@CybotTM commented Feb 2, 2026

Summary

Adds automatic composer update to the CI pipeline, ensuring dependencies stay fresh without manual intervention.

How it works

Trigger (push to main OR weekly schedule)
    ↓
update-deps job: composer update
    ↓
Lock file changed? 
  → YES: commit & push, output new SHA
  → NO: output original SHA
    ↓
lint job: checkout $SHA → run linting
    ↓
build job: checkout $SHA → build & release

Key implementation details

  • update-deps outputs the commit SHA (new if deps changed, original otherwise)
  • lint and build jobs checkout that specific SHA via ref: parameter
  • This ensures the built image always matches the committed lock file state
  • Works around GitHub's limitation where GITHUB_TOKEN pushes don't trigger new runs

Flow by trigger type

| Trigger | update-deps | lint build |
|---|---|---|
| PR | skipped | ✓ (original SHA) |
| Push (no dep changes) | runs | ✓ (original SHA) |
| Push (dep changes) | commits, outputs new SHA | ✓ (new SHA) |
| Schedule | same as push | |

Benefits

  • Dependencies updated automatically on every push/schedule
  • Built image always matches committed lock file
  • Clear audit trail - every dep update is a separate commit
  • Single workflow run handles both update and build

Test plan

  • PR triggers skip update-deps, run lint & build with original SHA
  • Push to main with no dep changes runs full pipeline
  • Push/schedule with dep changes commits, then builds with new SHA

Add update-deps job that runs composer update on push to main and
scheduled builds. If lock file changes, commit and push to trigger
a fresh build with the updated dependencies.

Flow:
- PR: skip update-deps → lint → build
- Push/Schedule (no changes): update-deps → lint → build
- Push/Schedule (changes): update-deps commits → triggers new run

Copilot AI review requested due to automatic review settings February 2, 2026 12:43

Copilot AI left a comment

Pull request overview

Adds an update-deps job to the existing CI workflow to automatically run composer update on non-PR runs and conditionally short-circuit the pipeline when dependency changes are committed.

Changes:

  • Introduces an update-deps job that runs composer update and commits/pushes app/composer.lock when it changes.
  • Gates lint and build jobs to run only when update-deps did not change the lockfile (or was skipped for PRs).
  • Wires job dependencies/conditions so PRs continue to run lint/build without updating dependencies.

Address review feedback: GITHUB_TOKEN pushes don't trigger new workflow
runs. Instead of exiting after committing deps, continue the build in
the same run by:

- Output the new commit SHA (or original if no changes)
- lint and build jobs checkout the updated SHA
- Always run lint/build instead of skipping when deps changed

This ensures the built image uses the committed lock file state.

@CybotTM merged commit 764c003 into main Feb 2, 2026
11 checks passed
@CybotTM deleted the feat/auto-update-composer-deps branch February 2, 2026 12:57
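
The pipeline this PR describes, sketched as a GitHub Actions workflow. This is an added example, not the repository's actual workflow file: job and output names follow the PR text, while the schedule, the lint and build commands, and the image tag are assumptions. Only update-deps receives a write-scoped token; lint and build check out the SHA it outputs.

```yaml
# Added illustration, not the project's workflow. Names follow the PR text;
# cron value, lint/build commands and image tag are assumed placeholders.
on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"          # constructed weekly schedule
permissions:
  contents: read                 # default token scope for every job
jobs:
  update-deps:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: write            # the only job allowed to push
    outputs:
      sha: ${{ steps.commit.outputs.sha }}
    steps:
      - uses: actions/checkout@v4
      - run: composer update --no-interaction --working-dir=app
      - id: commit
        run: |
          if ! git diff --quiet -- app/composer.lock; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git commit -m "chore: update composer dependencies" -- app/composer.lock
            git push
          fi
          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
  lint:
    needs: update-deps
    # Run after a successful or skipped (PR) update-deps, never a failed one.
    if: ${{ !cancelled() && (needs.update-deps.result == 'success' || needs.update-deps.result == 'skipped') }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.update-deps.outputs.sha || github.sha }}
      - run: composer validate --working-dir=app   # placeholder lint step
  build:
    needs: [update-deps, lint]
    if: ${{ !cancelled() && needs.lint.result == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.update-deps.outputs.sha || github.sha }}
      - run: docker build -t example/app:ci app    # placeholder build step
```

On pull requests update-deps is skipped, its output is empty, and the `ref:` expression falls back to `github.sha`.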