Skip to content

ci: bootstrap sample-catalog sync workflow#398

Merged
Yimin-Jin merged 9 commits into
devfrom
yimin/sync-catalog-bootstrap
May 27, 2026
Merged

ci: bootstrap sample-catalog sync workflow#398
Yimin-Jin merged 9 commits into
devfrom
yimin/sync-catalog-bootstrap

Conversation

@Yimin-Jin
Copy link
Copy Markdown
Collaborator

@Yimin-Jin Yimin-Jin commented May 27, 2026
edited
Loading

Summary

Bootstrap the sample-catalog sync pipeline in this repo, mirroring what was
just landed in microsoft-foundry-for-vscode
(PRs #643
and #646).

What this adds

File Purpose
.github/workflows/sync-sample-catalog.yml workflow_dispatch job that runs the generator, opens a draft PR with the refreshed catalog, and labels it.
.github/scripts/generate_sample_catalog.mjs Walks the upstream microsoft-foundry/foundry-samples repo, extracts metadata from agent.yaml / agent.manifest.yaml, merges overrides, and writes samples/hosted-agent/sample-catalog.json.
samples/hosted-agent/sample-overrides.json PM-managed per-path framework/requiresModel/displayName/description overrides.
samples/hosted-agent/sample-catalog.json Initially generated catalog (added by the workflow's first run via the auto-PR it created against this branch).

How the workflow authenticates

PR creation goes through a dedicated GitHub App (see Generate GitHub App token step). This matches the source workflow in
microsoft-foundry-for-vscode and is required because the microsoft org
blocks the built-in GITHUB_TOKEN from creating or approving pull requests.

The default GITHUB_TOKEN is scoped to contents: read (only what
actions/checkout needs); all write operations use the App token.

Required secrets (must be configured before triggering the workflow)

Secret Purpose
SYNC_APP_ID App ID of the GitHub App used to author the auto-PRs.
SYNC_APP_PRIVATE_KEY Private key (PEM) for that App.
AZURE_OPENAI_ENDPOINT Azure OpenAI endpoint used to generate description fields when an entry has none.
AZURE_OPENAI_API_KEY Azure OpenAI key.
AZURE_OPENAI_DEPLOYMENT Deployment name (currently gpt-4o-mini).

The App must be installed on this repo with Contents: write and
Pull requests: write permissions.

Reviewer checks

  • Workflow has only the workflow_dispatch trigger (won't auto-run on push/PR).
  • Default GITHUB_TOKEN is scoped to contents: read; writes go via the App token.
  • Secrets list matches what the workflow actually references.

Yimin-Jin and others added 8 commits May 27, 2026 12:00
@Yimin-Jin
ci: bootstrap sample-catalog sync workflow
6510109 
Copy the sync-sample-catalog pipeline from microsoft-foundry-for-vscode so the foundry-toolkit repo can publish samples/hosted-agent/sample-catalog.json from upstream microsoft-foundry/foundry-samples.

- .github/workflows/sync-sample-catalog.yml: workflow_dispatch-triggered job that runs the generator and opens a draft PR with the regenerated catalog.
- .github/scripts/generate_sample_catalog.mjs: walks the upstream tree, derives displayName/protocol/requiresModel from each agent.yaml + manifest, applies sample-overrides.json, and LLM-generates descriptions.
- samples/hosted-agent/sample-overrides.json: PM-managed per-path framework/requiresModel overrides.

