Replace dotnet/actions-create-pull-request with local composite action #15964

Merged: joperezr merged 2 commits into main from replace-create-pull-request-action on Apr 10, 2026

@joperezr (Member) commented Apr 8, 2026

Description

Replace the external dotnet/actions-create-pull-request GitHub Action with a local composite action at .github/actions/create-pull-request/action.yml.

Motivation

The dotnet/actions-create-pull-request fork is 482 commits behind upstream peter-evans/create-pull-request, still declares node16 in its action.yml, and has not incorporated the fix for actions/checkout@v6 compatibility (peter-evans#4230). This causes all workflows using it to fail with The process '/usr/bin/git' failed with exit code 128 due to duplicate Authorization headers.

Changes

  • New: .github/actions/create-pull-request/action.yml — a composite action using git and gh CLI (pre-installed on all runners). No external dependencies, no Node.js version concerns.
  • Updated 8 workflow files (9 usages) to reference ./.github/actions/create-pull-request instead of dotnet/actions-create-pull-request@e8d799aa1f8b17f324f9513832811b0a62f1e0b1:
    • generate-api-diffs.yml
    • generate-ats-diffs.yml
    • refresh-manifests.yml
    • refresh-typescript-sdks.yml
    • update-ai-foundry-models.yml
    • update-dependencies.yml
    • update-github-models.yml
    • release-github-tasks.yml (2 usages, using branch-already-exists: 'true')
  • Updated: docs/release-process.md to reflect the new action reference.

Security

A threat model was performed on the composite action:

  • All inputs flow through env: variables (never ${{ }} interpolation in run: blocks) to prevent expression injection
  • No eval — label arguments use bash arrays, PR body uses --body-file with a temp file
  • Token passed via GH_TOKEN env var, never on command lines
  • All callers trigger only on schedule or workflow_dispatch (requires repo write access)
  • Eliminates the unmaintained external dependency entirely

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?
    • Yes
    • No
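
The pattern listed under Security above (inputs arriving as environment variables, label arguments collected in a bash array, the body passed with --body-file, the token in GH_TOKEN), as an added example that is not the PR's action.yml. TITLE, BODY, LABELS and the function names are assumptions; BRANCH and BASE appear in the reviewed lines further down.

```bash
#!/usr/bin/env bash
# Added example, not the action's own script. TITLE, BODY, LABELS and the
# function names are assumptions made for illustration.
set -euo pipefail

# Build the `gh pr create` argument vector in the global array PR_ARGS.
# $1 is the path of the file that holds the PR body.
build_pr_args() {
  local body_file=$1 label
  local -a labels=()
  PR_ARGS=(pr create --title "$TITLE" --body-file "$body_file"
           --base "$BASE" --head "$BRANCH")
  # Split on commas only; each label stays one array element, whatever
  # quotes, spaces or shell metacharacters it contains.
  IFS=',' read -r -a labels <<< "${LABELS:-}"
  for label in "${labels[@]:-}"; do
    label="${label#"${label%%[![:space:]]*}"}"   # trim leading whitespace
    label="${label%"${label##*[![:space:]]}"}"   # trim trailing whitespace
    if [ -n "$label" ]; then PR_ARGS+=(--label "$label"); fi
  done
}

# Write the body to a temp file and call gh with the array. No eval, no
# re-parsing of a command string. gh reads the token from GH_TOKEN in the
# environment, so it never appears in argv.
create_pr() {
  local body_file rc=0
  body_file=$(mktemp)
  printf '%s' "$BODY" > "$body_file"
  build_pr_args "$body_file"
  gh "${PR_ARGS[@]}" || rc=$?
  rm -f "$body_file"
  return "$rc"
}

# Constructed inputs, as a workflow step would receive them through `env:`.
TITLE='[Automated] Update "dependencies"'
BODY=$'Line one\nLine `two` with $(markup)'
BRANCH='update-dependencies'
BASE='main'
LABELS='area-infra, two words; echo $(whoami) ,,'

build_pr_args body.md   # gh is not invoked here; only the vector is built
printf 'argc=%d\n' "${#PR_ARGS[@]}"
printf '  [%s]\n' "${PR_ARGS[@]}"
```

The second label prints as a single bracketed argument, which is the property the array gives: the value reaches gh as data and is never re-read by the shell.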

Copilot AI review requested due to automatic review settings April 8, 2026 17:36
github-actions bot (Contributor) commented Apr 8, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15964

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15964"

Copilot AI (Contributor) left a comment

Pull request overview

This PR replaces the repository’s dependency on the external dotnet/actions-create-pull-request action with a local composite action that uses git + gh CLI, then updates the scheduled/dispatch workflows and docs to use the new local action.

Changes:

  • Added a new composite action at .github/actions/create-pull-request/action.yml to create/update PRs via gh.
  • Updated 8 workflows (9 call sites) to use the local composite action instead of the external pinned action SHA.
  • Updated release process documentation to reference the local action.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.

Summary per file:

| File | Description |
| --- | --- |
| .github/actions/create-pull-request/action.yml | New composite action implementing commit/push and PR creation via git/gh. |
| .github/workflows/generate-api-diffs.yml | Switched PR creation step to use the local action. |
| .github/workflows/generate-ats-diffs.yml | Switched PR creation step to use the local action. |
| .github/workflows/refresh-manifests.yml | Switched PR creation step to use the local action. |
| .github/workflows/refresh-typescript-sdks.yml | Switched PR creation step to use the local action. |
| .github/workflows/update-ai-foundry-models.yml | Switched PR creation step to use the local action. |
| .github/workflows/update-dependencies.yml | Switched PR creation step to use the local action. |
| .github/workflows/update-github-models.yml | Switched PR creation step to use the local action. |
| .github/workflows/release-github-tasks.yml | Switched PR creation to local action and added branch-already-exists for pre-pushed branches. |
| docs/release-process.md | Updated “approved actions” list to reference the local action. |

Comment on lines +84 to +88
EXISTING_PR=$(gh pr list --head "$BRANCH" --base "$BASE" --json number,url --jq '.[0] // empty')

if [ -n "$EXISTING_PR" ]; then
PR_NUMBER=$(echo "$EXISTING_PR" | jq -r '.number')
PR_URL=$(echo "$EXISTING_PR" | jq -r '.url')

Copilot AI Apr 8, 2026

This step parses EXISTING_PR with jq, which adds an extra tool dependency. Since gh already supports --jq, you can avoid relying on jq being installed (especially on non-standard/self-hosted runners) by extracting number/url directly in the gh pr list call(s).

Suggested change
EXISTING_PR=$(gh pr list --head "$BRANCH" --base "$BASE" --json number,url --jq '.[0] // empty')
if [ -n "$EXISTING_PR" ]; then
PR_NUMBER=$(echo "$EXISTING_PR" | jq -r '.number')
PR_URL=$(echo "$EXISTING_PR" | jq -r '.url')
PR_NUMBER=$(gh pr list --head "$BRANCH" --base "$BASE" --json number --jq '.[0].number // empty')
if [ -n "$PR_NUMBER" ]; then
PR_URL=$(gh pr list --head "$BRANCH" --base "$BASE" --json url --jq '.[0].url // empty')
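
Review bot: the replacement lines at the end of this suggestion run gh pr list twice with the same --head/--base filters, so PR_NUMBER and PR_URL come from two separate API responses and can disagree if a PR is opened or closed between the calls; the existing-PR path also costs two requests instead of one. A single call that returns both fields, for example --jq '.[0] | select(. != null) | "\(.number)\t\(.url)"' consumed with IFS=$'\t' read -r PR_NUMBER PR_URL, would drop the external jq dependency without the second request. The empty-result case needs a guard there, since read returns non-zero when it gets no input.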

PR author (Member) replied:

Won't fix. jq is pre-installed on all GitHub-hosted runners (ubuntu-latest, windows-latest, macos-latest) and is already used extensively in other steps of release-github-tasks.yml. The extra gh pr list call suggested would double the API requests for the existing-PR path. Not worth the churn for a non-issue.

github-actions bot (Contributor) commented Apr 8, 2026

Re-running the failed jobs in the CI workflow for this pull request because 3 jobs were identified as retry-safe transient failures in the CI run attempt.
GitHub was asked to rerun all failed jobs for that attempt, and the rerun is being tracked in the rerun attempt.
The job links below point to the failed attempt jobs that matched the retry-safe transient failure rules.

github-actions bot (Contributor) commented Apr 8, 2026

🎬 CLI E2E Test Recordings — 56 recordings uploaded (commit 7487ac4)

📹 Recordings uploaded automatically from CI run #24152394246

@joperezr (Member, Author) commented

Merging to unblock other workflows. Will address feedback in a follow up.

@joperezr joperezr merged commit 5a2acad into main Apr 10, 2026
518 of 527 checks passed