuzlak May 15, 2026
dd43576
fix(showcase, runtime): subagents fixtures, voice mic format, fine-gr…
AlemTuzlak May 15, 2026
bee96f9
fix(showcase/google-adk/voice): pin transcription baseURL to real OpenAI
AlemTuzlak May 15, 2026
e7f8f82
fix(showcase/google-adk/voice): pin transcription baseURL to real Ope…
AlemTuzlak May 15, 2026
12d3547
fix(deps): update copilotkit examples (major) (#4755)
AlemTuzlak May 15, 2026
36e0e24
fix(showcase/google-adk/beautiful-chat): wire calculator click handle…
AlemTuzlak May 15, 2026
23311b4
fix(showcase/google-adk/beautiful-chat): wire calculator click handle…
AlemTuzlak May 15, 2026
3e7271a
feat(shell-docs): add FrameworkOverviewData type definitions
samjulien May 15, 2026
954bf41
feat(shell-docs): port FrameworkOverview component and framework icons
samjulien May 15, 2026
d264e2e
feat(shell-docs): add FrameworkOverview data records for 13 frameworks
samjulien May 15, 2026
629a088
feat(shell-docs): render FrameworkOverview at framework root URL
samjulien May 15, 2026
3834465
feat(shell-docs): add Introduction entry at top of integration sidebars
samjulien May 15, 2026
cf4aa1c
fix(shell-docs): allow CDN images and canonicalize /built-in-agent to…
samjulien May 15, 2026
e984593
fix(shell-docs): register Blocks lucide icon stub for MDX docs
samjulien May 15, 2026
41a2847
fix(showcase/aimock): scope bare 'hi' / 'help' / 'deal' / 'city' / 'h…
AlemTuzlak May 15, 2026
25299bc
fix(ci): separate build from publish to isolate NPM_TOKEN
jpr5 May 15, 2026
228ea61
style: auto-fix formatting
github-actions[bot] May 15, 2026
82ff58a
style: auto-fix formatting
github-actions[bot] May 15, 2026
43d62e3
fix(shell-docs): wire shared-state.mdx with framework-aware demo content
samjulien May 15, 2026
4b43236
fix(shell-docs): wire generative-ui pages with framework-aware demo c…
samjulien May 15, 2026
00d0e90
chore(ci): tighten CI/CD security — SHA pins, zizmor, pnpm v11, audit…
jpr5 May 15, 2026
e70bd26
docs(showcase): backfill region markers for gen-ui-interrupt across i…
samjulien May 15, 2026
aadd40e
chore(ci)(deps): bump zizmorcore/zizmor-action
dependabot[bot] May 15, 2026
af21d6b
chore(ci)(deps): bump actions/cache from 4.3.0 to 5.0.5
dependabot[bot] May 15, 2026
e463373
chore(ci)(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.4 in…
github-actions[bot] May 15, 2026
a4268a3
chore(ci)(deps): bump dorny/paths-filter from 3.0.3 to 4.0.1
dependabot[bot] May 15, 2026
5799857
chore(ci)(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1
dependabot[bot] May 15, 2026
66467b7
chore(ci)(deps): bump docker/login-action from 3.7.0 to 4.1.0
dependabot[bot] May 15, 2026
0c8ede3
chore(ci)(deps): bump actions/setup-python from 5.6.0 to 6.2.0
dependabot[bot] May 15, 2026
164648a
chore(ci)(deps): bump actions/create-github-app-token
dependabot[bot] May 15, 2026
55baa76
chore(ci)(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.1.0
dependabot[bot] May 15, 2026
b170547
chore(ci)(deps): bump actions/download-artifact from 4.3.0 to 8.0.1
dependabot[bot] May 15, 2026
1b0adb5
chore(ci)(deps): bump actions/setup-node from 4.4.0 to 6.4.0
dependabot[bot] May 15, 2026
f0f3960
fix(showcase/aimock): scope bare 'hi' / 'help' / 'deal' / 'city' / 'h…
tylerslaton May 15, 2026
b5d59e7
feat(showcase/shell-dojo): category headers in sidebar + rename built…
tylerslaton May 15, 2026
c9cdbb4
fix(ci): limit devops-bot token exposure in capture-previews
jpr5 May 15, 2026
08433e9
fix(ci): limit credential exposure in format job
jpr5 May 15, 2026
fd80500
fix(ci): persist-credentials: false on docs-sync and stable-release
jpr5 May 15, 2026
4622e78
Add LinkPreview component with hover iframe popup
jpr5 May 15, 2026
6e0a158
feat(showcase/shell-dashboard): integrate LinkPreview into LinksLayer
jpr5 May 15, 2026
b439983
fix(showcase/shell-dashboard): add react-dom type declaration
jpr5 May 15, 2026
c083e2e
fix(ci): limit credential exposure in format job (#4860)
jpr5 May 15, 2026
6f783ae
fix(ci): limit devops-bot token exposure in capture-previews (#4859)
jpr5 May 15, 2026
fa6d66d
Merge remote-tracking branch 'origin/main' into fix/persist-credentia…
jpr5 May 15, 2026
8174016
fix(ci): persist-credentials: false on docs-sync and stable-release (…
jpr5 May 15, 2026
004a4cd
chore(ci)(deps): bump actions/setup-node from 4.4.0 to 6.4.0 (#4857)
jpr5 May 15, 2026
25f3dc6
chore(ci)(deps): bump actions/download-artifact from 4.3.0 to 8.0.1 (…
jpr5 May 15, 2026
df82f7e
chore(ci)(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.1.0 (…
jpr5 May 15, 2026
d89a5f3
chore(ci)(deps): bump actions/create-github-app-token from 2.2.2 to 3…
jpr5 May 15, 2026
1d342fd
chore(ci)(deps): bump actions/setup-python from 5.6.0 to 6.2.0 (#4853)
jpr5 May 15, 2026
c18031d
chore(ci)(deps): bump docker/login-action from 3.7.0 to 4.1.0 (#4852)
jpr5 May 15, 2026
027b1ab
fix(showcase/shell-dashboard): scale iframe content to fit preview popup
jpr5 May 15, 2026
ff79e84
chore(ci)(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 (#4…
jpr5 May 15, 2026
332cfc6
chore(ci)(deps): bump dorny/paths-filter from 3.0.3 to 4.0.1 (#4850)
jpr5 May 15, 2026
2a6c966
chore(ci)(deps): bump pnpm/action-setup from 4.3.0 to 6.0.8
dependabot[bot] May 15, 2026
1e657ae
chore(ci)(deps): bump pnpm/action-setup from 4.3.0 to 6.0.8 (#4849)
jpr5 May 15, 2026
3ccad7f
chore(ci)(deps): bump actions/cache from 4.3.0 to 5.0.5 (#4848)
jpr5 May 15, 2026
7247f60
Add loading and error states to link preview popup
jpr5 May 15, 2026
678d832
style: auto-fix formatting
github-actions[bot] May 15, 2026
2e918ff
fix(ci): correct zizmor-action input names (underscores to hyphens)
jpr5 May 15, 2026
0a40dec
fix(ci): correct zizmor-action input names (#4865)
jpr5 May 15, 2026
415f9d6
feat(showcase/shell-dashboard): add iframe link preview on hover (#4864)
jpr5 May 15, 2026
12c535a
fix(ci): scope app token permissions in eval workflows
jpr5 May 15, 2026
33b4d05
fix(ci): scope app token permissions in eval workflows (#4866)
jpr5 May 15, 2026
b169007
fix(ci): scope devops-bot app token permissions in capture-previews a…
jpr5 May 15, 2026
efe0605
fix(ci): scope devops-bot app token permissions (#4867)
jpr5 May 15, 2026
62b4c1d
fix(ci): suppress dependabot-cooldown (migrating to Renovate)
jpr5 May 15, 2026
f8e2799
fix(ci): suppress dependabot-cooldown finding (#4868)
jpr5 May 15, 2026
2cee1c4
fix(shell-docs): wire IntegrationGrid pages with framework-aware demo…
samjulien May 15, 2026
ceafc10
feat(shell-docs): backport per-framework introduction pages (#4844)
samjulien May 15, 2026
736d9aa
Add LinkPreview wrapping to LinksLayer in UnifiedCell
jpr5 May 15, 2026
9920fc7
fix(showcase/shell-dashboard): add LinkPreview to UnifiedCell (#4870)
jpr5 May 15, 2026
42d8c60
fix: add top-level permissions to 4 workflows
jpr5 May 15, 2026
c5ad23c
Add top-level permissions to 4 workflows (#4871)
jpr5 May 15, 2026
ebb1657
fix(ci): strip @mentions from dependabot major version analysis comments
jpr5 May 15, 2026
8537234
fix(ci): strip @mentions from dependabot major version analysis comme…
jpr5 May 15, 2026
bed747b
fix: add GitHub Environment protection to publish/deploy workflows
jpr5 May 15, 2026
802ac5c
Add GitHub Environment protection to publish/deploy workflows (#4873)
jpr5 May 15, 2026
4f77a2d
fix(ci): scope git config to --local in publish-release
jpr5 May 15, 2026
6c27744
fix(ci): scope git config to --local in publish-release (#4874)
jpr5 May 15, 2026
a768243
fix: pin aimock to 1.24.1 instead of @latest
jpr5 May 15, 2026
7bed352
Pin aimock to 1.24.1 in doc-tests workflow (#4875)
jpr5 May 15, 2026
60d10a2
fix(showcase): move @endregion marker after Chat closing brace in all…
Abubakar-01 May 15, 2026
8789210
fix(shell-docs): rendering parity, copy dedent, and content cleanup
samjulien May 15, 2026
4652def
fix(shell-docs): replace ... placeholder + add missing handler in a2a…
samjulien May 15, 2026
b039c8f
fix(showcase): move @endregion marker after Chat closing brace in rea…
samjulien May 15, 2026
fbe4888
fix(shell-docs): copy-dedent in fence-in-JSX bodies + framework-route…
samjulien May 15, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Dependabot config — keeps SHA-pinned GitHub Actions current.
#
# Without this, every action pinned to a commit SHA in .github/workflows
# silently rots: vulnerabilities discovered upstream don't reach us, and
# our pinned SHAs drift further from the action's release tags every week.
#
# Scope: GitHub Actions only. Node/Python/pnpm dependency updates are
# already handled by Renovate / manual upgrades and don't belong here.

