Merge remote-tracking branch 'microsoft/master'

Author: trueqbit

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,8 @@
 Checklist for Pull Requests
 - [ ] Have you signed the [Contributor License Agreement](https://cla.opensource.microsoft.com/microsoft/winget-pkgs)?
-- [ ] Is there a linked Issue?
+- [ ] Is there a linked Issue?  If so, fill in the Issue number below.
+   <!-- Example: Resolves #328283 -->
+  - Resolves #[Issue Number]
 
 Manifests
 - [ ] Have you checked that there aren't other open [pull requests](https://github.com/microsoft/winget-pkgs/pulls) for the same manifest update/change?

.github/instructions/manifests.instructions.md

@@ -0,0 +1,117 @@
+---
+applyTo: "manifests/**/*"
+---
+
+# Windows Package Manager Community Repository - Copilot Instructions
+
+## Repository Overview
+
+This is the **Windows Package Manager (WinGet)** community repository containing **~415,000+ manifest files** for software packages installable via `winget`. The repository is a **manifest-only** repository - no application code, just YAML metadata files describing how to install Windows applications.
+
+**Key Facts:**
+- **Primary Language:** YAML manifest files, PowerShell scripts for tooling
+- **Target Runtime:** Windows 10/11, Windows Package Manager client
+- **Size:** Large repository with alphabetically organized manifests
+- **Schema:** Uses multi-file YAML manifests (version 1.10.0 recommended, 1.9.0 also supported)
+- **Supported Installers:** MSIX, MSI, APPX, EXE only (scripts are not supported)
+
+## Critical: How This Repository Works
+
+**This is NOT a traditional code repository.** You typically work with **manifest files only**, not application source code. Each PR should modify **exactly one package** (one manifest set).
+
+### Manifest Structure (Multi-File Format Required)
+
+Manifests are located in: `manifests/<first-letter>/<Publisher>/<Package>/<Version>/`
+
+For example: `manifests/m/Microsoft/WindowsTerminal/1.0.1401.0/`
+
+**Required files per version:**
+1. `<PackageIdentifier>.yaml` - Version file (references other files)
+2. `<PackageIdentifier>.installer.yaml` - Installer details, URLs, SHA256
+3. `<PackageIdentifier>.locale.en-US.yaml` - Default locale metadata
+
+**File Naming:** Must match `PackageIdentifier` exactly (case-sensitive).
+
+## Instruction Priority
+
+The instructions in the **Performance Rules**, **Allowed Local Searches**, and **Explicit Required Behavior** sections are **mandatory**.  
+They override all other information in this file.
+
+Copilot must always follow these rules when performing PR reviews, even if other documentation in this file describes general repository behavior.
+
+## Performance Rules (Very Important)
+
+This repository contains a very large directory: `manifests/`.  
+Copilot must **never recursively scan or search the entire `manifests/` folder** during PR reviews.
+
+Large-scale searches cause severe performance issues and timeouts.
+
+## Allowed Local Searches (Package-Scoped Only)
+
+When Copilot needs to compare or validate manifest conventions (for example, `ReleaseDate`, `InstallerSha256`, or schema field placement):
+
+### Copilot is allowed to:
+- Search **ONLY within the package folder of the manifest being modified**.
+- This package folder follows the structure: `manifests/<first-letter>/<Publisher>/<Package>/<Version>/`
+
+### Copilot MUST NOT:
+- Search sibling publishers
+- Search unrelated packages
+- Search the entire `manifests/` directory
+- Perform global searches to find examples
+- Use `search_dir` on `manifests/` or any directory wider than the package root
+
+## Allowed Searches Outside the Manifests Directory
+
+Copilot is allowed to search in **documentation folders** to understand schema rules, authoring guidelines, and repository conventions. These include, but are not limited to:
+
+- `doc/`
+- `schemas/`
+- `README.md`
+- `CONTRIBUTING.md`
+- `PULL_REQUEST_TEMPLATE.md`
+- Any other non-manifest documentation files
+
+These locations are safe to search because they contain guidance, not large numbers of manifest files.
+
+However, **Copilot must still avoid recursive searches of the `manifests/` directory**, except for the package-scoped searches described earlier.
+
+---
+
+## Explicit Required Behavior
+
+When reviewing a PR:
+
+- Focus on **only the changed manifest files** and their immediate package folder.
+- If searching for "similar manifests" or examples:
+- Restrict the search scope to the **same package root**, e.g.:
+
+  For:
+  ```
+  manifests/m/Microsoft/WSL/2.6.2/
+  ```
+  Only search within:
+  ```
+  manifests/m/Microsoft/WSL/
+  manifests/m/Microsoft/
+  ```
+
+- DO NOT search:
+  ```
+  manifests/m/*
+  manifests/*
+  ```
+  or the entire repo for matching fields
+
+- If broader repo context seems needed:
+  - **Skip the global search** and exactly say: "Global search prevented by repository instructions."
+  - Continue the review using only local context
+
+---
+
+## Summary
+
+- Only analyze **diffs** and **local package manifests**.
+- Never run expensive global scans.
+- Never crawl the entire `manifests/` directory.
+- Keep all search operations **package-scoped** for reliability.

