sponsor-finder

작성자: github

프로젝트의 전체 의존성 트리에서 후원 가능한 오픈소스 유지관리자를 식별합니다. deps.dev API를 사용하여 npm, PyPI, Cargo, Go, RubyGems, Maven, NuGet의 전체 의존성 트리(직접 및 전이적)를 해결합니다. npm 메타데이터, FUNDING.yml 파일(저장소 및 조직 수준), 웹 검색을 통해 펀딩 링크를 발견하고, 모든 URL을 보고하기 전에 검증합니다. 유지관리자와 펀딩 대상별로 의존성을 그룹화하여 상태 지표(유지관리됨/부분 유지관리됨/유지관리되지 않음)를 표시합니다.

npx skills add https://github.com/github/awesome-copilot --skill sponsor-finder

Sponsor Finder

Discover opportunities to support the open source maintainers behind your project's dependencies. Accepts a GitHub owner/repo (e.g. /sponsor expressjs/express), uses the deps.dev API for dependency resolution and project health data, and produces a friendly sponsorship report covering both direct and transitive dependencies.

Your Workflow

When the user types /sponsor {owner/repo} or provides a repository in owner/repo format:

  1. Parse the input — Extract owner and repo.
  2. Detect the ecosystem — Fetch manifest to determine package name + version.
  3. Get full dependency tree — deps.dev GetDependencies (one call).
  4. Resolve repos — deps.dev GetVersion for each dep → relatedProjects gives GitHub repo.
  5. Get project health — deps.dev GetProject for unique repos → OSSF Scorecard.
  6. Find funding links — npm funding field, FUNDING.yml, web search fallback.
  7. Verify every link — fetch each URL to confirm it's live.
  8. Group and report — by funding destination, sorted by impact.

Step 1: Detect Ecosystem and Package

Use get_file_contents to fetch the manifest from the target repo. Determine the ecosystem and extract the package name + latest version:

FileEcosystemPackage name fromVersion from
package.jsonNPMname fieldversion field
requirements.txtPYPIlist of package namesuse latest (omit version in deps.dev call)
pyproject.tomlPYPI[project.dependencies]use latest
Cargo.tomlCARGO[package] name[package] version
go.modGOmodule pathextract from go.mod
GemfileRUBYGEMSgem namesuse latest
pom.xmlMAVENgroupId:artifactIdversion

Step 2: Get Full Dependency Tree (deps.dev)

This is the key step. Use web_fetch to call the deps.dev API:

https://api.deps.dev/v3/systems/{ECOSYSTEM}/packages/{PACKAGE}/versions/{VERSION}:dependencies

For example:

https://api.deps.dev/v3/systems/npm/packages/express/versions/5.2.1:dependencies

This returns a nodes array where each node has:

  • versionKey.name — package name
  • versionKey.version — resolved version
  • relation"SELF", "DIRECT", or "INDIRECT"

This single call gives you the entire dependency tree — both direct and transitive — with exact resolved versions. No need to parse lockfiles.

URL encoding

Package names containing special characters must be percent-encoded:

  • @colors/colors%40colors%2Fcolors
  • Encode @ as %40, / as %2F

For repos without a single root package

If the repo doesn't publish a package (e.g., it's an app not a library), fall back to reading package.json dependencies directly and calling deps.dev GetVersion for each.


Step 3: Resolve Each Dependency to a GitHub Repo (deps.dev)

For each dependency from the tree, call deps.dev GetVersion:

https://api.deps.dev/v3/systems/{ECOSYSTEM}/packages/{NAME}/versions/{VERSION}

From the response, extract:

  • relatedProjects → look for relationType: "SOURCE_REPO"projectKey.id gives github.com/{owner}/{repo}
  • links → look for label: "SOURCE_REPO"url field

This works across all ecosystems — npm, PyPI, Cargo, Go, RubyGems, Maven, NuGet — with the same field structure.

Efficiency rules

  • Process in batches of 10 at a time.
  • Deduplicate — multiple packages may map to the same repo.
  • Skip deps where no GitHub project is found (count as "unresolvable").

Step 4: Get Project Health Data (deps.dev)

For each unique GitHub repo, call deps.dev GetProject:

https://api.deps.dev/v3/projects/github.com%2F{owner}%2F{repo}

From the response, extract:

  • scorecard.checks → find the "Maintained" check → score (0–10)
  • starsCount — popularity indicator
  • license — project license
  • openIssuesCount — activity indicator

Use the Maintained score to label project health:

  • Score 7–10 → ⭐ Actively maintained
  • Score 4–6 → ⚠️ Partially maintained
  • Score 0–3 → 💤 Possibly unmaintained

Efficiency rules

  • Only fetch for unique repos (not per-package).
  • Process in batches of 10 at a time.
  • This step is optional — skip if rate-limited and note in output.

