ci: bump update-copilot-skills reusable workflow pin to v3.2.0#8
Merged
Merged
Conversation
v3.0.1 internally hardcodes the step-security mirror of peter-evans (step-security/create-pull-request + harden-runner), which now hard-fails with "Subscription is not valid" — making the daily 🔄 Update Copilot Skills run fail since 2026-05-19. v3.2.0 uses peter-evans/create-pull-request@v8.1.1 directly with no step-security dependency. The `dir` input is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates the scheduled 🔄 Update Copilot Skills GitHub Actions workflow to use a newer revision of the upstream reusable workflow, addressing failures caused by the previously pinned version’s dependency on StepSecurity-mirrored actions.
Changes:
- Bump
devantler-tech/reusable-workflows/.github/workflows/update-copilot-skills.yamlpin from v3.0.1 to v3.2.0 (SHA update only). - Keep existing workflow inputs unchanged (
dir: plugins), preserving current behavior while changing the referenced reusable workflow implementation.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The scheduled 🔄 Update Copilot Skills workflow has failed every day since 2026-05-19 at the create-PR step with
Subscription is not valid.Root cause: this workflow calls the reusable workflow pinned at v3.0.1 (
@11f70d3), and v3.0.1 internally hardcodes the StepSecurity mirror of peter-evans —step-security/create-pull-request@e604d57b+step-security/harden-runner@v2.17.0. That mirror requires a valid StepSecurity subscription, which is no longer present (the StepSecurity org apps were uninstalled), so the step hard-fails.Note: PR #6 already reverted StepSecurity actions in this repo's own workflows, but the reusable-workflow pin still pointed at the StepSecurity-dependent v3.0.1 — this is the remaining piece.
Fix
Bump the reusable-workflow pin v3.0.1 → v3.2.0 (
@41924797). v3.2.0 uses upstream authors directly with no StepSecurity dependency:peter-evans/create-pull-request@v8.1.1devantler-tech/actions/update-copilot-skills@v3.3.0actions/checkout@v6.0.2The
dirinput (dir: plugins) is unchanged between v3.0.1 and v3.2.0, so this is a pure pin bump — no input changes required.Validation
update-copilot-skills.yamlcontains nostep-security/harden-runnerreferences and retains thedirinput.