feat: add gh-aw agent for NuGet dependency updates #616

Conversation

Adds a Copilot-powered agentic workflow that:
- Queries latest versions of GitHub.Copilot.SDK from nuget.org
- Queries latest MauiDevFlow packages from dotnet10 ADO feed
- Updates all csproj files and dotnet-tools.json consistently
- Builds and tests to verify changes compile
- Opens a PR with old → new version details

Runs weekly on Monday or on manual dispatch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Expert Code Review — PR #616
Methodology
3 independent reviewers with adversarial consensus (findings require ≥2/3 agreement; solo findings go to follow-up arbitration).
Findings (ranked by severity)
| # | Severity | Finding | Consensus | File | Line |
|---|---|---|---|---|---|
| 1 | 🔴 CRITICAL | `network: defaults` blocks api.nuget.org and pkgs.dev.azure.com — all curl commands fail, workflow non-functional | 3/3 | dep-update.md | 12 |
| 2 | 🔴 CRITICAL | Wrong csproj filename: `PolyPilot.Gtk/PolyPilot.csproj` → actual is `PolyPilot.Gtk/PolyPilot.Gtk.csproj` (3 occurrences: lines 37, 51, 52) | 3/3 | dep-update.md | 37 |
| 3 | 🟡 MODERATE | `dotnet build PolyPilot.slnx` will fail in AWF container — no .NET 10 SDK or MAUI workloads → agent reverts all changes → silent no-op | 3/3 (after follow-up) | dep-update.md | 73 |
| 4 | 🟡 MODERATE | No `github-token-for-extra-empty-commit:` — agent-created PR won't trigger CI | 3/3 | dep-update.md | 15 |
| 5 | 🟢 MINOR | "Up to date" check is ambiguous when SDK versions are already inconsistent across projects | 2/3 | dep-update.md | 67 |
Discarded findings (single reviewer only, no consensus)
- Concurrency control missing — debunked: compiler auto-generates `concurrency: group: "gh-aw-${{ github.workflow }}"` (verified in lock file line 36)
- Protected files blocking csproj edits — debunked: `.csproj` files are NOT in the protected-files list (verified in lock file line 1053)
- jq `[-1]` publication-order vs semver-order — fragile edge case for prerelease packages (1/3)
- No explicit `timeout-minutes` — defaults are acceptable (1/3)
- `Microsoft.Maui.Essentials.AI` not in update scope — intentionally pinned (1/3)
What's done well ✅
- Permissions are minimal — `contents: read`, `pull-requests: read` on agent job; write permissions correctly isolated to `safe_outputs` job
- Safe-output keys use kebab-case (`create-pull-request`) per conventions
- Schedule format uses fuzzy syntax correctly (`weekly on monday`)
- Early exit logic prevents empty PRs when everything is current
- Lock file committed alongside source `.md` as required
- Package list is complete (excluding `PolyPilot.Provider.Sample`, which has no SDK reference)
Recommendation
Fix the 2 critical issues (network allowlist, Gtk filename) before merge — without these fixes the workflow will fail 100% of the time. The moderate issues (build environment, CI triggering) are strongly recommended. After fixing, recompile with gh aw compile .github/workflows/dep-update.md and commit the updated lock file.
Generated by Expert Code Review (auto) for issue #616
Context (`.github/workflows/dep-update.md`, frontmatter):

```yaml
engine: copilot
# (lines between omitted in the rendered review view)
network: defaults
```
🔴 CRITICAL — `network: defaults` blocks NuGet and ADO API calls (Flagged by: 3/3 reviewers)
The compiled allowlist from `network: defaults` does not include `api.nuget.org` or `pkgs.dev.azure.com`. All three curl commands in the agent prompt will be blocked by the AWF firewall — the agent cannot query any package versions, making the workflow non-functional.
Verified in the compiled lock file: the `--allow-domains` list contains standard infrastructure domains but neither NuGet nor Azure DevOps feeds.
Suggested fix:

```yaml
network:
  allow:
    - defaults
    - api.nuget.org
    - pkgs.dev.azure.com
```

Or if gh-aw has a dotnet network preset that includes these, use that instead.
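The failure mode above (an egress allowlist that silently omits a host the prompt needs) is cheap to catch before compiling the workflow. The script below is an added example written for this thread, not gh-aw's own code: it pulls every URL out of a prompt body, expands a gh-aw-style `network:` value into hostnames, and reports which hosts the firewall would block. The `DEFAULT_PRESET_HOSTS` set, the `network:` shapes it accepts, and the curl lines in `SAMPLE_PROMPT` are assumptions constructed for the example; the real "defaults" expansion is the `--allow-domains` argument in the compiled lock file.

```python
"""Static check that the hosts an agent prompt reaches with curl are covered by
the workflow's network allowlist. Constructed example for this review thread,
not gh-aw's own code."""
import re
from urllib.parse import urlparse

# Assumption: stand-in for the domains gh-aw's "defaults" preset allows. The
# real list is the --allow-domains argument in the compiled lock file.
DEFAULT_PRESET_HOSTS = frozenset({"github.com", "api.github.com"})

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def required_hosts(prompt: str) -> set:
    """Hostnames of every http(s) URL that appears in the agent prompt."""
    hosts = set()
    for url in URL_RE.findall(prompt):
        host = urlparse(url).hostname  # already lowercased by urlparse
        if host:
            hosts.add(host)
    return hosts


def allowed_hosts(network) -> set:
    """Expand a gh-aw-style `network:` value into concrete hostnames.

    Accepts the bare string "defaults" or a mapping with an `allow` list whose
    entries are preset names or hostnames (shape assumed from the review above).
    """
    if network == "defaults":
        entries = ["defaults"]
    elif isinstance(network, dict):
        entries = list(network.get("allow", []))
    else:
        raise ValueError(f"unsupported network config: {network!r}")
    hosts = set()
    for entry in entries:
        if entry == "defaults":
            hosts |= DEFAULT_PRESET_HOSTS
        else:
            hosts.add(str(entry).lower())
    return hosts


def missing_hosts(prompt: str, network) -> set:
    """Hosts the prompt needs that the AWF firewall would block."""
    return required_hosts(prompt) - allowed_hosts(network)


# Constructed prompt fragment modelled on the three curl commands the review
# describes; the URLs are sample values, not copied from the PR.
SAMPLE_PROMPT = """
Query versions with:
curl -s https://api.nuget.org/v3-flatcontainer/github.copilot.sdk/index.json | jq '.versions[-1]'
curl -s "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet10/nuget/v3/index.json"
curl -s https://github.com/ORG-PLACEHOLDER/REPO-PLACEHOLDER/releases/latest
"""

NETWORK_BEFORE = "defaults"                                                   # as submitted
NETWORK_AFTER = {"allow": ["defaults", "api.nuget.org", "pkgs.dev.azure.com"]}  # suggested fix

if __name__ == "__main__":
    for label, cfg in (("before", NETWORK_BEFORE), ("after", NETWORK_AFTER)):
        blocked = sorted(missing_hosts(SAMPLE_PROMPT, cfg))
        print(f"{label}: blocked hosts = {blocked or 'none'}")
```

Run against the submitted frontmatter it lists both feed hosts as blocked; with the suggested `allow:` list it reports none. Because the check is fail-closed (anything not explicitly allowed is treated as blocked), a false positive costs one allowlist entry, whereas the silent failure the review describes costs every weekly run.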
Context (`.github/workflows/dep-update.md`, agent prompt):

```markdown
This package appears in multiple csproj files — update ALL of them to the same version:
- `PolyPilot/PolyPilot.csproj`
- `PolyPilot.Console/PolyPilot.csproj`
- `PolyPilot.Gtk/PolyPilot.csproj`
```
🔴 CRITICAL — Wrong csproj filename for Gtk project (Flagged by: 3/3 reviewers)
This references `PolyPilot.Gtk/PolyPilot.csproj` but the actual file on disk is `PolyPilot.Gtk/PolyPilot.Gtk.csproj`. The same error appears on lines 51 and 52 in the MauiDevFlow section.
The agent will look for a nonexistent file and either skip the Gtk project (leaving 3 packages at stale versions) or create a spurious new file.
Fix (apply in all 3 occurrences — lines 37, 51, 52):

```diff
-- `PolyPilot.Gtk/PolyPilot.csproj`
+- `PolyPilot.Gtk/PolyPilot.Gtk.csproj`
```
Context (`.github/workflows/dep-update.md`, agent prompt steps):

```markdown
4. **Update dotnet-tools.json** — update the `microsoft.maui.cli` version.

5. **Build to verify** — run `dotnet build PolyPilot.slnx -c Debug --nologo` to confirm everything compiles. If it fails, investigate and fix or revert.
```
🟡 MODERATE — Build will fail in agent container (no .NET 10 / MAUI workloads) (Flagged by: 3/3 reviewers after follow-up)
The AWF agent container does not have .NET 10 SDK or MAUI workloads pre-installed, and the frontmatter has no `runtimes: dotnet:` declaration. `dotnet build PolyPilot.slnx` targets Mac Catalyst/iOS/Android — it will hard-fail on Ubuntu without MAUI workloads. Since the prompt says "investigate and fix or revert", the agent will likely revert all changes → silent no-op every weekly run.
Suggested fix — replace the full-solution build with a lighter verification:

```markdown
5. **Verify package resolution** — run `dotnet restore PolyPilot.slnx --nologo` to confirm
   all package references resolve. If it fails, the version may not exist — revert that package.
6. **Run tests** — run `cd PolyPilot.Tests && dotnet test --configuration Debug --nologo`
   (the test project targets net10.0 without MAUI workloads and is buildable on Linux).
```

Context (`.github/workflows/dep-update.md`, frontmatter):

```yaml
network: defaults
# (lines between omitted in the rendered review view)
safe-outputs:
  create-pull-request:
```
🟡 MODERATE — Agent-created PR will not trigger CI (Flagged by: 3/3 reviewers)
Per gh-aw conventions, PRs created with `GITHUB_TOKEN` do not trigger GitHub Actions. Without `github-token-for-extra-empty-commit:`, the dependency update PR will have no CI status checks — it cannot be merged if branch protection requires passing CI.
Suggested fix:

```yaml
safe-outputs:
  create-pull-request:
    github-token-for-extra-empty-commit: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
```

(`GH_AW_CI_TRIGGER_TOKEN` is already referenced in the compiled lock file, suggesting the repo has this secret.)
Context (`.github/workflows/dep-update.md`, agent prompt steps):

```markdown
1. **Query latest versions** for all three package groups using the curl commands above.

2. **Compare with current versions** in the csproj files and `dotnet-tools.json`. If everything is already up to date, stop — do not create a PR.
```
🟢 MINOR — Ambiguous "up to date" check with existing version skew (Flagged by: 2/3 reviewers)
`GitHub.Copilot.SDK` is already at inconsistent versions across projects (0.2.1 in PolyPilot/Tests, 0.2.0 in Console/Gtk/Provider.Abstractions). If the latest on nuget.org is 0.2.1, the agent might conclude "already up to date" based on the main project, missing that three others are behind.
Suggested fix — tighten the description:

```markdown
2. **Compare with current versions** in ALL csproj files. If every file already
   pins the package at the latest version AND they are all consistent with each
   other, stop. Partial updates (some at latest, others behind) still need a PR.
```
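Two of the findings in this thread come down to how "latest" and "up to date" are computed: the minor finding above (skew across projects must still produce a PR) and the discarded note that `jq '.versions[-1]'` picks by publication order rather than SemVer precedence. The script below is an added example written for this thread, not the PR's agent prompt: it reads `PackageReference` versions out of csproj XML, decides whether a run has work to do by requiring every project to pin exactly the target version, and selects the target by SemVer precedence with an explicit prerelease policy. The csproj contents, the `SAMPLE_INDEX` ordering and the `make_csproj` helper are constructed for the example; the version numbers mirror the skew the reviewer describes.

```python
"""Decide whether a NuGet dependency-update run has work to do, treating version
skew across projects as work, and pick "latest" by SemVer precedence rather
than index position. Constructed example for this review thread, not the PR's
agent prompt."""
import xml.etree.ElementTree as ET


def semver_key(version: str):
    """Sort key implementing SemVer 2.0 precedence: release > prerelease,
    numeric prerelease identifiers compared numerically, alphanumeric ones
    lexically. Build metadata after '+' is ignored, as the spec requires."""
    core = version.partition("+")[0]
    main, _, pre = core.partition("-")
    nums = [int(p) for p in main.split(".")]
    nums += [0] * (4 - len(nums))          # NuGet allows a fourth numeric part
    if not pre:
        return (tuple(nums), 1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (tuple(nums), 0, ids)


def latest_version(versions, include_prerelease=False):
    """Highest version by precedence. nuget.org's flat-container index is in
    publication order, so `jq '.versions[-1]'` returns whatever was pushed
    last, which may be a patch release older than an already-published preview."""
    candidates = [v for v in versions
                  if include_prerelease or "-" not in v.partition("+")[0]]
    return max(candidates, key=semver_key) if candidates else None


def package_versions(csproj_xml: str) -> dict:
    """Map PackageReference Include -> Version for one csproj document."""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageReference") if el.get("Include")}


def update_plan(projects: dict, package: str, latest: str):
    """projects maps project path -> csproj XML. Returns (needs_pr, plan) where
    plan maps each project referencing `package` to (current, target). A PR is
    needed unless every such project already pins exactly `latest`, so partial
    updates and cross-project skew are treated as work, not as "up to date"."""
    plan = {}
    for path, xml_text in projects.items():
        current = package_versions(xml_text).get(package)
        if current is not None:
            plan[path] = (current, latest)
    needs_pr = any(current != latest for current, _ in plan.values())
    return needs_pr, plan


def make_csproj(version: str) -> str:
    """Constructed minimal project file pinning GitHub.Copilot.SDK."""
    return (
        '<Project Sdk="Microsoft.NET.Sdk">\n'
        '  <ItemGroup>\n'
        f'    <PackageReference Include="GitHub.Copilot.SDK" Version="{version}" />\n'
        '  </ItemGroup>\n'
        '</Project>\n'
    )


# Version skew as described in the review: main project ahead of Console/Gtk.
SAMPLE_PROJECTS = {
    "PolyPilot/PolyPilot.csproj": make_csproj("0.2.1"),
    "PolyPilot.Console/PolyPilot.csproj": make_csproj("0.2.0"),
    "PolyPilot.Gtk/PolyPilot.Gtk.csproj": make_csproj("0.2.0"),
}
# Constructed publication-ordered index: the 0.2.1 patch was pushed after a preview.
SAMPLE_INDEX = ["0.2.0", "0.3.0-preview.1", "0.2.1"]

if __name__ == "__main__":
    latest = latest_version(SAMPLE_INDEX)
    print("latest stable:", latest, "| last published:", SAMPLE_INDEX[-1],
          "| latest incl. prerelease:", latest_version(SAMPLE_INDEX, True))
    needs_pr, plan = update_plan(SAMPLE_PROJECTS, "GitHub.Copilot.SDK", latest)
    for path, (current, target) in plan.items():
        note = "" if current != target else " (already current)"
        print(f"{path}: {current} -> {target}{note}")
    print("open PR:", needs_pr)
```

With the sample data the main project is already at 0.2.1 but the run still reports work, because Console and Gtk are behind; that is exactly the case the tightened step 2 wording is meant to cover. The `include_prerelease` flag makes the prerelease policy an explicit decision rather than an accident of publication order.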
Adds a Copilot-powered agentic workflow (`dep-update`) that automatically checks for and applies NuGet package updates.

What it does

Triggers
- `workflow_dispatch`

Files
- `.github/workflows/dep-update.md` — agent instructions
- `.github/workflows/dep-update.lock.yml` — compiled GitHub Actions workflow