build(deps): update GitHub Actions dependencies #1084
Closed
dgee2 wants to merge 3 commits into
Conversation
…n agentic dependency update workflows

- Add 'dotnet' and 'node' to network allowed list in dependency-update-github-actions.md so the validation step can run dotnet restore/build and pnpm install/build (fixes firewall blocking api.nuget.org during validation)
- Add 'dotnet' to network allowed list in dependency-update-node.md so the backend can be built to generate the OpenAPI spec required for frontend type-check validation
- Change protected-files policy from 'fallback-to-issue' to 'allowed' with .github/workflows/ and .github/actions/ excluded from the protected set in dependency-update-github-actions.md, since this workflow is explicitly designed to update workflow files
- Add github-token: GH_AW_GITHUB_TOKEN to create-pull-request safe-output so a PAT with workflow scope is used when pushing changes to .github/workflows/*.yml files
- Recompile all modified .lock.yml files via 'gh aw compile'

Fixes #1077 and #1078

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ate workflow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- actions/checkout: v6 → v6.0.2
- actions/cache: v5 → v5.0.5
- actions/setup-dotnet: v5 → v5.2.0
- actions/setup-node: v6 → v6.4.0
- actions/upload-artifact: v7 → v7.0.1
- actions/download-artifact: v8 → v8.0.1
- actions/dependency-review-action: v4 → v5
- github/codeql-action/init: v4 → v4.36.0
- github/codeql-action/analyze: v4 → v4.36.0

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates GitHub Actions workflow dependencies to newer stable versions to keep CI/build/security workflows current. It also updates the repository’s gh-aw “dependency update” workflow configuration/compiled outputs to permit required tooling/network access for validation and workflow edits.
Changes:
- Bump action versions in primary CI workflow (main.yml) and CodeQL workflow (codeql.yml).
- Update gh-aw dependency update workflow source files (dependency-update-*.md) and regenerate corresponding compiled lock workflows (dependency-update-*.lock.yml).
- Expand gh-aw network allowlists (dotnet/node) and adjust safe-outputs configuration for GitHub Actions dependency updates.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/main.yml | Updates action references used by the main CI pipeline (checkout/cache/setup-dotnet/setup-node/artifacts/dependency-review). |
| .github/workflows/codeql.yml | Updates checkout and CodeQL init/analyze action versions for code scanning. |
| .github/workflows/dependency-update-node.md | Adds dotnet to allowed network groups for node dependency update workflow validation. |
| .github/workflows/dependency-update-node.lock.yml | Regenerated compiled workflow reflecting updated allowed domains/prompt IDs/etc. |
| .github/workflows/dependency-update-github-actions.md | Updates gh-aw config (allowed networks; safe-outputs allowed files/protected policy; token wiring). |
| .github/workflows/dependency-update-github-actions.lock.yml | Regenerated compiled workflow reflecting updated gh-aw config and updated allowlists/token usage. |
| - name: Checkout | ||
| if: github.event_name == 'pull_request' | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v6.0.2 |
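Review bot: `actions/checkout@v6.0.2` is an exact version tag but still a mutable git tag, not an immutable reference, and this step runs on `pull_request`, i.e. it checks out contributor-supplied code. For the checkout step in particular, consider pinning to the full commit SHA that v6.0.2 resolves to and keeping the version in a trailing comment (`uses: actions/checkout@<sha> # v6.0.2`) so the dependency-update workflow can still read the version while the reference cannot be re-pointed after publication.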
| exclude: | ||
| - .github/workflows/ | ||
| - .github/actions/ | ||
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }} |
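Review bot: excluding `.github/workflows/` and `.github/actions/` from the protected set means the agent-generated pull request may now rewrite the CI and CodeQL workflow definitions themselves, and `github-token: ${{ secrets.GH_AW_GITHUB_TOKEN }}` hands it a PAT with `workflow` scope to push those edits. Add a note in the .md frontmatter stating the minimum scopes the PAT needs and that PRs it opens must still go through required review before merge, since a change to a workflow file is effectively a change to what executes in CI.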
| with: | ||
| ref: ${{ github.event.repository.default_branch }} | ||
| token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| token: ${{ secrets.GH_AW_GITHUB_TOKEN }} |
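Review bot: dropping `|| secrets.GITHUB_TOKEN` means `token:` expands to an empty string whenever `GH_AW_GITHUB_TOKEN` is not configured, so a fork or fresh setup without the secret fails at this step rather than falling back to the default token as the previous line did. Making the PAT mandatory is defensible here (the default `GITHUB_TOKEN` cannot push changes to `.github/workflows/` anyway), but the missing-secret failure mode should be documented next to the workflow so the error is understood rather than debugged.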
Dependency Updates
This pull request updates GitHub Actions dependencies to their latest stable versions.
Summary
Updated 9 GitHub Actions across 2 workflow files:
- actions/checkout
- actions/cache
- actions/setup-dotnet
- actions/setup-node
- actions/upload-artifact
- actions/download-artifact
- actions/dependency-review-action
- github/codeql-action/init
- github/codeql-action/analyze
Modified Files
- .github/workflows/main.yml
- .github/workflows/codeql.yml
Notable Changes
Major Update:
Minor Updates:
- `workloads` input and optional `architecture` input for cross-architecture .NET installs.
Patch Updates:
Validation
✅ YAML syntax validated
⚠️ Major update to dependency-review-action requires Actions Runner v2.327.1+
✅ All action references use published versions
✅ No breaking changes expected for minor and patch updates
This PR was automatically generated by the GitHub Actions dependency update workflow.
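The validation list above checks that every action reference points at a published version, but it does not distinguish an exact tag such as v6.0.2 from a floating major tag such as the new actions/dependency-review-action@v5, nor either of those from an immutable commit SHA. The following is an added example, not code from this PR or the repository it targets: a small scanner that pulls `uses:` references out of workflow YAML text and classifies how each one is pinned. The sample workflow is constructed for the example, reusing version tags named in this PR; the SHA in it is a placeholder, not a real commit.

```python
"""Classify how workflow `uses:` references are pinned.

Added example, not code from the PR or the repository it targets. It scans
workflow YAML text for `uses:` lines and labels each reference as pinned to a
full commit SHA, an exact version tag (e.g. v6.0.2), or a floating major tag
(e.g. v5) that resolves to whatever release the tag currently points at.
"""
import re
from dataclasses import dataclass

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
MAJOR_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")  # v5 or v5.0: moves with new releases


@dataclass(frozen=True)
class ActionRef:
    action: str  # e.g. actions/checkout or github/codeql-action/init
    ref: str     # the part after '@' (empty for local actions)
    pin: str     # 'sha', 'exact', 'floating', 'local' or 'unknown'


def classify_ref(ref: str) -> str:
    """Map the text after '@' to a pin category."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_TAG_RE.match(ref):
        return "exact"
    if MAJOR_TAG_RE.match(ref):
        return "floating"
    return "unknown"  # branch names, docker:// refs, etc.


def parse_uses(yaml_text: str) -> list[ActionRef]:
    """Extract every `uses:` reference from workflow text, in file order."""
    refs = []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip("\"'")
        if target.startswith("./"):
            refs.append(ActionRef(target, "", "local"))  # action in this repo
        elif "@" not in target:
            refs.append(ActionRef(target, "", "unknown"))
        else:
            action, ref = target.rsplit("@", 1)
            refs.append(ActionRef(action, ref, classify_ref(ref)))
    return refs


def unpinned_refs(yaml_text: str) -> list[ActionRef]:
    """References that are not immutable SHAs: what a supply-chain review flags."""
    return [r for r in parse_uses(yaml_text) if r.pin in ("exact", "floating", "unknown")]


# Constructed sample using version tags named in the PR; the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v6.0.2
      - uses: actions/dependency-review-action@v5
      - uses: github/codeql-action/init@v4.36.0
      - uses: actions/cache@0000000000000000000000000000000000000000 # v5.0.5 (placeholder SHA)
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for r in parse_uses(SAMPLE_WORKFLOW):
        print(f"{r.pin:9} {r.action}@{r.ref}")
```

Run against a real `.github/workflows/` directory, `unpinned_refs` gives the list a reviewer would ask to be converted to SHA pins with a version comment; the dependency-update workflow can then bump the comment and the SHA together instead of the tag alone.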