Add update_pull_request_branches maintenance operation with dedicated workflow job#28108
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e1b6217e-c851-487f-8690-a75028715f5d Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
| /** | ||
| * @returns {Promise<Set<number>>} | ||
| */ | ||
| async function listPullRequestsWithActiveSessions() { |
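Review bot: the JSDoc on `listPullRequestsWithActiveSessions` has only a `@returns` tag. Please add a description saying what counts as an active session and what the function resolves to when the lookup itself fails; if a failed lookup yields an empty `Set`, the caller will treat every PR as free to update, so that case should be documented or made to throw.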
Updated to explicitly filter to PRs without active sessions before branch updates (new filterPullRequestsWithoutActiveSessions path + test coverage). Addressed in commit a003433.
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/dfc1d53a-7fec-47e2-a76a-9ecbf4a15d73 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning: Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
@copilot gh is not available, do a REST API call instead of "gh tasklist" See https://github.com/github/gh-aw/actions/runs/24844850181/job/72728893323#step:7:1
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/009352de-ca04-4409-8eaa-4bd19ccad058 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Switched session discovery off
@copilot add more logging calls using core.*

@copilot move to separate job to avoid polluting the list of required permissions
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/42605c79-7ebd-428c-9727-efe4ae592077 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Added additional
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/71dcefc7-2a67-4995-829b-60e155f10fc2 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c14085cc-c356-452e-bc47-4b5d0629b950 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in
Hey
@copilot remove checking for agent sessions since the token has no access to it.
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b40dc9ff-340a-4ea0-be08-f1022de04dc4 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in
Pull request overview
Adds a new maintenance operation (update_pull_request_branches) and routes it through a dedicated maintenance workflow job to isolate permissions, along with the JS runtime and test updates to support it.
Changes:
- Adds `update_pull_request_branches` as a new maintenance operation option and dedicated workflow job.
- Implements the operation logic in `actions/setup/js/update_pull_request_branches.cjs` with accompanying Vitest coverage.
- Updates maintenance workflow generation/tests and regenerates `.github/workflows/agentics-maintenance.yml` to reflect new routing/conditions.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/maintenance_workflow_yaml.go | Adds operation choice and emits a dedicated update_pull_request_branches job in generated maintenance workflow YAML. |
| pkg/workflow/maintenance_workflow_test.go | Extends workflow-generation tests to assert conditions/options for the new operation and job. |
| actions/setup/js/update_pull_request_branches.cjs | Implements listing/filtering mergeable non-draft PRs and calling pulls.updateBranch with retries and logging. |
| actions/setup/js/update_pull_request_branches.test.cjs | Adds Vitest coverage for mergeable filtering and non-fatal failure handling. |
| actions/setup/js/run_operation_update_upgrade.cjs | Updates docstring to reflect reduced scope of run_operation handling. |
| .github/workflows/agentics-maintenance.yml | Regenerated workflow including the new operation choice and dedicated job. |
Copilot's findings
Comments suppressed due to low confidence (1)
actions/setup/js/update_pull_request_branches.test.cjs:98
- Tests cover mergeable vs non-mergeable and draft filtering, but don’t exercise the `mergeable: null` case that GitHub returns while mergeability is pending. Adding a test for that case (and the expected retry/behavior) would help prevent regressions once mergeability-pending handling is added.

```js
it("ignores draft pull requests when filtering mergeable pull requests", async () => {
  mockGithub.rest.pulls.get.mockImplementation(async ({ pull_number }) => {
    if (pull_number === 1) return { data: { state: "open", mergeable: true, draft: true } };
    if (pull_number === 2) return { data: { state: "open", mergeable: true, draft: false } };
    return { data: { state: "open", mergeable: false, draft: false } };
  });
  const result = await moduleUnderTest.filterMergeablePullRequests("owner", "repo", [1, 2, 3]);
  expect(result).toEqual([2]);
  expect(mockCore.info).toHaveBeenCalledWith(expect.stringContaining("Skipping PR #1"));
});
```
- Files reviewed: 6/6 changed files
- Comments generated: 4
| update_pull_request_branches: | ||
| if: ${{ ` + RenderCondition(buildDispatchOperationCondition("update_pull_request_branches")) + ` }} | ||
| runs-on: ` + runsOnValue + ` | ||
| permissions: |
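Review bot: in the `runs-on:` line, `runsOnValue` is concatenated into the YAML template as-is. If that value can originate from repository or workflow configuration, confirm it is validated or YAML-encoded before it reaches this template, so a value containing a newline cannot introduce extra keys into the job definition; a short comment here naming where that validation happens would help.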
update_pull_request_branches job uses actions/checkout (in dev/script mode) but job permissions only grant pull-requests: write. When a job-level permissions: block is present, unspecified scopes (including contents) default to none, which can cause checkout (and local ./actions/setup) to fail. Add contents: read (or broader if required) to this job’s permissions.
| permissions: | |
| permissions: | |
| contents: read |
| update_pull_request_branches: | ||
| if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'update_pull_request_branches' && (!(github.event.repository.fork)) }} | ||
| runs-on: ubuntu-slim | ||
| permissions: |
This job checks out repository content (actions/checkout with sparse-checkout) but its job-level permissions only include pull-requests: write. With job-level permissions set, contents becomes none, which can break checkout and the local ./actions/setup action. Add contents: read to the job permissions.
| permissions: | |
| permissions: | |
| contents: read |
| ); | ||
|
|
||
| const isMergeable = pull?.state === "open" && pull?.mergeable === true && pull?.draft !== true; | ||
| if (isMergeable) { | ||
| mergeable.push(pullNumber); | ||
| continue; | ||
| } | ||
|
|
||
| core.info(`Skipping PR #${pullNumber}: mergeable=${String(pull?.mergeable)}, state=${pull?.state || "unknown"}, draft=${String(Boolean(pull?.draft))}`); | ||
| } |
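Review bot: in the `core.info` skip line, the optional chaining on `pull` means an empty or failed `pulls.get` result is logged as `mergeable=undefined, state=unknown` at info level, the same way as an intentional skip of a draft or conflicting PR. Consider a separate `core.warning` branch when `pull` is missing so an API problem stands out from a deliberate skip in the job log.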
pulls.get can return mergeable: null while GitHub is still computing mergeability. Current logic treats anything other than mergeable === true as non-mergeable and will skip these PRs without retrying, so some mergeable PRs may never get updated. Consider retrying specifically when mergeable === null (similar to getPullRequestWithMergeability in actions/setup/js/merge_pull_request.cjs) before deciding to skip.
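The retry on `mergeable === null` that the comment above asks for, as an added example that is not code from this PR or from the gh-aw project. `classifyPull`, `getPullWithMergeability`, `filterMergeable` and the fake client are hypothetical names, and the attempt count and delay are assumed values.

```javascript
// Added example; all names are hypothetical. `github` is any Octokit-shaped client.
/** Classify a pulls.get payload: "update", "pending" (mergeability not computed yet) or "skip". */
function classifyPull(pull) {
  if (!pull || pull.state !== "open" || pull.draft === true) return "skip";
  if (pull.mergeable == null) return "pending"; // null/undefined: still being computed
  return pull.mergeable === true ? "update" : "skip";
}

/** Fetch a PR, re-fetching while mergeability is pending, for at most maxAttempts fetches. */
async function getPullWithMergeability(github, owner, repo, pull_number, opts = {}) {
  const { maxAttempts = 3, delayMs = 1000 } = opts; // assumed defaults
  const sleep = opts.sleep || (ms => new Promise(resolve => setTimeout(resolve, ms)));
  let pull;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    ({ data: pull } = await github.rest.pulls.get({ owner, repo, pull_number }));
    if (classifyPull(pull) !== "pending") break; // a definite answer, or not worth retrying
    if (attempt < maxAttempts) await sleep(delayMs * attempt); // linear backoff
  }
  return pull;
}

/** Return the PR numbers that are open, non-draft and confirmed mergeable. */
async function filterMergeable(github, owner, repo, numbers, opts) {
  const mergeable = [];
  for (const n of numbers) {
    const pull = await getPullWithMergeability(github, owner, repo, n, opts);
    if (classifyPull(pull) === "update") mergeable.push(n);
  }
  return mergeable;
}

// Constructed stand-in for the API: PR 1 becomes mergeable on its 3rd fetch,
// PR 2 stays pending, PR 3 is a draft, PR 4 has conflicts.
function makeFakeGithub() {
  const calls = {};
  const get = async ({ pull_number: n }) => {
    calls[n] = (calls[n] || 0) + 1;
    const base = { state: "open", draft: n === 3 };
    if (n === 1) return { data: { ...base, mergeable: calls[n] >= 3 ? true : null } };
    if (n === 2) return { data: { ...base, mergeable: null } };
    return { data: { ...base, mergeable: n !== 4 } };
  };
  return { calls, rest: { pulls: { get } } };
}

async function demo() {
  const fake = makeFakeGithub();
  const result = await filterMergeable(fake, "owner", "repo", [1, 2, 3, 4], { sleep: async () => {} });
  return { result, calls: fake.calls };
}
```

A PR that is still pending after the last attempt is left out of the result rather than updated, and drafts and closed PRs are never re-fetched.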
| mockGithub.rest.pulls.updateBranch.mockResolvedValue({ data: {} }); | ||
|
|
||
| await moduleUnderTest.main(); | ||
|
|
||
| expect(mockGithub.rest.pulls.updateBranch).toHaveBeenCalledTimes(2); | ||
| expect(mockGithub.rest.pulls.updateBranch).toHaveBeenNthCalledWith(1, { |
moduleUnderTest.main() sleeps for UPDATE_DELAY_MS (1s) between PR updates. The first test updates 2 PRs, so the test will incur a real 1s delay and can slow/flakify the suite. Consider using vi.useFakeTimers() + vi.advanceTimersByTimeAsync(...), or mocking sleep so tests run instantly.
This issue also appears on line 87 of the same file.
🧪 Test Quality Sentinel Report
Test Quality Score: 93/100
✅ Excellent test quality
Test Classification Details
Language Support
Tests analyzed:
Notes
Verdict
📖 Understanding Test Classifications
Design Tests (High Value) verify what the system does:
Implementation Tests (Low Value) verify how the system does it:
Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.
References: §24874739013
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ca209793-8352-47be-83f9-433ebaeb1aef Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in
Summary
- `update_pull_request_branches`
- `actions/setup/js/update_pull_request_branches.cjs`
- `update_pull_request_branches` execution to a dedicated `update_pull_request_branches` job in maintenance workflow generation to isolate permissions
- `run_operation` conditions and `run_operation_update_upgrade.cjs` so `run_operation` no longer handles `update_pull_request_branches`
- `.github/workflows/agentics-maintenance.yml`)
- `update_pull_request_branches` (the workflow token cannot access the sessions endpoint), so the operation now updates all mergeable non-draft PRs directly

Validation
- `make fmt`
- `make recompile`
- `npm test -- run_operation_update_upgrade.test.cjs update_pull_request_branches.test.cjs` (from `actions/setup/js`)
- `npm test -- update_pull_request_branches.test.cjs` (from `actions/setup/js`)
- `go test -v -run "TestGenerateMaintenanceWorkflow_OperationJobConditions|TestGenerateMaintenanceWorkflow_RunOperationCLICodegen" ./pkg/workflow/`
- `make agent-finish` (currently fails due to pre-existing workflow package test failures unrelated to this change: `TestCopilotDetectionDefaultModel` and `TestWasmGolden_CompileFixtures`)

Notes
- `parallel_validation` completed Code Review successfully after feedback updates

🤖 Smoke CI scheduled run: https://github.com/github/gh-aw/actions/runs/24841939453
> Generated by Smoke CI · ● 396.7K · ◷