.github/instructions/non-manifests.instructions.md

@@ -0,0 +1,74 @@
+---
+applyTo: "!manifests/**/*"
+---
+
+# Windows Package Manager Community Repository - Copilot Instructions
+
+## Repository Overview
+
+This is the **Windows Package Manager (WinGet)** community repository containing **~415,000+ manifest files** for software packages installable via `winget`. This repository primarily contains Windows Package Manager manifests, but also includes tooling, documentation, schemas, and CI configuration.
+
+**Key Facts:**
+- **Primary Language:** YAML manifest files, PowerShell scripts for tooling
+- **Target Runtime:** Windows 10/11, Windows Package Manager client
+- **Size:** Large repository with alphabetically organized manifests
+- **Schema:** Uses multi-file YAML manifests (version 1.10.0 recommended, 1.9.0 also supported)
+- **Supported Installers:** MSIX, MSI, APPX, EXE only (scripts are not supported)
+
+## Critical: How This Repository Works
+
+**This is NOT a traditional code repository.** You typically work with manifest files only **or modifying tooling, documentation, or infrastructure files**, not application source code.
+
+## Instruction Priority
+
+The instructions in the **Performance Rules**, **Allowed Local Searches**, and **Explicit Required Behavior** sections are **mandatory**.  
+They override all other information in this file.
+
+Copilot must always follow these rules when performing PR reviews, even if other documentation in this file describes general repository behavior.
+
+## Performance Rules (Very Important)
+
+This repository contains a very large directory: `manifests/`.  
+Copilot must **never recursively scan or search the entire `manifests/` folder** during PR reviews. This rule applies even when the pull request does not modify any manifest files.
+
+Large-scale searches cause severe performance issues and timeouts.
+
+## Allowed Searches Outside the Manifests Directory
+
+Copilot is allowed to search in **documentation folders** to understand schema rules, authoring guidelines, and repository conventions. These include, but are not limited to:
+
+- `doc/`
+- `schemas/`
+- `README.md`
+- `CONTRIBUTING.md`
+- `PULL_REQUEST_TEMPLATE.md`
+- Any other non-manifest documentation files
+
+These locations are safe to search because they contain guidance, not large numbers of manifest files.
+
+However, **Copilot must still avoid recursive searches of the `manifests/` directory**, except for the package-scoped searches described earlier.
+
+---
+
+## Explicit Required Behavior
+
+When reviewing a non-manifest PR:
+
+- Focus on the files changed in the pull request.
+- Use nearby documentation, tooling, or configuration files for context when helpful.
+- Avoid unnecessary repository-wide searches.
+
+If broader repository context seems needed:
+
+- **Skip the global search** and exactly say: "Global search prevented by repository instructions."
+- Continue the review using only the available non-manifest context.
+- Do not attempt to search the `manifests/` directory under any circumstances.
+
+---
+
+## Summary
+
+- Only analyze **diffs** and **relevant non-manifest files.**
+- Never run expensive global scans.
+- Never crawl the entire `manifests/` directory.
+- Keep all search operations **package-scoped** for reliability.

.github/policies/labelAdded.manualValidationCompleted.yml

@@ -0,0 +1,38 @@
+id: labelAdded.manualValidationCompleted
+name: GitOps.PullRequestIssueManagement
+description: Handlers when "Manual-Validation-Completed" label is added
+owner:
+resource: repository
+disabled: false
+where:
+configuration:
+  resourceManagementConfiguration:
+    eventResponderTasks:
+      - description: >-
+          When the label "Manual-Validation-Completed" is added to a pull request
+          * Add the PR specific reply notifying the issue author
+          * Remove the Internal-Error-Dynamic-Scan label
+          * Remove the Validation-No-Executables label
+          * Remove the Validation-Executable-Error label
+        if:
+          - payloadType: Pull_Request
+          - labelAdded:
+              label: Manual-Validation-Completed
+        then:
+          - addReply:
+              reply: >-
+                This pull request has been marked as "Manual-Validation-Completed".
+                A microsoft employee still needs to review and approve the changes before it can be merged.
+
+
+                Template: msftbot/microsoft/mvpValidated
+          - removeLabel:
+              label: Internal-Error-Dynamic-Scan
+          - removeLabel:
+              label: Validation-No-Executables
+          - removeLabel:
+              label: Validation-Executable-Error
+        # The policy service should trigger even when the label was added by the policy service
+        triggerOnOwnActions: true
+onFailure:
+onSuccess:

