Add Copilot setup workflow #811
Add .github/workflows/copilot-setup-steps.yml to run Copilot setup steps. The workflow triggers on manual dispatch and on PRs that modify this file to enable validation and manual testing. It defines the required job name copilot-setup-steps, runs on ubuntu-latest, checks out the repo, sets up Node.js 20 with npm caching, installs dependencies and runs the build.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a GitHub Actions workflow to run the required “Copilot setup steps” job for validation and manual testing.
Changes:
- Introduces a new workflow triggered by workflow_dispatch and PRs that modify the workflow file.
- Defines the copilot-setup-steps job to checkout, set up Node.js 20 with npm caching, install deps, and build.
| # checkout@v5 | ||
| uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | ||
|
|
||
| - name: Set up Node.js | ||
| # setup-node@v5 | ||
| uses: jonobr1/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 |
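Review bot: the comments above both uses: lines (# checkout@v5, # setup-node@v5) name only an action and a tag, not the owner, so nothing in the file tells a reader that the pinned SHAs live in the jonobr1 forks rather than upstream. Write the full owner/repo@tag each SHA was taken from in the comment, and state in the PR how each fork differs from upstream, so the pins can be audited when they are next bumped.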
Using third-party forked actions for checkout and setup-node increases supply-chain risk and makes provenance less clear. Prefer the official actions/checkout and actions/setup-node actions (still pinned to a commit SHA for security), and keep the uses: and inline comments consistent with the chosen actions.
| # checkout@v5 | |
| uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - name: Set up Node.js | |
| # setup-node@v5 | |
| uses: jonobr1/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 | |
| # actions/checkout@v4 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
| - name: Set up Node.js | |
| # actions/setup-node@v4 | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 |
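The checks raised in this review comment (action owner, SHA pinning, and a comment that matches the pinned action) can be run mechanically over a workflow file. The following is an added example, not code from this pull request or its repository; the TRUSTED_OWNERS allow-list, the finding names and the SAMPLE workflow (constructed from the uses: lines quoted above plus one constructed unpinned step) are assumptions.

```python
import re

# Assumption: owners this repository accepts without extra review.
TRUSTED_OWNERS = {"actions", "github"}

# owner/repo[/subpath]@ref; local (./...) and docker:// actions do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample input, reusing lines quoted in the review above.
SAMPLE = """\
steps:
  - name: Checkout
    # checkout@v5
    uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
  - name: Set up Node.js
    # actions/setup-node@v4
    uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
  - name: Constructed unpinned step
    uses: actions/cache@v4
"""


def audit_workflow(text, trusted=TRUSTED_OWNERS):
    """Return (line_no, action, finding) for every risky uses: line."""
    findings = []
    prev_comment = None  # comment on the line directly above, if any
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            prev_comment = stripped.lstrip("# ").strip()
            continue
        m = USES_RE.match(line)
        if m:
            owner, repo, ref = m.groups()
            action = f"{owner}/{repo}"
            if owner not in trusted:
                findings.append((no, action, "untrusted-owner"))
            if not SHA_RE.match(ref):
                # A tag or branch can be moved; only a full SHA is immutable.
                findings.append((no, action, "unpinned-ref"))
            elif prev_comment and not prev_comment.startswith(action + "@"):
                # The comment should say which owner/repo@tag the SHA came from.
                findings.append((no, action, "comment-omits-owner"))
        prev_comment = None
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```
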
| cache: "npm" | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install |
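Review bot: run: npm install in the Install dependencies step can resolve versions that are not in the committed lockfile and rewrite it, so the build this job validates may include dependency versions nobody reviewed. Use run: npm ci, which installs exactly what the lockfile records and fails when it disagrees with package.json; that also keeps the install consistent with the cache: "npm" setting on the step above.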
For CI builds, npm ci is typically preferred over npm install because it produces deterministic installs from the lockfile and fails if the lockfile is out of sync. Switching to npm ci improves reproducibility and avoids unintended lockfile/dep resolution drift.
| run: npm install | |
| run: npm ci |
| # checkout@v5 | ||
| uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | ||
|
|
||
| - name: Set up Node.js | ||
| # setup-node@v5 |
These inline comments are misleading because the workflow is not actually using checkout@v5 / setup-node@v5. Update the comments to match the real action source/version being used (or remove the versioned comments) to avoid confusion during maintenance.
| # checkout@v5 | |
| uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - name: Set up Node.js | |
| # setup-node@v5 | |
| uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - name: Set up Node.js |