Chore: [AEA-0000] - fix sync copilot workflow #1052
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
Updates repository automation around Copilot instruction syncing and devcontainer maintenance, alongside a few supporting workflow/config tweaks.
Changes:
- Update the Copilot instructions sync workflow to use a newer action revision and updated input naming.
- Rework the devcontainer version update workflow to run via a dedicated action instead of a reusable workflow.
- Adjust repo hygiene automation (new pre-commit commit-signing check, dependabot cooldown changes, and devcontainer attach command removal).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Adds a local hook to enforce commit signing configuration. |
| .github/workflows/update_dev_container_version.yml | Replaces reusable workflow usage with a job that runs an update action. |
| .github/workflows/sync_copilot.yml | Bumps the Copilot instructions sync action revision and updates inputs. |
| .github/dependabot.yml | Increases dependabot cooldown default days from 3 to 7 for multiple ecosystems. |
| .devcontainer/devcontainer.json | Removes postAttachCommand that registered git-secrets AWS/custom rules in the devcontainer. |
| args: | ||
| - -c | ||
| - | | ||
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then |
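Review bot: `grep -q "true"` against the raw value of `commit.gpgsign` is a substring match, so it accepts any value containing "true" while rejecting the other spellings git treats as true ("1", "yes", "on"); the `> /dev/null 2>&1` after it is redundant, since `-q` already silences grep and the redirect does not apply to the `git config` side of the pipe. Let git canonicalise the value instead, e.g. `if [ "$(git config --type=bool --get commit.gpgsign 2>/dev/null)" != "true" ]; then` (`--bool` is the older spelling of the same option).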
The commit signing check only matches the literal string "true". Git boolean config values can be set as "1"/"yes"/"on" etc., which would incorrectly fail this hook even though signing is enabled. Consider using git config --bool --get commit.gpgsign (or equivalent) for a reliable boolean check instead of grepping the raw value.
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then | |
| if [ "$(git config --bool --get commit.gpgsign 2>/dev/null)" != "true" ]; then |
| description: Ensures that commits are GPG signed | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - | | ||
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then | ||
| echo "Error: Commit signing is not enabled." | ||
| echo "Please enable commit signing with:" | ||
| echo " git config commit.gpgsign true" | ||
| echo "" | ||
| echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" |
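Review bot: the remediation at the `echo "  git config commit.gpgsign true"` line is incomplete on its own: turning on `commit.gpgsign` without a usable key (`user.signingkey`, plus `gpg.format ssh` for SSH keys) makes git abort every commit at signing time rather than produce a signed commit, so the message should name those settings too. Note also that this hook only reads local config, which the developer controls and can skip with `--no-verify`; treat it as a convenience and rely on the branch protection rule that requires signed commits for enforcement.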
The hook messaging says commits must be "GPG signed", but GitHub supports SSH commit signing as well; commit.gpgsign=true can be used with non-GPG signing formats depending on user config. To avoid misleading guidance, consider wording this as "commit signing" (or "signed commits") rather than specifically "GPG".
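As an added example (not the repository's hook; the function names and the `check` subcommand are assumptions), the two points above, git-style boolean parsing and SSH versus GPG signing formats, folded into one check that a local pre-commit hook can call:

```shell
#!/usr/bin/env bash
# Added example: hardened signing-configuration check for a local pre-commit hook.
# Function names and the "check" subcommand are assumptions, not the repository's hook.

# Normalise a git boolean string the way git does: "true", "1", "yes" and "on"
# (any case) are true; anything else, including an unset (empty) key, is false.
git_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true|1|yes|on) echo true ;;
    *) echo false ;;
  esac
}

# Decide from explicit values (commit.gpgsign, gpg.format, user.signingkey)
# whether commits will be signed. Taking arguments instead of calling git keeps
# the logic testable offline. Returns 0 when signing is on, 1 with an error otherwise.
check_signing_config() {
  gpgsign="$1"
  format="${2:-openpgp}"   # git's default when gpg.format is unset
  key="$3"
  if [ "$(git_bool "$gpgsign")" != true ]; then
    echo "Error: commit signing is not enabled (commit.gpgsign=${gpgsign:-unset})." >&2
    echo "Enable it with: git config commit.gpgsign true" >&2
    return 1
  fi
  case "$format" in
    openpgp|ssh|x509) ;;
    *) echo "Error: unsupported gpg.format '$format' (expected openpgp, ssh or x509)." >&2
       return 1 ;;
  esac
  # SSH signing has no "default key": git refuses to sign without user.signingkey.
  if [ "$format" = ssh ] && [ -z "$key" ]; then
    echo "Error: gpg.format=ssh requires user.signingkey (path to your public key)." >&2
    return 1
  fi
  echo "Commit signing enabled (format=$format, key=${key:-default})"
  return 0
}

# Read the effective values from git. --type=bool makes git canonicalise the
# value itself; the fallback keeps the raw string on older git versions.
main() {
  gpgsign="$(git config --type=bool --get commit.gpgsign 2>/dev/null \
    || git config --get commit.gpgsign 2>/dev/null)"
  format="$(git config --get gpg.format 2>/dev/null)"
  key="$(git config --get user.signingkey 2>/dev/null)"
  check_signing_config "$gpgsign" "$format" "$key"
}

# Run the live check only when invoked as `check_signing.sh check`, so the
# functions can also be sourced by other scripts without side effects.
case "${1:-}" in
  check) main || exit 1 ;;
esac
```

Wire it into `.pre-commit-config.yaml` with `entry: bash` and `args: [check_signing.sh, check]` (the file name is assumed). The check reads local config the developer controls, so it is a guard rail rather than a control; the authoritative enforcement is the branch protection rule requiring signed commits.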
| }, | ||
| "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", | ||
| "mounts": [ | ||
| "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", |
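Review bot: removing the `postAttachCommand` line leaves the `~/.aws` bind mount on the following line in place, so real AWS credentials remain inside the container while the `git-secrets --register-aws` patterns and the `nhsd-rules-deny.txt` provider that would catch them in a commit are gone. If the rules are meant to move to pre-commit, add that replacement in the same PR so coverage never lapses; otherwise keep the registration here or drop the credential mount as well.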
Removing the postAttachCommand drops the git-secrets --register-aws and custom deny rules setup. With no other references to these rules in the repo, developers using the devcontainer will no longer have those git-secrets patterns configured, reducing local secret-detection coverage. If this is intentional, consider migrating the rules setup into the pre-commit hook (or another repo-managed bootstrap step) so it remains consistently applied.
| commit-message: | ||
| prefix: "Upgrade: [dependabot] - " | ||
| cooldown: | ||
| default-days: 3 | ||
| default-days: 7 | ||
| ################################### |
The PR description only mentions fixing the Copilot sync workflow, but this change set also adjusts dependabot cooldowns, adds a new pre-commit hook, updates the devcontainer update workflow, and removes a devcontainer hook. Please update the PR description to reflect these additional changes (or split into separate PRs) to keep review/audit context accurate.