Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in a40aa23. All manifest file references now use full relative paths ( |
Pull request overview
Adds internal agent guidance for handling Dependabot PRs that touch generated dependency manifests produced by gh aw compile --dependabot, and wires that guidance into the dispatcher agent.
Changes:
- Added a new prompt file `.github/aw/dependabot.md` with a recommended strategy for fixing Dependabot PRs by editing source workflow `.md` files and regenerating manifests.
- Updated `.github/agents/agentic-workflows.agent.md` to route “Fixing Dependabot PRs” requests to the new prompt and document when to load it.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/aw/dependabot.md | New instructions for addressing Dependabot PRs against generated workflow dependency manifests via source .md updates + recompilation. |
| .github/agents/agentic-workflows.agent.md | Dispatcher update to include a Dependabot-fix route and a “Load when” section pointing to the new prompt. |
| - **Debugging workflows**: Routes to `debug` prompt | ||
| - **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt | ||
| - **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt | ||
| - **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`) or `.github/aw/actions-lock.json`. Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes |
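Review bot: The new "Fixing Dependabot PRs" bullet carries the full file list and the remediation procedure, while the sibling bullets above it only name the prompt they route to. The same path list is repeated in the "Load when" line for this prompt, so the two copies can drift apart. Suggest trimming the bullet to the route plus a short trigger, and leaving the file list and the "never merge directly" rule to the `dependabot` prompt itself.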
This dispatcher description says Dependabot PRs may modify .github/aw/actions-lock.json, but .github/dependabot.yml does not configure Dependabot for GitHub Actions updates and Dependabot won’t update that file. Either drop actions-lock.json here or clarify it’s handled by gh aw update/other automation rather than Dependabot.
| - **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`) or `.github/aw/actions-lock.json`. Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes | |
| - **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). For changes to `.github/aw/actions-lock.json` (which are made by `gh aw update` / `gh aw compile` or other automation, not by Dependabot), also use this prompt to update the source `.md` files and rerun `gh aw compile --dependabot` to regenerate the lockfile. Never merge changes to generated files directly; always update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes |
| @@ -96,6 +97,16 @@ When you interact with this agent, it will: | |||
| - "Wrap the Slack MCP server as a reusable component" | |||
| - "Design a shared workflow for database queries" | |||
|
|
|||
There’s an extra trailing backtick after .github/aw/actions-lock.json which breaks inline-code formatting. Remove the extra backtick so the Markdown renders correctly.
| **Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`) or `.github/aw/actions-lock.json` |
| > [!WARNING] | ||
| > **Never directly merge Dependabot PRs that modify generated files** such as `.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`, or `.github/aw/actions-lock.json`. These files are generated by the `gh aw` compiler and any direct changes will be overwritten on the next compilation. | ||
|
|
||
| ## Background | ||
|
|
||
| The `gh aw compile --dependabot` command scans all agentic workflow files (`.github/workflows/*.md`) for runtime tool dependencies and generates manifest files: | ||
|
|
||
| | Manifest | Ecosystem | Full Path | | ||
| |----------|-----------|-----------| | ||
| | `package.json` / `package-lock.json` | npm | `.github/workflows/package.json` / `.github/workflows/package-lock.json` | | ||
| | `requirements.txt` | pip | `.github/workflows/requirements.txt` | | ||
| | `go.mod` | Go | `.github/workflows/go.mod` | | ||
|
|
||
| The `.github/aw/actions-lock.json` file is also managed by the compiler and tracks pinned GitHub Actions versions used in all compiled workflows. |
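Review bot: The `[!WARNING]` list of generated files omits `.github/workflows/package-lock.json`, although the Background table in the same hunk lists it as a generated npm manifest. A Dependabot PR that touches only the lockfile would not match the warning as written. Add the lockfile to the warning so both lists name the same files.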
.github/aw/actions-lock.json is described here as a Dependabot-updated/generated manifest, but this repo’s .github/dependabot.yml only configures gomod/npm/pip updates (no GitHub Actions ecosystem) and Dependabot will not open PRs against actions-lock.json. Either remove actions-lock.json from the Dependabot guidance or explicitly scope it as "other automation/gh aw update" so readers don’t go looking for non-existent Dependabot PRs.
| gh pr list --author "app/dependabot" --state open | ||
| ``` | ||
|
|
||
| Filter for PRs affecting generated workflow manifests (title contains `Bump` or similar, files include `.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`, or `.github/aw/actions-lock.json`). |
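Review bot: The filter step that follows `gh pr list --author "app/dependabot" --state open` relies on the title containing `Bump` "or similar", which is a loose match and leaves the agent to guess which PRs qualify. Since the paragraph already names the affected paths, suggest making the changed-file paths the criterion and either dropping the title heuristic or stating the exact title patterns expected.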
The PR-filtering guidance doesn’t mention .github/workflows/package-lock.json, but Dependabot PRs for the npm ecosystem in /.github/workflows will typically include changes to both package.json and package-lock.json. Consider including package-lock.json in this list so the instructions reliably catch the intended PRs.
- `.github/aw/dependabot.md` instruction file with specific instructions for fixing Dependabot PRs targeting generated manifest files (package.json, requirements.txt, go.mod, actions-lock.json)
- `.github/agents/agentic-workflows.agent.md` explaining when to use the dependabot fix strategy
- (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`, `.github/aw/actions-lock.json`) throughout both files to avoid ambiguity