fix: only touch dependabot.yml when --dependabot flag is used#39909
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR aims to ensure gh aw compile does not modify .github/dependabot.yml unless the user explicitly opts in with --dependabot, preventing unintended YAML round-trips that strip comments/reorder keys.
Changes:
- Gate
ReconcileManagedDependabotIgnoresInRepo(...)behindconfig.Dependabot && !config.NoEmitin both post-processing paths. - Add an integration test asserting an existing
dependabot.yml(including comments) remains byte-identical when compiling without--dependabot. - Includes additional updates to an installer script comment and a compiled workflow lockfile.
Show a summary per file
| File | Description |
|---|---|
| pkg/cli/compile_pipeline.go | Gates Dependabot ignore reconciliation so it only runs when --dependabot is requested. |
| pkg/cli/compile_dependabot_test.go | Adds an integration test to ensure compile without --dependabot does not touch .github/dependabot.yml. |
| actions/setup-cli/install.sh | Updates the “kept in sync” note (currently appears incorrect/self-referential). |
| .github/workflows/daily-formal-spec-verifier.lock.yml | Regenerates part of a compiled workflow lockfile (unrelated to stated PR scope). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 4/4 changed files
- Comments generated: 2
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #39909 does not have the 'implementation' label and has 76 new lines of code in business logic directories (≤100 threshold). |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
✅ PR Code Quality Reviewer completed the code quality review. |
🧪 Test Quality Sentinel Report✅ Test Quality Score: 90/100 — Excellent
📊 Metrics & Test Classification (1 test analyzed)
Go: 1 ( Verdict
|
There was a problem hiding this comment.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer
| } | ||
|
|
||
| // TestCompileWithoutDependabotFlagDoesNotTouchDependabotYML verifies that compiling | ||
| // without --dependabot does not modify an existing dependabot.yml file. |
There was a problem hiding this comment.
[/diagnose] The test pins the "no-touch" invariant but has no counterpart confirming the file IS reconciled when Dependabot: true. Without a positive-case test, a future regression that accidentally removes both guards would still pass the suite.
💡 Companion test sketch
func TestCompileWithDependabotFlagReconcilesDependabotYML(t *testing.T) {
// ... same setup as existing test ...
config := CompileConfig{
WorkflowDir: ".github/workflows",
Dependabot: true, // flag ON this time
}
_, err := CompileWorkflows(context.Background(), config)
require.NoError(t, err)
after, _ := os.ReadFile(dependabotPath)
if string(after) == dependabotContent {
t.Error("dependabot.yml should have been reconciled with --dependabot set")
}
}Together the two tests make the flag contract self-documenting and prevent regressions in both directions.
| t.Fatalf("failed to create workflows directory: %v", err) | ||
| } | ||
|
|
||
| // Change to temp directory |
There was a problem hiding this comment.
[/tdd] The error from os.Getwd() is silently discarded. If it fails, origDir is "" and defer os.Chdir("") will corrupt the working directory for any test that runs afterwards in the same package.
💡 Safer pattern
origDir, err := os.Getwd()
if err != nil {
t.Fatalf("failed to get working directory: %v", err)
}
t.Cleanup(func() { _ = os.Chdir(origDir) })
if err := os.Chdir(tempDir); err != nil {
t.Fatalf("failed to chdir to temp dir: %v", err)
}On Go 1.24+ t.Chdir(tempDir) handles setup, restore, and error handling automatically.
There was a problem hiding this comment.
Core fix is correct — gating ReconcileManagedDependabotIgnoresInRepo on config.Dependabot is the right call and matches the existing guard already in place for GenerateDependabotManifests. Two non-blocking observations left as inline comments.
Findings summary
Test coverage gap (medium)
The new test routes through compileAllFilesInDirectory → runPostProcessingForDirectory (MarkdownFiles: nil). The symmetric fix in runPostProcessing (specific-file compilation path) has no test. A regression there would be invisible to CI.
Duplicate identical guard in runPostProcessing (minor)
After the fix, runPostProcessing has two back-to-back if config.Dependabot && !config.NoEmit blocks, each with its own FindGitRoot() call. Pre-fix, the conditions differed; now they're identical and should be merged into one block — consistent with how runPostProcessingForDirectory already handles it.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
patchdiff.githubusercontent.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "patchdiff.githubusercontent.com"See Network Configuration for more information.
🔎 Code quality review by PR Code Quality Reviewer
|
|
||
| // Compile WITHOUT the Dependabot flag | ||
| config := CompileConfig{ | ||
| MarkdownFiles: nil, |
There was a problem hiding this comment.
Test only covers the runPostProcessingForDirectory path; the runPostProcessing fix is untested.
💡 Details
With MarkdownFiles: nil, CompileWorkflows routes to compileAllFilesInDirectory → runPostProcessingForDirectory, exercising the fix at compile_pipeline.go:579. The symmetric fix at compile_pipeline.go:525 (inside runPostProcessing, taken when MarkdownFiles != nil) has no corresponding test.
If that guard is accidentally reverted or diverged later, CI will not catch it. A second test that sets MarkdownFiles to the compiled .md file would cover this path:
config := CompileConfig{
MarkdownFiles: []string{workflowPath},
Dependabot: false,
...
}|
|
||
| // Reconcile compiler-managed Dependabot ignore entries for compiler-emitted action refs. | ||
| if !config.NoEmit { | ||
| if config.Dependabot && !config.NoEmit { |
There was a problem hiding this comment.
Two consecutive if config.Dependabot && !config.NoEmit blocks now exist here, each calling FindGitRoot() independently — merge them into one.
💡 Suggested fix
Before this PR, the two blocks had different conditions (config.Dependabot && !config.NoEmit vs !config.NoEmit). After the fix they are identical, but remain as two separate if statements with separate gitutil.FindGitRoot() calls. Merging eliminates the redundant filesystem walk:
if config.Dependabot && !config.NoEmit {
if gitRoot, err := gitutil.FindGitRoot(); err == nil {
absWorkflowDir := filepath.Join(gitRoot, config.WorkflowDir)
if err := generateDependabotManifestsWrapper(compiler, workflowDataList, absWorkflowDir, config.ForceOverwrite, config.Strict); err != nil {
if config.Strict {
return err
}
}
if err := compiler.ReconcileManagedDependabotIgnoresInRepo(gitRoot); err != nil {
if config.Strict {
return err
}
fmt.Fprintln(os.Stderr, console.FormatWarningMessage(...))
}
}
}This also makes it structurally consistent with runPostProcessingForDirectory, which already shares gitRoot across both calls.
|
``
|
|
@copilot run pr-finisher skill |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Ran pr-finisher pass and pushed updates in |
gh aw compilewas rewriting.github/dependabot.ymlon every run as a side effect, stripping comments and reordering keys (non-prettier-compliant) via YAML round-trip marshal/unmarshal — even when--dependabotwas never passed.Changes
pkg/cli/compile_pipeline.go: Gate bothReconcileManagedDependabotIgnorescall sites (runPostProcessingandrunPostProcessingForDirectory) onconfig.Dependabot, matching the existing guard already in place forGenerateDependabotManifests:pkg/cli/compile_dependabot_test.go: Add integration testTestCompileWithoutDependabotFlagDoesNotTouchDependabotYMLverifying that adependabot.ymlwith comments is byte-identical after compile without--dependabot.``
pr-sous-chef: update branch requested in run 27724831557