Skip to content

fix: replace actions/setup-copilot with npm install for Copilot CLI #1062

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dgee2 merged 3 commits into from
May 23, 2026
Merged

fix: replace actions/setup-copilot with npm install for Copilot CLI #1062

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a76c21a
fix: replace actions/setup-copilot with npm install for Copilot CLI
dgee2 May 23, 2026
c86fb08
fix: pin @github/copilot version and add --ignore-scripts flag
dgee2 May 23, 2026
3729cfa
chore: pin @github/copilot to major version only
dgee2 May 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/workflows/dependency-update.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,8 @@
- name: Enable pnpm via Corepack
run: corepack enable pnpm

- name: Setup Copilot CLI
uses: actions/setup-copilot@v0.0.5
- name: Install Copilot CLI
run: npm install -g --ignore-scripts @github/copilot@1

Check warning

Code scanning / SonarCloud

JavaScript dependencies should be locked to verified versions Medium

Using dependencies without locking resolved versions is security-sensitive. See more on SonarQube Cloud

Check warning on line 88 in .github/workflows/dependency-update.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Using dependencies without locking resolved versions is security-sensitive. 


See more on https://sonarcloud.io/project/issues?id=dgee2_Menu&issues=AZ5WvMjw-AUzBe-lCWH_&open=AZ5WvMjw-AUzBe-lCWH_&pullRequest=1062
Comment thread
sonarqubecloud[bot] marked this conversation as resolved.
Dismissed
Comment thread
dgee2 marked this conversation as resolved.

Comment thread
dgee2 marked this conversation as resolved.
- name: Create or update dependency PRs with Copilot
env:
Expand All @@ -103,7 +103,7 @@
PROMPT_GHA_DISCOVERY_SCOPE: actions and reusable workflows
PROMPT_PRERELEASE_POLICY: Consider prerelease versions only when the current version is prerelease; otherwise prefer stable releases.
run: |
cat > /tmp/copilot-prompt.txt <<EOF
cat > "$RUNNER_TEMP/copilot-prompt.txt" <<EOF
Read ".github/prompts/dependency-update.prompt.md" and apply these repository skills:
- ${PROMPT_ECOSYSTEM_SKILL}
- dependency-update-pr-description
Expand All @@ -128,4 +128,4 @@
--enable-all-github-mcp-tools \
--autopilot \
--no-ask-user \
-p "$(cat /tmp/copilot-prompt.txt)"
-p "$(cat "$RUNNER_TEMP/copilot-prompt.txt")"
Loading