Skip to content

refactor(sample-catalog): discover languages/frameworks dynamically, replace allowlists with empty blacklists#509

Merged
huimiu merged 11 commits into
template/stablefrom
template/dev
Jul 1, 2026
Merged

refactor(sample-catalog): discover languages/frameworks dynamically, replace allowlists with empty blacklists#509
huimiu merged 11 commits into
template/stablefrom
template/dev

Conversation

@Yimin-Jin

Copy link
Copy Markdown
Collaborator

No description provided.

Yimin-Jin and others added 10 commits June 2, 2026 10:52
Make the workflow_dispatch `commit_sha` input optional. When the user leaves it blank, a new `Resolve commit SHA` step queries the GitHub API for the current tip of `microsoft-foundry/foundry-samples@main` and pins the catalog generation to that SHA.

- `commit_sha`: required=false, default empty.

- New step uses `gh api` (default GITHUB_TOKEN, contents:read is enough for a public repo) and validates the result looks like a SHA before using it.

- The pinned SHA + its source (user input vs. resolved-from-main) is echoed to the step summary so reviewers can see what the run targeted.

- `Generate sample catalog` now reads from `steps.resolve-sha.outputs.sha` instead of `inputs.commit_sha` directly.
Switch sample discovery from a fail-open blacklist (BLOCKED_PATH_SEGMENTS) to a fail-closed category allow-list (ALLOWED_CATEGORY_SEGMENTS = responses, invocations, voicelive).

Flat templates directly under a framework (csharp agent-framework layout) are always kept; nested templates must live under an allow-listed category, so new upstream groupings like a2a and invocations_ws stay out of the picker until explicitly opted in.

Validated against foundry-samples@main: 76 templates kept; a2a and invocations_ws excluded; 4 voicelive and 17 flat csharp agent-framework templates retained.
Replace the hard-coded LANGUAGES/FRAMEWORKS allowlists and the responses/invocations protocol allowlist with dynamic discovery from the samples git tree, filtered through empty-by-default BLOCKED_LANGUAGES/BLOCKED_FRAMEWORKS/BLOCKED_PROTOCOLS blacklists.

New upstream languages, frameworks, and protocols are now picked up automatically; the blacklists remain an explicit opt-out. Security validation (isSafePathSegment, commit-SHA regex, hidden-dir blocking) is unchanged.
Replace ALLOWED_CATEGORY_SEGMENTS (fail-closed allow-list) with an empty BLOCKED_CATEGORY_SEGMENTS (fail-open blacklist) so category filtering matches the language/framework/protocol blacklist model. Every discovered category now surfaces by default; add a segment to the blacklist to drop it.
@Yimin-Jin Yimin-Jin requested a review from huimiu as a code owner July 1, 2026 09:29
…icts)

Resolve conflicts by keeping dev's all-blacklist generate_sample_catalog.mjs (a strict superset of stable's category allow-list) and taking stable's newer sample-catalog.json (regenerated by CI). CODEOWNERS and the identical workflow from stable are preserved.
@huimiu huimiu merged commit 1d923a1 into template/stable Jul 1, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants