
Pin @github/copilot CLI version in package.json for Dependabot tracking #294

Merged
rajbos merged 3 commits into main from copilot/pin-copilot-cli-version on Feb 25, 2026

Conversation

Contributor

Copilot AI commented Feb 25, 2026

Workflows were installing @github/copilot globally without version pinning, triggering Scorecard security alerts and preventing Dependabot from tracking updates.

Changes

  • package.json: Added @github/copilot: ^0.0.417 to devDependencies
  • check-models.yml: Replaced npm install -g @github/copilot with npm ci + npx @github/copilot
  • sync-toolnames.yml: Same pattern - use npm ci to install pinned dependencies, invoke via npx

This approach ensures version consistency across CI runs and enables automated dependency updates via Dependabot.

- npm install -g @github/copilot
- copilot --version
+ npm ci
+ npx @github/copilot --version
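Review bot: the `+ npm ci` line only works when package-lock.json exists and is in sync with package.json, so the lockfile must be regenerated and committed together with the new `@github/copilot` devDependency; otherwise both workflows fail at that step. Two further points worth recording in the description: `^0.0.417` on a 0.0.x version resolves to exactly 0.0.417 under npm's caret rules, so the range behaves as an exact pin, and it is the lockfile's resolved URL and integrity hash (not the range in package.json) that make `npx @github/copilot --version` reproducible across CI runs and satisfy the pinned-dependency check.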


- Add @github/copilot ^0.0.417 as devDependency in package.json
- Update check-models.yml to use npx @github/copilot instead of global install
- Update sync-toolnames.yml to use npx @github/copilot instead of global install
- Add npm ci step to install dependencies before running copilot CLI

Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
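As an added check, not code from this PR or the repository: a POSIX shell script that enforces the pattern the PR adopts, failing if any workflow still installs a CLI with a global `npm install -g` and verifying that package-lock.json pins `@github/copilot` with a resolved URL and integrity hash. The repository layout, workflow snippets and lockfile fragment are constructed stand-ins, and the integrity value is a placeholder.

```shell
#!/bin/sh
# Added example (not the repository's own code): pre-merge check that no workflow
# uses an unpinned global npm install and that the lockfile pins @github/copilot
# with resolved URL + integrity hash, which is what makes `npm ci` reproducible.

# Constructed stand-in for the repo: one workflow on the new pattern, one still
# using a global install, and a minimal lockfile fragment (placeholder integrity).
setup_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/check-models.yml" <<'EOF'
      - run: npm ci
      - run: npx @github/copilot --version
EOF
  cat > "$dir/.github/workflows/old.yml" <<'EOF'
      - run: npm install -g @github/copilot
      - run: copilot --version
EOF
  cat > "$dir/package-lock.json" <<'EOF'
{ "packages": { "node_modules/@github/copilot": {
    "version": "0.0.417",
    "resolved": "https://registry.npmjs.org/@github/copilot/-/copilot-0.0.417.tgz",
    "integrity": "sha512-PLACEHOLDER" } } }
EOF
  printf '%s\n' "$dir"
}

# Returns 0 if no workflow under .github/workflows runs a global npm install.
no_global_installs() {
  ! grep -rEq 'npm (install|i) +-g' "$1/.github/workflows"
}

# Returns 0 if package-lock.json has an entry for "$2" carrying both a
# "resolved" URL and an "integrity" hash (the fields `npm ci` verifies).
lock_pins_package() {
  awk -v pkg="$2" '
    index($0, "\"node_modules/" pkg "\"") { inblk = 1 }
    inblk && /"resolved"/  { r = 1 }
    inblk && /"integrity"/ { i = 1 }
    inblk && /\}/          { inblk = 0 }
    END { exit !(r && i) }' "$1/package-lock.json"
}

# Demo on the constructed sample: old.yml still carries a global install.
repo=$(setup_sample)
no_global_installs "$repo" && echo "workflows: OK" || echo "workflows: unpinned global npm install found"
lock_pins_package "$repo" "@github/copilot" && echo "lockfile: @github/copilot pinned" || echo "lockfile: not pinned"
```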
Copilot AI changed the title from "[WIP] Add pinned version for Copilot CLI in workflows" to "Pin @github/copilot CLI version in package.json for Dependabot tracking" on Feb 25, 2026
Owner

@rajbos rajbos left a comment


LGTM

@rajbos rajbos marked this pull request as ready for review February 25, 2026 08:28
Owner

rajbos commented Feb 25, 2026

@copilot, package-lock file was not updated, please run npm install and add it

Contributor Author

Copilot AI commented Feb 25, 2026

> @copilot, package-lock file was not updated, please run npm install and add it

The package-lock.json was updated and committed in 8373a52. It includes all @github/copilot dependencies (125 lines added). The changes show @github/copilot@0.0.417 and all platform-specific binaries (darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-arm64, win32-x64) with their resolved URLs and integrity hashes.

@rajbos rajbos enabled auto-merge February 25, 2026 08:37
@rajbos rajbos merged commit 7acad78 into main Feb 25, 2026
12 checks passed
@rajbos rajbos deleted the copilot/pin-copilot-cli-version branch February 25, 2026 08:42