fix: update dependency update workflows to fix #1075 and #1076 (#1079)
Merged
Issue #1075 (Dependency Update Node):
- Add ui/menu-website/public/mockServiceWorker.js to the allowed-files list so PRs that update msw can include the regenerated worker file

Issue #1076 (Dependency Update GitHub Actions):
- Add protected-files: fallback-to-issue so workflow file updates in .github/ create a review issue instead of failing outright
- Update SKILL.md to exclude auto-generated *.lock.yml files from GitHub Actions discovery scope (they are compiled outputs from gh aw compile and must not be edited directly)

Recompiled both .lock.yml files via gh aw compile after the .md changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR fixes two failures in the repo’s agentic dependency-update workflows by adjusting safe-output allowlists and tightening GitHub Actions workflow discovery so generated lock workflows aren’t treated as update targets.
Changes:
- Allow `ui/menu-website/public/mockServiceWorker.js` to be modified by the Node dependency-update workflow safe-output gate.
- Configure the GitHub Actions dependency-update workflow to fall back to creating a review issue when protected `.github/` files are touched.
- Update the GitHub Actions dependency-update skill to exclude `*.lock.yml` workflow outputs from discovery; regenerate the corresponding compiled `.lock.yml` workflows.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/dependency-update-node.md | Adds mockServiceWorker.js to safe-output allowed files to prevent PR creation failures when msw regenerates it. |
| .github/workflows/dependency-update-node.lock.yml | Regenerated compiled workflow reflecting the updated safe-output allowlist. |
| .github/workflows/dependency-update-github-actions.md | Sets protected-files: fallback-to-issue to avoid hard failures when updates touch protected .github/ workflow files. |
| .github/workflows/dependency-update-github-actions.lock.yml | Regenerated compiled workflow reflecting the protected-files fallback policy. |
| .github/skills/dependency-update-github-actions/SKILL.md | Excludes *.lock.yml from workflow discovery so the agent doesn’t attempt to update compiled outputs. |
…e PRs

ui/menu-website/src/** and ui/menu-website/e2e/** are now in the allowed-files list so that code-changing Node updates (e.g. TypeScript or Vue fixes required by a package bump) can create PRs without being blocked by the safe-outputs allowed-files check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Scope the .NET dependency updater to backend/** only, applying the principle of least privilege. Without this, the agent could include any repo file in a PR.

Covers all legitimate update scenarios:
- .csproj for simple NuGet version bumps
- .cs for code-changing updates
- .props/.targets for Aspire tool-driven updates

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… PRs

Replaces the three separate entries (mockServiceWorker.js, src/**, e2e/**) with a single ui/menu-website/** pattern. This also covers config files (.storybook/**, vite.config.ts, eslint.config.ts, tsconfig*.json, playwright.config.ts) that may need changes during code-changing dependency updates, preventing future safe-output rejections.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Fixes two GitHub Actions agentic workflow failures, and adds missing source-file coverage for future Node code-changing updates.
Issue #1075 - Dependency Update Node
Root cause: When msw is updated, `pnpm dlx msw init public/ --save` regenerates `ui/menu-website/public/mockServiceWorker.js`. This file was not in the `allowed-files` list, so the safe-output system rejected the PR.

Fix: Added `ui/menu-website/**` to the `allowed-files` list in `dependency-update-node.md`, covering all UI source, config, and generated files.

Issue #1076 - Dependency Update GitHub Actions

Root cause (two parts):
- The `dependency-update-github-actions` skill was parsing `*.lock.yml` files (auto-generated by `gh aw compile`) as valid update targets - these should never be directly edited.
- The `protect_top_level_dot_folders` default in gh-aw blocks any `.github/` file edits, causing hard failures when attempting to update `main.yml` and `codeql.yml`.

Fix:
- Updated `SKILL.md` to explicitly exclude `*.lock.yml` files from discovery (they are compiled outputs, not source files).
- Added `protected-files: fallback-to-issue` to `dependency-update-github-actions.md` so that workflow files in `.github/` create a review issue instead of hard-failing.

Proactive fix - Node code-changing update PRs

Root cause: If a Node package bump requires source code changes (TypeScript type fixes, Vue component updates, config file changes, etc.), the safe-output would block the PR because `ui/menu-website/**` was not in the `allowed-files` list.

Fix: Added `ui/menu-website/**` to the `allowed-files` in `dependency-update-node.md`, covering `src/**`, `e2e/**`, `.storybook/**`, `vite.config.ts`, `eslint.config.ts`, `tsconfig*.json`, `playwright.config.ts`, and any other UI files.

.NET workflow - proactive fix

Added `allowed-files: backend/**` to the .NET dependency update workflow, applying the principle of least privilege. This covers all legitimate update scenarios (`.csproj` for simple bumps, `.cs` for code-changing updates, `.props`/`.targets` for Aspire tool-driven updates) while preventing the agent from accidentally touching frontend or workflow files.

All three `.lock.yml` files were regenerated via `gh aw compile` after the `.md` changes.

Verification
Both originally-failing workflows were triggered on this branch and completed successfully:
Closes #1075
Closes #1076
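The safe-output gate this PR tunes (an `allowed-files` allowlist per workflow, a `protected-files` policy for `.github/`, and discovery that skips compiled `*.lock.yml` outputs) can be modelled in a few lines. This is an added illustration, not gh-aw's code: the glob semantics, the order in which the two checks run, the `.github/workflows/*.yml` discovery pattern and the "before" allowlist are assumptions.

```python
import re

# Constructed allowlists modelled on the ones this PR sets (hypothetical values,
# not copied from the repo's workflow files).
NODE_ALLOWED_BEFORE = ["ui/menu-website/package.json", "ui/menu-website/pnpm-lock.yaml"]
NODE_ALLOWED_AFTER = ["ui/menu-website/**"]
DOTNET_ALLOWED = ["backend/**"]
COMPILED_OUTPUTS = ["*.lock.yml", "**/*.lock.yml"]  # gh aw compile outputs, never edited by hand


def glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed glob semantics: '**' spans directories, '*' and '?' stay inside one path segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_any(path: str, patterns: list[str]) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)


def discover_workflows(paths: list[str]) -> list[str]:
    """SKILL.md rule: hand-written workflow files are update targets, compiled *.lock.yml files are not."""
    return [p for p in paths
            if matches_any(p, [".github/workflows/*.yml", ".github/workflows/*.yaml"])
            and not matches_any(p, COMPILED_OUTPUTS)]


def gate_pr(changed: list[str], allowed: list[str], protected_files: str = "fail") -> tuple[str, list[str]]:
    """Model of the safe-output gate: ('create-pr' | 'fallback-to-issue' | 'reject', offending paths).
    Checking protected .github/ paths before the allowlist is an assumption about gh-aw's ordering."""
    protected = [p for p in changed if p.startswith(".github/")]
    if protected:
        # protect_top_level_dot_folders: a .github/ edit never becomes a direct PR;
        # fallback-to-issue turns the hard failure into a review issue instead
        return ("fallback-to-issue" if protected_files == "fallback-to-issue" else "reject"), protected
    disallowed = [p for p in changed if not matches_any(p, allowed)]
    if disallowed:
        return "reject", disallowed  # least privilege: anything outside the allowlist blocks the PR
    return "create-pr", []
```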