From eb75e338304ec465c56028e2ef78d4a3781452a8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 18 Mar 2026 15:36:35 +0000 Subject: [PATCH] Update guide: subagentStart hook, MCP_ALLOWLIST, SDK session APIs, GHAS Pack - Hooks: add subagentStart hook type (v1.0.7), hooks-in-settings.json support (v1.0.8) - MCP Servers: add MCP_ALLOWLIST experimental registry validation (v1.0.8) - Copilot SDK: add experimental SDK session APIs for skills/MCP/plugins (v1.0.7) - awesome-copilot: mention new GHAS Pack (CodeQL, Dependabot, Secret Scanning skills) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 23c1a8c..90f45ee 100644 --- a/README.md +++ b/README.md @@ -306,6 +306,7 @@ When creating or modifying database tables. | **Discovery** | VS Code has a built-in MCP server gallery (search `@mcp` in Extensions) | | **Security** | Servers run locally — your credentials stay on your machine | | **OAuth / API keys** | MCP servers can request you to visit a URL for out-of-band auth flows (e.g. OAuth, API key entry) | +| **Registry validation** | Enable the experimental `MCP_ALLOWLIST` feature flag to validate servers against configured registries before they are loaded | --- @@ -315,7 +316,7 @@ Custom scripts that run automatically at specific lifecycle events — like pre- > **When you need it:** You want every code generation to be auto-formatted with Prettier, or every commit to run lint checks, without remembering to do it manually. -**📁 Location:** `.github/hooks/` (repo-level) or `~/.copilot/hooks/` (personal, user-level) +**📁 Location:** `.github/hooks/` (repo-level) or `~/.copilot/hooks/` (personal, user-level). Hooks can also be defined inline in `settings.json`, `settings.local.json`, or `config.json`.
Example — repo-level .github/hooks/hooks.json @@ -332,6 +333,9 @@ Custom scripts that run automatically at specific lifecycle events — like pre- }, "startup": { "prompt": "/compact Summarize recent changes in RecipeShare" + }, + "subagentStart": { + "prompt": "You are working on RecipeShare. Always check CONTRIBUTING.md before making changes." } } } @@ -346,17 +350,20 @@ Custom scripts that run automatically at specific lifecycle events — like pre- | `post-edit` | After Copilot edits a file | | `pre-commit` | Before a git commit | | `startup` | When a CLI session starts — auto-submits a prompt or slash command | +| `subagentStart` | When a subagent is spawned — injects additional context into the subagent's prompt | **Config notes:** - Use `"command"` as a **cross-platform alias** for `bash`/`powershell` shell commands — works on all platforms without separate entries - `"timeout"` is accepted as an alias for `"timeoutSec"` for readable config - Personal hooks (`~/.copilot/hooks/`) apply across all repos; repo-level hooks (`.github/hooks/`) are scoped to that repo +- Hooks can also be defined directly in `settings.json`, `settings.local.json`, or `config.json` under a `"hooks"` key — useful for user-level overrides without a separate file | | | |---|---| | **Scope** | Runs automatically at lifecycle events — no manual invocation | | **Personal hooks** | `~/.copilot/hooks/` — applies to all repos on your machine | +| **`subagentStart`** | New in v1.0.7 — fires when a `/fleet` subagent is spawned; use to inject project-wide context | | **Difference from skills** | Skills are knowledge Copilot reads; hooks are scripts Copilot runs | --- 
@@ -802,6 +809,7 @@ npm install @github/copilot-sdk | **Status** | Technical preview | | **Languages** | Node.js, Python, Go, .NET | | **Repository** | [github.com/github/copilot-sdk](https://github.com/github/copilot-sdk) | +| **Session APIs** | Experimental session APIs (v1.0.7+) let you list and manage skills, MCP servers, and plugins with optional auto-discovery from the working directory | | **Difference from agents** | Agents are markdown prompts; SDK is programmatic code | --- @@ -897,6 +905,8 @@ A curated collection of Copilot resources, customizations, and advanced patterns Includes custom instructions examples, agent patterns, orchestration strategies, MCP configs, community skills, and guides for maximizing agentic workflows. A great starting point for seeing how others use these features in practice. +Recent community additions include a **GHAS Pack** — a set of skills for GitHub Advanced Security covering **CodeQL** (static analysis), **Dependabot** (dependency security), and **Secret Scanning**, contributed by the community on 2026-03-18. + --- ## Best Practices
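Review bot: In the README.md hunk at @@ -306,6 +306,7, the new **Registry validation** row does not say what happens to a server that fails validation, or where the registries are configured. A reader enabling `MCP_ALLOWLIST` as a control needs to know whether a non-matching server is refused or only flagged, so please state that and name the setting that holds the registry list. The commit message ties this flag to v1.0.8; putting the version in the row would match the "New in v1.0.7" wording used for `subagentStart`.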
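Review bot: In the hunk at @@ -315,7 +316,7, the extended **Location** line names `settings.json`, `settings.local.json` and `config.json` without saying which directory they live in, or which definition wins when the same hook is also defined in `.github/hooks/` or `~/.copilot/hooks/`. Hooks run automatically, so this line should let a reader enumerate every place to check when auditing what will run; please add the paths and the precedence order. The same sentence is repeated as a Config notes bullet in the hunk at @@ -346,17 +350,20; keep the detail (the `"hooks"` key) in one of the two places and shorten the other.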
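Review bot: In the hunk at @@ -332,6 +333,9, the `subagentStart` example lives in the repo-level `.github/hooks/hooks.json`, so its `"prompt"` text comes from the repository and is injected into subagent prompts for everyone working in that repo, which the guide does not spell out. Suggest one sentence next to the example saying that changes to this file should be reviewed like code changes, and that personal context belongs in `~/.copilot/hooks/` instead.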
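Review bot: In the hunk at @@ -346,17 +350,20, the two added `subagentStart` rows disagree on scope: the hook table says it fires "When a subagent is spawned", while the summary table says it "fires when a `/fleet` subagent is spawned". Please make them agree so readers know whether subagents started by other means also receive the injected context. It is also worth confirming that the camelCase key is intended, since the neighbouring hook names are `post-edit`, `pre-commit` and `startup`.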
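Review bot: In the hunk at @@ -802,6 +809,7, the **Session APIs** row mentions "optional auto-discovery from the working directory" but not whether it is on or off by default. That default decides whether skills, MCP servers and plugins found in a checked-out directory are picked up without the caller asking for them, so please state it and say how to turn discovery off.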
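Review bot: In the hunk at @@ -897,6 +905,8, the GHAS Pack sentence hard-codes "contributed by the community on 2026-03-18" alongside "Recent community additions", and both will read as stale once the guide ages. Suggest dropping the date, or moving it to a changelog, and linking the pack directly so readers can inspect the CodeQL, Dependabot and Secret Scanning skills before installing them.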