refactor(sample-catalog): discover languages/frameworks dynamically, replace allowlists with empty blacklists #509
Merged
Make the workflow_dispatch `commit_sha` input optional. When the user leaves it blank, a new `Resolve commit SHA` step queries the GitHub API for the current tip of `microsoft-foundry/foundry-samples@main` and pins the catalog generation to that SHA.
- `commit_sha`: required=false, default empty.
- New step uses `gh api` (default GITHUB_TOKEN, contents:read is enough for a public repo) and validates the result looks like a SHA before using it.
- The pinned SHA + its source (user input vs. resolved-from-main) is echoed to the step summary so reviewers can see what the run targeted.
- `Generate sample catalog` now reads from `steps.resolve-sha.outputs.sha` instead of `inputs.commit_sha` directly.
Switch sample discovery from a fail-open blacklist (BLOCKED_PATH_SEGMENTS) to a fail-closed category allow-list (ALLOWED_CATEGORY_SEGMENTS = responses, invocations, voicelive). Flat templates directly under a framework (csharp agent-framework layout) are always kept; nested templates must live under an allow-listed category, so new upstream groupings like a2a and invocations_ws stay out of the picker until explicitly opted in. Validated against foundry-samples@main: 76 templates kept; a2a and invocations_ws excluded; 4 voicelive and 17 flat csharp agent-framework templates retained.
Replace the hard-coded LANGUAGES/FRAMEWORKS allowlists and the responses/invocations protocol allowlist with dynamic discovery from the samples git tree, filtered through empty-by-default BLOCKED_LANGUAGES/BLOCKED_FRAMEWORKS/BLOCKED_PROTOCOLS blacklists. New upstream languages, frameworks, and protocols are now picked up automatically; the blacklists remain an explicit opt-out. Security validation (isSafePathSegment, commit-SHA regex, hidden-dir blocking) is unchanged.
Replace ALLOWED_CATEGORY_SEGMENTS (fail-closed allow-list) with an empty BLOCKED_CATEGORY_SEGMENTS (fail-open blacklist) so category filtering matches the language/framework/protocol blacklist model. Every discovered category now surfaces by default; add a segment to the blacklist to drop it.
…replace allowlists with empty blacklists
…icts) Resolve conflicts by keeping dev's all-blacklist generate_sample_catalog.mjs (a strict superset of stable's category allow-list) and taking stable's newer sample-catalog.json (regenerated by CI). CODEOWNERS and the identical workflow from stable are preserved.
huimiu
approved these changes
Jul 1, 2026
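The commits above move category filtering from a fail-closed allow-list to an empty fail-open blocklist. The following is an added example, not code from this pull request, that runs both models over one constructed tree and reports which templates surface only because the filter is fail-open. The path layout, the sample paths, and the names `isSafeSegment`, `keepTemplate` and `diffModels` are assumptions; only the two constant names and the category values come from the commit messages.

```javascript
// Added illustration, not the project's generate_sample_catalog.mjs.
// Assumed layout (not confirmed by the page):
//   <language>/<framework>/<template>              flat
//   <language>/<framework>/<category>/<template>   nested
const ALLOWED_CATEGORY_SEGMENTS = new Set(["responses", "invocations", "voicelive"]);
const BLOCKED_CATEGORY_SEGMENTS = new Set(); // empty by default, per the later commits

// Hypothetical stand-in for isSafePathSegment, whose body is not on the page.
// Segments must start with an alphanumeric, so ".", ".." and hidden dirs fail.
function isSafeSegment(seg) {
  return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(seg);
}

// mode "allow" = fail-closed allow-list, mode "block" = fail-open blocklist.
function keepTemplate(path, mode) {
  const segs = path.split("/");
  if (!segs.every(isSafeSegment)) return false; // validation runs in both models
  if (segs.length === 3) return true;           // flat template: always kept
  if (segs.length !== 4) return false;          // unknown depth: drop
  const category = segs[2];
  return mode === "allow"
    ? ALLOWED_CATEGORY_SEGMENTS.has(category)
    : !BLOCKED_CATEGORY_SEGMENTS.has(category);
}

// Returns what each model publishes plus the delta a reviewer should look at:
// templates that appear only because nothing blocked them.
function diffModels(paths) {
  const allow = paths.filter((p) => keepTemplate(p, "allow"));
  const block = paths.filter((p) => keepTemplate(p, "block"));
  return { allow, block, onlyFailOpen: block.filter((p) => !allow.includes(p)) };
}

// Constructed sample tree; framework and template names are made up.
const SAMPLE_PATHS = [
  "python/hosted-agents/responses/basic",
  "python/hosted-agents/invocations/basic",
  "python/hosted-agents/voicelive/basic",
  "python/hosted-agents/a2a/basic",
  "python/hosted-agents/invocations_ws/basic",
  "csharp/agent-framework/hello-agent",
  "python/hosted-agents/.github/basic",
  "python/hosted-agents/../secrets",
];

const report = diffModels(SAMPLE_PATHS);
console.log("surfaced only under the blocklist model:", report.onlyFailOpen);
```

Writing the `onlyFailOpen` list to the workflow step summary would give reviewers the same visibility into newly surfaced categories that the pinned-SHA echo gives for the targeted commit.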
No description provided.