version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 10
cooldown:
default-days: 1
commit-message:
prefix: "chore(ci)"
include: "scope"
labels:
- "dependencies"
- "github-actions"
- "security"
groups:
minor-and-patch:
patterns:
- "*"
update-types:
- "minor"
- "patch"
# Workaround for dependabot/dependabot-core#14202: without an explicit
# major group, major updates matching the minor-and-patch pattern are
# silently suppressed. Remove this group when #14202 is fixed to get
# individual (ungrouped) PRs per major bump instead.
major:
patterns:
- "*"
update-types:
- "major"
18 changes: 12 additions & 6 deletions .github/workflows/auto_merge_showcases.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,25 +16,31 @@ jobs:
steps:
- name: Check author is on Demo team
id: check-team
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
# Authorize on the PR AUTHOR (immutable for the lifetime of the PR),
# never `context.actor` — `actor` is whoever triggered the most
# recent event, so a team member synchronizing or reopening an
# outsider's PR would otherwise green-light auto-merge of code
# they didn't author.
script: |
const prAuthor = context.payload.pull_request.user.login;
try {
await github.rest.teams.getMembershipForUserInOrg({
org: 'CopilotKit',
team_slug: 'demo',
username: context.actor,
username: prAuthor,
});
core.setOutput('is_demo', 'true');
} catch {
core.info(`${context.actor} is not a member of CopilotKit/demo`);
core.info(`${prAuthor} is not a member of CopilotKit/demo`);
core.setOutput('is_demo', 'false');
}