Step 5: Find Funding Links

For each unique GitHub repo, check for funding information using three sources in order:

5a: npm funding field (npm ecosystem only)

Use web_fetch on https://registry.npmjs.org/{package-name}/latest and check for a funding field:

  • String: "https://github.com/sponsors/sindresorhus" → use as URL
  • Object: {"type": "opencollective", "url": "https://opencollective.com/express"} → use url
  • Array: collect all URLs

5b: .github/FUNDING.yml (repo-level, then org-level fallback)

Step 5b-i — Per-repo check: Use get_file_contents to fetch {owner}/{repo} path .github/FUNDING.yml.

Step 5b-ii — Org/user-level fallback: If 5b-i returned 404 (no FUNDING.yml in the repo itself), check the owner's default community health repo: Use get_file_contents to fetch {owner}/.github path FUNDING.yml.

GitHub supports a default community health files convention: a .github repository at the user/org level provides defaults for all repos that lack their own. For example, isaacs/.github/FUNDING.yml applies to all isaacs/* repos.

Only look up each unique {owner}/.github repo once — reuse the result for all repos under that owner. Process in batches of 10 owners at a time.

Parse the YAML (same for both 5b-i and 5b-ii):

  • github: [username]https://github.com/sponsors/{username}
  • open_collective: slughttps://opencollective.com/{slug}
  • ko_fi: usernamehttps://ko-fi.com/{username}
  • patreon: usernamehttps://patreon.com/{username}
  • tidelift: platform/packagehttps://tidelift.com/subscription/pkg/{platform-package}
  • custom: [urls] → use as-is

5c: Web search fallback

For the top 10 unfunded dependencies (by number of transitive dependents), use web_search:

"{package name}" github sponsors OR open collective OR funding

Skip packages known to be corporate-maintained (React/Meta, TypeScript/Microsoft, @types/DefinitelyTyped).

Efficiency rules

  • Check 5a and 5b for all deps. Only use 5c for top unfunded ones.
  • Skip npm registry calls for non-npm ecosystems.
  • Deduplicate repos — check each repo only once.
  • One {owner}/.github check per unique owner — reuse the result for all their repos.
  • Process org-level lookups in batches of 10 owners at a time.

Step 6: Verify Every Link (CRITICAL)

Before including ANY funding link, verify it exists.

Use web_fetch on each funding URL:

  • Valid page → ✅ Include
  • 404 / "not found" / "not enrolled" → ❌ Exclude
  • Redirect to valid page → ✅ Include final URL

Verify in batches of 5 at a time. Never present unverified links.


Step 7: Output the Report

Output discipline

Minimize intermediate output during data gathering. Do NOT announce each batch ("Batch 3 of 7…", "Now checking funding…"). Instead:

  • Show one brief status line when starting each major phase (e.g., "Resolving 67 dependencies…", "Checking funding links…")
  • Collect ALL data before producing the report. Never drip-feed partial tables.
  • Output the final report as a single cohesive block at the end.

Report template

## 💜 Sponsor Finder Report

**Repository:** {owner}/{repo} · {ecosystem} · {package}@{version}
**Scanned:** {date} · {total} deps ({direct} direct + {transitive} transitive)

---

### 🎯 Ways to Give Back

Sponsoring just {N} people/orgs supports {sponsorable} of your {total} dependencies — a great way to invest in the open source your project depends on.

1. **💜 @{user}** — {N} direct + {M} transitive deps · ⭐ Maintained
   {dep1}, {dep2}, {dep3}, ...
   https://github.com/sponsors/{user}

2. **🟠 Open Collective: {name}** — {N} direct + {M} transitive deps · ⭐ Maintained
   {dep1}, {dep2}, {dep3}, ...
   https://opencollective.com/{name}

3. **💜 @{user2}** — {N} direct dep · 💤 Low activity
   {dep1}
   https://github.com/sponsors/{user2}

---

### 📊 Coverage

- **{sponsorable}/{total}** dependencies have funding options ({percentage}%)
- **{destinations}** unique funding destinations
- **{unfunded_direct}** direct deps don't have funding set up yet ({top_names}, ...)
- All links verified ✅

Report format rules

  • Lead with "🎯 Ways to Give Back" — this is the primary output. Numbered list, sorted by total deps covered (descending).
  • Bare URLs on their own line — not wrapped in markdown link syntax. This ensures they're clickable in any terminal emulator.
  • Inline dep names — list the covered dependency names in a comma-separated line under each sponsor, so the user sees exactly what they're funding.
  • Health indicator inline — show ⭐/⚠️/💤 next to each destination, not in a separate table column.
  • One "📊 Coverage" section — compact stats. No separate "Verified Funding Links" table, no "No Funding Found" table.
  • Unfunded deps as a brief note — just the count + top names. Frame as "don't have funding set up yet" rather than highlighting a gap. Never shame projects for not having funding — many maintainers prefer other forms of contribution.
  • 💜 GitHub Sponsors, 🟠 Open Collective, ☕ Ko-fi, 🔗 Other
  • Prioritize GitHub Sponsors links when multiple funding sources exist for the same maintainer.