The workflow has only a workflow_dispatch trigger and requires repo secrets (SYNC_APP_ID, SYNC_APP_PRIVATE_KEY, AZURE_OPENAI_ENDPOINT, AZURE_OPENAI_API_KEY, AZURE_OPENAI_DEPLOYMENT) to run; secrets are intentionally not configured yet, so the workflow stays dormant until they are added.
@Yimin-Jin
ci: drop GitHub App token, use built-in GITHUB_TOKEN
bfb88eb 
Org-level GitHub App creation requires admin permission this repo's maintainer does not have. Since foundry-toolkit has no PR checks today, the anti-recursion limitation of GITHUB_TOKEN (auto-PRs don't trigger downstream workflows) is acceptable. Drop the create-github-app-token step and the SYNC_APP_ID / SYNC_APP_PRIVATE_KEY secret requirements; comment in the workflow records the trade-off so a future switch back to a GitHub App is obvious.
@Yimin-Jin
ci(temp): push trigger + hardcoded SHA for bootstrap smoke test
6225353 
workflow_dispatch requires the workflow file to exist on the default branch before dispatch is allowed (404 otherwise). Temporarily add a push trigger scoped to this feature branch and a hardcoded DEFAULT_COMMIT_SHA fallback so committing alone runs the pipeline end-to-end. To be reverted before merge.
@Yimin-Jin
ci: restore GitHub App token
148795d 
Org policy blocks GITHUB_TOKEN from creating PRs (see https://github.com/microsoft/foundry-toolkit/actions/runs/26492230324). Switch back to the App-token approach: a personal GitHub App was created and installed on this repo, with App ID + private key stored in SYNC_APP_ID / SYNC_APP_PRIVATE_KEY secrets. This reverts the GITHUB_TOKEN simplification commit; the temporary push trigger + DEFAULT_COMMIT_SHA are still in place for one more smoke test before final cleanup.
@Yimin-Jin
ci: retrigger sync workflow smoke test
144285c
@Yimin-Jin @github-actions
ci: sync sample catalog from foundry-samples (yimin/sync-catalog-boot…
c1c12c4 
…strap)
@Yimin-Jin
Merge pull request #399 from microsoft/ci/sync-sample-catalog-yimin/s…
fa9b5fa 
…ync-catalog-bootstrap-20260527
@Yimin-Jin
Revert "ci(temp): push trigger + hardcoded SHA for bootstrap smoke test"
86e74b7 
This reverts commit 6225353.
@Yimin-Jin Yimin-Jin requested a review from Copilot May 27, 2026 06:43
@Yimin-Jin Yimin-Jin marked this pull request as ready for review May 27, 2026 06:43
Copilot AI reviewed May 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Bootstraps a GitHub Actions–driven pipeline to regenerate samples/hosted-agent/sample-catalog.json from the upstream microsoft-foundry/foundry-samples repo, including a Node.js generator script and a small overrides file to correct per-template metadata.

Changes:

  • Adds a workflow_dispatch workflow that generates the catalog and opens/updates a draft PR with the refreshed JSON.
  • Introduces a Node.js generator script that scans upstream templates, derives metadata from agent.yaml / agent.manifest.yaml, applies overrides, and optionally generates descriptions via Azure OpenAI.
  • Adds a checked-in initial sample-catalog.json plus sample-overrides.json for per-path metadata corrections.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/sync-sample-catalog.yml Adds the manual workflow to generate the catalog and open a draft PR via a GitHub App token.
.github/scripts/generate_sample_catalog.mjs Implements the upstream scan + catalog generation logic, including overrides and optional LLM description generation.
samples/hosted-agent/sample-overrides.json Adds PM-managed per-path overrides used during generation.
samples/hosted-agent/sample-catalog.json Adds the initially generated catalog output committed into the repo.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/sync-sample-catalog.yml
Comment thread .github/workflows/sync-sample-catalog.yml Outdated
Comment thread .github/scripts/generate_sample_catalog.mjs
Comment thread .github/scripts/generate_sample_catalog.mjs
@Yimin-Jin
ci: tighten default GITHUB_TOKEN to contents:read
05fed8b 
All write operations (branch push, PR create) go through the GitHub App token, so the default GITHUB_TOKEN only needs read access for actions/checkout. Addresses PR #398 review feedback.
@Yimin-Jin Yimin-Jin merged commit 26cc039 into dev May 27, 2026
1 check passed
@Yimin-Jin Yimin-Jin deleted the yimin/sync-catalog-bootstrap branch May 27, 2026 07:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@huimiu huimiu huimiu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Yimin-Jin @huimiu