- name: Check PR only touches showcases
if: steps.check-team.outputs.is_demo == 'true'
id: check-files
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
script: |
const { data: files } = await github.rest.pulls.listFiles({
Expand All @@ -59,7 +65,7 @@ jobs:

- name: Approve PR
if: steps.check-team.outputs.is_demo == 'true' && steps.check-files.outputs.only_showcases == 'true'
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
script: |
await github.rest.pulls.createReview({
Expand All @@ -72,7 +78,7 @@ jobs:

- name: Enable auto-merge
if: steps.check-team.outputs.is_demo == 'true' && steps.check-files.outputs.only_showcases == 'true'
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
script: |
await github.graphql(`
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/cleanup_pr-caches.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,16 @@ on:
types:
- closed

permissions:
contents: read

jobs:
pr-caches:
runs-on: ubuntu-latest
permissions:
contents: read
# Needed to delete repository actions caches via `gh cache delete`
actions: write
steps:
- name: Cleanup
run: |
Expand Down
32 changes: 32 additions & 0 deletions .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Dependabot Auto-Merge (Minor/Patch)

on:
pull_request_target:
types: [opened, synchronize]

permissions:
contents: write
pull-requests: write

jobs:
auto-merge:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Auto-approve and merge minor/patch github-actions updates
if: >-
steps.metadata.outputs.package-ecosystem == 'github_actions' &&
(steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
steps.metadata.outputs.update-type == 'version-update:semver-patch')
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_URL: ${{ github.event.pull_request.html_url }}
run: |
gh pr review "$PR_URL" --approve
gh pr merge "$PR_URL" --auto --merge
144 changes: 144 additions & 0 deletions .github/workflows/dependabot-major-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
name: Dependabot Major Version Analysis

on:
pull_request_target:
types: [opened]

