Defines a Copilot skill that automates the full dependency update lifecycle for this Rust workspace: discover outdated deps via dependabot alerts/PRs, apply updates grouped by ecosystem (cargo, github-actions, npm), fix breakage, get CI green, and create PRs for human review. Also adds github/rust-gems to the update-deps-supervisor target list. Co-authored-by: Copilot <[email protected]>
PR bodies should now include GHSA IDs, advisory URLs, and a link to the repo's dependabot security dashboard. Co-authored-by: Copilot <[email protected]>
Pull request overview
Adds a repository-level Copilot skill (update-deps) that documents an end-to-end workflow for discovering, applying, validating, and submitting dependency updates across the Rust workspace and related tooling.
Changes:
- Introduces `.github/skills/update-deps/SKILL.md` describing a structured dependency update process grouped by ecosystem (cargo, GitHub Actions, npm).
- Documents recommended commands and PR hygiene (risk assessment, CI iteration limits, and closing superseded dependabot PRs).
Comments suppressed due to low confidence (2)
**.github/skills/update-deps/SKILL.md:92**

* This second `gh api .../dependabot/alerts` call has the same pagination issue as the earlier one: without `--paginate`, the advisory URL list may be incomplete if there is more than one page of alerts.

> Also fetch the advisory URLs for any security-related updates. The dependabot security dashboard is at `https://github.com/{owner}/{repo}/security/dependabot`. Individual alert details (including GHSA links) are available via:
>
> ```bash
> gh api /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | select(.state=="open") | {number: .number, package: .security_vulnerability.package.name, severity: .security_advisory.severity, ghsa_id: .security_advisory.ghsa_id, url: .html_url}]'
> ```
**.github/skills/update-deps/SKILL.md:35**
* This markdown table also uses `||` at the start of each line, which will add an unintended blank column when rendered. Switching to single leading `|` will fix the table formatting.
> | Ecosystem | Directories | Notes |
> |---|---|---|
> | cargo | / (workspace root) | All Rust deps managed at workspace level via Cargo.lock |
> | github-actions | .github/workflows/ | CI and publish workflows |
> | npm | crates/string-offsets/js/ | JS bindings for string-offsets (WASM) |
> ```bash
> gh api /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | select(.state=="open") | {number: .number, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, severity: .security_advisory.severity, summary: .security_advisory.summary}]'
> ```
gh api /repos/{owner}/{repo}/dependabot/alerts is paginated (default ~30 items). Without --paginate (or an explicit ?per_page= + pagination loop), this can miss open alerts in larger repos, which breaks the “gather all alerts” step.
This issue also appears on line 88 of the same file.
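As an added example (not code from the PR or from the SKILL.md under review), this Python script shows the two points raised in the thread in practice: merging several alert pages the way `--paginate` would, so that no alert is dropped, and rendering the GHSA id, advisory URL, per-alert URL and dashboard link into a PR body section. The alert pages, package names and GHSA ids are constructed placeholders; the field names are those used in the quoted jq filter.

```python
import json

OWNER, REPO = "github", "rust-gems"

def _alert(number, state, pkg, eco, severity, ghsa):
    """One alert in the shape of the dependabot/alerts API (constructed sample)."""
    return {
        "number": number, "state": state,
        "html_url": f"https://github.com/{OWNER}/{REPO}/security/dependabot/{number}",
        "security_vulnerability": {"package": {"name": pkg, "ecosystem": eco}},
        "security_advisory": {"severity": severity, "ghsa_id": ghsa},
    }

# Two constructed pages; the GHSA ids are placeholders, not real advisories.
# Without --paginate a client would only ever see PAGE_1.
PAGE_1 = json.dumps([_alert(7, "open", "example-crate", "cargo", "high", "GHSA-xxxx-xxxx-xxxx")])
PAGE_2 = json.dumps([_alert(9, "fixed", "example-js-pkg", "npm", "moderate", "GHSA-yyyy-yyyy-yyyy")])

def merge_pages(pages):
    """Concatenate JSON array pages, dropping duplicates by alert number."""
    seen, alerts = set(), []
    for page in pages:
        for alert in json.loads(page):
            if alert["number"] not in seen:
                seen.add(alert["number"])
                alerts.append(alert)
    return alerts

def advisory_section(alerts, owner, repo):
    """Markdown for the PR body: dashboard link, then one line per alert in any state."""
    lines = [f"Dependabot dashboard: https://github.com/{owner}/{repo}/security/dependabot", ""]
    for a in sorted(alerts, key=lambda a: a["number"]):
        adv, pkg = a["security_advisory"], a["security_vulnerability"]["package"]
        lines.append(
            f"- {adv['ghsa_id']} ({adv['severity']}, {a['state']}) {pkg['ecosystem']}/{pkg['name']}: "
            f"[advisory](https://github.com/advisories/{adv['ghsa_id']}) | "
            f"[alert #{a['number']}]({a['html_url']})"
        )
    return "\n".join(lines)

if __name__ == "__main__":
    print(advisory_section(merge_pages([PAGE_1, PAGE_2]), OWNER, REPO))
```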
**.github/skills/update-deps/SKILL.md** (outdated)
> For ecosystems without dependabot coverage or when running ad-hoc, use native tooling:
>
> - **cargo:** `cargo update --dry-run`
> - **npm:** `cd crates/string-offsets/js && npm outdated --json`
npm outdated --json exits with a non-zero status when updates are available (it’s often used specifically to signal “outdated”). If this skill is executed in a set -e context, that can be misinterpreted as a failure; consider documenting the expected exit code or appending || true when capturing JSON output.
Suggested change:

```diff
- - **npm:** `cd crates/string-offsets/js && npm outdated --json`
+ - **npm:** `cd crates/string-offsets/js && npm outdated --json || true` # npm exits non-zero when updates are available
```
Use per-alert URLs (security/dependabot/{number}) instead of just the dashboard. Include alerts in any state, not just open.
Co-authored-by: Copilot <[email protected]>
**itsibitzi** left a comment
Few points. But I feel like for these kinds of skills it's more important what the end effect is than the exact wording. And I guess we'll be iterating on these going forward.
**.github/skills/update-deps/SKILL.md** (outdated)
> - **Never push to `main` directly.** Always work on a feature branch.
> - **Never push code that doesn't pass `make lint` and `make test`.** If you can't fix it in 3 tries, stop and ask.
> - **Be conservative with major version bumps.** If a major version update breaks things and the fix isn't obvious, skip that package and note it in the PR description.
> - **Preserve lockfiles.** Always regenerate `Cargo.lock` and `package-lock.json` after updating — don't just edit manifests.
Does this make sense? Preserve lockfiles -> regenerate lockfiles?
Changed to "Regenerate lockfiles."
**.github/skills/update-deps/SKILL.md** (outdated)
> ## Edge cases
>
> - **Cargo workspace:** All Rust dependencies are managed at the workspace root. Always run `cargo update` and `cargo check` from the repo root.
This isn't true? There are no dependencies in the workspace root.
Good, reworded to: "Dependencies are declared per-crate but share a single Cargo.lock at the workspace root."
**.github/skills/update-deps/SKILL.md** (outdated)
> ## Edge cases
>
> - **Cargo workspace:** All Rust dependencies are managed at the workspace root. Always run `cargo update` and `cargo check` from the repo root.
> - **npm is scoped to string-offsets:** The only npm package is in `crates/string-offsets/js/`. Don't look for npm elsewhere.
I feel like this could cause issues in the future if we add more npm stuff and forget to update here. Not sure what value it adds either? Maybe just let the agent grep?
Changed to discover package.json files dynamically instead of hardcoding the path.
**.github/skills/update-deps/SKILL.md** (outdated)
> | Ecosystem | Directories | Notes |
> |---|---|---|
> | **cargo** | `/` (workspace root) | All Rust deps managed at workspace level via `Cargo.lock` |
This is a bit confusing because the dependencies are pinned via the lock file but aren't "managed". That is delegated to the individual crates.
Honestly not sure why we even have a workspace at all given these are individually published crates.
Updated the table too: "Deps declared per-crate; Cargo.lock at workspace root pins versions"
- Fix misleading cargo workspace description (deps are per-crate, not managed at workspace root)
- Don't hardcode npm paths; let the agent discover package.json files
- Fix 'preserve lockfiles' wording to 'regenerate lockfiles'
- Fix reviewer assignment to use CODEOWNERS, not the PR author
- Add --paginate to dependabot alert API calls
- Fix npm outdated exit code handling (|| true)

Co-authored-by: Copilot <[email protected]>
Adds a repo-level `update-deps` skill at `.github/skills/update-deps/SKILL.md` that automates the full dependency update lifecycle for this Rust workspace.

**What the skill does**

Discovers outdated deps via dependabot alerts/PRs, applies updates grouped by ecosystem, fixes breakage, gets CI green, and creates PRs for human review.

**Ecosystems covered**

- cargo, github-actions, and npm (`crates/string-offsets/js/`)

**Key features**

- Native tooling for ad-hoc discovery (`cargo update --dry-run`, `npm outdated`)
- … (`serde`, `wasm-bindgen`)