Addressing PR comments #51

Merged: Stensel8 merged 4 commits into development from claude/automate-dependency-management on Mar 29, 2026

Claude AI (Contributor) commented Mar 29, 2026

No description provided.

@Stensel8 (Owner)

@claude[agent]

In .github/workflows/check-dependencies.yml, line 69, there is a typo, I think.

echo "current=$CURRENT_OUTPUT" >> $GITHUB_OUTPUT
This should be:
echo "current=$CURRENT_VERSION" >> $GITHUB_OUTPUT
The variable is called CURRENT_VERSION, not CURRENT_OUTPUT. This causes the PCRE2 check to fail.

Claude AI and others added 2 commits March 29, 2026 10:44
- Auto-update workflow now modifies files directly instead of just creating empty PRs
- Automatically extracts versions from issues and updates installer scripts
- Creates PRs with actual code changes for Ansible, Kubernetes, and NGINX
- Marks NGINX PRs as draft (requires SHA256 checksum verification)
- Add helper script to calculate and update NGINX SHA256 checksums
- Enhanced README documentation explaining true self-maintenance

The repository can now maintain itself - detects updates, creates PRs with code changes, only needs human review before merging.

Agent-Logs-Url: https://github.com/Stensel8/Scripts/sessions/547a61b6-040d-4e32-ab08-55063bbe8ef5

Co-authored-by: Stensel8 <102481635+Stensel8@users.noreply.github.com>
Added TESTING_AUTOMATION.md with detailed instructions for testing the enhanced automated dependency management system

Agent-Logs-Url: https://github.com/Stensel8/Scripts/sessions/547a61b6-040d-4e32-ab08-55063bbe8ef5

Co-authored-by: Stensel8 <102481635+Stensel8@users.noreply.github.com>
@Claude Claude AI changed the title from "[WIP] Improve automated dependency management and PR submissions" to "Implement fully automated dependency updates with code modification" Mar 29, 2026
@Claude Claude AI requested a review from Stensel8 March 29, 2026 10:46
…RSION)

Fixed typo on line 65 where CURRENT_OUTPUT was used instead of CURRENT_VERSION, which would cause the PCRE2 current version to be empty in the workflow output.

Agent-Logs-Url: https://github.com/Stensel8/Scripts/sessions/fd0f5acc-490c-4a4f-b409-1ad4d50bdc39

Co-authored-by: Stensel8 <102481635+Stensel8@users.noreply.github.com>
Claude AI (Contributor, Author) commented Mar 29, 2026

@claude[agent]

In .github/workflows/check-dependencies.yml, line 69, there is a typo, I think.
...

Fixed in commit 749b8a8. Changed $CURRENT_OUTPUT to $CURRENT_VERSION on line 65 of check-dependencies.yml.

@Claude Claude AI changed the title from "Implement fully automated dependency updates with code modification" to "Addressing PR comments" Mar 29, 2026
@Stensel8 Stensel8 marked this pull request as ready for review March 29, 2026 10:49
Copilot AI review requested due to automatic review settings March 29, 2026 10:49
@Stensel8 Stensel8 merged commit c936da2 into development Mar 29, 2026
3 checks passed
@Stensel8 Stensel8 deleted the claude/automate-dependency-management branch March 29, 2026 10:49

Copilot AI (Contributor) left a comment

Pull request overview

Updates the repo’s automated dependency management docs and workflows so dependency issues can trigger PRs that include actual version bumps (plus helper tooling for NGINX checksum updates).

Changes:

  • Refines README dependency-update section and documents a new NGINX checksum helper script.
  • Fixes PCRE2 output handling in the dependency-check workflow.
  • Enhances the auto-update workflow to edit installer files, commit, push, and open PRs; adds testing documentation and a checksum update helper script.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| README.md | Clarifies the end-to-end dependency update flow and adds NGINX checksum helper usage. |
| .github/workflows/check-dependencies.yml | Fixes PCRE2 step output to use the correct variable. |
| .github/workflows/auto-update-dependencies.yml | Implements automated file updates + commit/push/PR creation and improves issue/PR messaging. |
| .github/scripts/update-nginx-checksums.sh | Adds a helper to compute and apply SHA256 updates for NGINX-related tarballs. |
| .github/TESTING_AUTOMATION.md | Adds manual testing steps and expected behavior for the enhanced automation. |

Comments suppressed due to low confidence (1)

.github/workflows/auto-update-dependencies.yml:71

  • pulls.list only returns the first page (default 30). If the repo ever has >30 open PRs, the workflow may fail to detect an existing PR linked to the issue and create duplicates. Use pagination (github.paginate) or the search API to reliably find PRs referencing #${issueNumber}.
            // Search for any PR that references this issue
            const allPRs = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open'
            });

            const linkedPR = allPRs.data.find(pr =>
              pr.body && pr.body.includes(`#${issueNumber}`)
            );

Comment on lines +241 to +250
execSync(`git add ${files.join(' ')}`, { stdio: 'inherit' });

This PR addresses the dependency updates identified in issue #${issueNumber}.
const commitMessage = `chore: update ${updateType} dependencies

### Changes Required
${Object.entries(updates).map(([comp, vers]) => `- ${comp}: ${vers.current} → ${vers.latest}`).join('\n')}

The following files need to be updated:
${files.map(f => `- [ ] \`${f}\``).join('\n')}
Automated update from issue #${issueNumber}`;

### Update Information
execSync(`git commit -m "${commitMessage.replace(/"/g, '\\"')}"`, { stdio: 'inherit' });
console.log('Committed changes');
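
Review bot: In the `git commit` line, `commitMessage.replace(/"/g, '\\"')` escapes only double quotes, so `$`, backticks and backslashes in the message still reach the shell that `execSync` starts, and the `git add ${files.join(' ')}` line at the top of the hunk passes unquoted paths the same way. Suggest calling git without a shell, `execFileSync('git', ['commit', '-m', commitMessage])` and `execFileSync('git', ['add', '--', ...files])`, so neither value is parsed as shell syntax.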

Copilot AI Mar 29, 2026

This workflow executes git commit via execSync while embedding content derived from the issue body (versions/components) into the command string. Because execSync runs through a shell, crafted issue content containing $()/backticks can lead to command injection with contents: write permissions. Use execFileSync/spawnSync with an argv array (no shell) for all git commands, and avoid interpolating untrusted data into shell strings.

Copilot uses AI. Check for mistakes.
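
The difference the comment above describes, as an added example that is not code from this pull request: the same issue-derived string is handed to a child process once through a shell command string and once as an argv entry. The helper names, the sample values and the Node child used as a stand-in for `git commit -m` are assumptions made for the demonstration.

```javascript
// Added example. Helper names and sample values are hypothetical, not the workflow's own code.
const { execSync, execFileSync } = require('node:child_process');

// Constructed sample: a "latest" version as it could be parsed from an issue body.
const craftedVersion = '1.2.3$(echo INJECTED)';

// Stand-in for `git commit -m <msg>`: a child process that prints its last argument.
const PRINT_LAST_ARG = 'process.stdout.write(process.argv[process.argv.length - 1])';

// Pattern from the hunk: one command string, only double quotes escaped, run by a shell.
function messageSeenViaShell(msg) {
  const cmd = `"${process.execPath}" -e "${PRINT_LAST_ARG}" -- "${msg.replace(/"/g, '\\"')}"`;
  return execSync(cmd, { encoding: 'utf8' });
}

// The review's recommendation: argv array, no shell, so msg stays one literal argument.
function messageSeenViaArgv(msg) {
  return execFileSync(process.execPath, ['-e', PRINT_LAST_ARG, '--', msg], { encoding: 'utf8' });
}

// Defence in depth: accept only dotted numeric versions before using them anywhere.
const VERSION_RE = /^[0-9]+(\.[0-9]+){1,3}$/;
const isSafeVersion = (v) => typeof v === 'string' && VERSION_RE.test(v);

// Build the argv for `git commit`; throws instead of committing unvalidated input.
function gitCommitArgs(updateType, updates, issueNumber) {
  if (!Number.isInteger(issueNumber) || issueNumber <= 0) throw new Error('bad issue number');
  if (!/^[A-Za-z0-9]+$/.test(updateType)) throw new Error('bad update type');
  const lines = Object.entries(updates).map(([comp, v]) => {
    if (!/^[A-Za-z0-9]+$/.test(comp) || !isSafeVersion(v.current) || !isSafeVersion(v.latest)) {
      throw new Error(`rejected entry for ${JSON.stringify(comp)}`);
    }
    return `- ${comp}: ${v.current} → ${v.latest}`;
  });
  const message = `chore: update ${updateType} dependencies\n\n${lines.join('\n')}` +
    `\n\nAutomated update from issue #${issueNumber}`;
  return ['commit', '-m', message]; // intended for execFileSync('git', args)
}
```

Through the shell the child receives a message the shell has already rewritten; through argv it receives the string byte for byte, and `gitCommitArgs` rejects it before any process is started.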

# Create temp directory
TEMP_DIR=$(mktemp -d)
trap "rm -rf $TEMP_DIR" EXIT
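
Review bot: Nothing in these lines stops the script if `mktemp -d` fails, which would leave `TEMP_DIR` empty for every later use, and the double-quoted trap string expands `$TEMP_DIR` when the trap is installed rather than when it fires. Suggest `TEMP_DIR=$(mktemp -d) || exit 1` followed by a single-quoted trap with the variable quoted inside it.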

Copilot AI Mar 29, 2026

trap "rm -rf $TEMP_DIR" EXIT should quote the path to avoid issues if the temp directory ever contains unexpected characters. Prefer trap 'rm -rf "${TEMP_DIR}"' EXIT (and keep the rm argument quoted).

Suggested change
trap "rm -rf $TEMP_DIR" EXIT
trap 'rm -rf "${TEMP_DIR}"' EXIT

Comment on lines +115 to +130
sed -i "s/\$NGINX_SHA256 = \"[^\"]*\"/\$NGINX_SHA256 = \"$NGINX_SHA256\"/" nginx/nginx_installer.ps1
log_success "Updated NGINX SHA256 in nginx_installer.ps1"
fi

if [ -n "$OPENSSL_SHA256" ]; then
sed -i "s/\$OPENSSL_SHA256 = \"[^\"]*\"/\$OPENSSL_SHA256 = \"$OPENSSL_SHA256\"/" nginx/nginx_installer.ps1
log_success "Updated OpenSSL SHA256 in nginx_installer.ps1"
fi

if [ -n "$PCRE2_SHA256" ]; then
sed -i "s/\$PCRE2_SHA256 = \"[^\"]*\"/\$PCRE2_SHA256 = \"$PCRE2_SHA256\"/" nginx/nginx_installer.ps1
log_success "Updated PCRE2 SHA256 in nginx_installer.ps1"
fi

if [ -n "$ZLIB_SHA256" ]; then
sed -i "s/\$ZLIB_SHA256 = \"[^\"]*\"/\$ZLIB_SHA256 = \"$ZLIB_SHA256\"/" nginx/nginx_installer.ps1
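
Review bot: Each `log_success` call runs unconditionally after its `sed -i`, and `sed` exits 0 when the pattern matches nothing, so the script reports an updated checksum whether or not nginx/nginx_installer.ps1 changed. Suggest confirming the new value is present before logging, for example `grep -qF "$NGINX_SHA256" nginx/nginx_installer.ps1`, and checking that each `*_SHA256` value is exactly 64 hexadecimal characters before it is spliced into the `sed` expression.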

Copilot AI Mar 29, 2026

The sed replacements for nginx/nginx_installer.ps1 won't match the current file format (it uses $Script:NGINX_SHA256 = '...' with single quotes), so the helper script likely won't update PowerShell checksums even though it reports success. Update the patterns to target $Script:*_SHA256 assignments and the quoting/spacing used in the PS1 installer.

Suggested change
sed -i "s/\$NGINX_SHA256 = \"[^\"]*\"/\$NGINX_SHA256 = \"$NGINX_SHA256\"/" nginx/nginx_installer.ps1
log_success "Updated NGINX SHA256 in nginx_installer.ps1"
fi
if [ -n "$OPENSSL_SHA256" ]; then
sed -i "s/\$OPENSSL_SHA256 = \"[^\"]*\"/\$OPENSSL_SHA256 = \"$OPENSSL_SHA256\"/" nginx/nginx_installer.ps1
log_success "Updated OpenSSL SHA256 in nginx_installer.ps1"
fi
if [ -n "$PCRE2_SHA256" ]; then
sed -i "s/\$PCRE2_SHA256 = \"[^\"]*\"/\$PCRE2_SHA256 = \"$PCRE2_SHA256\"/" nginx/nginx_installer.ps1
log_success "Updated PCRE2 SHA256 in nginx_installer.ps1"
fi
if [ -n "$ZLIB_SHA256" ]; then
sed -i "s/\$ZLIB_SHA256 = \"[^\"]*\"/\$ZLIB_SHA256 = \"$ZLIB_SHA256\"/" nginx/nginx_installer.ps1
sed -i "s/\$Script:NGINX_SHA256[[:space:]]*=[[:space:]]*'[^']*'/\$Script:NGINX_SHA256 = '$NGINX_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated NGINX SHA256 in nginx_installer.ps1"
fi
if [ -n "$OPENSSL_SHA256" ]; then
sed -i "s/\$Script:OPENSSL_SHA256[[:space:]]*=[[:space:]]*'[^']*'/\$Script:OPENSSL_SHA256 = '$OPENSSL_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated OpenSSL SHA256 in nginx_installer.ps1"
fi
if [ -n "$PCRE2_SHA256" ]; then
sed -i "s/\$Script:PCRE2_SHA256[[:space:]]*=[[:space:]]*'[^']*'/\$Script:PCRE2_SHA256 = '$PCRE2_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated PCRE2 SHA256 in nginx_installer.ps1"
fi
if [ -n "$ZLIB_SHA256" ]; then
sed -i "s/\$Script:ZLIB_SHA256[[:space:]]*=[[:space:]]*'[^']*'/\$Script:ZLIB_SHA256 = '$ZLIB_SHA256'/" nginx/nginx_installer.ps1

- Updates `BUILD_PYTHON_VERSION:-3.14.2` to `BUILD_PYTHON_VERSION:-3.14.3`
- Updates `pip install ansible==13.3.0` to `pip install ansible==13.5.0`

3. **Branch Creation**: Creates a new branch like `automated-update/ansible-1743422410`

Copilot AI Mar 29, 2026

The example branch name uses a 10-digit timestamp (automated-update/ansible-1743422410), but the workflow generates branch names using Date.now() (milliseconds since epoch), which is typically 13 digits. Update the example to match the actual branch format, or change the workflow to use seconds if that’s the intended convention.

Suggested change
3. **Branch Creation**: Creates a new branch like `automated-update/ansible-1743422410`
3. **Branch Creation**: Creates a new branch like `automated-update/ansible-1743422410123`

Comment on lines +150 to +171
ps1Content = ps1Content.replace(/\$NGINX_VERSION = "([0-9.]+)"/, `$NGINX_VERSION = "${updates['NGINX'].latest}"`);
shModified = ps1Modified = true;
console.log(`Updated NGINX version to ${updates['NGINX'].latest}`);
}

if (updates['OpenSSL']) {
shContent = shContent.replace(/OPENSSL_VERSION="([0-9.]+)"/, `OPENSSL_VERSION="${updates['OpenSSL'].latest}"`);
ps1Content = ps1Content.replace(/\$OPENSSL_VERSION = "([0-9.]+)"/, `$OPENSSL_VERSION = "${updates['OpenSSL'].latest}"`);
shModified = ps1Modified = true;
console.log(`Updated OpenSSL version to ${updates['OpenSSL'].latest}`);
}

if (updates['PCRE2']) {
shContent = shContent.replace(/PCRE2_VERSION="([0-9.]+)"/, `PCRE2_VERSION="${updates['PCRE2'].latest}"`);
ps1Content = ps1Content.replace(/\$PCRE2_VERSION = "([0-9.]+)"/, `$PCRE2_VERSION = "${updates['PCRE2'].latest}"`);
shModified = ps1Modified = true;
console.log(`Updated PCRE2 version to ${updates['PCRE2'].latest}`);
}

if (updates['Zlib']) {
shContent = shContent.replace(/ZLIB_VERSION="([0-9.]+)"/, `ZLIB_VERSION="${updates['Zlib'].latest}"`);
ps1Content = ps1Content.replace(/\$ZLIB_VERSION = "([0-9.]+)"/, `$ZLIB_VERSION = "${updates['Zlib'].latest}"`);
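
Review bot: `shModified = ps1Modified = true` is set in every branch whether or not either `replace` matched, and `updates[...].latest` is written into both installers without being held to the `[0-9.]+` shape the patterns require of the old value. Suggest validating `latest` before the replacements and setting each flag by comparing the content before and after, so an unmatched pattern is not reported as a change.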

Copilot AI Mar 29, 2026

The PowerShell version update regexes don't match the actual nginx/nginx_installer.ps1 variable declarations (they are $Script:NGINX_VERSION = '1.29.7', etc.). As written, the workflow won't update the PS1 installer, but will still mark it modified and include it in files, leading to incorrect PR contents/instructions. Update the patterns to target $Script:*_VERSION assignments and handle single quotes.

Suggested change
ps1Content = ps1Content.replace(/\$NGINX_VERSION = "([0-9.]+)"/, `$NGINX_VERSION = "${updates['NGINX'].latest}"`);
shModified = ps1Modified = true;
console.log(`Updated NGINX version to ${updates['NGINX'].latest}`);
}
if (updates['OpenSSL']) {
shContent = shContent.replace(/OPENSSL_VERSION="([0-9.]+)"/, `OPENSSL_VERSION="${updates['OpenSSL'].latest}"`);
ps1Content = ps1Content.replace(/\$OPENSSL_VERSION = "([0-9.]+)"/, `$OPENSSL_VERSION = "${updates['OpenSSL'].latest}"`);
shModified = ps1Modified = true;
console.log(`Updated OpenSSL version to ${updates['OpenSSL'].latest}`);
}
if (updates['PCRE2']) {
shContent = shContent.replace(/PCRE2_VERSION="([0-9.]+)"/, `PCRE2_VERSION="${updates['PCRE2'].latest}"`);
ps1Content = ps1Content.replace(/\$PCRE2_VERSION = "([0-9.]+)"/, `$PCRE2_VERSION = "${updates['PCRE2'].latest}"`);
shModified = ps1Modified = true;
console.log(`Updated PCRE2 version to ${updates['PCRE2'].latest}`);
}
if (updates['Zlib']) {
shContent = shContent.replace(/ZLIB_VERSION="([0-9.]+)"/, `ZLIB_VERSION="${updates['Zlib'].latest}"`);
ps1Content = ps1Content.replace(/\$ZLIB_VERSION = "([0-9.]+)"/, `$ZLIB_VERSION = "${updates['Zlib'].latest}"`);
ps1Content = ps1Content.replace(/\$Script:NGINX_VERSION\s*=\s*['"]([0-9.]+)['"]/, `$Script:NGINX_VERSION = '${updates['NGINX'].latest}'`);
shModified = ps1Modified = true;
console.log(`Updated NGINX version to ${updates['NGINX'].latest}`);
}
if (updates['OpenSSL']) {
shContent = shContent.replace(/OPENSSL_VERSION="([0-9.]+)"/, `OPENSSL_VERSION="${updates['OpenSSL'].latest}"`);
ps1Content = ps1Content.replace(/\$Script:OPENSSL_VERSION\s*=\s*['"]([0-9.]+)['"]/, `$Script:OPENSSL_VERSION = '${updates['OpenSSL'].latest}'`);
shModified = ps1Modified = true;
console.log(`Updated OpenSSL version to ${updates['OpenSSL'].latest}`);
}
if (updates['PCRE2']) {
shContent = shContent.replace(/PCRE2_VERSION="([0-9.]+)"/, `PCRE2_VERSION="${updates['PCRE2'].latest}"`);
ps1Content = ps1Content.replace(/\$Script:PCRE2_VERSION\s*=\s*['"]([0-9.]+)['"]/, `$Script:PCRE2_VERSION = '${updates['PCRE2'].latest}'`);
shModified = ps1Modified = true;
console.log(`Updated PCRE2 version to ${updates['PCRE2'].latest}`);
}
if (updates['Zlib']) {
shContent = shContent.replace(/ZLIB_VERSION="([0-9.]+)"/, `ZLIB_VERSION="${updates['Zlib'].latest}"`);
ps1Content = ps1Content.replace(/\$Script:ZLIB_VERSION\s*=\s*['"]([0-9.]+)['"]/, `$Script:ZLIB_VERSION = '${updates['Zlib'].latest}'`);
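
One way to make the PS1 update report whether it actually changed anything, shown as an added example rather than code from this pull request. `setPs1Version`, `legacyPatternMatches` and the sample installer text are assumptions; the sample follows the `$Script:NGINX_VERSION = '1.29.7'` format quoted in the comment, and the OpenSSL value is constructed.

```javascript
// Added example. Function names and the sample text are hypothetical.
// Constructed sample in the declaration format the review comment quotes.
const samplePs1 = [
  "$Script:NGINX_VERSION = '1.29.7'",
  "$Script:OPENSSL_VERSION = '3.5.0'", // constructed value
].join('\n');

// Only dotted numeric versions may be written into an installer script.
const VERSION_ONLY = /^[0-9]+(\.[0-9]+)+$/;

// The pattern from the hunk under review: no Script: scope, double quotes only.
function legacyPatternMatches(content) {
  return /\$NGINX_VERSION = "([0-9.]+)"/.test(content);
}

// Replace one $Script:<NAME>_VERSION assignment and report what happened.
function setPs1Version(content, name, latest) {
  if (!/^[A-Z0-9]+$/.test(name)) throw new Error(`bad variable name: ${name}`);
  if (!VERSION_ONLY.test(latest)) throw new Error(`bad version: ${latest}`);
  // Line-anchored; accepts either quote style and flexible spacing around '='.
  const re = new RegExp(`^(\\$Script:${name}_VERSION\\s*=\\s*)(['"])[0-9.]+\\2`, 'm');
  let matched = false;
  // A replacer function's return value is inserted literally: no $& or $1 expansion.
  const next = content.replace(re, (_whole, lhs) => {
    matched = true;
    return `${lhs}'${latest}'`;
  });
  // matched: the declaration exists; modified: the file content really differs.
  return { content: next, matched, modified: next !== content };
}
```

A caller would add the file to the commit only when `modified` is true and fail the run when `matched` is false.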

Comment on lines 224 to 229
// Create a new branch
const mainBranch = await github.rest.repos.getBranch({
owner: context.repo.owner,
repo: context.repo.repo,
branch: context.payload.repository.default_branch
});

Copilot AI Mar 29, 2026

mainBranch is fetched via the API but never used (branch creation is done via git checkout -b). This adds unnecessary API calls and can be removed, or alternatively use the fetched default branch info to ensure the local checkout is on the expected base before creating the new branch.

Comment on lines +282 to +292
${updateType === 'NGINX' ? `
**NGINX requires SHA256 checksum updates:**

5. Commit and push your changes:
After reviewing this PR, you'll need to:
1. Download the new NGINX tarball and calculate its SHA256:
\`\`\`bash
git add ${files.join(' ')}
git commit -m "Update ${updateType} dependencies"
git push
wget https://nginx.org/download/nginx-${updates['NGINX']?.latest}.tar.gz
sha256sum nginx-${updates['NGINX']?.latest}.tar.gz
\`\`\`
2. Update the SHA256 checksums in both installer files
3. Test the installation on a clean system

Copilot AI Mar 29, 2026

The generated NGINX PR instructions still tell reviewers to manually wget + sha256sum, but this PR also adds ./.github/scripts/update-nginx-checksums.sh and the README now points to it. Consider updating this PR body text to reference the helper script (and keep a single source of truth for the checksum update process).

const fs = require('fs');
const { execSync } = require('child_process');

const issueNumber = context.payload.issue?.number || ${{ github.event.inputs.issue_number }};
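
Review bot: In the `issueNumber` line, `${{ github.event.inputs.issue_number }}` is substituted into the script source before the JavaScript runs, so the text of the input becomes code rather than data. Suggest passing the input through the step's `env:` block (an illustrative name would be `ISSUE_NUMBER`), reading it with `Number(process.env.ISSUE_NUMBER)`, and rejecting anything that is not a positive integer.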

Copilot AI Mar 29, 2026

issueNumber is built using an unquoted workflow expression: context.payload.issue?.number || ${{ github.event.inputs.issue_number }}. On non-workflow_dispatch runs, ${{ github.event.inputs.issue_number }} expands to an empty string, which will produce invalid JS (|| ;) and break the step. Pass the input via env and read process.env, or wrap the expression in quotes and coerce with Number().

Suggested change
const issueNumber = context.payload.issue?.number || ${{ github.event.inputs.issue_number }};
const issueNumber = Number(context.payload.issue?.number || '${{ github.event.inputs.issue_number }}');