permissions:
contents: read
pull-requests: write

jobs:
analyze-major:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Analyze major version bump
if: >-
steps.metadata.outputs.package-ecosystem == 'github_actions' &&
steps.metadata.outputs.update-type == 'version-update:semver-major'
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
env:
DEP_NAME: ${{ steps.metadata.outputs.dependency-names }}
PREV_VERSION: ${{ steps.metadata.outputs.previous-version }}
NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const depName = process.env.DEP_NAME;
const prevVersion = process.env.PREV_VERSION;
const newVersion = process.env.NEW_VERSION;
const parts = depName.split('/');
const owner = parts[0];
const repo = parts[1];
const repoSlug = `${owner}/${repo}`;

let releases = [];
try {
const { data } = await github.rest.repos.listReleases({ owner, repo, per_page: 50 });
releases = data;
} catch (err) {
core.warning(`Could not fetch releases for ${repoSlug}: ${err.message}`);
}

const prevMajor = parseInt(prevVersion.replace(/^v/, ''), 10);
const newMajor = parseInt(newVersion.replace(/^v/, ''), 10);

const relevantReleases = releases.filter(r => {
const major = parseInt(r.tag_name.replace(/^v/, ''), 10);
return major > prevMajor && major <= newMajor;
});

let releaseNotesSummary = '';
let breakingChanges = '';

if (relevantReleases.length === 0) {
releaseNotesSummary = '_No releases found between these versions._';
breakingChanges = `_Unable to determine breaking changes automatically. Please review the [full changelog](https://github.com/${repoSlug}/releases)._`;
} else {
for (const release of relevantReleases.slice(0, 10)) {
const body = (release.body || '_No release notes._').replace(/(?<=^|\s)@(?=[a-zA-Z0-9])(?![a-zA-Z0-9-]*\/)/gm, '');
releaseNotesSummary += `### ${release.tag_name}${release.name && release.name !== release.tag_name ? ' — ' + release.name : ''}\n\n`;
releaseNotesSummary += body.substring(0, 2000);
if (body.length > 2000) releaseNotesSummary += '\n\n_...truncated_';
releaseNotesSummary += '\n\n---\n\n';
const lines = body.split('\n');
for (const line of lines) {
if (/breaking|BREAKING|removed|deprecated|incompatible|migration/i.test(line)) {
breakingChanges += `- ${line.trim()}\n`;
}
}
}
}

if (!breakingChanges) {
breakingChanges = '_No explicit breaking changes detected in release notes. Manual review recommended._';
}

let commentBody = `## :warning: Major Version Update — Manual Review Required

| Field | Value |
|-------|-------|
| **Action** | [\`${depName}\`](https://github.com/${repoSlug}) |
| **Previous** | \`v${prevVersion}\` |
| **New** | \`v${newVersion}\` |
| **Type** | Major (\`v${prevMajor}\` → \`v${newMajor}\`) |

### Breaking Changes

${breakingChanges}

### Release Notes (v${prevMajor + 1} → v${newMajor})

${releaseNotesSummary}

### Next Steps

1. Review breaking changes above
2. Check if workflow inputs/outputs changed
3. Verify compatibility with your CI/CD configuration

> Full changelog: https://github.com/${repoSlug}/releases

---
_Generated automatically for Dependabot major version PRs._`.replace(/^ /gm, '');

if (commentBody.length > 64000) {
commentBody = commentBody.substring(0, 63900) + '\n\n_...comment truncated due to size limit._';
}

await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: commentBody,
});

try {
const labelsToAdd = ['major-update', 'needs-review'];
for (const label of labelsToAdd) {
try {
await github.rest.issues.getLabel({ owner: context.repo.owner, repo: context.repo.repo, name: label });
} catch {
const colors = { 'major-update': 'B60205', 'needs-review': 'FBCA04' };
await github.rest.issues.createLabel({
owner: context.repo.owner, repo: context.repo.repo,
name: label, color: colors[label] || 'EDEDED',
});
}
}
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: labelsToAdd,
});
} catch (err) {
core.warning(`Could not add labels: ${err.message}`);
}
2 changes: 1 addition & 1 deletion .github/workflows/ghcr_unlinked_packages.yml
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,7 @@ jobs:

- name: Notify Slack (drift detected)
if: steps.audit.outputs.unlinked_count != '0' && env.SLACK_WEBHOOK != ''
uses: slackapi/slack-github-action@v2.1.0
uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
with:
webhook: ${{ secrets.SLACK_WEBHOOK_GHCR_DRIFT }}
webhook-type: incoming-webhook
Expand Down
11 changes: 7 additions & 4 deletions .github/workflows/integrations_parity.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,17 +23,20 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false

- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"

- name: Install pnpm
uses: pnpm/action-setup@v4
# Omit `version:` so pnpm/action-setup inherits from the repo's
# `packageManager` field in package.json (via corepack).
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 10.13.1
run_install: false

- name: Install root dev dependencies (tsx)
Expand Down
Loading
Loading