copilot-dependabot-update.yml
108 lines (88 loc) · 5.54 KB
on:
  workflow_call:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  dependabot-analysis:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v6

      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2

      - name: Generate dependency analysis with Copilot
        uses: austenstone/copilot-cli@main
        env:
          CONTEXT7_API_KEY: ${{ secrets.CONTEXT7_API_KEY }}
        with:
          mcp-config: |
            {
              "mcpServers": {
                "context7": {
                  "type": "http",
                  "url": "https://mcp.context7.com/mcp",
                  "headers": {
                    "CONTEXT7_API_KEY": "${CONTEXT7_API_KEY}"
                  },
                  "tools": ["get-library-docs", "resolve-library-id"]
                }
              }
            }
          prompt: |
            You are an expert Senior Software Engineer specializing in dependency management and secure coding. Your task is to analyze a Dependabot pull request and generate a comprehensive analysis comment for the PR.

            ### 1. Dependency Update Details
            * **Dependency Names:** ${{ steps.metadata.outputs.dependency-names }}
            * **Update Type:** ${{ steps.metadata.outputs.update-type }}
            * **Old Version(s):** ${{ steps.metadata.outputs.previous-version }}
            * **New Version(s):** ${{ steps.metadata.outputs.new-version }}

            ### 2. Provided Context

            #### Dependabot Metadata
            ```json
            ${{ toJson(steps.metadata.outputs) }}
            ```

            #### Event Data
            ```event
            ${{ toJson(github.event) }}
            ```

            ### 3. Your Tasks
            Based on the context provided above:

            1. **Use Context7 to get library documentation** - Use the `resolve-library-id` and `get-library-docs` tools to fetch up-to-date documentation for the dependency being updated. Focus on migration guides and breaking changes between versions.
            2. **Analyze Release Notes:** Summarize the Release Notes / Changelog. Explicitly list all **Breaking Changes**, **New Features**, and **Deprecations** found between the old and new versions.
            3. **Assess Security:** Review the Known Vulnerabilities data. State if this update fixes any known vulnerabilities and their severity (CVSS score).
            4. **Analyze Code Impact:** Search the codebase to understand how this dependency is used. Use `semantic_search` or `grep_search` to find import statements and usage patterns.
               * If there are breaking changes, determine if they affect our code.
               * If they do affect our code, pinpoint which files/patterns are affected and suggest necessary code changes to migrate.
               * Attempt to build the project to verify compatibility.
            5. **Formulate Recommendation:** Based on your analysis, provide a clear, final recommendation.

            ### 4. Output Format
            Generate the Markdown for a PR comment and post it to: ${{ github.event.pull_request.html_url }}

            Follow this structure precisely:

            ---

            ### 📋 Summary
            *(Provide a one-sentence summary of the update, e.g., "This is a minor/major/patch update for `[Dependency Name]` from `vX.X` to `vY.Y`.")*

            ### 🔒 Security
            *(State if this update resolves any vulnerabilities. Be specific with CVE IDs and CVSS scores if available. If no vulnerabilities, state "No known vulnerabilities addressed.")*

            ### ⚠️ Breaking Changes
            *(List any breaking changes from the release notes and documentation. If there are none, state "No breaking changes found.")*

            ### 🚀 New Features & Improvements
            *(List any notable new features or improvements from the changelog.)*

            ### 📝 Migration & Impact Analysis
            *(This is the most important section.)*
            * **If no code changes are needed:** "I have analyzed our codebase and this update appears to be fully compatible. No migration is required."
            * **If code changes ARE needed:** "This update requires changes to our code. The following breaking change(s) affect our implementation:"
              * *(List the breaking change and show the diff for the required fix with file locations, e.g.,)*
                ```diff
                # In file: src/example.ts
                - // Old code
                - import { oldMethod } from '[library-name]';
                - oldMethod();
                + // New code
                + import { newMethod } from '[library-name]';
                + newMethod();
                ```

            ### ✅ Recommendation
            *(Choose one and explain why.)*
            * **✅ Auto-Merge:** This update is a `[minor/patch]`, resolves `[X]` vulnerabilities, and requires no code changes.
            * **👀 Needs Review:** This update is a `[major/minor]` with significant new features but appears compatible. Please review the changelog before merging.
            * **⚠️ Manual Intervention Required:** This update includes breaking changes that require code modifications. Please review the migration notes above and apply the fixes.
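A deterministic companion check for this workflow, added here as an example; it is not part of the repository, of the Copilot action, or of dependabot/fetch-metadata. It reproduces the job's `if:` gate (the PR author must be `dependabot[bot]`) over a constructed event payload, cross-checks the `update-type` that fetch-metadata reports against the actual delta between `previous-version` and `new-version`, and maps the result onto the three recommendation tiers the prompt defines. The event payload, the metadata values and the `breaking` flag are constructed inputs; the `version-update:semver-*` strings are the values fetch-metadata documents for `update-type`, and the policy that treats a minor bump as an Auto-Merge candidate is an assumption.

```python
"""Deterministic pre-checks for a Dependabot PR (added example, not project code).

Reproduces the workflow's actor gate and cross-checks the claimed update
type against the real version delta, so the Auto-Merge / Needs Review /
Manual Intervention tiers have a floor that depends only on structured
metadata, not on free text from the PR or the model.
Assumed `update-type` values: "version-update:semver-major|minor|patch".
"""
import re
from typing import Optional, Tuple

DEPENDABOT_LOGIN = "dependabot[bot]"
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed stand-in for `github.event` on a Dependabot PR (trimmed).
SAMPLE_EVENT = {
    "action": "opened",
    "pull_request": {
        "number": 1,
        "title": "Bump example-lib from 1.2.3 to 1.3.0",
        "user": {"login": DEPENDABOT_LOGIN, "type": "Bot"},
    },
}

# Constructed stand-in for `steps.metadata.outputs`.
SAMPLE_METADATA = {
    "dependency-names": "example-lib",
    "update-type": "version-update:semver-minor",
    "previous-version": "1.2.3",
    "new-version": "1.3.0",
}


def is_dependabot_pr(event: dict) -> bool:
    """Same predicate as the workflow's `if:`: the PR author must be the
    Dependabot app login. A PR title or branch name is not a trust signal."""
    pr = event.get("pull_request") or {}
    return (pr.get("user") or {}).get("login") == DEPENDABOT_LOGIN


def parse_semver(version: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) or None when the string is not semver."""
    m = SEMVER_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def actual_update_type(previous: str, new: str) -> Optional[str]:
    """Classify the bump from the version strings themselves.
    Returns None for non-semver strings or for a downgrade."""
    a, b = parse_semver(previous), parse_semver(new)
    if a is None or b is None or b <= a:
        return None
    if b[0] != a[0]:
        return "version-update:semver-major"
    if b[1] != a[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def recommendation(metadata: dict, breaking: bool) -> str:
    """Map onto the prompt's three tiers. `breaking` is what the model or
    a build reports; everything else is derived from the metadata fields.
    Assumed policy: minor/patch with no breaking change -> auto-merge,
    major -> needs review, any inconsistency -> needs review."""
    claimed = metadata.get("update-type")
    actual = actual_update_type(metadata.get("previous-version", ""),
                                metadata.get("new-version", ""))
    if breaking:
        return "manual-intervention"
    if actual is None or claimed != actual:
        # Unparseable versions, a downgrade, or a claimed/computed mismatch:
        # never promote to auto-merge on that basis.
        return "needs-review"
    if actual == "version-update:semver-major":
        return "needs-review"
    return "auto-merge"


def triage(event: dict, metadata: dict, breaking: bool = False) -> dict:
    """Run the gate and the tier check; a non-Dependabot PR is skipped,
    exactly as the workflow's `if:` skips the job."""
    if not is_dependabot_pr(event):
        return {"skipped": True, "reason": "not a Dependabot PR"}
    names = metadata.get("dependency-names", "")  # comma-separated for grouped updates
    return {
        "skipped": False,
        "dependencies": [n.strip() for n in names.split(",") if n.strip()],
        "claimed_update_type": metadata.get("update-type"),
        "actual_update_type": actual_update_type(
            metadata.get("previous-version", ""), metadata.get("new-version", "")),
        "recommendation": recommendation(metadata, breaking),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, SAMPLE_METADATA))
```

Keeping this check outside the model matters because everything interpolated into the prompt other than the metadata fields (the PR title and body inside the event JSON) is free text; a gate that reads only the structured outputs means the model's summary cannot promote a major or inconsistent bump to the Auto-Merge tier.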