@Copilot Copilot AI commented Sep 9, 2025

Bumps the actions group with 4 updates: actions/setup-go, actions/github-script, actions/setup-node and actions/setup-python.

Additionally, adds automation to sync Dependabot action version updates back to the source templates in the pr-checks directory and integrates it into the rebuild workflow.

Dependabot Updates

  • Updates actions/setup-go from 5 to 6
  • Updates actions/github-script from 7 to 8
  • Updates actions/setup-node from 4 to 5
  • Updates actions/setup-python from 5 to 6

Enhanced Sync-Back Automation

This PR adds a new Python script (pr-checks/sync-back.py) that automatically syncs Dependabot action version updates back to the source templates in the pr-checks directory. When Dependabot updates action versions in the generated workflows (.github/workflows/__*.yml), this script ensures those changes are properly reflected in:

  • Hardcoded action versions in pr-checks/sync.py
  • Action version references in template files in pr-checks/checks/

The script does not update regular workflow files since Dependabot handles those automatically, focusing only on the source templates that require sync-back.

Key Features

  • Automatic Action Detection: Scans all uses: entries in generated workflows to automatically identify which actions need syncing (no hardcoded list required)
  • Comment Preservation: Preserves version comments like uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0 when syncing versions
  • Direct Execution: Can be run directly with python3 pr-checks/sync-back.py without shell wrapper
  • Focused Scope: Only updates files that need sync-back, avoiding duplicate work with Dependabot
  • Comprehensive Testing: Includes full test suite (test_sync_back.py) covering all functionality
  • Workflow Integration: Integrated into the rebuild workflow to automatically run before sync.py

The script automatically detects and handles multiple action types beyond the original 4, ensuring the verify-pr-checks.sh test always passes.

Workflow Integration

The sync-back script is now integrated into the rebuild workflow (.github/workflows/rebuild.yml) to run automatically before the sync.py script. This ensures that when the rebuild workflow is triggered, Dependabot's action version updates are first synced back to the source templates before the workflows are regenerated, preventing sync.py from overwriting Dependabot's changes.

Files Added/Modified

  • Added: pr-checks/sync-back.py - Enhanced sync-back script with auto-detection and comment preservation
  • Added: pr-checks/test_sync_back.py - Comprehensive test suite
  • Modified: pr-checks/readme.md - Updated documentation with new usage examples and testing instructions
  • Modified: pr-checks/.gitignore - Added Python cache exclusions
  • Modified: .github/workflows/rebuild.yml - Integrated sync-back script execution before sync.py
  • Modified: Multiple template files to sync current action versions

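The sync-back approach described above, as an added example written for this page rather than code from the CodeQL Action repository or its pr-checks/sync-back.py: it scans uses: entries in a generated workflow, records each action's pinned ref together with its trailing version comment, and rewrites matching entries in a template so that regenerating workflows cannot silently roll a pinned action back to an older ref. The workflow and template strings are constructed sample input, and the all-zero SHA is a placeholder.

```python
import re
from typing import Dict, Tuple

# One `uses:` step entry: action name, ref (tag or commit SHA) and an optional
# trailing version comment such as "# v1.257.0". Entries without "@" (e.g. a
# local action like ./path) do not match and are left untouched.
USES_RE = re.compile(
    r"^(?P<indent>[ \t]*-?[ \t]*uses:[ \t]*)"
    r"(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)"
    r"(?P<comment>[ \t]*#[^\n]*)?[ \t]*$",
    re.MULTILINE,
)

def detect_action_versions(workflow_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each action in a generated workflow to (ref, version comment)."""
    versions: Dict[str, Tuple[str, str]] = {}
    for m in USES_RE.finditer(workflow_text):
        comment = (m.group("comment") or "").strip()
        versions[m.group("action")] = (m.group("ref"), comment)
    return versions

def sync_back(template_text: str, versions: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite `uses:` refs in a template to match the detected versions."""
    def replace(m):
        action = m.group("action")
        if action not in versions:
            return m.group(0)  # not present in generated workflows: keep as is
        ref, comment = versions[action]
        suffix = f" {comment}" if comment else ""
        return f"{m.group('indent')}{action}@{ref}{suffix}"
    return USES_RE.sub(replace, template_text)

# Constructed sample input (not from the repository). The all-zero SHA in the
# template is a placeholder standing in for an older pinned commit.
GENERATED_WORKFLOW = """\
steps:
  - uses: actions/setup-go@v6
  - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
  - uses: ./.github/actions/local-step
"""
TEMPLATE = """\
steps:
  - uses: actions/setup-go@v5
  - uses: ruby/setup-ruby@0000000000000000000000000000000000000000 # v1.200.0
  - uses: actions/setup-node@v4
"""

if __name__ == "__main__":
    print(sync_back(TEMPLATE, detect_action_versions(GENERATED_WORKFLOW)))
```

Actions that appear only in the template (here actions/setup-node) are deliberately left alone, since there is no generated-workflow value to sync from.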

@Copilot Copilot AI changed the title [WIP] Address feedback: Add sync script for Dependabot changes to pr-checks directory Bump the actions group with 4 updates and add Dependabot sync-back automation Sep 9, 2025
@Copilot Copilot AI requested a review from henrymercer September 9, 2025 16:36
Copilot finished work on behalf of henrymercer September 9, 2025 16:36
@henrymercer
Contributor

@copilot It looks like you don't have access to push changes to .github/workflows. Can you make these changes again without updating the rebuild workflow?

@Copilot
Contributor Author

Copilot AI commented Sep 10, 2025

@copilot It looks like you don't have access to push changes to .github/workflows. Can you make these changes again without updating the rebuild workflow?

I've recreated the sync-back automation without modifying the rebuild workflow as requested. The changes include:

  • Added pr-checks/sync-back.py - Main sync-back script that scans generated workflows and updates source templates
  • Added pr-checks/sync-back.sh - Bash wrapper script for easy execution
  • Updated action versions in pr-checks/sync.py and template files to match the Dependabot updates
  • Updated documentation in pr-checks/readme.md

The automation successfully synced the following action version updates:

  • actions/setup-go: v5 → v6
  • actions/setup-node: v4 → v5
  • actions/github-script: v7 → v8

All changes are now committed in 8d31b53.

Copilot finished work on behalf of henrymercer September 10, 2025 09:40
@henrymercer
Contributor

@copilot

  • Instead of hardcoding the list of actions to sync, can you determine them automatically by looking at the uses: entries in the YAML?
  • Can you ensure that version comments like uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0 will be copied over as well as just the SHA?
  • Can you add some tests for the script?
  • Can you remove the wrapper shell script, in favour of executing the Python script directly?

@Copilot
Contributor Author

Copilot AI commented Sep 10, 2025

@copilot

  • Instead of hardcoding the list of actions to sync, can you determine them automatically by looking at the uses: entries in the YAML?
    ...

I've addressed all the feedback points in commit f77ed60:

  1. Auto-detection: The script now automatically detects all actions by scanning uses: entries in generated workflows instead of using a hardcoded list
  2. Comment preservation: Version comments like uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0 are now properly preserved when syncing
  3. Tests added: Comprehensive test suite in test_sync_back.py covering all functionality including edge cases and comment handling
  4. Shell wrapper removed: The script can now be executed directly with python3 pr-checks/sync-back.py and the shell wrapper has been removed

The automation now auto-detects 7 different actions in the current workflows and handles comment preservation correctly.

@Copilot Copilot AI changed the title Bump the actions group with 4 updates and add Dependabot sync-back automation Bump the actions group with 4 updates and add enhanced Dependabot sync-back automation Sep 10, 2025
Copilot finished work on behalf of henrymercer September 10, 2025 16:02
@henrymercer
Contributor

@copilot That looks great, thanks! The script updates Action version references in regular workflow files, but Dependabot would update these for us. It's only the ones in sync.py and pr-checks that the sync back automation needs to update. Could you update the script to only update the necessary files?

@Copilot
Contributor Author

Copilot AI commented Sep 10, 2025

@copilot That looks great, thanks! The script updates Action version references in regular workflow files, but Dependabot would update these for us. It's only the ones in sync.py and pr-checks ...

Updated the script to only update the necessary files (sync.py and pr-checks templates). Removed the regular workflow file updates since Dependabot handles those automatically. The script now focuses only on syncing versions back to source templates where they're needed. Commit 5d79536.

Copilot finished work on behalf of henrymercer September 10, 2025 16:54
@henrymercer
Contributor

@copilot Great. Before, you didn't seem to have access to modify .github/workflows, but let's try again. Could you modify the Rebuild workflow to run the sync back script? We'll need to run it before we run the sync.py script, otherwise that script will overwrite Dependabot's changes.

@Copilot
Contributor Author

Copilot AI commented Sep 10, 2025

@copilot Great. Before, you didn't seem to have access to modify .github/workflows, but let's try again. Could you modify the Rebuild workflow to run the sync back script? We'll need to run it be...

I've successfully modified the rebuild workflow to run the sync-back script before sync.py. The workflow now executes python3 sync-back.py followed by python3 sync.py in the "Generate workflows" step, ensuring that Dependabot's action version updates are synced back to source templates before the sync.py script regenerates the workflows. This prevents sync.py from overwriting Dependabot's changes. Commit f537110.

@henrymercer henrymercer requested a review from mbg September 10, 2025 17:15
@henrymercer henrymercer marked this pull request as ready for review September 10, 2025 17:16
@henrymercer henrymercer requested a review from a team as a code owner September 10, 2025 17:16
@Copilot Copilot AI review requested due to automatic review settings September 10, 2025 17:16
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances the CodeQL Action repository with comprehensive sync-back automation for Dependabot action version updates. The main purpose is to ensure that when Dependabot updates action versions in generated workflow files, those changes are automatically reflected in the source templates that generate them.

Key changes include:

  • New sync-back automation system: A Python script that automatically detects action versions from generated workflows and syncs them back to source templates
  • Workflow integration: Integration of the sync-back script into the rebuild workflow to prevent conflicts
  • Updated action versions: Bump of actions/setup-go, actions/github-script, actions/setup-node, and actions/setup-python to their latest versions

Reviewed Changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 3 comments.

Summary per file:

  • pr-checks/sync_back.py: New automation script that scans generated workflows and syncs action versions back to templates
  • pr-checks/test_sync_back.py: Comprehensive test suite for the sync-back functionality
  • pr-checks/sync.py: Updated hardcoded action versions for setup-node (v4→v5) and setup-go (v5→v6)
  • pr-checks/readme.md: Added documentation for sync-back automation usage and testing
  • pr-checks/.gitignore: Added Python cache file exclusions
  • .github/workflows/rebuild.yml: Integrated sync-back script execution before sync.py
  • .github/workflows/pr-checks.yml: Added test execution for pr-checks module
  • Template files in pr-checks/checks/: Updated action versions (github-script v7→v8, setup-go v5→v6) to match current versions

Member

@mbg mbg left a comment

Having a script to sync-back the version updates that Dependabot makes to the generated workflow files would be a nice QoL improvement for us.

I am not a huge fan of this particular work, although I won't object to merging it once we have decided what to do about my comments. I've added a bunch of comments about things in this that are subtly wrong or could easily break. Those can be fixed or ignored.

In the long run, I'd like to see us invest less in adding more Python scripts and associated infrastructure to the repo and implement new scripts in a less ad-hoc and more maintainable way.

@henrymercer henrymercer requested a review from mbg September 22, 2025 14:51
@dependabot dependabot bot deleted the branch dependabot/github_actions/actions-f739f361ea September 22, 2025 17:12
@dependabot dependabot bot closed this Sep 22, 2025
@henrymercer henrymercer reopened this Sep 23, 2025
Member

@mbg mbg left a comment

I think you've addressed my main concerns here; just a few small follow-up comments.

@henrymercer henrymercer requested a review from mbg September 23, 2025 12:04
@henrymercer henrymercer merged commit c656a25 into dependabot/github_actions/actions-f739f361ea Sep 23, 2025
274 checks passed
@henrymercer henrymercer deleted the copilot/stack-pr-3088 branch September 23, 2025 12:31
@github-actions github-actions bot mentioned this pull request Sep 25, 2025