Restrict runtime-import to .github folder with automatic prefix trimming #9316

Merged
pelikhan merged 4 commits into main from copilot/restrict-runtime-import-paths on Jan 8, 2026

Copilot AI commented Jan 8, 2026

The runtime-import macro now only imports files from the .github folder to prevent access to arbitrary repository files. Paths are automatically normalized: both file.md and .github/file.md resolve to .github/file.md.

Changes

  • Path Resolution: All file paths resolve within .github folder relative to git root
  • Prefix Normalization: Automatic trimming of .github/, ./, and .\\ prefixes
  • Security Validation: Path traversal attempts (../../../etc/passwd) rejected with clear error messages
  • URL Behavior: HTTP/HTTPS URLs remain unrestricted

Usage

# All equivalent - resolve to .github/coding-standards.md
{{#runtime-import coding-standards.md}}
{{#runtime-import .github/coding-standards.md}}
@./coding-standards.md

# Subdirectories work within .github
{{#runtime-import workflows/shared/template.md}}

# URLs unrestricted
{{#runtime-import https://example.com/external.md}}

# Outside .github rejected
{{#runtime-import ../src/config.go}}  # Error: must be within .github folder

Test Coverage

  • 88 runtime import tests updated for .github folder structure
  • Added tests for prefix trimming, security validation, subdirectory navigation
  • All 2,531 JavaScript tests passing

Original prompt

Restrict the runtime-import macro to only import files from the .github folder (from the git root). When resolving files, trim .github/ folder if needed.
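
The path rules listed in the description above (prefix trimming, traversal rejection, URL pass-through), as an added example that is not part of the pull request or the project's code; the function name, return shape and error text are assumptions.

```javascript
// Added example; names are hypothetical, not the project's own code.
const IMPORT_ROOT = ".github";

function outside(spec) {
  return new Error(`runtime-import "${spec}": must be within ${IMPORT_ROOT} folder`);
}

// Maps a runtime-import argument to a path relative to the git root.
// The check is lexical only: it does not follow symlinks inside .github.
function resolveRuntimeImport(spec) {
  // URLs are passed through unrestricted, as the PR description states.
  if (/^https?:\/\//i.test(spec)) return { kind: "url", target: spec };

  // Treat "\" as a separator so ".\x" and "..\x" are handled like "./x" and "../x".
  const unified = spec.trim().replace(/\\/g, "/");
  if (unified.includes("\0") || unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) {
    throw outside(spec); // NUL bytes, absolute paths, drive letters
  }

  // Drop empty and "." segments, then trim one leading ".github" prefix.
  const segments = unified.split("/").filter((s) => s !== "" && s !== ".");
  if (segments[0] === IMPORT_ROOT) segments.shift();

  // Resolve ".." against the .github root; climbing above it is a traversal attempt.
  const resolved = [];
  for (const seg of segments) {
    if (seg === "..") {
      if (resolved.length === 0) throw outside(spec);
      resolved.pop();
    } else {
      resolved.push(seg);
    }
  }
  if (resolved.length === 0) throw outside(spec); // names the folder itself, not a file
  return { kind: "file", target: [IMPORT_ROOT, ...resolved].join("/") };
}
```

Because the prefix is trimmed before `..` is resolved, `.github/../src/config.go` is rejected rather than rewritten to a path inside `.github`.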



Copilot AI and others added 3 commits January 8, 2026 05:24
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Restrict runtime-import macro to .github folder" to "Restrict runtime-import to .github folder with automatic prefix trimming" Jan 8, 2026
Copilot AI requested a review from pelikhan January 8, 2026 05:46
pelikhan marked this pull request as ready for review January 8, 2026 05:48
pelikhan merged commit a678e69 into main Jan 8, 2026
149 of 150 checks passed
pelikhan deleted the copilot/restrict-runtime-import-paths branch January 8, 2026 05:52