Merged
Conversation
Replace non-standard deps/deps-dev prefixes with chore so dependabot produces valid conventional commits: chore(deps): and chore(deps-dev): Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Run uv lock before make install so the lockfile is always consistent with pyproject.toml, preventing --locked failures on dependabot PRs. Also removes the redundant direct uv sync that duplicated make install. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The packages/manifest setup forces monorepo component semantics even for a single package. Switch to simple (non-manifest) mode — version tracking continues from the existing v1.0.0 tag. The manifest file is no longer referenced and can be ignored. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace exit with return in cleanup() and main() so all functions have explicit return statements, satisfying Sonar rule S6596. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The setting was at the top level but only takes effect per-package in manifest mode. Keep manifest-file explicit and packages structure intact. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Contributor
There was a problem hiding this comment.
Pull request overview
Updates automation configuration (Dependabot, CI, Release Please) and improves the composability of an internal bash script used for updating agent context files.
Changes:
- Adjust Dependabot commit message prefixing to align with conventional commits.
- Modify security CI dependency setup to use
uv lockbefore runningmake install. - Simplify
release-please-config.jsonby consolidating settings under thepackagesentry and adjust script exit/return behavior inupdate-agent-context.sh.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
release-please-config.json |
Moves include-component-in-tag under the . package configuration. |
.specify/scripts/bash/update-agent-context.sh |
Switches exit to return in cleanup and main for better composability. |
.github/workflows/security-ci.yml |
Changes dependency step to run uv lock before make install. |
.github/dependabot.yml |
Updates Dependabot commit message prefix to chore. |
Comments suppressed due to low confidence (1)
.specify/scripts/bash/update-agent-context.sh:124
cleanupis registered forINT/TERMas well asEXIT, but it now usesreturn. ForINT/TERM, returning from the trap handler suppresses the default signal behavior and the script will continue running after Ctrl+C / termination signals. If the goal is to avoid killing the parent shell when sourced, consider conditionallyexitwhen executed directly andreturnwhen sourced (or keepexitforINT/TERMand onlyreturnforEXIT).
cleanup() {
local exit_code=$?
rm -f /tmp/agent_update_*_$$
rm -f /tmp/manual_additions_$$
return $exit_code
}
# Set up cleanup trap
trap cleanup EXIT INT TERM
| run: | | ||
| echo "## 🔧 Installing dependencies" >> "$GITHUB_STEP_SUMMARY" | ||
| uv sync --locked --group dev | ||
| uv lock |
There was a problem hiding this comment.
uv lock generates/updates uv.lock but does not install dependencies. In CI this makes the environment non-reproducible (it can resolve newer versions than what’s committed) and is redundant since make install already runs uv sync --locked --group dev. Prefer removing uv lock here, or replace it with a non-mutating validation like uv lock --locked if you want to assert the lockfile is up to date.
Suggested change
| uv lock |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request includes several configuration and script updates aimed at improving workflow consistency, error handling, and dependency management. The most important changes are grouped below by theme.
Workflow and Dependency Management:
.github/workflows/security-ci.ymlto useuv lockinstead ofuv sync --locked --group dev, ensuring a more consistent lock file generation."deps"and"deps-dev"to"chore"in.github/dependabot.yml, standardizing commit message conventions.Script Error Handling:
cleanup()andmain()functions in.specify/scripts/bash/update-agent-context.shto usereturninstead ofexit, improving error handling and script composability. [1] [2]Release Configuration:
include-component-in-tagproperty from the root to the package-specific section inrelease-please-config.json, clarifying configuration scope and ensuring proper tagging behavior for the Python package.