From d412e465987917eec2368a1e99c442ef642d683d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 09:59:32 +0000
Subject: [PATCH 1/5] Initial plan


From fe82bdbd7873777be9da6beb390dcebc30a1ca41 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 10:03:12 +0000
Subject: [PATCH 2/5] Add GitHub Actions workflow to automate Requests library
 updates

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
---
 .github/workflows/update-requests.yml | 62 +++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/workflows/update-requests.yml

diff --git a/.github/workflows/update-requests.yml b/.github/workflows/update-requests.yml
new file mode 100644
index 000000000..22e84ec8d
--- /dev/null
+++ b/.github/workflows/update-requests.yml
@@ -0,0 +1,62 @@
+name: Update Requests library
+
+on:
+  schedule:
+    - cron: '0 3 * * 1' # Run every Monday at 03:00 UTC.
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-requests:
+    name: Check and update Requests library
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Get the latest Requests release tag
+        id: latest_release
+        run: |
+          LATEST_TAG=$(curl -sf "https://api.github.com/repos/WordPress/Requests/releases/latest" | jq -r '.tag_name')
+          if [[ -z "${LATEST_TAG}" || "${LATEST_TAG}" == "null" ]]; then
+            echo "Failed to retrieve latest Requests release tag." >&2
+            exit 1
+          fi
+          echo "tag=${LATEST_TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Get the current Requests version from install script
+        id: current_version
+        run: |
+          CURRENT_TAG=$(grep -oP 'REQUESTS_TAG="\K[^"]+' utils/install-requests.sh)
+          if [[ -z "${CURRENT_TAG}" ]]; then
+            echo "Failed to determine current Requests version from utils/install-requests.sh." >&2
+            exit 1
+          fi
+          echo "tag=${CURRENT_TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Update install script and bundle if versions differ
+        if: steps.latest_release.outputs.tag != steps.current_version.outputs.tag
+        env:
+          LATEST_TAG: ${{ steps.latest_release.outputs.tag }}
+          CURRENT_TAG: ${{ steps.current_version.outputs.tag }}
+        run: |
+          sed -i "s/REQUESTS_TAG=\"${CURRENT_TAG}\"/REQUESTS_TAG=\"${LATEST_TAG}\"/" utils/install-requests.sh
+          grep -q "REQUESTS_TAG=\"${LATEST_TAG}\"" utils/install-requests.sh || { echo "Failed to update REQUESTS_TAG in install script." >&2; exit 1; }
+          bash utils/install-requests.sh
+
+      - name: Create pull request
+        if: steps.latest_release.outputs.tag != steps.current_version.outputs.tag
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "Update bundled Requests library to ${{ steps.latest_release.outputs.tag }}"
+          branch: "update/requests-${{ steps.latest_release.outputs.tag }}"
+          delete-branch: true
+          title: "Update bundled Requests library to ${{ steps.latest_release.outputs.tag }}"
+          body: |
+            This automated PR updates the bundled [Requests](https://github.com/WordPress/Requests) library from `${{ steps.current_version.outputs.tag }}` to `${{ steps.latest_release.outputs.tag }}`.
+
+            Please review the [Requests changelog](https://github.com/WordPress/Requests/releases/tag/${{ steps.latest_release.outputs.tag }}) before merging.
+          labels: "Requests"

From 9116dac32e904cab9ec0b7e2342f328c2c8c4867 Mon Sep 17 00:00:00 2001
From: Pascal Birchler <pascalb@google.com>
Date: Tue, 10 Mar 2026 11:38:46 +0100
Subject: [PATCH 3/5] Update .github/workflows/update-requests.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/update-requests.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/update-requests.yml b/.github/workflows/update-requests.yml
index 22e84ec8d..f0f6df44b 100644
--- a/.github/workflows/update-requests.yml
+++ b/.github/workflows/update-requests.yml
@@ -5,6 +5,9 @@ on:
     - cron: '0 3 * * 1' # Run every Monday at 03:00 UTC.
   workflow_dispatch:
 
+concurrency:
+  group: update-requests
+  cancel-in-progress: true
 permissions:
   contents: write
   pull-requests: write

From b25b62de9b9e8b312f1e0a80acfa7b047520c180 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 10:40:51 +0000
Subject: [PATCH 4/5] Use gh CLI instead of curl for GitHub API request

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
---
 .github/workflows/update-requests.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/update-requests.yml b/.github/workflows/update-requests.yml
index f0f6df44b..fd41de442 100644
--- a/.github/workflows/update-requests.yml
+++ b/.github/workflows/update-requests.yml
@@ -22,8 +22,10 @@ jobs:
 
       - name: Get the latest Requests release tag
         id: latest_release
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
-          LATEST_TAG=$(curl -sf "https://api.github.com/repos/WordPress/Requests/releases/latest" | jq -r '.tag_name')
+          LATEST_TAG=$(gh api repos/WordPress/Requests/releases/latest --jq '.tag_name')
           if [[ -z "${LATEST_TAG}" || "${LATEST_TAG}" == "null" ]]; then
             echo "Failed to retrieve latest Requests release tag." >&2
             exit 1

From f6f7ef088338ff647291bdd9e5f7cdeec35324b5 Mon Sep 17 00:00:00 2001
From: Pascal Birchler <pascalb@google.com>
Date: Tue, 10 Mar 2026 11:50:10 +0100
Subject: [PATCH 5/5] Update .github/workflows/update-requests.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/update-requests.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/.github/workflows/update-requests.yml b/.github/workflows/update-requests.yml
index fd41de442..16415f2f4 100644
--- a/.github/workflows/update-requests.yml
+++ b/.github/workflows/update-requests.yml
@@ -52,6 +52,32 @@ jobs:
           grep -q "REQUESTS_TAG=\"${LATEST_TAG}\"" utils/install-requests.sh || { echo "Failed to update REQUESTS_TAG in install script." >&2; exit 1; }
           bash utils/install-requests.sh
 
+      - name: Validate modified files
+        if: steps.latest_release.outputs.tag != steps.current_version.outputs.tag
+        run: |
+          mapfile -t changed_files < <(git diff --name-only)
+
+          if [ "${#changed_files[@]}" -eq 0 ]; then
+            echo "No files changed by update; nothing to validate."
+            exit 0
+          fi
+
+          allowed_regex='^(utils/install-requests\.sh|bundle/rmccue/requests(/|$))'
+          disallowed=()
+
+          for f in "${changed_files[@]}"; do
+            if ! [[ "$f" =~ $allowed_regex ]]; then
+              disallowed+=("$f")
+            fi
+          done
+
+          if [ "${#disallowed[@]}" -ne 0 ]; then
+            echo "Error: Unexpected files were modified by utils/install-requests.sh:"
+            printf '  %s\n' "${disallowed[@]}"
+            exit 1
+          fi
+
+          echo "All modified files are within the allowed paths."
       - name: Create pull request
         if: steps.latest_release.outputs.tag != steps.current_version.outputs.tag
         uses: peter-evans/create-pull-request@v7