.github/policies/labelManagement.issueOpened.yml

@@ -103,6 +103,9 @@ configuration:
           - not:
               filesMatchPattern:
                 pattern: ^manifests/*
+          - not:
+              filesMatchPattern:
+                pattern: ^fonts/*
           - not:
               filesMatchPattern:
                 pattern: DevOpsPipelineDefinitions
@@ -196,7 +199,7 @@ configuration:
           - addLabel:
               label: Project-File
       - description: >-
-          When a PR is opened/updated, if the content contains .validation and user is not repo admin
+          When a PR is opened/updated, if the content contains .validation and user is not repo admin or authorized bot
           * Add Author-Not-Authorized label
         if:
           - payloadType: Pull_Request
@@ -209,6 +212,9 @@ configuration:
           - not:
               activitySenderHasPermission:
                 permission: Admin
+          - not:
+              isActivitySender:
+                user: wingetbot
         then:
           - addLabel:
               label: Author-Not-Authorized
@@ -227,6 +233,18 @@ configuration:
           - not:
               activitySenderHasPermission:
                 permission: Admin
+          - not:
+              isActivitySender:
+                user: dkbennett
+          - not:
+              isActivitySender:
+                user: denelon
+          - not:
+              isActivitySender:
+                user: Trenly
+          - not:
+              isActivitySender:
+                user: mdanish-kh
         then:
           - addReply:
               reply: >-

.github/policies/labelManagement.issueUpdated.yml

@@ -295,6 +295,8 @@ configuration:
               label: Manifest-Version-Deprecated
           - removeLabel:
               label: Manifest-Version-Error
+          - removeLabel:
+              label: Manual-Validation-Completed
           - removeLabel:
               label: Moderator-Approved
           - removeLabel:
@@ -419,6 +421,7 @@ configuration:
                   user: russellbanks
         then:
           # Don't remove Changes-Requested here because it is just a re-run, no new commits have been added
+          # Don't remove Manual-Validation-Completed here because it is just a re-run, no new commits have been added
           - removeLabel:
               label: Author-Not-Authorized
           - removeLabel:

.github/policies/microsoftMVPTriggers.yml

@@ -0,0 +1,38 @@
+id: microsoftMVPTriggers
+name: GitOps.PullRequestIssueManagement
+description: Defines the users and permissions available to Microsoft MVPs
+owner:
+resource: repository
+disabled: false
+where:
+configuration:
+  resourceManagementConfiguration:
+    eventResponderTasks:
+      - if:
+          # If the activity sender is a microsoft MVP and not the issue author
+          - or:
+              - isActivitySender:
+                  user: Trenly
+                  issueAuthor: False
+              - isActivitySender:
+                  user: mdanish-kh
+                  issueAuthor: False
+        then:
+          # If the payload is an issue_Comment or a Pull_Request_Review_Comment
+          - if:
+              - or:
+                  - payloadType: Issue_Comment
+                  - payloadType: Pull_Request_Review_Comment
+            # Remove the Needs-Triage label
+            # Take different actions based on the comment pattern
+            then:
+              # Manual-Validation-Completed
+              - if:
+                  - commentContains:
+                      pattern: '\[[Pp]olicy\]\s+[mM]anual[\s-][vV]alidation[\s-][cC]ompleted'
+                      isRegex: True
+                then:
+                  - addLabel:
+                      label: Manual-Validation-Completed
+onFailure:
+onSuccess:

.github/policies/moderatorTriggers.yml

@@ -574,6 +574,8 @@ configuration:
                       label: Manifest-Singleton-Deprecated
                   - removeLabel:
                       label: Manifest-Version-Deprecated
+                  - removeLabel:
+                      label: Manual-Validation-Completed
                   - removeLabel:
                       label: Moderator-Approved
                   - removeLabel:

.github/workflows/scriptAnalyzer.yaml

@@ -1,14 +1,16 @@
 name: PSScriptAnalyzer
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - master
     paths:
       - "**/*.ps1"
+      - "**/*.psm1"
   push:
     paths:
       - "**/*.ps1"
+      - "**/*.psm1"
 
 permissions:
   contents: read # Needed to check out the code
@@ -19,14 +21,17 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Install PSScriptAnalyzer
         run: |
           Install-Module -Name PSScriptAnalyzer -Force -SkipPublisherCheck -Scope CurrentUser
       - name: Run PSScriptAnalyzer
         run: |
           # Run PSScriptAnalyzer on all PowerShell scripts
-          $results = Get-ChildItem -Recurse -Filter *.ps1 | Invoke-ScriptAnalyzer
+          $results = @(Get-ChildItem -Recurse -Filter *.ps1 | Invoke-ScriptAnalyzer)
+          $results += @(Get-ChildItem -Recurse -Filter *.psm1 | Invoke-ScriptAnalyzer)
           if ($results) {
             Write-Output $results | Format-List -GroupBy ScriptName
           }