This is a valid RSS feed.
This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>The GitHub Blog</title>
<atom:link href="https://github.blog/feed/" rel="self" type="application/rss+xml" />
<link>https://github.blog/</link>
<description>Updates, ideas, and inspiration from GitHub to help developers build and design software.</description>
<lastBuildDate>Wed, 16 Jul 2025 21:06:18 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.2</generator>
<image>
<url>https://github.blog/wp-content/uploads/2019/01/cropped-github-favicon-512.png?fit=32%2C32</url>
<title>The GitHub Blog</title>
<link>https://github.blog/</link>
<width>32</width>
<height>32</height>
</image>
<site xmlns="com-wordpress:feed-additions:1">153214340</site>
<item>
<title>GitHub Availability Report: June 2025</title>
<link>https://github.blog/news-insights/company-news/github-availability-report-june-2025/</link>
<dc:creator><![CDATA[Natalie Guevara]]></dc:creator>
<pubDate>Wed, 16 Jul 2025 21:06:17 +0000</pubDate>
<category><![CDATA[Company news]]></category>
<category><![CDATA[News & insights]]></category>
<category><![CDATA[GitHub Availability Report]]></category>
<guid isPermaLink="false">https://github.blog/?p=89594</guid>
<description><![CDATA[<p>In June, we experienced three incidents that resulted in degraded performance across GitHub services.</p>
<p>The post <a href="https://github.blog/news-insights/company-news/github-availability-report-june-2025/">GitHub Availability Report: June 2025</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p>In June, we experienced three incidents that resulted in degraded performance across GitHub services.</p>
<p><strong>June 5 17:47 UTC (lasting 1 hour and 33 minutes)</strong></p>
<p>On June 5, 2025, between 17:47 UTC and 19:20 UTC, the Actions service was degraded, leading to run start delays and intermittent job failures. During this period, 47.2% of runs had delayed starts of 14 minutes on average, and 21.0% of runs failed. The impact extended beyond Actions itself; 60% of Copilot Coding Agent sessions were cancelled, and all Pages sites using branch-based builds failed to deploy (though Pages serving remained unaffected). The issue was caused by a spike in load between internal Actions services exposing a misconfiguration that caused throttling of requests in the critical path of run starts. We mitigated the incident by correcting the service configuration to prevent throttling and have updated our deployment process to ensure the correct configuration is preserved moving forward.</p>
<p><strong>June 12 17:55 UTC (lasting 3 hours and 12 minutes)</strong></p>
<p>On June 12, 2025, between 17:55 UTC and 21:07 UTC, the GitHub Copilot service was degraded and experienced unavailability for Gemini models and reduced availability for Claude models. Users experienced significantly elevated error rates for chat completions, slow response times, timeouts, and chat functionality interruptions across VS Code, JetBrains IDEs, and GitHub Copilot Chat. This was due to an outage affecting one of our model providers.</p>
<p>We mitigated the incident by temporarily disabling the affected provider endpoints to reduce user impact.</p>
<p>We are working to update our incident response playbooks for infrastructure provider outages and improve our monitoring and alerting systems to reduce our time to detection and mitigation of issues like this one in the future.</p>
<p><strong>June 17 19:32 UTC (lasting 31 minutes)</strong></p>
<p>On June 17, 2025, between 19:32 UTC and 20:03 UTC, an internal routing policy deployment to a subset of network devices caused reachability issues for certain network address blocks within our datacenters. Authenticated users of the github.com UI experienced 3-4% error rates for the duration of the incident. Authenticated callers of the API experienced 40% error rates. Unauthenticated requests to the UI and API experienced nearly 100% error rates. Actions experienced 2.5% of runs being delayed for an average of 8 minutes and 3% of runs failing. Large File Storage (LFS) requests experienced 1% errors. At 19:54 UTC, the deployment was rolled back, and network availability for the affected systems was restored. At 20:03 UTC, we fully restored normal operations. To prevent similar issues, we are expanding our validation process for routing policy changes.</p>
<hr class="wp-block-separator has-alpha-channel-opacity"/>
<p>Please follow our <a href="https://www.githubstatus.com/">status page</a> for real-time updates on status changes and post-incident recaps. To learn more about what we’re working on, check out the <a href="https://github.blog/category/engineering/">GitHub Engineering Blog</a>.</p>
<p>The post <a href="https://github.blog/news-insights/company-news/github-availability-report-june-2025/">GitHub Availability Report: June 2025</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89594</post-id>
</item>
<item>
<title>How to catch GitHub Actions workflow injections before attackers do</title>
<link>https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/</link>
<dc:creator><![CDATA[Dylan Birtolo]]></dc:creator>
<pubDate>Wed, 16 Jul 2025 16:00:00 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[Vulnerability research]]></category>
<category><![CDATA[code scanning]]></category>
<category><![CDATA[CodeQL]]></category>
<guid isPermaLink="false">https://github.blog/?p=89525</guid>
<description><![CDATA[<p>Strengthen your repositories against actions workflow injections — one of the most common vulnerabilities.</p>
<p>The post <a href="https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/">How to catch GitHub Actions workflow injections before attackers do</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>You already know that security is important to keep in mind when creating code and maintaining projects. Odds are, you also know that it’s much easier to think about security from the ground up rather than trying to squeeze it in at the end of a project.</p>
<p>But did you know that GitHub Actions injections are one of the most common vulnerabilities in projects stored in GitHub repositories? Thankfully, this is a relatively easy vulnerability to address, and GitHub has some tools to make it even easier.</p>
<figure class="wp-block-image size-full"><img data-recalc-dims="1" fetchpriority="high" decoding="async" width="768" height="768" src="https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?resize=768%2C768" alt="A bar chart detailing the most common vulnerabilities found by CodeQL in 2024. In order from most to least, they are: injection, broken access control, insecure design, cryptographic failures, identification and authentication failures, security misconfigurations, software and data integrity failures, security logging and monitoring failures, server side request forgery, and vulnerable and outdated components." class="wp-image-89527" srcset="https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=768 768w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=150 150w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=300 300w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=600 600w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=400 400w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=200 200w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=90 90w, https://github.blog/wp-content/uploads/2025/07/vulnerabilities.png?w=116 116w" sizes="(max-width: 768px) 100vw, 768px" /><figcaption class="wp-element-caption"><em>From the 2024 Octoverse report detailing the most common types of OWASP-classified vulnerabilities identified by CodeQL in 2024. Our latest data shows a similar trend, highlighting the continued risks of injection attacks despite continued warnings for several decades.</em></figcaption></figure>
<h2 class="wp-block-heading" id="h-embracing-a-security-mindset">Embracing a security mindset</h2>
<p>The truth is that security is not something that is ever “done.” It’s a continuous process, one that you need to keep focusing on to help keep your code safe and secure. While automated tools are a huge help, they’re not an all-in-one, fire-and-forget solution.</p>
<p>This is why it’s important to understand the causes behind security vulnerabilities as well as how to address them. No tool will be 100% effective, but by increasing your understanding and deepening your knowledge, you will be better able to respond to threats. </p>
<p>With that in mind, let’s talk about one of the most common vulnerabilities found in GitHub repositories.</p>
<h2 class="wp-block-heading" id="h-explaining-actions-workflow-injections">Explaining actions workflow injections</h2>
<p>So what exactly is a GitHub Actions workflow injection? This is when a malicious attacker is able to submit a command that is run by a <a href="https://docs.github.com/actions/writing-workflows/about-workflows">workflow</a> in your repository. This can happen when an attacker controls the data, such as when they create an issue title or a branch name, and you execute that untrusted input. For example, you might execute it in the run portion of your workflow.</p>
<p>One of the most common causes of this is the <code>${{}}</code> expression syntax in your workflow. The runner expands these expressions before the step's script is handed to the shell, so whatever the expression evaluates to is pasted directly into the script text. If that value contains shell syntax, it changes the script, and when the step executes, the attacker's commands are executed too.</p>
<p>Consider the following workflow as an example:</p>
<pre class="wp-block-code language-plaintext"><code>- name: print title
  run: echo "${{ github.event.issue.title }}"</code></pre>
<p>Let’s assume that this workflow is triggered whenever a user creates an issue. Then an attacker can create an issue with malicious code in the title, and the code will be executed when this workflow runs. The attacker only needs to do a small amount of trickery, such as wrapping a command in backtick characters in the title: <code>`touch pwned.txt`</code>. Furthermore, this code will run using the permissions granted to the workflow, permissions the attacker is otherwise unlikely to have.</p>
<p>This is the root of the actions workflow injection. The biggest issues with actions workflow injections are awareness that this is a problem and finding all the instances that could lead to this vulnerability.</p>
<h2 class="wp-block-heading" id="how-to-proactively-protect-your-code">How to proactively protect your code</h2>
<p>As stated earlier, it’s easier to prevent a vulnerability from appearing than it is to catch it after the fact. To that end, there are a few things that you should keep in mind while writing your code to help protect yourself from actions workflow injections.</p>
<p>While these are valuable tips, remember that even if you follow all of these guidelines, it doesn’t guarantee that you’re completely protected.</p>
<h3 class="wp-block-heading" id="use-environment-variables">Use environment variables</h3>
<p>Remember that the actions workflow injections happen as a result of expanding what should be treated as untrusted input. When it is inserted into your workflow, if it contains malicious code, it changes the intended behavior. Then when the workflow triggers and executes, the attacker’s code runs.</p>
<p>One solution is to avoid using the <code>${{}}</code> syntax in workflow sections like <code>run</code>. Instead, expand the untrusted data into an environment variable and then use the environment variable when you are running the workflow. If you consider our example above, this would change to the following.</p>
<pre class="wp-block-code language-plaintext"><code>- name: print title
  env:
    TITLE: ${{ github.event.issue.title }}
  run: echo "$TITLE"</code></pre>
<p>This won’t make the input trusted, but it will help to protect you from some of the ways attackers could take advantage of this vulnerability. We encourage you to do this, but still remember that this data is untrusted and could be a potential risk.</p>
<h3 class="wp-block-heading" id="the-principle-of-least-privilege-is-your-best-friend">The principle of least privilege is your best friend</h3>
<p>When an actions workflow injection triggers, it runs with the permissions granted to the workflow. You can specify what permissions workflows have by <a href="https://docs.github.com/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions">setting the permissions for the workflow’s GITHUB_TOKEN</a>. For this reason, it’s important to make sure that your workflows are only running with the lowest privilege levels they need in order to perform duties. Otherwise, you might be giving an attacker permissions you didn’t intend if they manage to inject their code into your workflow.</p>
<h3 class="wp-block-heading" id="be-cautious-with-pull_request_target">Be cautious with <code>pull_request_target</code></h3>
<p>The impact is usually much more devastating when injection happens in a workflow that is triggered on <code>pull_request_target</code> than on <code>pull_request</code>. There is a significant difference between the <code>pull_request</code> and <code>pull_request_target</code> workflow triggers.</p>
<p>When a workflow using the <code>pull_request</code> trigger runs from a fork, it is denied write permissions and secrets access on the target repository by default, in order to help prevent unauthorized access and protect your repository. Note that when the workflow is triggered from a branch in the same repository, it has access to secrets and potentially has write permissions.</p>
<p>By contrast, the <code>pull_request_target</code> workflow trigger gives the workflow writer the ability to release some of the restrictions. While this is important for some scenarios, it does mean that by using <code>pull_request_target</code> instead of <code>pull_request</code>, you are potentially putting your repository at a greater risk.</p>
<p>This means you should be using the <code>pull_request</code> trigger unless you have a very specific need to use <code>pull_request_target</code>. And if you are using the latter, you want to take extra care with the workflow given the additional permissions.</p>
<h2 class="wp-block-heading" id="the-problems-not-just-on-main">The problem’s not just on main</h2>
<p>It’s not uncommon to create several branches while developing your code, often for various features or bug fixes. This is a normal part of the software development cycle. And sometimes we’re not the best at remembering to close and delete those branches after merging or after we’ve finished working with them. Unfortunately, these branches are still a potential vulnerability if you’re using the <code>pull_request_target</code> trigger.</p>
<p>An attacker can target a workflow that runs on a pull request in a branch, and still take advantage of this exploit. This means that you can’t just assume your repository is safe because the workflows against your <code>main</code> branch are secure. You need to review all of the branches that are publicly visible in your repository.</p>
<h2 class="wp-block-heading" id="what-codeql-brings-to-the-table">What CodeQL brings to the table</h2>
<p><a href="https://codeql.github.com/">CodeQL</a> is GitHub’s code analysis tool that provides automated security checks against your code. The specific feature of CodeQL that is most relevant here is <a href="https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql">the code scanning feature</a>, which can provide feedback on your code and help identify potential security vulnerabilities. We recently <a href="https://github.blog/changelog/2025-04-22-github-actions-workflow-security-analysis-with-codeql-is-now-generally-available/">made the ability to scan GitHub Actions workflow files generally available</a>, and you can use this feature to look for several types of vulnerabilities, such as potential actions workflow injection risks. </p>
<p>One of the reasons CodeQL is so good at finding where untrusted data might be used is because of taint tracking. We <a href="https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/#taint-tracking-is-key">added taint tracking to CodeQL</a> for actions late last year. With taint tracking, CodeQL tracks where untrusted data flows through your code and identifies potential risks that might not be as obvious as the previous examples.</p>
<p>Enabling CodeQL to scan your actions workflows is as easy as <a href="https://docs.github.com/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning">enabling CodeQL code scanning with the default setup</a>, which automatically includes analyzing actions workflows and will run on any <a href="https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches">protected branch</a>. You can then check for the code scanning results to identify potential risks and start fixing them. </p>
<p>If you’re already using <a href="https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning">the advanced setup for CodeQL</a>, you can add support for scanning your actions workflows by adding the <code>actions</code> language to the target languages. These scans will be performed going forward and help to identify these vulnerabilities.</p>
<p>While we won’t get into it in this blog, it’s important to know that CodeQL code scanning runs several queries—it’s not just good at finding actions workflow injections. We encourage you to give it a try and see what it can find. </p>
<p>While CodeQL is a very effective tool—and it is really good at finding this specific vulnerability—it’s still not going to be 100% effective. Remember that no tool is perfect, and you should focus on keeping a security mindset and taking a critical eye to your own code. By keeping this in the forefront of your thoughts, you will be able to develop more secure code and help prevent these vulnerabilities from ever appearing in the first place.</p>
<h2 class="wp-block-heading" id="future-steps">Future steps</h2>
<p>Actions workflow injections are known to be one of the most prevalent vulnerabilities in repositories available on GitHub. However, they are relatively easy to address. The biggest issues with eliminating this vulnerability are simply being aware that they’re a problem and discovering the possible weak spots in your code.</p>
<p>Now that you’re aware of the issue, and have CodeQL on your side as a useful tool, you should be able to start looking for and fixing these vulnerabilities in your own code. And if you keep the proactive measures in mind, you’ll be in a better position to prevent them from occurring in future code you write.</p>
<p>If you’d like to learn more about actions workflow injections, we previously published <a href="https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/">a four-part series about keeping your actions workflows secure</a>. The <a href="https://securitylab.github.com/resources/github-actions-untrusted-input/">second part</a> is specifically about actions workflow injections, but we encourage you to give the entire series a read.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Need some help searching through your code to look for potential vulnerabilities?</strong> <a href="https://docs.github.com/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning">Set up code scanning</a> in your project today.</p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/">How to catch GitHub Actions workflow injections before attackers do</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89525</post-id>
</item>
<item>
<title>For the Love of Code: a summer hackathon for joyful, ridiculous, and wildly creative projects</title>
<link>https://github.blog/open-source/for-the-love-of-code-2025/</link>
<dc:creator><![CDATA[Lee Reilly]]></dc:creator>
<pubDate>Wed, 16 Jul 2025 15:00:00 +0000</pubDate>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[Open Source]]></category>
<category><![CDATA[hackathon]]></category>
<guid isPermaLink="false">https://github.blog/?p=87995</guid>
<description><![CDATA[<p>That idea you've been sitting on? The domain you bought at 2AM? A silly or serious side project? This summer, we invite you to build it — for the joy, for the vibes, For the Love of Code 🧡</p>
<p>The post <a href="https://github.blog/open-source/for-the-love-of-code-2025/">For the Love of Code: a summer hackathon for joyful, ridiculous, and wildly creative projects</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p>Code isn’t just for solving problems. It’s also for exploring ideas, expressing creativity, and building something just because it sparks joy.</p>
<p><strong>For the Love of Code</strong> is a global, summer-long hackathon for developers of all experience levels to build the project they’ve been thinking about but haven’t had a reason to start. Whether it’s a web app, CLI tool, game, AI exploration, or a creative experiment, this is your invitation to build for the fun of it — solo, with friends, or alongside GitHub Copilot.</p>
<h2 class="wp-block-heading" id="h-when">When</h2>
<p><strong>For the Love of Code will run from July 16 to September 22, 2025.</strong></p>
<p class="is-typography-preset-h2">What you could win</p>
<ul class="wp-block-list">
<li>Internet immortality: Top entries will be featured on the GitHub blog</li>
<li>12 months of GitHub Copilot Pro+ for winners in each category</li>
<li>Glory, vibes, and an excellent excuse to finally build that thing</li>
</ul>
<p>The real prize is working on something you love.</p>
<h2 class="wp-block-heading is-typography-preset-h2">What can you build?</h2>
<p>Anything you want! We’ll be picking winners in six highly scientific categories. Each one is outlined below with inspiration to spark ideas and <a href="https://xkcd.com/356/">nerd-snipe</a> you into action 🎯</p>
<p class="is-typography-preset-h3">Category 1: Buttons, beeps, and blinkenlights</p>
<p><img decoding="async" style="width: 150px;float: right;margin-left: 10px" src="https://github.blog/wp-content/uploads/2025/07/1-beeps.png" alt="An illustration of a retro computer screen with Mona walking across">If it lights up, makes noise, or looks like it escaped from a 1998 RadioShack, it belongs here. Hardware hacks (real or simulated) that blink, beep, buzz, or surprise. Think interactive, physical, tactile, and just a little chaotic. Examples:</p>
<ul class="wp-block-list">
<li>A traffic light that displays your build status</li>
<li>A soldered-together sidekick that yells “LGTM!” every time your tests pass</li>
<li><a href="https://github.com/HarryHighPants/esp32-git-contributions-epd"><strike>An e-ink screen displaying your contribution graph</strike></a> – oops, this has already shipped!</li>
<li><a href="https://github.com/hasibzunair/boss-detector"><strike>A hack to make your screen display actual work when the webcam detects your boss approaching</strike></a></li>
<li><a href="https://github.com/veggiedefender/open-and-shut"><strike>A laptop opening and closing-powered morse code generator</strike></a></li>
<li><a href="https://github.com/orhun/tuitar"><strike>A Rust project that visualizes guitar notes on an ESP32 T-Display ♩ ♪ ♫ ♬</strike></a></li>
</ul>
<p class="is-typography-preset-h3">Category 2: Agents of change</p>
<p><img decoding="async" style="width: 150px;float: right;margin-left: 10px" src="https://github.blog/wp-content/uploads/2025/07/2-agents.png" alt="An illustration GitHub Copilot with one of their eyes replaced with a heart">AI-powered experiences, agents, or old-fashioned bots that help, hinder, or hilariously misunderstand you. Whether it’s helping automate workflows, critiquing your code like a judgmental coworker, or pretending to be your sentient toaster, this is your playground for all things assistant-y and absurd. Examples:</p>
<ul class="wp-block-list">
<li>An LLM-powered changelog writer that wildly over-dramatizes every update. “Fixed minor bug” → “Vanquished a lurking menace that corrupted the sacred login flow.”</li>
<li>An agent that reviews PRs like a sarcastic senior dev, an overly nice intern, or a concerned parent: “Are you sure this function needs to be this recursive?”</li>
<li><a href="https://github.com/Nutlope/billsplit"><s>An AI-assisted app to help split your restaurant bills</s></a></li>
<li><a href="https://github.com/MetzinAround/shania"><s>A Shania Twain Slack or Discord bot to inspire</s></a><em> (Editor’s note: That don’t impress me much!)</em></li>
</ul>
<p class="is-typography-preset-h3">Category 3: Terminal talent</p>
<p><img decoding="async" style="width: 150px;float: right;margin-left: 10px" src="https://github.blog/wp-content/uploads/2025/07/3-cli.png" alt="An illustration of a terminal with a familiar duck character">Command-line tools, extensions, and TUI projects that are clever, useful, or just plain fun. Serious utilities with personality, beautifully crafted interfaces, or quirky scripts that make your terminal feel more alive all belong here. If it runs in the shell and makes you smile, it belongs here. Examples:</p>
<ul class="wp-block-list">
<li>A command-line karaoke machine.</li>
<li>A GitHub CLI extension that gives your daily horoscope and outlook based on issues and pull requests.</li>
<li>An interactive tool to automate that one thing that you’ve been meaning to automate for years.</li>
<li><a href="https://github.com/jmhobbs/terminal-parrot"><s>An animated party parrot for your terminal</s></a></li>
<li><a href="https://github.com/cjlangan/MechSim"><s>A mechanical keyboard sound simulator</s></a></li>
</ul>
<p class="is-typography-preset-h3">Category 4: Game on</p>
<p><img decoding="async" style="width: 150px;float: right;margin-left: 10px" src="https://github.blog/wp-content/uploads/2025/07/4-game.png" alt="An illustration of a blocktacular arcade cabinet of some sort... that kinda resembles Hubot">Code is your controller. Build something playable, puzzling, or just plain fun. This category is for interactive experiences of all kinds, like prototyping a game idea, remixing mechanics, or mashing up genres. Think nostalgic, clever, or completely original. Fun first, functional close behind. Examples:</p>
<ul class="wp-block-list">
<li>A retro-style arcade game inspired by the classics you grew up playing.</li>
<li>An adventure game with AI-generated plot twists, NPCs, and side quests.</li>
<li><a href="https://github.itch.io/dodled-jump"><s>A vibe-coded vertical jumper built with and featuring your favorite Copilot.</s></a></li>
<li><a href="https://github.itch.io/flappy-mona"><s>Yet another Flappy Bird clone, but with Octocats</s></a></li>
<li><a href="https://github.com/sergiubucur/falling-through-code"><s>A vertical scroller where you fall through real lines of GitHub code</s></a></li>
</ul>
<p class="is-typography-preset-h3">Category 5: World wide wonders</p>
<p><img decoding="async" style="width: 150px;float: right;margin-left: 10px" src="https://github.blog/wp-content/uploads/2025/07/5.png" alt="An illustration of browser window with one of Mona's arms coming through">Any web project that makes people smile, think, learn, or click “view source” belongs here. Whether it’s your first HTML experiment, a polished tool you’ve been meaning to ship, or a playful side project that does something surprisingly useful, this is your space. Educational, delightful, impressive, or just plain fun, all kinds of web builds are welcome. Examples:</p>
<ul class="wp-block-list">
<li>A web app that takes a GitHub username and roasts them based on their contributions, commit messages, and questionable emoji use 🪄 📟 🦴 💾 🫠.</li>
<li>A nostalgic 90s-style site that loads like it’s on dial-up, complete with pixel art loading bars, pop-up ads, a guestbook, and that dancing baby GIF.</li>
<li><a href="https://github.com/rauchg/doom-captcha"><s>A CAPTCHA that requires you to kill baddies in Doom</s></a></li>
<li><a href="https://github.com/ChrisPirillo/alien-computer"><s>An interactive, randomized retro sci-fi dashboard with an alien aesthetic</s></a><s> Qapla’</s></li>
</ul>
<p class="is-typography-preset-h3">Category 6: Everything but the kitchen sink</p>
<p><img decoding="async" style="width: 150px;float: right;margin-left: 10px" src="https://github.blog/wp-content/uploads/2025/07/6-wildcard.png" alt="An illustration of a retro computer screen featuring a joker card">Too niche? Too specific? Hard to categorize? Perfect. This is your wild card category for all the creative projects that don’t fit neatly anywhere else. Think extensions, plugins, tools, GitHub Actions, or prototypes that turned into something unexpectedly useful. Practical, playful, or just uniquely yours, we want to see it all. Examples:</p>
<ul class="wp-block-list">
<li>A Git hook that plays sitcom laugh tracks when you commit. </li>
<li>A VS Code extension that gives your functions Yelp-style reviews.</li>
<li>A GitHub Action that refuses to deploy if your team hasn’t merged a PR with a positive emoji in the title that week.</li>
<li>A rewrite of something in Rust for the sake of it.</li>
<li><strike><a href="https://github.com/tonybaloney/vscode-pets">A VS Code extension to bring pets into your editor</a></strike></li>
<li>YOUR AMAZING IDEA GOES HERE!</li>
</ul>
<p>Make it wildly useful, or just plain weird. As long as it brings you joy.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--1" style="border-top-width:4px">
<h2 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-not-sure-where-to-start-ask-github-copilot" style="margin-top:0">Not sure where to start? Ask GitHub Copilot!</h2>
<p>You don’t have to build alone.</p>
<p>GitHub Copilot isn’t just for autocomplete, it’s a creative partner that can riff with you, brainstorm ideas, explain what your code is actually doing, and more. Ask it things like:</p>
<p><em>“Give me five fun and creative coding projects I can complete in a weekend.”</em></p>
<p><em>“Help me create a Git hook that plays sitcom laugh tracks when you commit.”</em></p>
<p>And if you want to take it further…</p>
<p>We may feature standout projects that make especially creative use of Copilot, including Agent mode. It’s not required for participation, but we’ll definitely be keeping an eye out.</p>
<p>Copilot can’t wait to get started with you! <3</p>
<figure class="wp-block-image size-full is-resized"><img data-recalc-dims="1" decoding="async" width="500" height="631" src="https://github.blog/wp-content/uploads/2025/05/leereilly-copilot.gif?resize=500%2C631" alt="An excited GitHub Copilot jumping." class="wp-image-89327" style="width:100px" /></figure>
</aside>
<p class="is-typography-preset-h2">Who can participate?</p>
<p>Students, maintainers, weekend tinkerers, creative coders, <s>salty</s> seasoned pros, and curious beginners. Solo or squad. First-timer or frequent flyer. If you write code…or want to… it’s for you.</p>
<p class="is-typography-preset-h2">How to join</p>
<ol class="wp-block-list">
<li>Spend an afternoon or the whole summer. Build something joyful: solo, with friends, or with Copilot.</li>
<li>Push your code to a public GitHub repository by 11:59 p.m. Anywhere on Earth (AoE) on September 22, 2025*.</li>
<li>Submit your entries via the <a href="https://gh.io/ftloc-submit">official submission form</a>.</li>
</ol>
<p>* <em>Editor’s note: We suspect Lee picked this deadline to avoid doing time zone math, and so he’d never have to explain daylight saving time again. Respect.</em></p>
<p>Tag your progress with <code>#ForTheLoveOfCode</code> and we’ll feature our favorites on social and <a href="https://github.com/explore">GitHub Explore</a> page!</p>
<h2 class="wp-block-heading is-typography-preset-h2">Rules</h2>
<p>The short and sweet version:</p>
<ul class="wp-block-list">
<li>The use of open source is encouraged!</li>
<li>The use of GitHub Copilot is encouraged, but optional.</li>
<li>Submit up to 42 projects. (Don’t ask why. You know why.)</li>
<li>Your project must be in a public GitHub repo with a clear README.</li>
</ul>
<p>Please see complete <a href="https://github.blog/wp-content/uploads/2025/07/ftloc-final.pdf">terms and conditions</a>.</p>
<p>We know… “terms and conditions” sounds like the least fun part of a joyful code challenge. But if you’re submitting a project or hoping for a prize, take a second to read the <a href="https://github.blog/wp-content/uploads/2025/07/ftloc-terms.pdf">official rules</a>. Future-you will thank you.<br><br>We’re building a space that’s creative, collaborative, and welcoming to all. Please be excellent to each other. See our <a href="https://docs.github.com/en/site-policy/github-terms/github-community-code-of-conduct">Code of Conduct</a>.</p>
<p class="is-typography-preset-h2">Judging</p>
<p>A panel of <a href="https://stars.github.com/">GitHub Stars</a>, <a href="https://github.com/education/students">Campus Experts</a>, and staff will evaluate entries based on joyfulness, execution, technical difficulty, ingenuity, and relevance to the category. Bonus points (figuratively) for unexpected use of GitHub Copilot.</p>
<p>We’ll pick three winners from each category and announce the winners by October 22, 2025 on the GitHub blog. But honestly? If it makes you smile, you’ve already won.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--2" style="border-top-width:4px">
<h2 class="wp-block-heading">New to Git, GitHub, and/or GitHub Copilot?</h2>
<p>For the Love of Code is the perfect opportunity to check them out (version control pun intended)!</p>
<ul class="wp-block-list">
<li><a href="https://git-scm.com/doc">Git Documentation</a>: Learn everything about version control and how to get started.</li>
<li><a href="https://docs.github.com/en">GitHub Docs</a>: Explore tutorials and FAQs about GitHub.</li>
<li><a href="https://github.com/features/copilot">GitHub Copilot</a>: Find out more about AI that builds with you and loves code as much as you.</li>
<li><a href="https://github.com/orgs/community/discussions/">GitHub Community Forum</a>: This is a great place to ask questions and share answers.</li>
</ul>
</aside>
<p class="is-typography-preset-h2">Frequently asked questions</p>
<details>
<summary><img src="https://s.w.org/images/core/emoji/16.0.1/72x72/1f4a1.png" alt="💡" class="wp-smiley" style="height: 1em; max-height: 1em;" /> General participation</summary>
<ul>
<li><strong>Can I work with a team?</strong><br>Yes! Solo or squad… your choice. GitHub Copilot makes a great pair (or peer) programmer. Limit your team to no more than 10 people.</li>
<li><strong>How many times can I enter?</strong><br>Up to 42 times. Don’t ask why. You know why.</li>
<li><strong>Who can participate?</strong><br>Anyone 13 years of age or older with a GitHub account except where prohibited by law. See official rules for regional restrictions.</li>
<li><strong>How much time should I spend?</strong><br>As much or as little as you like. Vibe code your project in an afternoon, build over a weekend, or stretch it out across the summer.</li>
<li><strong>I’m new to GitHub/Git/Copilot. Can I still join?</strong><br>Absolutely. This is a great excuse to dive in! We’ve linked beginner-friendly docs and tutorials to help you get started.</li>
<li><strong>Can I edit my project after the deadline?</strong><br>You can keep working on your repo forever — but for judging, we’ll look at the state of your project as of 11:59 p.m. AoE on September 22. If you want to keep improving it afterward, go for it! Just be sure the version you want judged is in place by the deadline.</li>
<li><strong>I submitted the form but made a typo. Can I fix it?</strong><br>Yes! You can submit the form again with corrected info. We’ll just review the latest one. No need to email us in a panic.</li>
</ul>
</details>
<details>
<summary><img src="https://s.w.org/images/core/emoji/16.0.1/72x72/1f6e0.png" alt="🛠" class="wp-smiley" style="height: 1em; max-height: 1em;" /> Projects and tools</summary>
<ul>
<li><strong>Can I reuse an old idea or prototype?</strong><br>Yes, as long as your project is built (or rebuilt) during the hackathon window. Forking, remixing, and using boilerplate is encouraged.</li>
<li><strong>Can I use paid tools, licensed software, or APIs?</strong><br>Yes! Just note any dependencies or subscriptions in your README. Do not commit sensitive info like API keys.</li>
<li><strong>Can I use GitHub Copilot?</strong><br>Yes! Copilot is optional, but encouraged. It’s great for riffing, prototyping, debugging, or naming your weird project.</li>
<li><strong>Can I submit something that’s not a traditional software project?</strong><br>Sure! If it involves code — hardware hacks, interactive art, generative anything — it counts. Just host it (or as much as you can) in a public GitHub repo.</li>
</ul>
</details>
<details>
<summary><img src="https://s.w.org/images/core/emoji/16.0.1/72x72/1f680.png" alt="🚀" class="wp-smiley" style="height: 1em; max-height: 1em;" /> Submission and deadlines</summary>
<ul>
<li><strong>Is there anything I shouldn’t build?</strong><br>Keep it respectful, safe, and fun. No NSFW content, hateful speech, or projects that violate GitHub’s Code of Conduct. Weird is good. Harmful isn’t.</li>
<li><strong>When is the deadline?</strong><br>All entries must be submitted by 11:59 p.m. (anywhere on Earth, or UTC−12) on September 22, 2025 (“Entry Period”). Submissions accepted until it’s no longer September 22 anywhere on the planet. Off-planet submissions discouraged.</li>
<li><strong>Do I need to share the source code?</strong><br>Yes. Submissions must be in a public GitHub repo. You can license your work however you like (see Choose a License).</li>
<li><strong>What should I include in my README?</strong><br>Mention any tools, dependencies, paid services, or setup instructions. The better your README, the better we can appreciate your work! Please consider applying the <a href="https://github.com/topics/fortheloveofcode">#ForTheLoveOfCode Topic</a> to your repo and adding screenshots, too.</li>
</ul>
</details>
<details>
<summary><img src="https://s.w.org/images/core/emoji/16.0.1/72x72/1f3c6.png" alt="🏆" class="wp-smiley" style="height: 1em; max-height: 1em;" /> Judging and prizes</summary>
<ul>
<li><strong>Who’s judging this?</strong><br>A panel of GitHub Stars, Campus Experts, and staff.</li>
<li><strong>How are winners selected?</strong><br>We’re looking for joyful, clever, and creative projects. Bonus points (figuratively) for unexpected uses of GitHub Copilot.</li>
<li><strong>What if I win more than one category? Do I get multiple prizes?</strong><br>That’d be amazing! But to keep things fair, we’ll likely award each participant one prize max. You’ll still get shoutouts for your other awesome entries.</li>
<li><strong>I don’t want the prize. Can I still participate or be featured?</strong><br>Definitely. Just let us know if you’re opting out of the prize; we’ll still celebrate your project like the internet legend you are.</li>
<li><strong>Is there cash money involved?</strong><br>Nope. But there’s Copilot Pro+, blog fame, and eternal internet glory.</li>
<li><strong>How do you define “best use of Copilot” or “surprise awards”?</strong><br>We’re keeping it loose and fun. If you do something clever, hilarious, or surprisingly useful with Copilot, we’ll take note. Same goes for standout docs, vibes, or chaos energy. Surprise us!</li>
</ul>
</details>
<details>
<summary><img src="https://s.w.org/images/core/emoji/16.0.1/72x72/1f5bc.png" alt="🖼" class="wp-smiley" style="height: 1em; max-height: 1em;" /> Media, demos, and showcasing</summary>
<ul>
<li><strong>Do I need a video or demo?</strong><br>Not required, but highly encouraged! GIFs, screenshots, or short videos help bring your project to life. They also increase your chances of getting noticed and being featured.</li>
<li><strong>Can I host my demo outside GitHub (e.g. itch.io, Vercel)?</strong><br>Yes! Just include the link in your README or submission form. We still need the project code in a public GitHub repo.</li>
<li><strong>Will projects be shown on livestreams, social, or at GitHub Universe?</strong><br>Maybe! Submitting gives us permission to showcase your project if it’s selected. We’ll always give credit.</li>
</ul>
</details>
<p>Something not covered here? Please ask in the <a href="https://github.com/orgs/community/discussions/166366">community discussion</a>.</p>
<p>The post <a href="https://github.blog/open-source/for-the-love-of-code-2025/">For the Love of Code: a summer hackathon for joyful, ridiculous, and wildly creative projects</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">87995</post-id> </item>
<item>
<title>From chaos to clarity: Using GitHub Copilot agents to improve developer workflows</title>
<link>https://github.blog/ai-and-ml/github-copilot/from-chaos-to-clarity-using-github-copilot-agents-to-improve-developer-workflows/</link>
<dc:creator><![CDATA[Chris Reddington]]></dc:creator>
<pubDate>Tue, 15 Jul 2025 16:00:00 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[coding agent]]></category>
<category><![CDATA[Rubber Duck Thursdays]]></category>
<guid isPermaLink="false">https://github.blog/?p=89531</guid>
<description><![CDATA[<p>Explore how you can set Copilot coding agent up for success with custom instruction and Copilot setup steps.</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/from-chaos-to-clarity-using-github-copilot-agents-to-improve-developer-workflows/">From chaos to clarity: Using GitHub Copilot agents to improve developer workflows</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Modern development often starts with good intentions: a quick script, a prototype, maybe an action to automate one small thing. But as projects evolve, those early efforts can become brittle. What if you could bring clarity and structure to those projects without slowing down your momentum?</p>
<p>This tutorial shows how we used <strong>GitHub Copilot coding agent</strong> to refactor and enhance a personal GitHub Actions project called <a href="https://github.com/chrisreddington/validate-file-exists"><code>validate-file-exists</code></a>. What started as a patchwork utility became well-structured, test-covered, documented, and set up for success with Copilot agent mode and coding agent.</p>
<p>Using my project as the example, we’ll walk through:</p>
<ul class="wp-block-list">
<li>Updating <a href="https://docs.github.com/copilot/how-tos/custom-instructions/adding-repository-custom-instructions-for-github-copilot">Copilot custom instructions</a> for better task alignment.</li>
<li>Creating the <a href="https://docs.github.com/copilot/how-tos/agents/copilot-coding-agent/customizing-the-development-environment-for-copilot-coding-agent"><code>copilot-setup-steps.yaml</code></a> file to give the coding agent the needed tools in its environment.</li>
<li>Working with Copilot to identify technical debt.</li>
<li>Collaborating with Copilot in pull requests.</li>
<li>Partnering with Copilot to iteratively improve the UI on a separate project.</li>
</ul>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe title="Rubber Duck Thursdays - Let's build with agents" width="500" height="281" src="https://www.youtube.com/embed/fWsj8caUPt0?list=PL0lo9MOBetEEkxEQuYjIvrCbJTrsvRj36" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h2 class="wp-block-heading" id="h-the-github-action-that-started-it-all">The GitHub Action that started it all</h2>
<p>Back in November 2024, I created a small GitHub Action called <a href="https://github.com/chrisreddington/validate-file-exists"><code>validate-file-exists</code></a>. I wanted to ensure certain files (like a <code>dependabot.yml</code> file, or <code>.github/copilot-instructions.md</code>) were present in a repository. If not, then the GitHub Actions workflow would fail. It supported comma-separated inputs and was meant to be part of a larger “baseline” of quality gates I use across projects.</p>
<p>It was functional, but I could have improved it further. It was missing docs, had inconsistent metadata, some gaps in input validation, and didn’t have Copilot custom instructions or Copilot setup steps to help set Copilot up for success. Time to fix that—with help from Copilot agent mode in VS Code.</p>
<h2 class="wp-block-heading" id="h-step-one-improve-custom-instructions">Step one: Improve custom instructions</h2>
<p>Before bringing in the agent, I reviewed the existing <code>copilot-instructions.md</code>. It was sparse, without any description of the repository’s purpose, usage, or structure, nor any clear guidance for Copilot.</p>
<h3 class="wp-block-heading" id="h-action">Action:</h3>
<p>I based the instructions on the <a href="https://docs.github.com/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks#adding-custom-instructions-to-your-repository">best practices for using Copilot to work on tasks</a>: I provided the sample custom instructions file in my prompt and asked Copilot to update it based on the codebase. In other words, I wanted it to provide:</p>
<ul class="wp-block-list">
<li>A clear summary of the repository/codebase and what the action does.</li>
<li>Contribution guidelines (how to build, format, lint, and test the codebase, including expectations before committing).</li>
<li>Project structure overview.</li>
<li>Key technical principles (strict TypeScript, incorporating TSDoc, and focused and manageable functions).</li>
</ul>
<h3 class="wp-block-heading" id="h-result-nbsp">Result: </h3>
<p>Copilot had the right context on my expectations to guide it toward meaningful contributions. You can find the <a href="https://github.com/chrisreddington/validate-file-exists/blob/main/.github/copilot-instructions.md">latest version here</a>, but here’s a snapshot below:</p>
<pre class="wp-block-code language-plaintext"><code># Validate File Exists Action

This is a TypeScript-based GitHub Action that validates whether specified files
exist in a repository. It takes a comma-separated list of files and validates
their existence, failing the workflow if any files are missing. Please follow
these guidelines when contributing:

## Code Standards

### Required Before Each Commit
- Run `npm run format:write` to ensure consistent code formatting with Prettier
- Run `npm run lint` to check for ESLint violations
- Run `npm run test` to ensure all tests pass
- Run `npm run local-action` to test the action locally with a `.env` file

### Development Flow
- Build: `npm run package` (compiles TypeScript and bundles with ncc)
- Test: `npm run test` or `npm run ci-test`
- Coverage: `npm run coverage` (generates coverage badge)
- Full check: `npm run all` (format, lint, test, coverage, package)
- Local testing: `npm run local-action` (test action locally with .env file)

## Repository Structure
- `src/`: Core TypeScript source code
  - `main.ts`: Main entry point and action orchestration
  - `fileValidator.ts`: Core file validation logic
  - `index.ts`: Action entrypoint that calls run()
  - `types.ts`: TypeScript type definitions
- `__tests__/`: Jest unit tests for all source files
- `dist/`: Compiled and bundled JavaScript output (generated)
- `action.yml`: GitHub Action metadata and interface definition
- `script/`: Release automation scripts
- `badges/`: Generated coverage and status badges

## Key Guidelines
1. Follow TypeScript strict mode and best practices
1. Use clear, descriptive variable and function names
1. Add TSDoc comments for all public methods and classes
1. Write comprehensive unit tests using Jest for all new functionality
1. Keep functions focused and manageable (generally under 50 lines)
1. Use consistent error handling with @actions/core.setFailed()
1. Validate inputs and provide meaningful error messages
1. Use @actions/core for all GitHub Actions integrations (inputs, outputs,
   logging)
1. Maintain backwards compatibility for action inputs/outputs</code></pre>
<h2 class="wp-block-heading" id="step-two-add-copilot-setup-steps-yaml">Step two: Add copilot-setup-steps.yaml</h2>
<p>Like any of us developers, Copilot coding agent needs a proper environment to work. That means setting up any required frameworks, installing dependencies, and making sure Copilot has access to the right tools to get the job done.</p>
<h3 class="wp-block-heading" id="action">Action:</h3>
<p>I created <code>.github/copilot-setup-steps.yaml</code> using the GitHub docs on <a href="https://docs.github.com/copilot/how-tos/agents/copilot-coding-agent/customizing-the-development-environment-for-copilot-coding-agent#preinstalling-tools-or-dependencies-in-copilots-environment">customizing the development environment for Copilot coding agent</a>. The example checks out the code, sets up Node.js, and installs the needed dependencies. Given this is a TypeScript action, that’s pretty much all I needed!<br><br>I made one minor change to the workflow: changing the node-version to be sourced from the <code>.node-version</code> file, to be consistent <a href="https://github.com/chrisreddington/validate-file-exists/blob/main/.github/workflows/ci.yml">with my CI workflow</a>: </p>
<pre class="wp-block-code language-plaintext"><code>- name: Setup Node.js
  id: setup-node
  uses: actions/setup-node@v4
  with:
    node-version-file: .node-version
    cache: npm</code></pre>
<h3 class="wp-block-heading" id="result">Result:</h3>
<p>Copilot coding agent has the needed dependencies and tools to build, lint, and test the codebase. As it makes changes to the codebase, it will be able to check for quality (as requested in our custom instructions) using the tools that were installed in the <code>copilot-setup-steps.yml</code>.</p>
<h2 class="wp-block-heading" id="step-three-let-copilot-find-technical-debt">Step three: Let Copilot find technical debt</h2>
<p>With the setup steps and custom instructions in place, it was time to find a task. So of course, I turned to Copilot. Using Copilot Chat in VS Code, we asked Copilot:</p>
<p>“What technical debt exists in this project? Please give me a prioritized list of areas we need to focus on. I would like to create a GitHub Issue with the top 2 or 3 items. Please include a brief problem statement, a set of acceptance criteria, and pointers on what files need to be added/updated.”</p>
<p>Within minutes, it explored the codebase and came back with a list of suggestions:</p>
<ul class="wp-block-list">
<li>Inconsistent package metadata.</li>
<li>README mismatches (wrong input names).</li>
<li>No validation for empty or malformed inputs.</li>
</ul>
<p>Notice how we asked for a problem statement, acceptance criteria, and guidance on the files to add/update? These come from the <a href="https://docs.github.com/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks#making-sure-your-issues-are-well-scoped">best practices for using Copilot to work on tasks</a>. In other words, make sure your issues are well-scoped!</p>
<h3 class="wp-block-heading" id="action">Action:</h3>
<p>I asked Copilot to write an issue that addresses those three items. Once I created the issue, I assigned it to Copilot.</p>
<h2 class="wp-block-heading" id="h-step-four-copilot-coding-agent-in-action">Step four: Copilot coding agent in action</h2>
<p>Once assigned, the agent kicked off a new pull request. Here’s what it did, asynchronously:</p>
<ul class="wp-block-list">
<li>Explored the contents of the repository to build up its understanding of the problem.</li>
<li>Created a plan based on its exploration.</li>
<li>Fixed the <code>package.json</code> name, description, URLs, and author field.</li>
<li>Updated the README usage examples to match the code.</li>
<li>Added input validation logic:
<ul class="wp-block-list">
<li>Reject empty or whitespace-only strings.</li>
<li>Reject inputs that are just commas.</li>
</ul>
</li>
<li>Wrote four new tests for these edge cases.</li>
<li>Confirmed linting, formatting, and coverage were intact.</li>
<li>Updated the pull request body with a checklist of work completed.</li>
</ul>
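<p>To make the input validation above concrete, here is an added TypeScript example (not code from the <code>validate-file-exists</code> repository) of what a parser for the action’s comma-separated file list needs to do: reject empty or whitespace-only input, reject input that is nothing but commas, and then report which of the named files are missing. The function names are hypothetical; file-system access is injected as a predicate so the logic runs without touching the disk, and the path-containment check at the end goes beyond what the post describes.</p>

```typescript
// Added example, not the project's own code. Pure validation logic for a
// comma-separated `files` input, as described in the post. In the real action
// the predicate would wrap fs.existsSync and the error message would be passed
// to core.setFailed() from @actions/core (omitted here so the block runs stand-alone).
import * as path from "path";

// Error type for rejected input; its message is what a user would see in the workflow log.
class InputValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "InputValidationError";
  }
}

interface ValidationResult {
  checked: string[]; // paths that were looked up, in input order, de-duplicated
  missing: string[]; // subset of `checked` that the predicate reported absent
}

/**
 * Parse the raw `files` input into a clean list of repository-relative paths.
 * Throws InputValidationError with a meaningful message on bad input.
 */
function parseFileList(raw: string): string[] {
  // Case 1 from the post: empty or whitespace-only input.
  if (raw.trim().length === 0) {
    throw new InputValidationError("Input 'files' must not be empty or whitespace-only");
  }
  // Split on commas, trim each entry, and drop the empty ones (",a,,b," style input).
  const entries = raw.split(",").map((e) => e.trim()).filter((e) => e.length > 0);
  // Case 2 from the post: input that is just commas (optionally with whitespace).
  if (entries.length === 0) {
    throw new InputValidationError("Input 'files' contains only commas and no file names");
  }
  // Hypothetical hardening beyond the post: every entry must stay inside the workspace,
  // so absolute paths and any '..' segment after normalisation are rejected.
  for (const entry of entries) {
    const segments = path.normalize(entry).split(/[\\/]/);
    if (path.isAbsolute(entry) || segments.includes("..")) {
      throw new InputValidationError(
        `Input 'files' entry '${entry}' must be a relative path inside the repository`
      );
    }
  }
  // De-duplicate while preserving order so a file is reported once.
  return Array.from(new Set(entries));
}

/** Check each parsed path with the supplied existence predicate. */
function validateFilesExist(files: string[], exists: (p: string) => boolean): ValidationResult {
  const missing = files.filter((f) => !exists(f));
  return { checked: files, missing };
}

/** Parse and check in one call; `ok === false` is what would trigger core.setFailed(). */
function runValidation(raw: string, exists: (p: string) => boolean): { ok: boolean; message: string } {
  const result = validateFilesExist(parseFileList(raw), exists);
  if (result.missing.length > 0) {
    return { ok: false, message: `Missing required files: ${result.missing.join(", ")}` };
  }
  return { ok: true, message: `All ${result.checked.length} required file(s) exist` };
}

// Constructed sample repository listing, used in place of the real file system.
const sampleRepoFiles = new Set([".github/dependabot.yml", ".github/copilot-instructions.md", "README.md"]);
const sampleExists = (p: string): boolean => sampleRepoFiles.has(path.normalize(p));

// Stand-alone run against the constructed sample.
console.log(runValidation(".github/dependabot.yml, README.md", sampleExists).message);
console.log(runValidation("README.md, LICENSE", sampleExists).message);
```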
<p>As I delegated the task to Copilot, it freed me up to explain to the audience what it was doing, and how the Copilot setup steps and instructions work in the context of the agent’s session.</p>
<h3 class="wp-block-heading" id="result">Result:</h3>
<p>Copilot completed all tasks in just over 11 minutes. After a review of the agent’s approach, I approved the CI workflow so that it could run the standard quality checks on the codebase. The workflow failed, but through no fault of Copilot. I had some additional Markdown linting checks in the CI that weren’t in the instructions.</p>
<h2 class="wp-block-heading" id="real-time-debugging-and-linting-fixes">Real-time debugging and linting fixes</h2>
<p>While I could have fixed it manually, it was a good opportunity to show how we can iterate on changes with Copilot. I added a new comment to the pull request, and asked Copilot: </p>
<p>“Our GitHub Action had a linting error for the markdown, can you fix that please?” (Also pasting the error from the GitHub Actions workflow.)</p>
<p>A few minutes later, it updated the code, pushed a new commit, and the pull request passed. And while Copilot was working on my task in the background, I was able to wrap up the stream.</p>
<h2 class="wp-block-heading" id="bonus-making-ui-changes-with-copilot-coding-agent-and-the-playwright-mcp-server">Bonus: Making UI changes with Copilot coding agent and the Playwright MCP server</h2>
<p>While Copilot worked on the initial code changes for the GitHub Action, I showed off a second project: a <a href="https://chrisreddington.com/trend-radar/"><strong>Trend Radar visualisation app</strong></a> (<a href="https://github.com/chrisreddington/trend-radar">here’s the repository</a>) that I built using Next.js and Tailwind CSS.</p>
<h3 class="wp-block-heading" id="problem">Problem:</h3>
<p>Users had to manually input point data into forms. I wanted to:</p>
<ul class="wp-block-list">
<li>Let users click on the radar to place a point.</li>
<li>Enable drag-and-drop repositioning to change a point’s category or likelihood. </li>
</ul>
<h3 class="wp-block-heading" id="solution">Solution:</h3>
<p>I filed a GitHub issue describing the UX, acceptance criteria, and references.</p>
<p>After a few rounds of comments on the pull request, Copilot coding agent:</p>
<ul class="wp-block-list">
<li>Implemented click-to-place logic.</li>
<li>Added drag-and-drop support.</li>
<li>Wrote unit tests.</li>
<li>Took screenshots and attached them to the pull request.</li>
<li>Updated the pull request (and responded with comments) with summaries of the work that had been completed.</li>
</ul>
<p><a href="https://github.blog/changelog/2025-07-02-copilot-coding-agent-now-has-its-own-web-browser/">Playwright is now installed by default</a> with the Copilot coding agent, which lets Copilot validate visual behaviors too.</p>
<h2 class="wp-block-heading" id="final-thoughts">Final thoughts</h2>
<p>This wasn’t just a cleanup session. It was a lesson in modern software collaboration. Copilot coding agent is our new teammate.</p>
<p>By structuring our repositories with context and intent, we invite Copilot to contribute meaningfully.</p>
<p>If you haven’t tried Copilot coding agent yet, think through your existing projects:</p>
<ul class="wp-block-list">
<li>Clean up an old GitHub Action.</li>
<li>Refactor a neglected repository.</li>
<li>Add validations and tests.</li>
</ul>
<p>You might be surprised how much progress you can make in an afternoon.</p>
<ul class="wp-block-list">
<li><a href="https://docs.github.com/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks#adding-custom-instructions-to-your-repository">Write clear, concise <code>copilot-instructions.md</code></a> to steer the agent.</li>
<li><a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/customizing-the-development-environment-for-copilot-coding-agent#preinstalling-tools-or-dependencies-in-copilots-environment">Use <code>copilot-setup-steps.yaml</code></a> to give the agent the tools it needs.</li>
<li><a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks#making-sure-your-issues-are-well-scoped">Setting a clear and well-scoped piece of work</a> is important when working with Copilot.</li>
<li><a href="https://github.blog/changelog/2025-07-02-copilot-coding-agent-now-has-its-own-web-browser/">Copilot now has access to a browser</a>, thanks to the Playwright MCP server – enabling it to interact with web pages, and add screenshots to the pull request.</li>
<li>You don’t have to work on new projects to try out Copilot and its agentic capabilities. Which existing project could you get started on?</li>
</ul>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Ready to explore more?</strong> See <a href="https://github.blog/ai-and-ml/github-copilot/how-the-github-billing-team-uses-the-coding-agent-in-github-copilot-to-continuously-burn-down-technical-debt/">how the GitHub billing team uses the coding agent to continuously burn down technical debt ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/from-chaos-to-clarity-using-github-copilot-agents-to-improve-developer-workflows/">From chaos to clarity: Using GitHub Copilot agents to improve developer workflows</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89531</post-id> </item>
<item>
<title>Code review in the age of AI: Why developers will always own the merge button</title>
<link>https://github.blog/ai-and-ml/generative-ai/code-review-in-the-age-of-ai-why-developers-will-always-own-the-merge-button/</link>
<dc:creator><![CDATA[Elle Shwer]]></dc:creator>
<pubDate>Mon, 14 Jul 2025 16:38:03 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[Generative AI]]></category>
<category><![CDATA[agentic workflows]]></category>
<category><![CDATA[AI agents]]></category>
<category><![CDATA[code review]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<guid isPermaLink="false">https://github.blog/?p=89505</guid>
<description><![CDATA[<p>When it comes to merging code, developers will always make the final decision. But we’re rethinking how tools like GitHub Copilot can help. </p>
<p>The post <a href="https://github.blog/ai-and-ml/generative-ai/code-review-in-the-age-of-ai-why-developers-will-always-own-the-merge-button/">Code review in the age of AI: Why developers will always own the merge button</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>When GitHub first shipped the pull request (PR) back in 2008, it wrapped a plain-text diff in a social workflow: comments, approvals, and a merge button that crucially refused to light up without at least one thumbs up from another developer. That design decision hard-wired accountability into modern software and let maintainers scale far beyond hallway conversations or e-mail patches.</p>
<p>Seventeen years later, just about every “agentic” coding tool, from research demos to enterprise platforms, still funnels its work through that same merge gate. The PR remains the audit log, the governance layer, and the social contract that says nothing ships until a person is willing to own it.</p>
<p>Now that large language models (LLMs) can scaffold projects, file PRs, and even reply to review comments they wrote themselves, the obvious next question is: who is accountable for code that ships when part of it comes from a model?</p>
<p>At GitHub, we think the answer hasn’t fundamentally changed: it’s the developer who hits “Merge.” But what has changed is everything that happens before that click. </p>
<p>In this article, we’ll explore how we’re re-thinking code reviews for a world where developers increasingly work with AI (and how your team can, too). </p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--3" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-what-a-code-review-is-still-for" style="margin-top:0">What a code review is (still) for</h3>
<p>Before diving into AI-assisted reviews, it’s worth revisiting what makes code reviews effective in the first place. A review is far more than a bug hunt. A good review: </p>
<ul class="wp-block-list">
<li>Catches defects and security issues </li>
<li>Ensures high code quality</li>
<li>Shares knowledge across the team and maintains consistency with your codebase’s patterns and standards</li>
<li>Safeguards long-term maintainability </li>
</ul>
<p>AI changes none of that; it only moves the bottlenecks. A model can quickly spot an unused import, but it can’t decide if a new endpoint undermines your privacy stance or if today is the right day to pay down that gnarly abstraction you’ve been avoiding. The merge button still needs (and, in our view, <em>always</em> will need) a developer fingerprint.</p>
<p>For a deeper dive into effective code review practices, <a href="https://github.blog/developer-skills/github/how-to-review-code-effectively-a-github-staff-engineers-philosophy/">check out our guide on reviewing code effectively</a>.</p>
</aside>
<h2 class="wp-block-heading" id="what-we-learned-from-github-copilots-code-review-capabilities">What we learned from GitHub Copilot’s code review capabilities</h2>
<p>Earlier this year, the GitHub Copilot code review team conducted in-depth interviews with developers about their code review process. They also walked us through their code review workflow. These interviews revealed three consistent patterns:</p>
<ol class="wp-block-list">
<li><strong>No special treatment for AI:</strong> Reviewers grilled model-generated diffs as hard as those from other developers.</li>
<li><strong>Self reviews raised the floor:</strong> Developers who <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-code-review/using-copilot-code-review?tool=vscode#requesting-a-review-from-copilot">ran a Copilot review before opening a PR</a> often wiped out an entire class of trivial nit-picks (e.g., imports that needed trimming, missing tests), cutting back-and-forth by roughly a third.</li>
<li><strong>AI was no replacement for human judgement: </strong>Programming often involves trade-offs. LLMs can inform you about those trade-offs, but someone has to make the call about what path to take based on your organization’s goals and standards. </li>
</ol>
<p>An overarching principle quickly became clear: <strong>AI augments developer judgment; it can’t replace it. </strong>And our findings, from confidence scores to red-flag explanations, are informing how we’re building Copilot’s code review features.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--4" style="border-top-width:4px">
<h2 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-github-copilot-code-review-is-generally-available" style="margin-top:0">GitHub Copilot code review is generally available</h2>
<p>Let an AI teammate handle the first pass. GitHub Copilot’s code-review agent is generally available for every Copilot plan, and it spots bugs and performance issues and even suggests fixes before a human ever opens the diff. Enable automatic reviews in your repo rules or ask Copilot on demand, right inside GitHub, GitHub Mobile, or VS Code.</p>
<p><a href="https://github.blog/changelog/2025-04-04-copilot-code-review-now-generally-available/">Learn more ></a></p>
</aside>
<h3 class="wp-block-heading" id="what-ai-can-and-cant-handle-today">What AI can (and can’t) handle today</h3>
<p>LLMs are already great at the “grind” layer of a review:</p>
<ul class="wp-block-list">
<li><strong>Mechanical scanning.</strong> “Is there a typo?” “Are all arguments used?”</li>
<li><strong>Pattern matching.</strong> “This looks like SQL injection” or “You forgot to await that promise.”</li>
<li><strong>Pedantic consistency.</strong> “Variable names snake_case here, camelCase there.”</li>
</ul>
<p>Soon they’ll be able to do even more, such as understand product and domain context. But they still fall short on:</p>
<ul class="wp-block-list">
<li><strong>Architecture and trade-offs.</strong> Should we split this service? Cache locally?</li>
<li><strong>Mentorship.</strong> Explaining <em>why</em> a pattern matters and when to break it.</li>
<li><strong>Values.</strong> Should we build this feature at all?</li>
</ul>
<p>Those gaps keep developers in the loop and in the pilot’s seat. That principle is foundational for us as we continue to develop GitHub Copilot. </p>
<h2 class="wp-block-heading" id="a-playbook-for-modern-code-reviews">A playbook for modern code reviews</h2>
<p>The most effective approach to AI-assisted code reviews starts before you even submit your pull request. Think of it as the golden rule of development: Treat code reviewers the way you’d like them to treat you.</p>
<h3 class="wp-block-heading" id="use-ai-to-self-review-your-code-in-your-ide">Use AI to self review your code in your IDE</h3>
<p>Before pushing your code, <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-code-review/using-copilot-code-review?tool=vscode#requesting-a-review-from-copilot">run GitHub Copilot code review in your IDE</a> to catch the obvious stuff so your teammates can focus on the nuanced issues that require developer insight. Copilot code review can comb your staged diff, suggest docstrings, and flag null dereferences. From there, you can fix everything it finds before you submit your PR so teammates never see the noise.</p>
<h3 class="wp-block-heading" id="take-ownership-of-your-code">Take ownership of your code</h3>
<p>Just because you used AI to generate code doesn’t mean it’s not your code. Once you commit code, you’re responsible for it. That means understanding what it does, ensuring it follows your team’s standards, and making sure it integrates well with the rest of your codebase.</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>If an AI agent writes code, it’s on me to clean it up before my name shows up in git blame.</p>
<cite>Jon Wiggins, Machine Learning Engineer at Respondology</cite></blockquote>
<h3 class="wp-block-heading" id="run-your-code-through-automated-ci-gates">Run your code through automated CI gates</h3>
<p>Your pipeline should already be running unit tests, secret scanning, CodeQL, dependency checks, style linters. Keep doing that. Fail fast, fail loudly.</p>
<h3 class="wp-block-heading" id="practical-tips-for-personal-code-hygiene">Practical tips for personal code hygiene:</h3>
<ul class="wp-block-list">
<li>Review your own code in your IDE.</li>
<li>Ensure variable names, comments, and structure match your team’s conventions.</li>
<li>Test AI-generated code thoroughly before including it in pull requests.</li>
</ul>
<h2 class="wp-block-heading" id="use-ai-to-focus-on-the-areas-where-your-judgement-is-critical">Use AI to focus on the areas where your judgement is critical</h2>
<p>The real power of AI in code reviews isn’t in replacing developers as the reviewers. It’s in handling the routine work that can bog down the review process, freeing developers to focus where their judgment is most valuable.</p>
<h3 class="wp-block-heading" id="ai-doesnt-replace-your-existing-automated-checks">AI doesn’t replace your existing automated checks</h3>
<p>Make sure tests pass, coverage metrics are met, and static analysis tools have done their work before developer reviews begin. This creates a solid foundation for more meaningful discussion. </p>
<p>You can use an LLM to catch not just syntax issues, but also patterns, potential bugs, and style inconsistencies. Ironically, LLMs are particularly good at catching the sorts of mistakes that LLMs make, which is increasingly relevant as more AI-generated code enters our codebases.</p>
<h3 class="wp-block-heading" id="clearly-define-roles">Clearly define roles</h3>
<p>Set clear expectations about when AI feedback should be considered versus when human judgment takes precedence. For example, rely on other developers for code architecture and for consistency with business goals and organizational values. AI is especially useful for reviewing long, repetitive PRs, where it’s easy to miss little things.</p>
<h2 class="wp-block-heading" id="implementation-tips-for-building-a-sustainable-ai-assisted-review-process">Implementation tips for building a sustainable AI-assisted review process</h2>
<ul class="wp-block-list">
<li><strong>Document clear guidelines</strong> that specify when to use AI in code reviews, what types of feedback to trust, and how to escalate when developers disagree with an AI code review. With GitHub Copilot, for instance, <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-code-review/using-copilot-code-review?tool=webui#customizing-copilots-reviews-with-custom-instructions">you can use custom instructions to set clear rules for how Copilot engages with your code</a>. </li>
<li><strong>Update guidelines regularly</strong> based on team feedback and evolving AI capabilities. Remember that as your codebase and AI tools evolve, what works today might not work tomorrow.</li>
<li><strong>Encourage open team discussions</strong> about the strengths and limitations of AI-assisted reviews. Share both positive and negative experiences to help everyone learn and improve their approach.</li>
<li><strong>Refine automation continuously</strong> by using feedback from reviewers to improve your automated testing strategy. Identify patterns where solutions to recurring issues could be automated.</li>
</ul>
<h2 class="wp-block-heading" id="developer-judgement-remains-crucial">Developer judgement remains crucial</h2>
<p>While AI can handle much of the routine work in code reviews, developer judgment remains irreplaceable for architectural decisions, mentoring and knowledge transfer, and context-specific decisions that require understanding of your product and users. </p>
<p>And even as LLMs get smarter, three review tasks remain stubbornly human:</p>
<ol class="wp-block-list">
<li><strong>Architecture trade-offs</strong>: Should we split this service? Cache locally? Pay tech debt now or later?</li>
<li><strong>Mentorship and culture</strong>: PR threads are team classrooms. A bot can’t tell a junior engineer the war story behind that odd regex.</li>
<li><strong>Ethics and product values</strong>: “Should we even build this?” is a question AI can’t answer.</li>
</ol>
<p>The goal is to make developers more effective by letting them focus on what they do best.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-code-review/using-copilot-code-review">code reviews with GitHub Copilot > </a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/generative-ai/code-review-in-the-age-of-ai-why-developers-will-always-own-the-merge-button/">Code review in the age of AI: Why developers will always own the merge button</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89505</post-id> </item>
<item>
<title>Modeling CORS frameworks with CodeQL to find security vulnerabilities</title>
<link>https://github.blog/security/application-security/modeling-cors-frameworks-with-codeql-to-find-security-vulnerabilities/</link>
<dc:creator><![CDATA[Kevin Stubbings]]></dc:creator>
<pubDate>Thu, 10 Jul 2025 17:38:14 +0000</pubDate>
<category><![CDATA[Application security]]></category>
<category><![CDATA[Security]]></category>
<category><![CDATA[CodeQL]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[security research]]></category>
<guid isPermaLink="false">https://github.blog/?p=89417</guid>
<description><![CDATA[<p>Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.</p>
<p>The post <a href="https://github.blog/security/application-security/modeling-cors-frameworks-with-codeql-to-find-security-vulnerabilities/">Modeling CORS frameworks with CodeQL to find security vulnerabilities</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>There are many <a href="https://github.blog/security/application-security/localhost-dangers-cors-and-dns-rebinding/">different types of vulnerabilities</a> that can occur when setting up CORS for your web application. Insecure usage of CORS frameworks and logic errors in homemade CORS implementations can lead to serious security vulnerabilities that allow attackers to bypass authentication. What’s more, attackers can use CORS misconfigurations to escalate the severity of other existing vulnerabilities in web applications to access services on the intranet.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="847" width="1024" src="https://github.blog/wp-content/uploads/2025/07/cors1.jpg?resize=1024%2C847" alt="A CORS diagram showing communication between two websites in the browser." class="wp-image-89421" srcset="https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=1600 1600w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=300 300w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=768 768w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=1024 1024w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=1536 1536w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>In this blog post, I’ll show how developers and security researchers can use CodeQL to model their own libraries, using work that I’ve done on CORS frameworks in Go as an example. Since the techniques I used are useful for modeling other frameworks, this blog post can help you model and find vulnerabilities in your own projects. Because static analyzers like CodeQL can obtain detailed information about structures, functions, and imported libraries, they’re more versatile than simple tools like grep. Plus, since CORS frameworks are usually configured through specific structures and functions, CodeQL is the easiest way to find misconfigurations in your codebases.</p>
<h2 class="wp-block-heading" id="h-modeling-headers-in-codeql">Modeling headers in CodeQL</h2>
<p>When adding code to CodeQL, it’s best practice to always check the related queries and frameworks that are already available so that we’re not reinventing the wheel. For most languages, CodeQL already has a CORS query that covers many of the default cases. The easiest and simplest way of implementing CORS is by manually setting the <code>Access-Control-Allow-Origin</code> and <code>Access-Control-Allow-Credentials</code> <a href="https://developer.mozilla.org/en-US/docs/Glossary/Response_header">response headers</a>. By modeling the frameworks for a language (e.g., Django, FastAPI, and Flask), CodeQL can identify where in the code those headers are set. Building on those models by looking for specific header values, CodeQL can find simple examples of CORS and see if they match vulnerable values.</p>
<p>In the following Go example, unauthenticated resources on the servers could be accessed by arbitrary websites.</p>
<pre class="wp-block-code language-go"><code>func saveHandler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Access-Control-Allow-Origin", "*")
}</code></pre>
<p>This may be troublesome for web applications that do not have authentication, such as tools intended to be hosted locally, because any dangerous endpoint could be accessed and exploited by an attacker.</p>
<p>The following snippet is from CodeQL’s model of Go’s http framework, where CodeQL models the <code>Set</code> method to find security-related header writes for this framework. Header writes are modeled by the <code>HeaderWrite</code> class in <code>HTTP.qll</code>, which other modules and classes extend in order to find all header writes.</p>
<pre class="wp-block-code language-plaintext"><code>/** Provides a class for modeling new HTTP header-write APIs. */
module HeaderWrite {
  /**
   * A data-flow node that represents a write to an HTTP header.
   *
   * Extend this class to model new APIs. If you want to refine existing API models,
   * extend `HTTP::HeaderWrite` instead.
   */
  abstract class Range extends DataFlow::ExprNode {
    /** Gets the (lower-case) name of a header set by this definition. */
    string getHeaderName() { result = this.getName().getStringValue().toLowerCase() }</code></pre>
<p>Some useful methods such as <code>getHeaderName</code> and <code>getHeaderValue</code> can also help in developing security queries related to headers, like CORS misconfiguration. Unlike the previous code example, the pattern below is a CORS misconfiguration with a much greater impact.</p>
<pre class="wp-block-code language-go"><code>func saveHandler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Access-Control-Allow-Origin",
        r.Header.Get("Origin"))
    w.Header().Set("Access-Control-Allow-Credentials",
        "true")
}</code></pre>
<p>Reflecting the request’s Origin header while allowing credentials permits an attacking website to make requests as the currently logged-in user, which could compromise the entire web application.</p>
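<p>To make the two handler patterns above concrete, here is an added Go example (not code from the post or from CodeQL) that places the reflecting handler beside an allowlist-based hardened version and probes both with net/http/httptest. The allowlist, the <code>/save</code> path, and the verdict labels are assumptions made for the example.</p>

```go
package main

import (
    "fmt"
    "net/http"
    "net/http/httptest"
    "strings"
)

// allowedOrigins is a constructed allowlist for this example; a real
// application would load it from configuration.
var allowedOrigins = map[string]bool{
    "https://app.example": true,
}

// reflectingHandler is the vulnerable pattern from the post: it echoes
// whatever Origin the request carries and also allows credentials.
func reflectingHandler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
    w.Header().Set("Access-Control-Allow-Credentials", "true")
    fmt.Fprintln(w, "ok")
}

// allowlistHandler is the hardened form: credentials are only granted to an
// exact-match allowlisted origin, and Vary: Origin is set so a shared cache
// never serves one origin's response to another.
func allowlistHandler(w http.ResponseWriter, r *http.Request) {
    origin := r.Header.Get("Origin")
    w.Header().Add("Vary", "Origin")
    if allowedOrigins[origin] {
        w.Header().Set("Access-Control-Allow-Origin", origin)
        w.Header().Set("Access-Control-Allow-Credentials", "true")
    }
    fmt.Fprintln(w, "ok")
}

// corsVerdict classifies a response the way the post's query does:
// credentials plus a null or reflected (non-allowlisted) origin is the
// critical case; a wildcard or null origin without credentials is the
// lower-severity "permissive" case.
func corsVerdict(requestOrigin string, h http.Header) string {
    acao := h.Get("Access-Control-Allow-Origin")
    creds := strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
    switch {
    case acao == "":
        return "no-cors"
    case creds && (acao == "null" || (acao == requestOrigin && !allowedOrigins[acao])):
        return "critical"
    case !creds && (acao == "*" || acao == "null"):
        return "permissive"
    default:
        return "ok"
    }
}

// probe sends a request carrying the given Origin to a handler and returns
// the verdict for the headers it produced.
func probe(h http.HandlerFunc, origin string) string {
    req := httptest.NewRequest(http.MethodGet, "/save", nil)
    req.Header.Set("Origin", origin)
    rec := httptest.NewRecorder()
    h(rec, req)
    return corsVerdict(origin, rec.Header())
}

func main() {
    for _, origin := range []string{"https://app.example", "https://other.example"} {
        fmt.Printf("%-22s reflecting=%-9s allowlist=%s\n", origin,
            probe(reflectingHandler, origin), probe(allowlistHandler, origin))
    }
}
```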
<p>Using CodeQL, we can model the headers, looking for specific headers and methods in order to help CodeQL identify the relevant security code structures to find CORS vulnerabilities.</p>
<pre class="wp-block-code language-plaintext"><code>/**
 * An `Access-Control-Allow-Credentials` header write.
 */
class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
  AllowCredentialsHeaderWrite() {
    this.getHeaderName() = headerAllowCredentials()
  }
}

/**
 * predicate for CORS query.
 */
predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
  exists(AllowCredentialsHeaderWrite allowCredentialsHW |
    allowCredentialsHW.getHeaderValue().toLowerCase() = "true"</code></pre>
<p>Here, the <code>HTTP::HeaderWrite</code> class, as previously discussed, is used as a superclass for <code>AllowCredentialsHeaderWrite</code>, which finds all writes of the <code>Access-Control-Allow-Credentials</code> header. Then, when our CORS misconfiguration query checks whether credentials are enabled, we use <code>AllowCredentialsHeaderWrite</code> as one of the possible sources to check.</p>
<p>The simplest way for developers to set a CORS policy is by setting headers on HTTP responses in their server. By modeling all instances where a header is set, we can check for these CORS cases in our CORS query. </p>
<p>When modeling web frameworks using CodeQL, creating classes that extend more generic superclasses such as <code>HTTP::HeaderWrite</code> allows the impact of the model to be used in all CodeQL security queries that need them. Since headers in web applications can be so important, modeling all the ways they can be written to in a framework can be a great first step to adding that web framework to CodeQL.</p>
<h2 class="wp-block-heading" id="modeling-frameworks-in-codeql">Modeling frameworks in CodeQL</h2>
<figure class="wp-block-image size-full"><img data-recalc-dims="1" loading="lazy" decoding="async" width="961" height="877" src="https://github.blog/wp-content/uploads/2025/07/cors2.png?resize=961%2C877" alt="A computer with two windows open showing secure code." class="wp-image-89422" srcset="https://github.blog/wp-content/uploads/2025/07/cors2.png?w=961 961w, https://github.blog/wp-content/uploads/2025/07/cors2.png?w=300 300w, https://github.blog/wp-content/uploads/2025/07/cors2.png?w=768 768w" sizes="auto, (max-width: 961px) 100vw, 961px" /></figure>
<p>Rather than setting the CORS headers manually, many developers use a CORS framework instead. Generally, CORS frameworks use middleware in the router of a web framework in order to add headers for every response. Some web frameworks will have their own CORS middleware, or you may have to include a third-party package. When modeling a CORS framework in CodeQL, you’re usually modeling the relevant structures and methods that signify a CORS policy. Once the modeled structure or methods have the correct values, the query should check that the structure is actually used in the codebase.</p>
<p>For frameworks, we’ll look at Go as our language of choice since it has great support for CORS. Go offers a couple of CORS frameworks, but most follow the structure of Gin CORS, a CORS middleware for the Gin web framework. Here’s an example of a Gin configuration for CORS:</p>
<pre class="wp-block-code language-go"><code>package main

import (
    "github.com/gin-contrib/cors"
    "github.com/gin-gonic/gin"
)

func main() {
    router := gin.Default()
    router.Use(cors.New(cors.Config{
        AllowOrigins:     []string{"https://foo.com"},
        AllowMethods:     []string{"PUT", "PATCH"},
        AllowHeaders:     []string{"Origin"},
        ExposeHeaders:    []string{"Content-Length"},
        AllowCredentials: true,
        AllowOriginFunc: func(origin string) bool {
            return origin == "https://github.com"
        },
    }))
    router.Run()
}</code></pre>
<p>Now that we’ve modeled the <code>router.Use</code> method and <code>cors.New</code> — ensuring that the <code>cors.Config</code> structure is at some point passed to a <code>router.Use</code> call for actual use — we should then check all <code>cors.Config</code> structures for appropriate headers.</p>
<p>Next, we find the appropriate header fields we want to model. For a basic CORS misconfiguration query, we would model <code>AllowOrigins</code>, <code>AllowCredentials</code>, and <code>AllowOriginFunc</code>. My pull requests for adding GinCors and RSCors to CodeQL can be used as references if you’re interested in seeing everything that goes into adding a framework to CodeQL. Below, I’ll discuss some of the most important details.</p>
<pre class="wp-block-code language-plaintext"><code>/**
 * A variable of type Config that holds the headers to be set.
 */
class GinConfig extends Variable {
  SsaWithFields v;

  GinConfig() {
    this = v.getBaseVariable().getSourceVariable() and
    v.getType().hasQualifiedName(packagePath(), "Config")
  }

  /**
   * Get variable declaration of GinConfig
   */
  SsaWithFields getV() { result = v }
}</code></pre>
<p>I modeled the Config type using <code>SsaWithFields</code>, which is a <a href="https://en.wikipedia.org/wiki/Static_single-assignment_form">single static assignment</a> with fields. By using <code>getSourceVariable()</code>, we can get the variable that the structure was assigned to, which helps us see where the config is used. This allows us to track variables that contain the CORS config structure across the codebase, including ones that are often initialized like this:</p>
<pre class="wp-block-code language-go"><code>func main() {
    ...
    // We can now track the corsConfig variable for further updates, such as when one of the fields is updated.
    corsConfig := cors.New(cors.Config{
        ...
    })
}</code></pre>
<p>Now that we have the variable containing the relevant structure, we want to find all the instances where the variable is written to. By doing this, we can get an understanding of the relevant property values that have been assigned to it, and thus decide whether the CORS config is misconfigured.</p>
<pre class="wp-block-code language-plaintext"><code>/**
 * A write to the value of Access-Control-Allow-Origins header
 */
class AllowOriginsWrite extends UniversalOriginWrite {
  DataFlow::Node base;

  // This models all writes to the AllowOrigins field of the Config type
  AllowOriginsWrite() {
    exists(Field f, Write w |
      f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
      w.writesField(base, f, this) and
      // To ensure we are finding the correct field, we look for a write of type string (SliceLit)
      this.asExpr() instanceof SliceLit
    )
  }

  /**
   * Get config variable holding header values
   */
  override GinConfig getConfig() {
    exists(GinConfig gc |
      (
        gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
          base.asInstruction() or
        gc.getV().getAUse() = base
      ) and
      result = gc
    )
  }
}</code></pre>
<p>By adding the <code>getConfig</code> function, we return the previously created <code>GinConfig</code>, which allows us to verify that writes to the relevant headers affect the same configuration structure. For example, a developer may create one config that has a vulnerable origin and another that allows credentials. The config that allows credentials wouldn’t be highlighted, because only configs with vulnerable origins create a security issue. By having the CORS-relevant header writes from different frameworks all extend <code>UniversalOriginWrite</code> and <code>UniversalCredentialsWrite</code>, we can use those in our CORS misconfiguration query. </p>
<h2 class="wp-block-heading" id="writing-cors-misconfiguration-queries-in-codeql">Writing CORS misconfiguration queries in CodeQL</h2>
<p>CORS issues are separated into two types: CORS without credentials (where we look for <code>*</code> or <code>null</code>) and CORS with credentials (where we look for origin reflection or <code>null</code>). If you want to keep the CodeQL query simple, you can create one query for each type of CORS vulnerability and assign their severity accordingly. For the Go language, CodeQL only has a “CORS with credentials” type of query because it’s applicable to all applications. </p>
<p>Let’s tie in the models we just created above to see how they’re used in the Go CORS misconfiguration query itself. </p>
<pre class="wp-block-code language-plaintext"><code>from DataFlow::ExprNode allowOriginHW, string message
where
  allowCredentialsIsSetToTrue(allowOriginHW) and
  (
    flowsFromUntrustedToAllowOrigin(allowOriginHW, message)
    or
    allowOriginIsNull(allowOriginHW, message)
  ) and
  not flowsToGuardedByCheckOnUntrusted(allowOriginHW)
  ...
select allowOriginHW, message</code></pre>
<p>This query is only interested in critical vulnerabilities, so it checks whether credentials are allowed, and whether the allowed origins either come from a remote source or are hardcoded as null. In order to prevent false positives, it checks if there are certain guards — such as string comparisons — before the remote source gets to the origin. Let’s take a closer look at the predicate <code>allowCredentialsIsSetToTrue</code>.</p>
<pre class="wp-block-code language-plaintext"><code>/**
 * Holds if the provided `allowOriginHW` HeaderWrite's parent ResponseWriter
 * also has another HeaderWrite that sets a `Access-Control-Allow-Credentials`
 * header to `true`.
 */
predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
  exists(AllowCredentialsHeaderWrite allowCredentialsHW |
    allowCredentialsHW.getHeaderValue().toLowerCase() = "true"
  |
    allowOriginHW.(AllowOriginHeaderWrite).getResponseWriter() =
      allowCredentialsHW.getResponseWriter()
  )
  or
  ...</code></pre>
<p>For the first part of the predicate, we use one of the headers we previously modeled, <code>AllowCredentialsHeaderWrite</code>, in order to compare headers. This helps us filter out all header writes that don’t have credentials set.</p>
<pre class="wp-block-code language-plaintext"><code>  exists(UniversalAllowCredentialsWrite allowCredentialsGin |
    allowCredentialsGin.getExpr().getBoolValue() = true
  |
    allowCredentialsGin.getConfig() = allowOriginHW.(UniversalOriginWrite).getConfig() and
    not exists(UniversalAllowAllOriginsWrite allowAllOrigins |
      allowAllOrigins.getExpr().getBoolValue() = true and
      allowCredentialsGin.getConfig() = allowAllOrigins.getConfig()
    )
    or
    allowCredentialsGin.getBase() = allowOriginHW.(UniversalOriginWrite).getBase() and
    not exists(UniversalAllowAllOriginsWrite allowAllOrigins |
      allowAllOrigins.getExpr().getBoolValue() = true and
      allowCredentialsGin.getBase() = allowAllOrigins.getBase()
    )
  )
}</code></pre>
<p>If CORS is not set through a header, we check for CORS frameworks using <code>UniversalAllowCredentialsWrite</code>. To filter out all instances whose corresponding origin value is set to “*”, we use the <code>not</code> CodeQL keyword on <code>UniversalAllowAllOriginsWrite</code>, since these are not applicable to this vulnerability. <code>flowsFromUntrustedToAllowOrigin</code> and <code>allowOriginIsNull</code> follow similar logic to ensure that the resulting header writes are vulnerable.</p>
<h2 class="wp-block-heading" id="extra-credit">Extra credit</h2>
<p>When you model CodeQL queries to detect vulnerabilities related to CORS, you can’t use a one-size-fits-all approach. Instead, you have to tailor your queries to each web framework for two reasons: </p>
<ul class="wp-block-list">
<li>Each framework implements CORS policies in its own way</li>
<li>Vulnerability patterns depend on a framework’s behavior</li>
</ul>
<p>For example, we saw before in Gin CORS that there is an <code>AllowOriginFunc</code>. After looking at the documentation or experimenting with the code, we can see that it may override <code>AllowOrigins</code>. To improve our query, we could write a CodeQL query that looks for <code>AllowOriginFunc</code>s that always return true, which will result in a high severity vulnerability if paired with credentials.</p>
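<p>The “always returns true” check described above can also be applied dynamically to a configuration at review time. The following is an added Go example, not code from the post or from gin-contrib/cors: <code>corsConfig</code> is a constructed stand-in for the <code>cors.Config</code> fields the post models, the probe origins are assumptions, and the severity rules follow the query’s logic (credentials plus null or arbitrary origins is critical; wildcard plus credentials is skipped as the query skips it, since browsers do not honor <code>*</code> together with credentials).</p>

```go
package main

import (
    "fmt"
    "strings"
)

// corsConfig is a constructed stand-in for the gin-contrib/cors Config fields
// that the post models; it is not the real cors.Config type.
type corsConfig struct {
    AllowAllOrigins  bool
    AllowOrigins     []string
    AllowCredentials bool
    AllowOriginFunc  func(origin string) bool
}

// probeOrigins are constructed origins that no legitimate allowlist should
// accept; an AllowOriginFunc that admits them behaves like "return true".
var probeOrigins = []string{"https://unexpected.example", "null"}

// auditCORS applies the post's severity rules to a config and returns the
// findings a reviewer (or the CodeQL query) would raise.
func auditCORS(cfg corsConfig) []string {
    var findings []string
    wildcard := cfg.AllowAllOrigins
    for _, o := range cfg.AllowOrigins {
        switch {
        case o == "*":
            wildcard = true
        case strings.EqualFold(o, "null") && cfg.AllowCredentials:
            findings = append(findings, "critical: null origin allowed with credentials")
        }
    }
    // Wildcard without credentials exposes unauthenticated responses to any site.
    if wildcard && !cfg.AllowCredentials {
        findings = append(findings, "permissive: any origin may read unauthenticated responses")
    }
    // Wildcard with credentials is skipped, as the query does; otherwise an
    // AllowOriginFunc that accepts the probe origins overrides AllowOrigins.
    if cfg.AllowOriginFunc != nil && cfg.AllowCredentials && !wildcard {
        for _, p := range probeOrigins {
            if cfg.AllowOriginFunc(p) {
                findings = append(findings, "critical: AllowOriginFunc accepts "+p+" with credentials")
            }
        }
    }
    return findings
}

func main() {
    cfgs := map[string]corsConfig{
        "strict": {
            AllowOrigins:     []string{"https://foo.com"},
            AllowCredentials: true,
            AllowOriginFunc:  func(o string) bool { return o == "https://github.com" },
        },
        "always-true": {
            AllowOrigins:     []string{"https://foo.com"},
            AllowCredentials: true,
            AllowOriginFunc:  func(o string) bool { return true },
        },
        "wildcard": {AllowOrigins: []string{"*"}},
    }
    for name, cfg := range cfgs {
        fmt.Println(name, auditCORS(cfg))
    }
}
```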
<h2 class="wp-block-heading" id="take-this-with-you">Take this with you </h2>
<p>Once you understand the behavior of web frameworks and headers with CodeQL, it’s simple to find security issues in your code and reduce the chance of vulnerabilities making their way into your work. The number of CodeQL languages that support CORS misconfiguration queries is still growing, and there is always room for improvement from the community. </p>
<p>If this blog has been helpful in helping you write CodeQL queries, please feel free to open anything you’d like to share with the community in our <a href="https://github.com/GitHubSecurityLab/CodeQL-Community-Packs">CodeQL Community Packs</a>.</p>
<p>Finally, <a href="https://github.com/security/advanced-security/code-security">GitHub Code Security</a> can help you secure your project by detecting and suggesting a fix for bugs such as <a href="https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials/">CORS misconfiguration</a>!</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Explore more</strong> GitHub Security Lab <a href="https://github.blog/tag/github-security-lab/">blog posts ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/application-security/modeling-cors-frameworks-with-codeql-to-find-security-vulnerabilities/">Modeling CORS frameworks with CodeQL to find security vulnerabilities</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89417</post-id> </item>
<item>
<title>Beyond prompt crafting: How to be a better partner for your AI pair programmer</title>
<link>https://github.blog/ai-and-ml/github-copilot/beyond-prompt-crafting-how-to-be-a-better-partner-for-your-ai-pair-programmer/</link>
<dc:creator><![CDATA[Christopher Harrison]]></dc:creator>
<pubDate>Wed, 09 Jul 2025 16:00:00 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<guid isPermaLink="false">https://github.blog/?p=89424</guid>
<description><![CDATA[<p>Ensuring quality code suggestions from Copilot goes beyond the perfect prompt. Context is key to success when working with your AI pair programmer.</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/beyond-prompt-crafting-how-to-be-a-better-partner-for-your-ai-pair-programmer/">Beyond prompt crafting: How to be a better partner for your AI pair programmer</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded>< when creating tests
## Prototype files
- [Endpoint prototype](../../server/routes/games.py)
- [Tests prototype](../../server/tests/test_games.py)</code></pre>
<p>Notice how we’re providing specific information about how we want our endpoints created. You’ll also notice we’re even linking out to other files <strong>in the project</strong> using hyperlinks — both existing files for Copilot to use as representative examples, and other instructions files for more information.</p>
<p>You can also apply instructions to file types based on a pattern. Let’s take the tests for example. If they were all located in <code>server/tests</code>, and started with <code>test_</code>, you could add metadata to the top to ensure Copilot always includes the instructions when working on a test file:</p>
<pre class="wp-block-code language-plaintext"><code>---
applyTo: server/tests/test_*.py
---</code></pre>
<p>This gives you a lot of flexibility in ensuring Copilot is able to access the right information at the right time. This can be done explicitly by adding in the instructions file, or implicitly by providing a pattern for Copilot to use when building certain files.</p>
<p>Just as before, these are artifacts in your repository. It can take some time to build a collection of instruction files, but that investment will pay off in the form of higher-quality code and, in turn, improved productivity.</p>
<h2 class="wp-block-heading" id="fully-reusable-prompts">Fully reusable prompts</h2>
<p>The VS Code team recently published a new, experimental feature called prompt files. Because they’re still in development I don’t want to dig too deep into them, but you can read more about <a href="https://code.visualstudio.com/docs/copilot/copilot-customization#_prompt-files-experimental">prompt files in the docs</a> and see how to utilize them as they are currently implemented. In a nutshell, they allow you to effectively create scripted prompts for Copilot. You can choose the Copilot modes they’re available in (ask, edit and agent), the tools to be called, and what questions to ask the developer. These can be created by the team for enhanced reuse and consistency.</p>
<h2 class="wp-block-heading" id="extending-github-copilots-capabilities-with-model-context-protocol-mcp">Extending GitHub Copilot’s capabilities with Model Context Protocol (MCP)</h2>
<p>In an ever-changing software development landscape, we need to ensure the information we’re working with is accurate, relevant, and up to date. This is what MCP, or Model Context Protocol, is built for! Developed initially by Anthropic, MCP is an open source protocol that lets organizations expose their services or data to generative AI tools.</p>
<p>When you add an MCP server to your IDE, you allow Copilot to “phone a friend” to find information, or even perform tasks on your behalf. For example, the <a href="https://github.com/microsoft/playwright-mcp">Playwright MCP server</a> helps create <a href="https://playwright.dev/">Playwright</a> end-to-end tests, while the <a href="https://github.com/github/github-mcp-server">GitHub MCP server</a> provides access to GitHub services like repositories, issues, and pull requests.</p>
<p>Let’s say, for instance, that you added the Playwright MCP server to your IDE. When you ask Copilot to create a new test to validate functionality on your website, Copilot can consult an authoritative source, allowing it to generate the best code it can.</p>
<p>You can even create your own MCP servers! One question I commonly hear is about how you can allow Copilot to look through an internal codebase or suite of libraries. With a custom MCP server, you could provide a facade for Copilot to perform these types of queries, then utilize the information discovered to suggest code based on your internal environment.</p>
<p>MCP is large enough to have its own blog post, which my colleague Cassidy wrote, sharing <a href="https://github.blog/ai-and-ml/llms/what-the-heck-is-mcp-and-why-is-everyone-talking-about-it/">tips, tricks, and insights about MCP</a>.</p>
<h2 class="wp-block-heading" id="thinking-beyond-prompts">Thinking beyond prompts</h2>
<p>Let me be clear: prompt crafting is important. It’s one of the first skills any developer should learn when they begin using GitHub Copilot. </p>
<p>But writing a good prompt is only one piece Copilot considers when generating an answer. By using the best practices highlighted above — comments and good code, custom instructions, and MCP servers — you can help Copilot understand what you want it to do and how you want it to do it. To bring it back to my analogy, you can ensure Copilot knows when you want waffles instead of omelettes.</p>
<p>And on that note, I’m off to brunch.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with <a href="https://github.com/features/copilot">GitHub Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/beyond-prompt-crafting-how-to-be-a-better-partner-for-your-ai-pair-programmer/">Beyond prompt crafting: How to be a better partner for your AI pair programmer</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89424</post-id> </item>
<item>
<title>Git security vulnerabilities announced</title>
<link>https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/</link>
<dc:creator><![CDATA[Taylor Blau]]></dc:creator>
<pubDate>Tue, 08 Jul 2025 17:02:11 +0000</pubDate>
<category><![CDATA[Git]]></category>
<category><![CDATA[Open Source]]></category>
<category><![CDATA[security alert]]></category>
<guid isPermaLink="false">https://github.blog/?p=89409</guid>
<description><![CDATA[<p>Today, the Git project released new versions to address seven security vulnerabilities that affect all prior versions of Git.</p>
<p>The post <a href="https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/">Git security vulnerabilities announced</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Today, the Git project <a href="https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/">released new versions</a> to address seven security vulnerabilities that affect all prior versions of Git.</p>
<h2 class="wp-block-heading" id="h-vulnerabilities-in-git">Vulnerabilities in Git</h2>
<h3 class="wp-block-heading" id="h-cve-2025-48384">CVE-2025-48384</h3>
<p>When reading a <a href="https://git-scm.com/book/en/v2/Customizing-Git-Git-Configuration">configuration</a> value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a <a href="https://git-scm.com/docs/gitsubmodules">submodule</a> whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.</p>
<p>If a <a href="https://en.wikipedia.org/wiki/Symbolic_link">symlink</a> already exists between the stripped path and the submodule’s <a href="https://git-scm.com/docs/githooks">hooks</a> directory, an attacker can execute arbitrary code through the submodule’s <code>post-checkout</code> hook.</p>
<p>[<a href="https://github.com/git/git/compare/d2bc61fcabd6cfa582d286bed1ce20d5d7c58d52...05e9cd64ee23bbadcea6bcffd6660ed02b8eab89">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-48385">CVE-2025-48385</h3>
<p>When cloning a repository, Git can optionally fetch a <a href="https://git-scm.com/docs/git-bundle">bundle</a>, allowing the server to offload a portion of the clone to a <a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDN</a>. The Git client does not properly validate the advertised bundle(s), allowing the remote side to perform protocol injection. When a specially crafted bundle is advertised, the remote end can cause the client to write the bundle to an arbitrary location, which may lead to code execution similar to the previous CVE.</p>
<p>[<a href="https://github.com/git/git/compare/d61cfed2c23705fbeb9c0d08f59e75ee08738950...35cb1bb0b92c132249d932c05bbd860d410e12d4">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-48386-windows-only">CVE-2025-48386 (Windows only)</h3>
<p>When cloning from an authenticated remote, Git uses a <a href="https://git-scm.com/docs/gitcredentials">credential helper</a> in order to authenticate the request. Git includes a handful of <a href="https://git-scm.com/doc/credential-helpers">credential helpers</a>, including <a href="https://github.com/git/git/tree/v2.43.7/contrib/credential/wincred">Wincred</a>, which uses the <a href="https://support.microsoft.com/en-us/windows/credential-manager-in-windows-1b5c916a-6a16-889f-8581-fc16e8165ac0">Windows Credential Manager</a> to store its credentials.</p>
<p>Wincred uses the contents of a static buffer as a unique key to store and retrieve credentials. However, it does not properly bounds check the remaining space in the buffer, leading to potential buffer overflows.</p>
<p>[<a href="https://github.com/git/git/compare/2d22f0cd07c308d7ff25bbf4ec8f1bb53b4bcda7...9de345cb273cc7faaeda279c7e07149d8a15a319">source</a>]</p>
<h2 class="wp-block-heading" id="h-vulnerabilities-in-git-gui-and-gitk">Vulnerabilities in Git GUI and Gitk</h2>
<p>This release resolves four new CVEs related to <a href="https://git-scm.com/docs/gitk">Gitk</a> and <a href="https://git-scm.com/docs/git-gui">Git GUI</a>. Both tools are <a href="https://en.wikipedia.org/wiki/Tcl">Tcl/Tk</a>-based graphical interfaces used to interact with Git repositories. Gitk is focused on showing a repository’s history, whereas Git GUI focuses on making changes to existing repositories.</p>
<h3 class="wp-block-heading" id="h-cve-2025-27613-gitk">CVE-2025-27613 (Gitk)</h3>
<p>When running Gitk in a specially crafted repository without additional command-line arguments, Gitk can write and truncate arbitrary writable files. The “Support per-file encoding” option must be enabled; however, the operation of “Show origin of this line” is affected regardless.</p>
<p>[<a href="https://github.com/git/git/compare/4e7e3b792e6973e09de6ddc191b86bbc245c53dd...67a128b91e25978a15f9f7e194d81b441d603652">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-27614-gitk">CVE-2025-27614 (Gitk)</h3>
<p>If a user is tricked into running <code>gitk filename</code> (where <code>filename</code> has a particular structure), they may run arbitrary scripts supplied by the attacker, leading to arbitrary code execution.</p>
<p>[<a href="https://github.com/git/git/compare/664d4fa692cb8637a7c9297c94abf0de8593e585...8e3070aa5e331be45d4d03e3be41f84494fce129">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-46334-git-gui-windows-only">CVE-2025-46334 (Git GUI, Windows only)</h3>
<p>If a malicious repository includes an executable <code>sh.exe</code>, or common <a href="https://git-scm.com/docs/gitattributes#_performing_text_diffs_of_binary_files">textconv</a> programs (e.g., <code>astextplain</code>, <code>exif</code>, or <code>ps2ascii</code>), path lookup on Windows may locate these executables in the working tree. If a user running Git GUI in such a repository selects either “Git Bash” or “Browse Files” from the menu, these programs may be invoked, leading to arbitrary code execution.</p>
<p>[<a href="https://github.com/git/git/compare/27fbab4898620183e608865beffd960139c04d58...a1ccd2512072cf52835050f4c97a4fba9f0ec8f9">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-46335-git-gui">CVE-2025-46335 (Git GUI)</h3>
<p>When a user is tricked into editing a file in a specially named directory in an untrusted repository, Git GUI can create and overwrite arbitrary writable files, similar to CVE-2025-27613.</p>
<p>[<a href="https://github.com/git/git/compare/a7d1716fa648f6557ea9c91e0f04bae2e8738e6a...a437f5bc93330a70b42a230e52f3bd036ca1b1da">source</a>]</p>
<h2 class="wp-block-heading" id="h-upgrade-to-the-latest-git-version">Upgrade to the latest Git version</h2>
<p>The most effective way to protect against these vulnerabilities is to upgrade to Git 2.50.1, the newest release containing fixes for the aforementioned vulnerabilities. If you can’t upgrade immediately, you can reduce your risk by doing the following:</p>
<ul class="wp-block-list">
<li>Avoid running <code>git clone</code> with <code>--recurse-submodules</code> against untrusted repositories.</li>
<li>Disable auto-fetching bundle URIs by setting the <code>transfer.bundleURI</code> configuration value to “false.”</li>
<li>Avoid using the <code>wincred</code> credential helper on Windows.</li>
<li>Avoid running Gitk and Git GUI in untrusted repositories.</li>
</ul>
<p>In order to protect users against attacks related to these vulnerabilities, GitHub has taken proactive steps. Specifically, we have scheduled releases of <a href="https://github.com/apps/desktop">GitHub Desktop</a>. <a href="https://github.com/features/codespaces">GitHub Codespaces</a> and <a href="https://github.com/features/actions">GitHub Actions</a> will update their versions of Git shortly. GitHub itself, including <a href="https://github.com/enterprise">Enterprise Server</a>, is unaffected by these vulnerabilities.</p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<p>CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386 were discovered by <a href="https://github.com/dgl">David Leadbeater</a>. <a href="https://github.com/jltobler">Justin Tobler</a> and <a href="https://github.com/pks-t">Patrick Steinhardt</a> provided fixes for CVEs 2025-48384 and 2025-48385 respectively. The fix for CVE-2025-48386 is joint work between <a href="https://github.com/ttaylorr">Taylor Blau</a> and <a href="https://github.com/peff">Jeff King</a>.</p>
<p>CVE-2025-46835 was found and fixed by <a href="https://github.com/j6t">Johannes Sixt</a>. <a href="https://github.com/mark987">Mark Levedahl</a> discovered and fixed CVE-2025-46334. <a href="https://github.com/avih">Avi Halachmi</a> discovered both CVE-2025-27613 and CVE-2025-27614, and fixed the latter. CVE-2025-27613 was fixed by Johannes Sixt.</p>
</body></html>
<p>The post <a href="https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/">Git security vulnerabilities announced</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89409</post-id> </item>
<item>
<title>CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</title>
<link>https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/</link>
<dc:creator><![CDATA[Kevin Backhouse]]></dc:creator>
<pubDate>Thu, 03 Jul 2025 20:52:20 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[Vulnerability research]]></category>
<category><![CDATA[CVE]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[linux]]></category>
<category><![CDATA[open source]]></category>
<guid isPermaLink="false">https://github.blog/?p=89368</guid>
<description><![CDATA[<p>DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.</p>
<p>The post <a href="https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/">CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p><a href="https://sourceforge.net/projects/djvu/">DjVuLibre</a> version 3.5.29 was released today. It fixes CVE-2025-53367 (GHSL-2025-055), an out-of-bounds (OOB) write in the <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l570"><code>MMRDecoder::scanruns</code></a> method. The vulnerability could be exploited to gain code execution on a Linux Desktop system when the user tries to open a crafted document.</p>
<p>DjVu is a document file format that can be used for similar purposes to PDF. It is supported by <a href="https://gitlab.gnome.org/GNOME/evince">Evince</a> and <a href="https://gitlab.gnome.org/GNOME/papers">Papers</a>, the default document viewers on many Linux distributions. In fact, even when a DjVu file is given a filename with a .pdf extension, Evince/Papers will automatically detect that it is a DjVu document and run DjVuLibre to decode it.</p>
<p>Antonio found this vulnerability while researching the Evince document reader. He found the bug with fuzzing.</p>
<p>Kev has developed a proof of concept exploit for the vulnerability, as demoed in this video.</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="CVE-2025-53367: Exploitable OOB write in DjVuLibre" width="500" height="281" src="https://www.youtube.com/embed/32kROHYhYVM?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>The POC works on a fully up-to-date Ubuntu 25.04 (x86_64) with all the standard security protections enabled. To explain what’s happening in the video:</p>
<ol class="wp-block-list">
<li>Kev clicks on a malicious DjVu document in his <code>~/Downloads</code> directory.</li>
<li>The file is named <code>poc.pdf</code>, but it’s actually in DjVu format.</li>
<li>The default document viewer (<code>/usr/bin/papers</code>) loads the document, detects that it’s in DjVu format, and uses DjVuLibre to decode it.</li>
<li>The file exploits the OOB write vulnerability and triggers a call to <code>system("google-chrome https://www.youtube.com/…")</code>.</li>
<li>Rick Astley appears.</li>
</ol>
<p>Although the POC is able to bypass <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a>, it’s somewhat unreliable: it’ll work 10 times in a row and then suddenly stop working for several minutes. But this is only a first version, and we believe it’s possible to create an exploit that’s significantly more reliable.</p>
<p>You may be wondering: why Astley, and not a calculator? That’s because <code>/usr/bin/papers</code> runs under an <a href="https://apparmor.net/">AppArmor</a> profile. The profile prohibits you from starting an arbitrary process but makes an exception for google-chrome. So it was easier to play a YouTube video than pop a calc. But the AppArmor profile is not particularly restrictive. For example, it lets you write arbitrary files to the user’s home directory, except for the really obvious ones like <code>~/.bashrc</code>. So it wouldn’t prevent a determined attacker from gaining code execution.</p>
<h1 class="wp-block-heading" id="h-vulnerability-details">Vulnerability Details</h1>
<p>The <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l570"><code>MMRDecoder::scanruns</code></a> method is affected by an OOB-write vulnerability, because it doesn’t check that the <code>xr</code> pointer stays within the bounds of the allocated buffer.</p>
<p>During the decoding process, run-length encoded data is written into two buffers: <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.h#l207"><code>lineruns</code></a> and <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.h#l209"><code>prevruns</code></a>:</p>
<pre class="wp-block-code"><code>//libdjvu/MMRDecoder.h
class DJVUAPI MMRDecoder : public GPEnabled
{
...
public:
unsigned short *lineruns;
...
unsigned short *prevruns;
...
}</code></pre>
<p>The variables named <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l583"><code>pr</code></a> and <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l584"><code>xr</code></a> point to the current locations in those buffers. </p>
<p><code>scanruns</code> does not check that those pointers remain within the bounds of the allocated buffers.</p>
<pre class="wp-block-code"><code>//libdjvu/MMRDecoder.cpp
const unsigned short *
MMRDecoder::scanruns(const unsigned short **endptr)
{
...
// Swap run buffers
unsigned short *pr = lineruns;
unsigned short *xr = prevruns;
prevruns = pr;
lineruns = xr;
...
for(a0=0,rle=0,b1=*pr++;a0 < width;)
{
...
*xr = rle; xr++; rle = 0;
...
*xr = rle; xr++; rle = 0;
...
*xr = inc+rle-a0;
xr++;
}</code></pre>
<p>This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with <code>pr</code> is also possible for the same reason.</p>
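<p>A bounded version of the write pattern above, added here as an illustration and not DjVuLibre’s code or its upstream fix: the output buffer carries a one-past-the-end sentinel, and every store through <code>xr</code> is checked against it before the write happens. The <code>changes</code>/<code>width</code> interface, the <code>runbuf</code> type and the buffer sizes used in the test input are assumptions made for this example; the real decoder’s MMR mode handling is omitted.</p>

```c
#include <stddef.h>
#include <stdio.h>

/* Output buffer for one line of run lengths. `end` is a one-past-the-end
 * sentinel; checking against it is exactly what the scanruns loop above
 * does not do before `*xr = rle; xr++`. (Type is assumed for this example.) */
typedef struct {
    unsigned short *begin;
    unsigned short *end;
} runbuf;

/* Store one run length through `xr` only if there is room.
 * Returns 0 on success, -1 if the store would land outside the buffer. */
static int put_run(unsigned short **xr, const runbuf *buf, unsigned short rle)
{
    if (*xr < buf->begin || *xr >= buf->end)
        return -1;          /* this is where the OOB write would occur */
    **xr = rle;
    (*xr)++;
    return 0;
}

/* Turn a list of changing-element positions (ascending; repeats are allowed
 * and produce zero-length runs, which is why the run count is not bounded by
 * `width`) into run lengths for a line of `width` pixels, in the shape of the
 * scanruns loop: accumulate `rle`, store it, advance `a0`.
 * Returns the number of runs written, or -1 if the output buffer would
 * overflow. */
int scan_line(const int *changes, size_t nchanges, int width, const runbuf *out)
{
    unsigned short *xr = out->begin;
    int a0 = 0;
    size_t i = 0;

    while (a0 < width) {
        int a1 = (i < nchanges) ? changes[i] : width;
        if (a1 < a0) a1 = a0;       /* clamp non-ascending input */
        if (a1 > width) a1 = width; /* never run past the line */
        if (put_run(&xr, out, (unsigned short)(a1 - a0)) < 0)
            return -1;              /* refuse instead of corrupting the heap */
        a0 = a1;
        i++;
    }
    return (int)(xr - out->begin);
}

int main(void)
{
    /* Constructed inputs: a line of 8 pixels and a 10-entry output buffer. */
    unsigned short buf[10];
    runbuf rb = { buf, buf + 10 };

    int normal[] = { 2, 5 };                                 /* runs 2,3,3 */
    int flood[]  = { 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4 };   /* 11 zero runs */

    printf("normal line: %d runs\n", scan_line(normal, 2, 8, &rb));
    printf("flood line:  %d (overflow refused)\n", scan_line(flood, 12, 8, &rb));
    return 0;
}
```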
<p>We will publish the source code of our proof of concept exploit in a couple of weeks’ time in the <a href="https://github.com/github/securitylab">GitHub Security Lab repository</a>.</p>
<h1 class="wp-block-heading" id="h-acknowledgements">Acknowledgements</h1>
<p>We would like to thank Léon Bottou and Bill Riemers for responding incredibly quickly and releasing a fix less than two days after we first contacted them!</p>
<h1 class="wp-block-heading" id="h-timeline">Timeline</h1>
<ul class="wp-block-list">
<li>2025-07-01: Reported via email to the authors: Léon Bottou, Bill Riemers, Yann LeCun.</li>
<li>2025-07-01: Responses received from Bill Riemers and Léon Bottou.</li>
<li>2025-07-02: Fix commit added by Léon Bottou: <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/">https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/</a></li>
<li>2025-07-03: DjVuLibre version 3.5.29 released: <a href="https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/">https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/</a> </li>
</ul>
</body></html>
<p>The post <a href="https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/">CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89368</post-id> </item>
<item>
<title>5 ways to transform your workflow using GitHub Copilot and MCP</title>
<link>https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/</link>
<dc:creator><![CDATA[Klint Finley]]></dc:creator>
<pubDate>Wed, 02 Jul 2025 17:44:02 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[agent mode]]></category>
<category><![CDATA[MCP]]></category>
<guid isPermaLink="false">https://github.blog/?p=89268</guid>
<description><![CDATA[<p>Learn how to streamline your development workflow with five different MCP use cases. </p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/">5 ways to transform your workflow using GitHub Copilot and MCP</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Traditional AI coding assistants typically operate in isolation, limited to the code in your current workspace. Now with the introduction of the Model Context Protocol (MCP), AI development workflows are further evolving to incorporate more tools and context. </p>
<p>MCP can enable AI assistants to interact with external systems like knowledge bases, data stores, and testing applications.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--5" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-what-is-mcp-anyway" style="margin-top:0">What is MCP, anyway?</h3>
<p>The Model Context Protocol (MCP) is an open standard developed by Anthropic that helps AI assistants like GitHub Copilot securely connect to external data sources and tools. MCP addresses a common challenge with Large Language Models (LLMs): providing the right context to generate accurate and useful responses. MCP standardizes how AI tools access external context—such as your codebase, documentation, or design specifications—and makes it easier to bring this context into your development workflow. For a deeper dive into MCP and why it’s gaining popularity, check out <a href="https://github.blog/ai-and-ml/llms/what-the-heck-is-mcp-and-why-is-everyone-talking-about-it/">Cassidy Williams’s article on the GitHub Blog</a>.</p>
</aside>
<p>The real value of MCP integration is that you can now perform tasks that previously required multiple tools, context switching, and manual effort—all directly in your IDE. That means you can save time, maintain focus, and ship code faster.</p>
<p>In this article, we’ll explore five practical ways MCP integrations with GitHub Copilot can streamline your workflow. We’ll follow a realistic scenario: implementing a secure JWT (JSON Web Token) authentication system for a web application, illustrating an end-to-end workflow with MCP.</p>
<p>Let’s jump in. </p>
<h2 class="wp-block-heading" id="1-using-mcp-to-bridge-design-and-development-with-figma">1. Using MCP to bridge design and development with Figma </h2>
<p>The gap between design and development has long been a source of friction in product teams. MCP provides a standardized way for GitHub Copilot to securely access and interpret design specifications directly. </p>
<p>Instead of manually translating design details into code, MCP enables Copilot to automatically retrieve exact design parameters—such as colors, spacing, typography, and component states—and generate accurate, ready-to-use code. This integration reduces guesswork and streamlines the handoff between designers and developers.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--6" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-explore-github-copilot-s-agentic-capabilities" style="margin-top:0">Explore GitHub Copilot’s agentic capabilities</h3>
<p>GitHub Copilot comes with two powerful agentic workflows that can be used with MCP:</p>
<ul class="wp-block-list">
<li><strong>Agent mode (in your IDE):</strong> Turn Copilot Chat into a real-time collaborator that works with you. Give it a goal (“add OAuth & tests”), and it plans, edits files, runs the suite, reads failures, fixes them, and loops until everything is green—all right in front of you, with the option to pause or steer at any step.</li>
<li><strong>Coding agent (in your GitHub projects)</strong>: Hand an Issue to Copilot and walk away. It spins up a protected workspace with GitHub Actions, writes code, runs linters/tests, and opens a pull request for you to review. Perfect for well-scoped tickets you’d give a junior dev (docs, tests, small refactors) while you stay focused elsewhere.</li>
</ul>
<p><strong>TL;DR: </strong>Think of Agent mode as a co-driver at your keyboard; the Coding agent is the valet that brings the finished work to your repo.</p>
<p><a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">Learn more ></a></p>
</aside>
<p>We’ll start developing our new JWT authentication system by taking a look at the user-facing side. Let’s say the design team updated the authentication UI components in Figma, including login forms, error states, loading spinners, and success messages. Now, you need to implement these changes to match the new design system.</p>
<p>Start by asking Copilot, “What are the latest design updates for the login form and authentication components?” It will then retrieve specs for the elements that need to change. Then you can prompt it to create React components for each element:</p>
<ul class="wp-block-list">
<li><code>LoginForm</code> with exact spacing, colors, typography</li>
<li><code>AuthErrorMessage</code> component with proper error styling</li>
<li><code>TokenRefreshNotification</code> component</li>
</ul>
<p>Copilot will then give you ready-to-use code that maintains consistency with the design specifications from Figma.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://help.figma.com/hc/en-us/articles/32132100833559-Guide-to-the-Dev-Mode-MCP-Server">Figma’s MCP server beta ></a></p>
</div>
<h2 class="wp-block-heading" id="2-tap-into-your-obsidian-knowledge-base-with-mcp">2. Tap into your Obsidian knowledge base with MCP</h2>
<p>When implementing complex features like JWT authentication, you often need to reference past decisions, architectural notes, and research findings scattered across your knowledge base. The unofficial, community-maintained Obsidian MCP server bridges this gap by connecting GitHub Copilot directly to your Obsidian vault.</p>
<p>Let’s say you’re implementing JWT token validation and need to understand your team’s previous security decisions. You tell Copilot: “Search for all files where JWT or token validation is mentioned and explain the context.”</p>
<p>With that, Copilot can:</p>
<ul class="wp-block-list">
<li>Search across all Markdown files in your vault for relevant security patterns</li>
<li>Retrieve contents from specific architecture decision records (ADR)</li>
<li>Access meeting notes from previous security reviews</li>
<li>Pull implementation guidelines from your team’s coding standards</li>
</ul>
<p>You might follow up with the following prompt: “Get the contents of the last architecture call note about authentication and summarize the key decisions.” Copilot will locate the relevant file and extract the critical information you need to inform your implementation approach.</p>
<p>Once you’ve gathered the necessary context, you can ask Copilot to synthesize this information: “Create a new note called ‘jwt-implementation-summary.md’ that combines our authentication standards with the new JWT approach.” Copilot will create this documentation directly in your vault, helping maintain your team’s knowledge base.</p>
<p><strong>Setup note</strong>: This integration requires the community “Obsidian Local REST API” plugin and an API key.</p>
<p>With your research complete and documented, you can proceed to test your application.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://github.com/MarkusPfundstein/mcp-obsidian">accessing Obsidian through MCP ></a></p>
</div>
<h2 class="wp-block-heading" id="3-test-your-code-with-playwright">3. Test your code with Playwright</h2>
<p>Integrating MCP with Playwright transforms test creation from a manual, error-prone process into a simple, guided experience.</p>
<p>Modern web applications often involve complex user journeys, asynchronous operations, and dynamic content. Authentication flows are particularly challenging to test comprehensively.</p>
<p>Continuing with our JWT authentication system, you need to test the complete authentication flow including login, token refresh, and secure route access. To do this, you’ll start by giving Copilot a prompt like this: “Test the JWT authentication flow including login, automatic token refresh, and access to protected routes.”</p>
<p>From there, Copilot will analyze your authentication implementation and generate comprehensive test coverage. But it doesn’t stop there. Copilot then runs the tests with Playwright and provides immediate feedback on failures, suggesting fixes for common issues, like timing problems or selector changes.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more </strong>about the <a href="https://github.com/microsoft/playwright-mcp">Playwright MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="4-file-pull-requests-faster">4. File pull requests faster</h2>
<p>Pull requests are the cornerstone of collaborative development. GitHub’s remote MCP server, <a href="https://github.blog/changelog/2025-06-12-remote-github-mcp-server-is-now-available-in-public-preview/">now in public beta for VS Code or Visual Studio</a>, helps transform the process into an intelligent, automated workflow.</p>
<p>Turning back to our JWT authentication example, you can prompt Copilot: “Create a pull request for my authentication feature changes”</p>
<p>Copilot will then analyze:</p>
<ul class="wp-block-list">
<li>Code changes across multiple files </li>
<li>Related issues and project context </li>
<li>Team review patterns and expertise areas </li>
<li>Previous similar implementations</li>
</ul>
<p>Copilot returns Markdown with an overview, changes made, a testing strategy, and even related issues.</p>
<p>It will then suggest appropriate reviewers for each aspect of the change based on code ownership, expertise mapping, and current workload.</p>
<p>Once your application is deployed, you can move on to monitoring it.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with <a href="https://docs.github.com/en/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp">GitHub’s MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="5-monitor-application-performance">5. Monitor application performance</h2>
<p>With the core authentication logic handled, now it’s time to ensure that our application performs well by monitoring how it behaves in production. Using MCP to connect to Grafana through the open-source Grafana MCP server makes this easier—though setup requires a few configuration steps.</p>
<p>Let’s say you need to analyze the JWT authentication system’s latency metrics and error rates. You tell Copilot: “Show me auth latency and error-rate panels for the auth-service dashboard for the last 6 hours.”</p>
<p>After configuring the Grafana MCP server with your API key and host URL, Copilot can then query your Grafana instance to:</p>
<ul class="wp-block-list">
<li>Examine authentication latency metrics and p95 response times</li>
<li>Analyze error rates for login endpoints over time</li>
<li>Review existing alert rules for authentication services</li>
<li>Identify patterns in failed authentication attempts</li>
</ul>
<p>Copilot returns panel data as base64-encoded images and can extract raw time-series data when needed. If you need a longer time range, you can specify: “Show me the same metrics for the last 24 hours” and Copilot will adjust the query parameters accordingly.</p>
<p>For more advanced monitoring workflows, you can enable write operations by launching the server with the <code>--enable-write</code> flag and an Editor-role API key. This allows Copilot to create new alert rules or modify dashboard configurations based on your authentication metrics analysis.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more </strong>about the <a href="https://github.com/grafana/mcp-grafana">Grafana MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="whats-next">What’s next?</h2>
<p>Before diving into these powerful integrations, you’ll need to configure your development environment. Here’s how:</p>
<ol class="wp-block-list">
<li><strong>Install MCP extensions</strong>: Enable MCP support in your IDE through official extensions</li>
<li><strong>Configure API access</strong>: Set up authentication for each service (GitHub, Obsidian, Figma, etc.)</li>
<li><strong>Define context boundaries</strong>: Establish what information should be accessible to AI</li>
<li><strong>Security considerations</strong>: Implement proper access controls and data privacy measures</li>
</ol>
<p>A few best practices:</p>
<ul class="wp-block-list">
<li><strong>Start small</strong>: Begin with one integration and gradually expand your usage</li>
<li><strong>Maintain documentation</strong>: Keep your knowledge bases and documentation current for optimal AI assistance</li>
<li><strong>Regularly review Copilot’s outputs</strong>: Periodically audit AI-generated suggestions to ensure quality and security</li>
<li><strong>Build team alignment</strong>: Ensure your team understands and adopts consistent MCP usage patterns</li>
</ul>
<p>The five integration patterns we’ve explored are just the beginning of what’s possible. As MCP’s ecosystem grows, new tools and integrations will keep expanding what you can do with Copilot.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with our <a href="https://docs.github.com/en/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp">remote MCP server ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/">5 ways to transform your workflow using GitHub Copilot and MCP</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89268</post-id> </item>
</channel>
</rss>