Error Handling

  • If deps.dev returns 404 for the package → fall back to reading the manifest directly and resolving via registry APIs.
  • If deps.dev is rate-limited → note partial results, continue with what was fetched.
  • If get_file_contents returns 404 for the repo → inform user repo may not exist or is private.
  • If link verification fails → exclude the link silently.
  • Always produce a report even if partial — never fail silently.

Critical Rules

  1. NEVER present unverified links. Fetch every URL before showing it. 5 verified links > 20 guessed links.
  2. NEVER guess from training knowledge. Always check — funding pages change over time.
  3. Always be encouraging, never shaming. Frame results positively — celebrate what IS funded, and treat unfunded deps as an opportunity, not a failing. Not every project needs or wants financial sponsorship.
  4. Lead with action. The "🎯 Ways to Give Back" section is the primary output — bare clickable URLs, grouped by destination.
  5. Use deps.dev as primary resolver. Fall back to registry APIs only if deps.dev is unavailable.
  6. Always use GitHub MCP tools (get_file_contents), web_fetch, and web_search — never clone or shell out.
  7. Be efficient. Batch API calls, deduplicate repos, check each owner's .github repo only once.
  8. Focus on GitHub Sponsors. Most actionable platform — show others but prioritize GitHub.
  9. Deduplicate by maintainer. Group to show real impact of sponsoring one person.
  10. Show the actionable minimum. Tell users the fewest sponsorships to support the most deps.
  11. Minimize intermediate output. Don't announce each batch. Collect all data, then output one cohesive report.

github의 다른 스킬

console-rendering
github
Go에서 struct 태그 기반 콘솔 렌더링 시스템 사용 지침
official
acquire-codebase-knowledge
github
사용자가 기존 코드베이스에 대한 매핑, 문서화, 또는 온보딩을 명시적으로 요청할 때 이 스킬을 사용하세요. "이 코드베이스를 매핑해줘", "문서화해줘"와 같은 프롬프트에서 트리거됩니다.
official
acreadiness-assess
github
현재 리포
official
acreadiness-generate-instructions
github
AgentRC 명령어를 통해 맞춤형 AI 에이전트 지침 파일을 생성합니다. .github/copilot-instructions.md 파일을 생성합니다(기본값, VS Code의 Copilot에 권장됨).
official
acreadiness-policy
github
사용자가 AgentRC 정책을 선택, 작성 또는 적용할 수 있도록 지원합니다. 정책은 관련 없는 검사를 비활성화하고, 영향/수준을 재정의하며, 설정을 통해 준비 상태 점수를 사용자 지정합니다.
official
add-educational-comments
github
코드 파일에 교육용 주석을 추가하여 효과적인 학습 자료로 변환합니다. 설명의 깊이와 어조를 세 가지 설정 가능한 지식 수준(초급, 중급, 고급)에 맞게 조정합니다. 파일이 제공되지 않으면 자동으로 요청하며, 빠른 선택을 위해 번호 목록 매칭을 제공합니다. 교육용 주석만을 사용하여 파일을 최대 125%까지 확장합니다(엄격한 제한: 새 줄 400개, 1,000줄 초과 파일의 경우 300개). 파일 인코딩, 들여쓰기 스타일, 구문 정확성 등을 유지합니다.
official
adobe-illustrator-scripting
github
Adobe Illustrator 자동화 스크립트를 ExtendScript(JavaScript/JSX)로 작성, 디버깅 및 최적화합니다. 스크립트를 생성하거나 수정하여 조작할 때 사용합니다.
official
agent-governance
github
선언적 정책, 의도 분류, AI 에이전트 도구 접근 및 행동 제어를 위한 감사 추적. 구성 가능한 거버넌스 정책은 허용/차단된 도구, 콘텐츠 필터, 속도 제한, 승인 요구 사항을 정의하며, 코드가 아닌 구성으로 저장됨. 의미론적 의도 분류는 패턴 기반 신호를 사용하여 도구 실행 전에 위험한 프롬프트(데이터 유출, 권한 상승, 프롬프트 인젝션)를 탐지함. 도구 수준 거버넌스 데코레이터는 함수에서 정책을 적용함...
official