github · Copilot · Sep 9, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
@@ -51,6 +51,10 @@ jobs:
       - name: Run unit tests
         run: npm test
 
+      - name: Run pr-checks tests
+        working-directory: pr-checks
+        run: python -m unittest discover
+
       - name: Lint
         if: matrix.os != 'windows-latest'
         run: npm run lint-ci

@@ -72,9 +72,14 @@ jobs:
         with:
           python-version: 3.11
 
+      - name: Sync back version updates to generated workflows
+        working-directory: pr-checks
+        run: |
+          python3 sync_back.py -v
+
       - name: Generate workflows
+        working-directory: pr-checks
         run: |
-          cd pr-checks
           python -m pip install --upgrade pip
           pip install ruamel.yaml==0.17.31
           python3 sync.py

@@ -1 +1,3 @@
 env
+__pycache__/
+*.pyc
@@ -8,7 +8,7 @@ operatingSystems:
   - windows
 steps:
   - name: Remove CodeQL from toolcache
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     with:
       script: |
         const fs = require('fs');
@@ -18,7 +18,7 @@ steps:
   - name: Install @actions/tool-cache
     run: npm install @actions/tool-cache
   - name: Check toolcache does not contain CodeQL
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     with:
       script: |
         const toolcache = require('@actions/tool-cache');
@@ -37,7 +37,7 @@ steps:
       output: ${{ runner.temp }}/results
       upload-database: false
   - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     with:
       script: |
         const toolcache = require('@actions/tool-cache');

@@ -8,7 +8,7 @@ operatingSystems:
   - windows
 steps:
   - name: Remove CodeQL from toolcache
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     with:
       script: |
         const fs = require('fs');
@@ -33,7 +33,7 @@ steps:
       path: ${{ runner.temp }}/results/javascript.sarif
       retention-days: 7
   - name: Check diagnostic with expected tools URL appears in SARIF
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
     with:

@@ -18,7 +18,7 @@ steps:
       path: "${{ runner.temp }}/results/javascript.sarif"
       retention-days: 7
   - name: Check config properties appear in SARIF
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
     with:

@@ -32,7 +32,7 @@ steps:
       path: "${{ runner.temp }}/results/javascript.sarif"
       retention-days: 7
   - name: Check diagnostics appear in SARIF
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
     with:

@@ -12,7 +12,7 @@ steps:
       languages: go
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   # Deliberately change Go after the `init` step
-  - uses: actions/setup-go@v5
+  - uses: actions/setup-go@v6
     with:
       go-version: "1.20"
   - name: Build code
@@ -23,7 +23,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
     with:

@@ -24,7 +24,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
     with:

@@ -54,15 +54,15 @@ steps:
       retention-days: 7
   - name: Check quality query does not appear in security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
       EXPECT_PRESENT: "false"
     with:
       script: ${{ env.CHECK_SCRIPT }}
   - name: Check quality query appears in quality SARIF
     if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/github-script@v7
+    uses: actions/github-script@v8
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"
       EXPECT_PRESENT: "true"

@@ -12,3 +12,39 @@ to one of the files in this directory.
 ### If you don't want to intall `just`
 
 Manually run each step in the `justfile`.
+
+## Sync-back automation
+
+When Dependabot updates action versions in the generated workflow files (`.github/workflows/__*.yml`), 
+the sync-back automation ensures those changes are properly reflected in the source templates.
+
+The sync-back script automatically detects all actions used in generated workflows and preserves
+version comments (e.g., `# v1.2.3`) when syncing versions between files.
+
+### Running sync-back manually
+
+To sync action versions from generated workflows back to source templates:
+
+```bash
+# Dry run to see what would be changed
+python3 pr-checks/sync_back.py --dry-run --verbose
+
+# Actually apply the changes
+python3 pr-checks/sync_back.py
+```
+
+The sync-back script automatically updates:
+- Hardcoded action versions in `pr-checks/sync.py`
+- Action version references in template files in `pr-checks/checks/`
+
+Regular workflow files are updated directly by Dependabot and don't need sync-back.
+
+This ensures that the `verify-pr-checks.sh` test always passes after Dependabot PRs.
+
+### Testing
+
+The sync-back script includes comprehensive tests that can be run with:
+
+```bash
+python3 pr-checks/test_sync_back.py -v
+```
@@ -127,7 +127,7 @@ def writeHeader(checkStream):
         steps.extend([
             {
                 'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v4',
+                'uses': 'actions/setup-node@v5',
                 'with': {
                     'node-version': '20.x',
                     'cache': 'npm',
@@ -165,7 +165,7 @@ def writeHeader(checkStream):
 
         steps.append({
             'name': 'Install Go',
-            'uses': 'actions/setup-go@v5',
+            'uses': 'actions/setup-go@v6',
             'with': {
                 'go-version': '${{ inputs.go-version || \'' + baseGoVersionExpr + '\' }}',
                 # to avoid potentially misleading autobuilder results where we expect it to download

