Commit a0c1714

jongio and Copilot committed
Sync upstream skills and add deploy confirmation guardrails
- Sync ghcp4a-skills from microsoft/GitHub-Copilot-for-Azure upstream
- Restructure service docs into per-service subdirectories
- Add SDK reference docs across skills
- Add new skills: azure-messaging, azure-resource-lookup, azure-rbac
- Remove deprecated skills: github-copilot, azure-role-selector
- Slim microsoft-foundry SKILL.md, move content to subdirectories
- Add skills_test.go and validation_test.go
- Require explicit user confirmation before Azure deployments
- Clarify --no-prompt vs ask_user in azure-functions skill

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 6baa50a commit a0c1714

371 files changed, +26103 -5352 lines changed

cli/src/internal/assets/agents/azure-manager.md

Lines changed: 22 additions & 10 deletions
@@ -12,14 +12,15 @@ You build apps and deploy them to Azure. That's it.
1212

1313
1. **NEVER ask "do you want to build this on Azure?"** - YES, ALWAYS.
1414
2. **NEVER ask "do you want a local app or cloud app?"** - CLOUD, ALWAYS.
15-
3. **NEVER ask "should I deploy this?"** - YES, ALWAYS.
15+
3. **ALWAYS confirm before deploying** - Use `ask_user` to confirm before running `azd up`, `azd provision`, or `azd deploy`. Provisioning creates real Azure resources that cost money.
1616
4. **NEVER offer alternatives to Azure** - Azure is the only option.
1717
5. **NEVER just give instructions** - DO the work yourself.
1818

1919
The user ran `azd copilot`. That means:
2020
- They want an Azure app
2121
- They want it deployed to Azure
2222
- They want you to build it, not explain how
23+
- But **always confirm before provisioning or deploying** — the user must approve spending real money
2324

2425
## What You Do
2526

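Review bot: Rule 3 and the new closing bullet under "The user ran `azd copilot`" require confirmation but do not say what happens when the user answers no or does not answer. Every neighbouring rule pushes the other way ("YES, ALWAYS", "DO the work yourself"), so the decline path should be explicit: on anything other than a clear yes, stop and run none of `azd up`, `azd provision` or `azd deploy`. It would also help to state that rule 3 takes precedence over rule 5 for those three commands, so the two are not read as conflicting.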
@@ -29,7 +30,7 @@ You are the **coordinator**. You plan the work and delegate to specialized agent
2930
2. **Classify complexity** — simple (do it yourself) vs standard (delegate to agents)
3031
3. Create `docs/spec.md` with the design
3132
4. **Delegate or execute** the build phases
32-
5. Run `azd up` to deploy (always do this yourself)
33+
5. **Confirm with user**, then run `azd up` to deploy (always do this yourself)
3334
6. Report the live URLs
3435

3536
## Agent Delegation
@@ -64,7 +65,7 @@ These agents produce independent file sets — run them **simultaneously**:
6465
### Phase 4: Ship (sequential — you do this)
6566
| Agent | Task |
6667
|-------|------|
67-
| **You (manager)** | Run `azd up`, verify endpoints, report URLs |
68+
| **You (manager)** | Confirm with user, then run `azd up`, verify endpoints, report URLs |
6869
| `azure-docs` | *(after deploy)* Generate README, API docs, ADR | `README.md`, `docs/` |
6970
| `azure-analytics` | *(optional)* Set up monitoring dashboards, KQL queries |
7071
| `azure-marketing` | *(optional)* Landing page copy, feature descriptions |
@@ -94,7 +95,7 @@ Common failure mode: you SAY "I'll delegate to azure-architect and azure-dev" an
9495
- **Reclassify immediately** — the app is now standard complexity
9596
- **Delegate infrastructure changes to `azure-architect`** — do NOT iterate on Bicep yourself when adding Container Apps, ACR, databases, or multi-service architectures. The architect agent has specialized knowledge of AVM module params, dependency ordering, and ACR authentication patterns.
9697
- **Delegate code changes to `azure-dev`** — the dev agent handles backend API scaffolding, Dockerfile creation, and frontend-backend wiring
97-
- The only thing you still do yourself: run `azd up` and verify endpoints
98+
- The only thing you still do yourself: confirm with user, run `azd up`, and verify endpoints
9899
- **Skip `azure-prepare` for upgrades** — if `azure.yaml` already exists and you're adding a service to a running app, do NOT invoke `azure-prepare`. The subscription, region, and environment are already configured. Just read the current files, update the spec, and delegate. Reading 7+ reference files and asking the user to re-confirm subscription/region wastes time.
99100

100101
## Escalation Rules — Stop Guessing After 3 Failures
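Review bot: The changed bullet adds "confirm with user" to the upgrade path, while the next bullet still says that asking the user to re-confirm subscription/region "wastes time". Elsewhere in this file the confirmation is meant to show subscription and region, so an agent can read the two bullets as contradictory and skip the prompt on upgrades. Suggest rewording the `azure-prepare` bullet so it only waives re-selecting subscription and region, and stating that the deploy confirmation still applies when adding a service to a running app.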
@@ -146,7 +147,7 @@ Common failure mode: you SAY "I'll delegate to azure-architect and azure-dev" an
146147
**Simple app ideal turn sequence (target: 5 turns):**
147148
1. View workspace + invoke `avm-bicep-rules` skill + check Free SKU count via PowerShell (parallel)
148149
2. Create ALL files in ONE turn: spec.md, app code, azure.yaml, **main.parameters.json**, Bicep files, .gitignore, .gitattributes, package.json (if SWA). Use `powershell` to create directories first in this same turn if needed. **Never forget main.parameters.json — azd up will fail without it.**
149-
3. Chain deployment prep + deploy in ONE command: `azd env new <project>-<random4digits> --no-prompt && azd env set AZURE_LOCATION <region> --no-prompt && azd up --no-prompt`
150+
3. Set up environment: `azd env new <project>-<random4digits> --no-prompt && azd env set AZURE_LOCATION <region> --no-prompt`. Then **use `ask_user` to confirm** the user wants to deploy (show subscription, region, and what will be created). Only after confirmation, run `azd up --no-prompt`.
150151
4. If deploy step fails with tag error but provision succeeded, wait 15-30s then retry `azd deploy --no-prompt`.
151152
5. Verify endpoint + update spec checkboxes (all in one turn)
152153

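Review bot: Step 4 retries `azd deploy --no-prompt` after a tag error, but rule 3 in the same file now requires `ask_user` before `azd deploy`, and step 3 does not say whether the first approval covers that retry. State it either way, for example that one confirmation covers the `azd up` run plus a single `azd deploy` retry against the same environment, and that anything beyond that needs a new confirmation. Separately, the heading still targets 5 turns although step 3 now contains a user round trip between the `azd env` chain and `azd up --no-prompt`; adjust the target or split the step.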
@@ -240,8 +241,8 @@ Optional in this phase:
240241
- Check box: `- [x] Security review`, `- [x] Tests created`
241242

242243
### 4. Deploy (ALWAYS DO THIS YOURSELF — never delegate)
243-
**Simple:** Chain deploy in one command.
244-
**Standard:** Run `azd up` after verifying architect + dev output.
244+
**Simple:** Set up environment, confirm with user, then deploy.
245+
**Standard:** Verify architect + dev output, confirm with user, then run `azd up`.
245246

246247
**CRITICAL: Use a unique environment name to avoid resource conflicts!**
247248

@@ -270,15 +271,26 @@ For **standard** apps:
270271
```bash
271272
# ALWAYS set the location first to avoid default-region mismatch
272273
azd env set AZURE_LOCATION <confirmed-region> --no-prompt
273-
# Then deploy
274+
```
275+
276+
**⛔ MANDATORY: Use `ask_user` to confirm before deploying.** Show the user what will happen (subscription, region, resources to be created) and ask for explicit confirmation:
277+
```
278+
ask_user(
279+
question: "Ready to deploy to Azure? This will provision resources in subscription '<name>' in region '<region>'. Proceed?",
280+
choices: ["Yes, deploy now", "No, cancel"]
281+
)
282+
```
283+
284+
Only after the user confirms, run:
285+
```bash
274286
azd up --no-prompt
275287
```
276288
277289
> ⚠️ **Never skip `azd env set AZURE_LOCATION`** — without it, `azd up` may default to a region where your services aren't available (e.g., SWA is only in 5 regions). This was observed causing full deployment failures.
278290
279291
> ⚠️ **Tag propagation delay**: If `azd up` provisions successfully but deploy fails with "resource not found: unable to find a resource tagged with 'azd-service-name'" — this is a known Azure tag propagation delay. Wait 15-30 seconds, then retry `azd deploy --no-prompt`. Do NOT re-provision (`azd provision`). A single retry of `azd deploy` is almost always sufficient.
280292
281-
**Run this yourself. Do NOT tell user to run it.**
293+
**Run this yourself after user confirms. Do NOT tell user to run it.**
282294
283295
If it fails:
284296
- **"resource not found" + tag error after successful provision** → wait 15-30 seconds, then retry `azd deploy --no-prompt`. Do NOT re-provision.
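Review bot: The sample `ask_user` question names only the subscription and region, although the sentence above it requires showing "subscription, region, resources to be created". Because the command that follows is `azd up --no-prompt`, this question is the only place the user sees what is about to be provisioned, so the template should carry a placeholder for the resource list (and ideally the environment name) as well. Minor: the `ask_user` fence has no language tag while the surrounding blocks use `bash`.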
@@ -346,7 +358,7 @@ skill("azure-prepare")
346358
347359
1. **ALWAYS create docs/spec.md first** - before any code
348360
2. **ALWAYS save checkpoints** - after each phase (standard complexity only)
349-
3. **ALWAYS run azd up** - never just give instructions
361+
3. **ALWAYS confirm with user before deploying** - then run azd up yourself, never just give instructions
350362
4. **ALWAYS set AZURE_LOCATION before azd up** - prevent region mismatch failures
351363
5. **ALWAYS update task checkboxes** - track progress in spec.md
352364
6. **Bias to action** - build first, refine later

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/SKILL.md

Lines changed: 28 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,33 @@
11
---
22
name: appinsights-instrumentation
3-
description: "Instrument web applications to send telemetry data to Azure Application Insights for observability and monitoring. USE FOR: instrument app with app insights, add appinsights instrumentation, configure application insights, set up telemetry monitoring, enable app insights auto-instrumentation, add observability to azure web app, instrument webapp to send data to app insights, configure telemetry for app service. DO NOT USE FOR: non-Azure monitoring (use CloudWatch for AWS, Datadog for third-party), log analysis (use azure-kusto), cost monitoring (use azure-cost-optimization), security monitoring (use azure-security)."
3+
description: >-
4+
Guidance for instrumenting webapps with Azure Application Insights. Provides telemetry patterns, SDK setup, and configuration references.
5+
USE FOR: how to instrument app, App Insights SDK, telemetry patterns, what is App Insights, Application Insights guidance, instrumentation examples, APM best practices.
6+
DO NOT USE FOR: adding App Insights to my app (use azure-prepare), add telemetry to my project (use azure-prepare), add monitoring (use azure-prepare). This skill provides guidance—azure-prepare orchestrates component changes.
47
---
58

6-
# AppInsights instrumentation
9+
# AppInsights Instrumentation Guide
710

8-
This skill enables sending telemetry data of a webapp to Azure App Insights for better observability of the app's health.
11+
This skill provides **guidance and reference material** for instrumenting webapps with Azure Application Insights.
912

10-
## When to use this skill
13+
> **⛔ ADDING COMPONENTS?**
14+
>
15+
> If the user wants to **add App Insights to their app**, invoke **azure-prepare** instead.
16+
> This skill provides reference material—azure-prepare orchestrates the actual changes.
1117
12-
Use this skill when the user wants to enable telemetry for their webapp.
18+
## When to Use This Skill
19+
20+
- User asks **how** to instrument (guidance, patterns, examples)
21+
- User needs SDK setup instructions
22+
- azure-prepare invokes this skill during research phase
23+
- User wants to understand App Insights concepts
24+
25+
## When to Use azure-prepare Instead
26+
27+
- User says "add telemetry to my app"
28+
- User says "add App Insights"
29+
- User wants to modify their project
30+
- Any request to change/add components
1331

1432
## Prerequisites
1533

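Review bot: The new `description` drops the old redirects for log analysis (`azure-kusto`), cost monitoring (`azure-cost-optimization`) and security monitoring (`azure-security`), and now redirects only to `azure-prepare`. If those skills still exist, keep the redirects so such requests are not routed here. Also, "how to instrument app" under USE FOR and "adding App Insights to my app" under DO NOT USE FOR are close in wording; the "When to Use" lists make the split on intent (explain vs. change the project), and one sentence in the description saying so would make routing less dependent on phrasing.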
@@ -46,3 +64,8 @@ No matter which option you choose, recommend the user to create the App Insights
4664
- If the app is an ASP.NET Core app, see [ASPNETCORE guide](references/aspnetcore.md) for how to modify the C# code.
4765
- If the app is a Node.js app, see [NODEJS guide](references/nodejs.md) for how to modify the JavaScript/TypeScript code.
4866
- If the app is a Python app, see [PYTHON guide](references/python.md) for how to modify the Python code.
67+
68+
## SDK Quick References
69+
70+
- **OpenTelemetry Distro**: [Python](references/sdk/azure-monitor-opentelemetry-py.md) | [TypeScript](references/sdk/azure-monitor-opentelemetry-ts.md)
71+
- **OpenTelemetry Exporter**: [Python](references/sdk/azure-monitor-opentelemetry-exporter-py.md) | [Java](references/sdk/azure-monitor-opentelemetry-exporter-java.md)
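Review bot: The Exporter line links the Java reference without qualification, but that file, added in this same commit, marks the package "DEPRECATED" and tells readers to migrate to `azure-monitor-opentelemetry-autoconfigure`. Mark the Java link as deprecated here, or link an autoconfigure reference instead, so the quick-reference list does not steer new code to a deprecated package.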

cli/src/internal/assets/ghcp4a-skills/appinsights-instrumentation/references/aspnetcore.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,14 +16,14 @@ An ASP.NET Core app typically has a Program.cs file that "builds" the app. Find
1616
1717
## Configure App Insights connection string
1818

19-
The App Insights resource has a connection string. Add the connection string as an environment variable of the running app. You can use Azure CLI to query the connection string of the App Insights resource. See [scripts/appinsights.ps1](scripts/appinsights.ps1) for what Azure CLI command to execute for querying the connection string.
19+
The App Insights resource has a connection string. Add the connection string as an environment variable of the running app. You can use Azure CLI to query the connection string of the App Insights resource. See [scripts/appinsights.ps1](../scripts/appinsights.ps1) for what Azure CLI command to execute for querying the connection string.
2020

2121
After getting the connection string, set this environment variable with its value.
2222

2323
```
2424
"APPLICATIONINSIGHTS_CONNECTION_STRING={your_application_insights_connection_string}"
2525
```
2626

27-
If the app has IaC template such as Bicep or terraform files representing its cloud instance, this environment variable should be added to the IaC template to be applied in each deployment. Otherwise, use Azure CLI to manually apply the environment variable to the cloud instance of the app. See [scripts/appinsights.ps1](scripts/appinsights.ps1) for what Azure CLI command to execute for setting this environment variable.
27+
If the app has IaC template such as Bicep or terraform files representing its cloud instance, this environment variable should be added to the IaC template to be applied in each deployment. Otherwise, use Azure CLI to manually apply the environment variable to the cloud instance of the app. See [scripts/appinsights.ps1](../scripts/appinsights.ps1) for what Azure CLI command to execute for setting this environment variable.
2828

2929
> Important: Don't modify appsettings.json. It was a deprecated way to configure App Insights. The environment variable is the new recommended way.
Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
# Azure Monitor OpenTelemetry Exporter — Java SDK Quick Reference
2+
3+
> Condensed from **azure-monitor-opentelemetry-exporter-java**. Full patterns
4+
> (trace/metric/log export, spans, semantic conventions)
5+
> in the **azure-monitor-opentelemetry-exporter-java** plugin skill if installed.
6+
7+
## Install
8+
```xml
9+
<dependency>
10+
<groupId>com.azure</groupId>
11+
<artifactId>azure-monitor-opentelemetry-exporter</artifactId>
12+
<version>1.0.0-beta.x</version>
13+
</dependency>
14+
```
15+
16+
> **DEPRECATED**: Migrate to `azure-monitor-opentelemetry-autoconfigure`.
17+
18+
## Quick Start
19+
```java
20+
// Prefer autoconfigure instead:
21+
// <artifactId>azure-monitor-opentelemetry-autoconfigure</artifactId>
22+
```
23+
24+
## Best Practices
25+
- Use autoconfigure — migrate to `azure-monitor-opentelemetry-autoconfigure`
26+
- Set meaningful span names — use descriptive operation names
27+
- Add relevant attributes — include contextual data for debugging
28+
- Handle exceptions — always record exceptions on spans
29+
- Use semantic conventions — follow OpenTelemetry semantic conventions
30+
- End spans in finally — ensure spans are always ended
31+
- Use try-with-resources — scope management with try-with-resources pattern
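Review bot: The Install block comes before the deprecation notice and gives a dependency on the package the file then tells readers to leave, with `1.0.0-beta.x` as the version, which is a placeholder rather than a resolvable version. Move the "DEPRECATED" line directly under the title and either drop the Install block or replace it with the `azure-monitor-opentelemetry-autoconfigure` dependency. The Quick Start block holds only comments, and the span-related best practices (record exceptions, end spans in finally) have no code to attach to; either add a minimal autoconfigure example or trim the list to the migration advice.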
Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
# Azure Monitor OpenTelemetry Exporter — Python SDK Quick Reference
2+
3+
> Condensed from **azure-monitor-opentelemetry-exporter-py**. Full patterns
4+
> (metric exporter, log exporter, offline storage, sovereign clouds)
5+
> in the **azure-monitor-opentelemetry-exporter-py** plugin skill if installed.
6+
7+
## Install
8+
pip install azure-monitor-opentelemetry-exporter
9+
10+
## Quick Start
11+
```python
12+
from azure.monitor.opentelemetry.exporter import AzureMonitorTraceExporter
13+
exporter = AzureMonitorTraceExporter() # reads APPLICATIONINSIGHTS_CONNECTION_STRING
14+
```
15+
16+
## Best Practices
17+
- Use BatchSpanProcessor for production (not SimpleSpanProcessor)
18+
- Use ApplicationInsightsSampler for consistent sampling across services
19+
- Enable offline storage for reliability in production
20+
- Use AAD authentication instead of instrumentation keys
21+
- Set export intervals appropriate for your workload
22+
- Use the distro (azure-monitor-opentelemetry) unless you need custom pipelines
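Review bot: The Quick Start only constructs `AzureMonitorTraceExporter()`; nothing registers it with a tracer provider, so the snippet on its own exports no spans, and the first best practice (use `BatchSpanProcessor`) has nothing to refer to. Extend the snippet to attach the exporter through a `BatchSpanProcessor`. The bullet "Use AAD authentication instead of instrumentation keys" also needs a pointer to how, since the only configuration shown is `APPLICATIONINSIGHTS_CONNECTION_STRING`. Minor: the `pip install` line under Install is not fenced, unlike the Install block in the Java reference.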
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# Azure Monitor OpenTelemetry — Python SDK Quick Reference
2+
3+
> Condensed from **azure-monitor-opentelemetry-py**. Full patterns
4+
> (Flask/Django/FastAPI, custom metrics, sampling, live metrics)
5+
> in the **azure-monitor-opentelemetry-py** plugin skill if installed.
6+
7+
## Install
8+
pip install azure-monitor-opentelemetry
9+
10+
## Quick Start
11+
```python
12+
from azure.monitor.opentelemetry import configure_azure_monitor
13+
configure_azure_monitor()
14+
```
15+
16+
## Best Practices
17+
- Call configure_azure_monitor() early — before importing instrumented libraries
18+
- Use environment variables for connection string in production
19+
- Set cloud role name for multi-service Application Map
20+
- Enable sampling in high-traffic applications
21+
- Use structured logging for better log analytics queries
22+
- Add custom attributes to spans for better debugging
23+
- Use AAD authentication for production workloads
Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
# Azure Monitor OpenTelemetry — TypeScript SDK Quick Reference
2+
3+
> Condensed from **azure-monitor-opentelemetry-ts**. Full patterns
4+
> (ESM loader, custom span processors, manual exporters, live metrics)
5+
> in the **azure-monitor-opentelemetry-ts** plugin skill if installed.
6+
7+
## Install
8+
npm install @azure/monitor-opentelemetry
9+
10+
## Quick Start
11+
```typescript
12+
import { useAzureMonitor } from "@azure/monitor-opentelemetry";
13+
useAzureMonitor({
14+
azureMonitorExporterOptions: {
15+
connectionString: process.env.APPLICATIONINSIGHTS_CONNECTION_STRING
16+
}
17+
});
18+
```
19+
20+
## Best Practices
21+
- Call useAzureMonitor() first — before importing other modules
22+
- Use ESM loader for ESM projects — `--import @azure/monitor-opentelemetry/loader`
23+
- Enable offline storage for reliable telemetry in disconnected scenarios
24+
- Set sampling ratio for high-traffic applications
25+
- Add custom dimensions — use span processors for enrichment
26+
- Graceful shutdown — call shutdownAzureMonitor() to flush telemetry

cli/src/internal/assets/ghcp4a-skills/azure-ai/SKILL.md

Lines changed: 11 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
name: azure-ai
3-
description: "Use for Azure AI: Search, Speech, Foundry, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, AI agents, prompt flows, OCR. USE FOR: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, AI agent, prompt flow, Foundry, OCR, convert text to speech. DO NOT USE FOR: Function apps/Functions (use azure-functions), databases (azure-postgres/azure-kusto), resources."
3+
description: "Use for Azure AI: Search, Speech, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, OCR. USE FOR: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, OCR, convert text to speech. DO NOT USE FOR: Function apps/Functions (use azure-functions), databases (azure-postgres/azure-kusto), general Azure resources."
44
---
55

66
# Azure AI Services
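Review bot: The `description` removes Foundry, AI agents and prompt flows from what the skill covers but adds no matching entry under DO NOT USE FOR. The commit message refers to a `microsoft-foundry` skill; adding "Foundry, AI agents, prompt flows (use microsoft-foundry)" to the exclusions would route those requests explicitly rather than leaving them to fall through.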
@@ -11,7 +11,6 @@ description: "Use for Azure AI: Search, Speech, Foundry, OpenAI, Document Intell
1111
|---------|----------|-----------|-----|
1212
| AI Search | Full-text, vector, hybrid search | `azure__search` | `az search` |
1313
| Speech | Speech-to-text, text-to-speech | `azure__speech` | - |
14-
| Foundry | AI models, agents, prompt flows | `azure__foundry` | `az ml` |
1514
| OpenAI | GPT models, embeddings, DALL-E | - | `az cognitiveservices` |
1615
| Document Intelligence | Form extraction, OCR | - | - |
1716

@@ -28,11 +27,6 @@ When Azure MCP is enabled:
2827
- `azure__speech` with command `speech_transcribe` - Speech to text
2928
- `azure__speech` with command `speech_synthesize` - Text to speech
3029

31-
### Foundry
32-
- `azure__foundry` with command `foundry_model_list` - List AI models
33-
- `azure__foundry` with command `foundry_deployment_list` - List deployments
34-
- `azure__foundry` with command `foundry_agent_list` - List AI agents
35-
3630
**If Azure MCP is not enabled:** Run `/azure:setup` or enable via `/mcp`.
3731

3832
## AI Search Capabilities
@@ -53,19 +47,21 @@ When Azure MCP is enabled:
5347
| Speaker diarization | Identify who spoke when |
5448
| Custom models | Domain-specific vocabulary |
5549

56-
## Foundry Capabilities
50+
## SDK Quick References
5751

58-
| Feature | Description |
59-
|---------|-------------|
60-
| Model catalog | GPT-4, Llama, Mistral, custom |
61-
| AI agents | Multi-turn, tool calling, RAG |
62-
| Prompt flow | Orchestration, evaluation |
63-
| Fine-tuning | Custom model training |
52+
For programmatic access to these services, see the condensed SDK guides:
53+
54+
- **AI Search**: [Python](references/sdk/azure-search-documents-py.md) | [TypeScript](references/sdk/azure-search-documents-ts.md) | [.NET](references/sdk/azure-search-documents-dotnet.md)
55+
- **OpenAI**: [.NET](references/sdk/azure-ai-openai-dotnet.md)
56+
- **Vision**: [Python](references/sdk/azure-ai-vision-imageanalysis-py.md) | [Java](references/sdk/azure-ai-vision-imageanalysis-java.md)
57+
- **Transcription**: [Python](references/sdk/azure-ai-transcription-py.md)
58+
- **Translation**: [Python](references/sdk/azure-ai-translation-text-py.md) | [TypeScript](references/sdk/azure-ai-translation-ts.md)
59+
- **Document Intelligence**: [.NET](references/sdk/azure-ai-document-intelligence-dotnet.md) | [TypeScript](references/sdk/azure-ai-document-intelligence-ts.md)
60+
- **Content Safety**: [Python](references/sdk/azure-ai-contentsafety-py.md) | [TypeScript](references/sdk/azure-ai-contentsafety-ts.md) | [Java](references/sdk/azure-ai-contentsafety-java.md)
6461

6562
## Service Details
6663

6764
For deep documentation on specific services:
6865

6966
- AI Search indexing and queries -> [Azure AI Search documentation](https://learn.microsoft.com/azure/search/search-what-is-azure-search)
7067
- Speech transcription patterns -> [Azure AI Speech documentation](https://learn.microsoft.com/azure/ai-services/speech-service/overview)
71-
- Foundry agents and flows -> [Azure AI Foundry documentation](https://learn.microsoft.com/azure/ai-studio/what-is-ai-studio)
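Review bot: The new SDK Quick References list includes Vision, Translation and Content Safety, none of which appear in the `description` ("Search, Speech, OpenAI, Document Intelligence") or in the services table earlier in the file, so requests about them are unlikely to select this skill and reach these links. Either add those services to the description and table or move the references to the skill that covers them. Speech, conversely, is in the table but has no SDK entry unless "Transcription" is meant to be it; say so if it is.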
