Chore: [AEA-0000] - use actions for sync copilot #122
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
This PR refactors repo automation by replacing in-workflow scripting for Copilot-instruction sync and devcontainer version updates with dedicated GitHub Actions, and makes a few supporting maintenance tweaks.
Changes:
- Replace the existing sync-copilot and devcontainer-update reusable workflow implementations with calls to NHSDigital actions, and add scheduled triggers.
- Add a new local pre-commit hook to check `commit.gpgsign` is enabled, and adjust Dependabot cooldown defaults.
- Remove the devcontainer `postAttachCommand` that previously configured `git-secrets`, and delete the separate scheduled devcontainer update workflow.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Adds a local hook to verify commit signing is enabled in git config. |
| .github/workflows/update-dev-container-version.yml | Replaces prior reusable-workflow logic with a single action step; adds schedule/dispatch. |
| .github/workflows/sync_copilot.yml | Replaces prior reusable-workflow logic with a single action step; adds schedule/dispatch. |
| .github/workflows/schedule_dev_container_update.yml | Removes the standalone scheduler workflow for devcontainer updates. |
| .github/dependabot.yaml | Increases Dependabot cooldown default days from 3 to 7 across ecosystems. |
| .devcontainer/devcontainer.json | Removes the postAttachCommand that configured git-secrets providers/rules. |
| name: Sync copilot instructions | ||
| name: Sync Copilot Instructions | ||
| on: |
This workflow is documented and used as a reusable workflow (called via uses: NHSDigital/eps-common-workflows/.github/workflows/sync_copilot.yml@...). Removing the workflow_call trigger means other repos can no longer call it, which is a breaking change and also conflicts with the project guidance that reusable workflows should expose workflow_call (see .github/instructions/project/instructions.md). Reintroduce workflow_call (inputs/secrets as needed), and optionally keep workflow_dispatch/schedule alongside it if you still want ad-hoc/scheduled runs in this repo.
| on: | |
| on: | |
| workflow_call: | |
| secrets: | |
| CREATE_PULL_REQUEST_APP_ID: | |
| required: true | |
| CREATE_PULL_REQUEST_PEM: | |
| required: true |
| on: | ||
| workflow_call: | ||
| inputs: | ||
| base_branch: | ||
| required: false | ||
| type: string | ||
| default: main | ||
| secrets: | ||
| CREATE_PULL_REQUEST_APP_ID: | ||
| required: true | ||
| CREATE_PULL_REQUEST_PEM: | ||
| required: true | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: "0 6 * * 4" | ||
| permissions: {} |
This workflow is documented as a reusable workflow (README section “Update Dev Container Version” shows other repos calling it via uses:). Replacing workflow_call with only workflow_dispatch/schedule breaks that contract for consumers and contradicts the project guidance that workflows designed to be called from other repos should use workflow_call (see .github/instructions/project/instructions.md). Consider restoring workflow_call (and its inputs/secrets), and keep workflow_dispatch/schedule in addition if required.
| name: Update devcontainer version | ||
PR description only mentions “use action for sync copilot”, but this change also modifies the devcontainer update workflow, dependabot cooldown timings, adds a new pre-commit hook enforcing commit-signing config, and removes a devcontainer postAttachCommand. Please update the PR description (or split into separate PRs) so reviewers and downstream consumers understand the full scope and intent.
| name: Check commit signing | ||
| description: Ensures that commits are GPG signed | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - | | ||
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then | ||
| echo "Error: Commit signing is not enabled." | ||
| echo "Please enable commit signing with:" | ||
| echo " git config commit.gpgsign true" | ||
| echo "" | ||
| echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" | ||
| exit 1 | ||
| fi | ||
| echo "Commit signing is properly configured." |
The hook name/description says it “ensures that commits are GPG signed”, but the script only checks whether commit.gpgsign is set to true; it doesn’t verify that a commit will actually be signed (e.g., key configured/available) or that existing commits are signed. Consider rewording the name/description to reflect what’s actually enforced (e.g., “Check commit.gpgsign is enabled”) to avoid a false sense of security.
| name: Check commit signing | |
| description: Ensures that commits are GPG signed | |
| entry: bash | |
| args: | |
| - -c | |
| - | | |
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then | |
| echo "Error: Commit signing is not enabled." | |
| echo "Please enable commit signing with:" | |
| echo " git config commit.gpgsign true" | |
| echo "" | |
| echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" | |
| exit 1 | |
| fi | |
| echo "Commit signing is properly configured." | |
| name: Check commit.gpgsign is enabled | |
| description: Checks that Git is configured to attempt GPG signing (commit.gpgsign=true) | |
| entry: bash | |
| args: | |
| - -c | |
| - | | |
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then | |
| echo "Error: Commit signing is not configured via commit.gpgsign=true." | |
| echo "Please enable commit signing with:" | |
| echo " git config commit.gpgsign true" | |
| echo "" | |
| echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" | |
| exit 1 | |
| fi | |
| echo "Commit signing is enabled via commit.gpgsign=true." |
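Review bot: both the original hook and the suggested rewrite test `git config --get commit.gpgsign | grep -q "true"`, which only matches the literal string `true`; Git also accepts `yes`, `on` and `1` as true for this boolean, so a developer with `commit.gpgsign = yes` would be told signing is disabled even though Git will sign. Use `git config --get --type=bool commit.gpgsign` (older Git: `--bool`), which normalises any accepted spelling to `true`/`false`, e.g. `if [ "$(git config --get --type=bool commit.gpgsign)" != "true" ]; then`. The trailing `> /dev/null 2>&1` is redundant with `grep -q`, which already suppresses output.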
| }, | ||
| "updateRemoteUserUID": false | ||
| }, | ||
| "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", | ||
| "mounts": [ | ||
| "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", |
Removing the postAttachCommand appears to drop the only repo-local setup that registers git-secrets patterns/providers (no other occurrences of git-secrets --register-aws / --add-provider remain in the repo). With the current pre-commit hook calling git-secrets --pre_commit_hook, this may cause secret scanning to become ineffective for new clones/devcontainers. If the devcontainer image no longer sets this up globally, consider restoring this setup or moving it into a dedicated bootstrap script that’s invoked from postAttachCommand.
| required: true | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: "0 6 * * 4" |
The scheduled devcontainer update time has changed (previously the separate scheduler workflow ran at 18:00 UTC Thursdays; this workflow now schedules at 06:00 UTC Thursdays). If this timing change isn’t intentional, keep the previous cron; otherwise it would be good to call out the new schedule in the PR description so it’s not a silent operational change.
| - cron: "0 6 * * 4" | |
| - cron: "0 18 * * 4" |