Add Copilot review instructions for OSS license files #300954
Merged
benvillalobos merged 2 commits into microsoft:main from Mar 12, 2026
Path-scoped instructions for ThirdPartyNotices.txt, cglicenses.json, and cgmanifest.json. Teaches Copilot code review what to verify when reviewing automated OSS tool PRs.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a path-scoped Copilot instruction file to guide reviews of automated OSS compliance outputs (ThirdPartyNotices / CG manifest files) as part of OSS Tool Automation V0.
Changes:
- Add .github/instructions/oss.instructions.md with review checks and red flags for ThirdPartyNotices.txt, cli/ThirdPartyNotices.txt, cglicenses.json, and cgmanifest.json.
Comments suppressed due to low confidence (2)
.github/instructions/oss.instructions.md:26
- The cgmanifest.json checklist says license identifiers should use SPDX format, but cgmanifest.json already contains non‑SPDX values like LGPL-2.1+, OTHER, and free-form strings (e.g. "MIT and Creative Commons Attribution 4.0"). As written, this will cause noisy reviews even when changes are unrelated. Suggest narrowing this to "ensure license values follow the schema/tool expectations" and/or only flag newly introduced unknown/placeholder license strings.
- Package versions match what's actually installed
- Repository URLs are valid and point to real source repositories
- License identifiers use SPDX format and match the corresponding ThirdPartyNotices.txt entries
.github/instructions/oss.instructions.md:31
- The "Any copyleft license (GPL, LGPL, AGPL) — flag immediately" red flag will always trigger for cgmanifest.json because it already includes LGPL entries (e.g. ffmpeg). To avoid permanent false positives, this should be scoped to newly added/changed components or require checking against an allowlist/known exceptions.
- Any copyleft license (GPL, LGPL, AGPL) — flag immediately
- Any "UNKNOWN" or placeholder license text
- Copyleft flag now only applies to newly added entries (existing LGPL entries like ffmpeg are pre-approved)
- SPDX format check softened to 'where possible' since cgmanifest already contains non-SPDX values like OTHER
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
TylerLeonhardt approved these changes Mar 12, 2026
Adds path-scoped .instructions.md for ThirdPartyNotices.txt, cglicenses.json, and cgmanifest.json. Teaches Copilot code review what to verify when reviewing automated OSS tool PRs.
Part of the OSS Tool Automation V0 — see vscode-engineering#2023 for the full spec.
Related to #300158
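The scoping that the suppressed review comments ask for and the follow-up commit adopts (flag copyleft and placeholder licenses only on new or changed entries, leaving existing ones such as ffmpeg alone) can be checked mechanically by diffing the base and head cgmanifest.json. This is an added example, not code from the PR or the repository; the registrations/component/license field layout, the TODO/TBD placeholder tokens and every sample entry are assumptions constructed for illustration.

```python
import json
import re

# Copyleft families named in the checklist: GPL, LGPL, AGPL (also matches "GPLv2").
COPYLEFT = re.compile(r"\b[AL]?GPL", re.IGNORECASE)
# "UNKNOWN" comes from the checklist; TODO/TBD are assumed placeholder tokens.
PLACEHOLDER = re.compile(r"\b(UNKNOWN|TODO|TBD)\b", re.IGNORECASE)

def component_key(reg):
    """Stable identity for a registration (assumed layout: component.<type>.name)."""
    comp = reg.get("component", {})
    detail = comp.get(comp.get("type", ""), {})
    return detail.get("name") or detail.get("repositoryUrl") or json.dumps(comp, sort_keys=True)

def load_licenses(text):
    """Map component key -> normalized license string for one manifest version."""
    regs = json.loads(text).get("registrations", [])
    return {component_key(r): (r.get("license") or "").strip() for r in regs}

def review_licenses(base_text, head_text):
    """Return (component, license, reason) for entries added or re-licensed in head."""
    base = load_licenses(base_text)
    findings = []
    for key, lic in load_licenses(head_text).items():
        if base.get(key) == lic:
            continue  # unchanged entry: already reviewed, do not re-flag
        if not lic or PLACEHOLDER.search(lic):
            findings.append((key, lic, "placeholder"))
        elif COPYLEFT.search(lic):
            findings.append((key, lic, "copyleft"))
    return findings

def _reg(name, lic):
    # Constructed sample entry; the repository URL is a placeholder.
    return {"component": {"type": "git", "git": {
        "name": name, "repositoryUrl": f"https://example.invalid/{name}"}},
        "license": lic}

# Constructed manifests: base holds the pre-approved LGPL and OTHER entries.
BASE = json.dumps({"registrations": [_reg("ffmpeg", "LGPL-2.1+"),
                                     _reg("example-other", "OTHER")]})
HEAD = json.dumps({"registrations": [_reg("ffmpeg", "LGPL-2.1+"),
                                     _reg("example-other", "OTHER"),
                                     _reg("example-mit-lib", "MIT"),
                                     _reg("example-gpl-lib", "GPL-3.0-only"),
                                     _reg("example-unlabelled", "UNKNOWN")]})

if __name__ == "__main__":
    for name, lic, reason in review_licenses(BASE, HEAD):
        print(f"{reason}: {name} ({lic!r})")
```

Entries whose license string is unchanged between base and head are never reported, so the existing LGPL-2.1+ and OTHER values stay quiet while a re-licensed component is treated like a new one.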