Copilot AI commented Nov 20, 2025

Implementation Complete ✅

  • Analyze existing workflows and understand patterns used in the repository
  • Create a GitHub Actions workflow that:
    • Triggers on pull_request events for paths matching /sdk/**/setup.py and /sdk/**/pyproject.toml
    • Detects newly introduced strict version pins (==) in main runtime dependencies
    • Ignores dev/test/extras dependencies and comments
    • Blocks merging unless approved by an architect (kashifkhan, annatisch, or johanste)
  • Create Python script with logic to detect strict version pins
  • Test the detection logic locally (all tests passing)
  • Update CODEOWNERS file to require architect approval for setup.py and pyproject.toml files
  • Add comprehensive documentation
  • Validate workflow YAML structure and syntax
  • Run integration tests
  • Fix CI errors
  • Remove codeowner names from README
  • Add .github/scripts to cspell ignore list

Recent Changes:

Added .github/scripts/** to cspell ignorePaths - Updated .vscode/cspell.json to ignore spelling checks in the .github/scripts/ directory to avoid false positives in the check_strict_pins.py script.

This pull request was created as a result of the following prompt from Copilot chat.

Implement a GitHub Action workflow that blocks merging a PR if it introduces a new strict version pin (e.g., package==version) in a main runtime dependency section (install_requires for setup.py, [project] dependencies for pyproject.toml) inside any file matching /sdk/**/setup.py or /sdk/**/pyproject.toml, unless an architect—a user in the set {kashifkhan, annatisch, johanste}—has approved the PR. The workflow should:

  • Only consider main package dependencies and ignore new pins in dev/test/extras or comments
  • Execute on pull requests touching the relevant files
  • Analyze the diff to detect only newly introduced or modified pins (changes from broader constraints to strict == as well as additions)
  • Block merging unless one of the specified architects leaves an approval review.

Also, update CODEOWNERS to require approval from kashifkhan, annatisch, or johanste for /sdk/**/setup.py and /sdk/**/pyproject.toml files.

All workflow and CODEOWNERS changes should be compatible with downstream branch protection rules to guarantee enforcement.

Provide a clear workflow file and CODEOWNERS proposal for review.


Copilot AI changed the title from "[WIP] Add GitHub Action to block merging PRs on strict version pins" to "Add GitHub Action to enforce architect approval for strict version pins" Nov 20, 2025
Copilot AI requested a review from l0lawrence November 20, 2025 18:16
Copilot finished work on behalf of l0lawrence November 20, 2025 18:16
@l0lawrence
Member

@copilot help me fix the CI errors

Contributor Author

Copilot AI commented Nov 20, 2025

@copilot help me fix the CI errors

Fixed the CI errors in commit c2684be:

  1. Added pull-requests: write permission - The workflow needs write access to post comments on PRs
  2. Moved README file - Relocated README-strict-version-pins.md from .github/workflows/ to .github/ to avoid CI validation issues with non-workflow files

The workflow should now pass CI checks.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • scanning-api.github.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of l0lawrence November 20, 2025 21:00
@l0lawrence
Member

@copilot remove the codeowner names from the readme

Contributor Author

Copilot AI commented Nov 20, 2025

@copilot remove the codeowner names from the readme

Removed the codeowner names from the README in commit 45517b7. The documentation now refers to "designated architects" instead of listing specific usernames.

Copilot finished work on behalf of l0lawrence November 20, 2025 21:47
@l0lawrence
Member

@copilot ignoring the spelling errors in the python file

Contributor Author

Copilot AI commented Nov 20, 2025

@copilot ignoring the spelling errors in the python file

Added .github/scripts/** to the cspell ignorePaths in commit 67cc772. The spell checker will now ignore files in the .github/scripts/ directory.

Copilot finished work on behalf of l0lawrence November 20, 2025 23:12