@@ -0,0 +1,189 @@
+#!/usr/bin/env python3
+"""
+Sync-back script to automatically update action versions in source templates
+from the generated workflow files after Dependabot updates.
+
+This script scans the generated workflow files (.github/workflows/__*.yml) to find
+all external action versions used, then updates:
+1. Hardcoded action versions in pr-checks/sync.py
+2. Action version references in template files in pr-checks/checks/
+
+The script automatically detects all actions used in generated workflows and
+preserves version comments (e.g., # v1.2.3) when syncing versions.
+
+This ensures that when Dependabot updates action versions in generated workflows,
+those changes are properly synced back to the source templates. Regular workflow
+files are updated directly by Dependabot and don't need sync-back.
+"""
+
+import os
+import re
+import glob
+import argparse
+import sys
+from pathlib import Path
+from typing import Dict, List
+
+
+def scan_generated_workflows(workflow_dir: str) -> Dict[str, str]:
+    """
+    Scan generated workflow files to extract the latest action versions.
+
+    Args:
+        workflow_dir: Path to .github/workflows directory
+
+    Returns:
+        Dictionary mapping action names to their latest versions (including comments)
+    """
+    action_versions = {}
+    generated_files = glob.glob(os.path.join(workflow_dir, "__*.yml"))
+
+    for file_path in generated_files:
+        with open(file_path, 'r') as f:
+            content = f.read()
+
+        # Find all action uses in the file, including potential comments
+        # This pattern captures: action_name@version_with_possible_comment
+        pattern = r'uses:\s+([^/\s]+/[^@\s]+)@([^@\n]+)'
+        matches = re.findall(pattern, content)
+
+        for action_name, version_with_comment in matches:
+            # Only track non-local actions (those with / but not starting with ./)
+            if '/' in action_name and not action_name.startswith('./'):
+                # Take the latest version seen (they should all be the same after Dependabot)
+                action_versions[action_name] = version_with_comment.rstrip()
+
+    return action_versions
+
+
+def update_sync_py(sync_py_path: str, action_versions: Dict[str, str]) -> bool:
+    """
+    Update hardcoded action versions in pr-checks/sync.py
+
+    Args:
+        sync_py_path: Path to sync.py file
+        action_versions: Dictionary of action names to versions (may include comments)
+
+    Returns:
+        True if file was modified, False otherwise
+    """
+    if not os.path.exists(sync_py_path):
+        print(f"Warning: {sync_py_path} not found")
+        return False
+
+    with open(sync_py_path, 'r') as f:
+        content = f.read()
+
+    original_content = content
+
+    # Update hardcoded action versions 
+    for action_name, version_with_comment in action_versions.items():
+        # Extract just the version part (before any comment) for sync.py
+        version = version_with_comment.split('#')[0].strip() if '#' in version_with_comment else version_with_comment.strip()
+
+        # Look for patterns like 'uses': 'actions/setup-node@v4'
+        pattern = rf"('uses':\s*'){re.escape(action_name)}@(?:[^']+)(')"
+        replacement = rf"\1{action_name}@{version}\2"
+        content = re.sub(pattern, replacement, content)
+
+    if content != original_content:
+        with open(sync_py_path, 'w') as f:
+            f.write(content)
+        print(f"Updated {sync_py_path}")
+        return True
+    else:
+        print(f"No changes needed in {sync_py_path}")
+        return False
+
+
+def update_template_files(checks_dir: str, action_versions: Dict[str, str]) -> List[str]:
+    """
+    Update action versions in template files in pr-checks/checks/
+
+    Args:
+        checks_dir: Path to pr-checks/checks directory
+        action_versions: Dictionary of action names to versions (may include comments)
+
+    Returns:
+        List of files that were modified
+    """
+    modified_files = []
+    template_files = glob.glob(os.path.join(checks_dir, "*.yml"))
+
+    for file_path in template_files:
+        with open(file_path, 'r') as f:
+            content = f.read()
+
+        original_content = content
+
+        # Update action versions
+        for action_name, version_with_comment in action_versions.items():
+            # Look for patterns like 'uses: actions/setup-node@v4' or 'uses: actions/setup-node@sha # comment'
+            pattern = rf"(uses:\s+{re.escape(action_name)})@(?:[^@\n]+)"
+            replacement = rf"\1@{version_with_comment}"
+            content = re.sub(pattern, replacement, content)
+
+        if content != original_content:
+            with open(file_path, 'w') as f:
+                f.write(content)
+            modified_files.append(file_path)
+            print(f"Updated {file_path}")
+
+    return modified_files
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Sync action versions from generated workflows back to templates")
+    parser.add_argument("--dry-run", action="store_true", help="Show what would be changed without making changes")
+    parser.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
+    args = parser.parse_args()
+
+    # Get the repository root (assuming script is in pr-checks/)
+    script_dir = Path(__file__).parent
+    repo_root = script_dir.parent
+
+    workflow_dir = repo_root / ".github" / "workflows"
+    checks_dir = script_dir / "checks"
+    sync_py_path = script_dir / "sync.py"
+
+    print("Scanning generated workflows for latest action versions...")
+    action_versions = scan_generated_workflows(str(workflow_dir))
+
+    if args.verbose:
+        print("Found action versions:")
+        for action, version in action_versions.items():
+            print(f"  {action}@{version}")
+
+    if not action_versions:
+        print("No action versions found in generated workflows")
+        return 1
+
+    if args.dry_run:
+        print("\nDRY RUN - Would make the following changes:")
+        print(f"Action versions to sync: {action_versions}")
+        return 0
+
+    # Update files
+    print("\nUpdating source files...")
+    modified_files = []
+
+    # Update sync.py
+    if update_sync_py(str(sync_py_path), action_versions):
+        modified_files.append(str(sync_py_path))
+
+    # Update template files 
+    template_modified = update_template_files(str(checks_dir), action_versions)
+    modified_files.extend(template_modified)
+
+    if modified_files:
+        print(f"\nSync completed. Modified {len(modified_files)} files:")
+        for file_path in modified_files:
+            print(f"  {file_path}")
+    else:
+        print("\nNo files needed updating - all action versions are already in sync")
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())