chore(deps): bump axios from 1.13.4 to 1.13.5 #42
Co-authored-by: EthanThePhoenix38 <103653068+EthanThePhoenix38@users.noreply.github.com>
@copilot Merge everything on main
Pull request overview
This PR appears to standardize Dependabot’s batching flow to use a dependencies branch (instead of securite/security) and updates related automation/documentation accordingly, alongside changelog entries.
Changes:
- Switch Dependabot update target branch to `dependencies`.
- Rename/update the secure-flow GitHub Actions workflow to merge into `dependencies`, create PRs to `main`, and add `gh` retry logic.
- Update release-notification workflow snippet and add new changelog entries.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| CHANGELOG.md | Adds new version entries describing automated sync/config updates. |
| .github/workflows/release-notification.yaml | Updates the example job name in the release announcement to auto-merge-to-dependencies. |
| .github/workflows/dependabot-secure-flow.yaml | Migrates batching workflow from securite to dependencies, adds retry wrappers, and adds auto-merge enablement logic. |
| .github/dependabot.yml | Routes npm and GitHub Actions Dependabot PRs to the dependencies branch. |
| git switch securite | ||
| # Switch to dependencies and merge | ||
| git switch dependencies | ||
| git merge origin/${{ github.head_ref }} --no-edit || true |
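Review bot: `${{ github.head_ref }}` is expanded straight into the shell command in the merge step (`git merge origin/${{ github.head_ref }} --no-edit || true`); the head branch name is chosen by whoever opens the PR, so on any non-Dependabot PR this is a script-injection point in the runner. Pass it through the step's `env:` (for example `HEAD_REF: ${{ github.head_ref }}`) and use `"origin/$HEAD_REF"` in the script, so the value is never re-parsed by the shell.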
In the merge step, git merge ... || true will ignore merge failures (e.g., conflicts). If the merge fails, the subsequent git push origin dependencies can still succeed (pushing the unchanged branch), and the workflow may then close/delete the Dependabot branch even though nothing was merged. Treat merge failures as fatal and gate the PR-closing step on a successful merge (e.g., remove || true and/or explicitly check the merge exit code before proceeding).
| git merge origin/${{ github.head_ref }} --no-edit || true | |
| git merge origin/${{ github.head_ref }} --no-edit |
| git fetch origin dependencies 2>/dev/null || git switch --create dependencies | ||
| git push origin dependencies || true |
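Review bot: `git push origin dependencies || true` swallows push failures (rejected non-fast-forward, missing write permission), so later steps run as if the branch were on origin when it may not be; drop the `|| true` so the step fails visibly. The `2>/dev/null` on `git fetch origin dependencies` has the same effect for fetch errors: a transient network or auth failure is indistinguishable from "branch does not exist" and falls through to `git switch --create`, which then creates the branch from whatever is checked out.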
Branch bootstrap is brittle: if dependencies doesn't exist remotely, git switch --create dependencies creates it from the currently checked-out ref (for pull_request events this is typically the PR merge ref), which can seed dependencies with unintended commits. Also, if the branch exists remotely, git fetch origin dependencies doesn't ensure a local tracking branch exists. Prefer an explicit flow: fetch origin/dependencies (or origin/main if creating), then git switch --track -c dependencies origin/dependencies (or git switch -c dependencies origin/main) before pushing.
| git fetch origin dependencies 2>/dev/null || git switch --create dependencies | |
| git push origin dependencies || true | |
| # Check if the dependencies branch exists on origin | |
| if git ls-remote --exit-code --heads origin dependencies >/dev/null 2>&1; then | |
| # Remote dependencies branch exists: fetch and ensure a local tracking branch | |
| git fetch origin dependencies | |
| if git show-ref --verify --quiet refs/heads/dependencies; then | |
| git switch dependencies | |
| else | |
| git switch --track -c dependencies origin/dependencies | |
| fi | |
| else | |
| # Remote dependencies branch does not exist: create it from origin/main | |
| git fetch origin main | |
| git switch -c dependencies origin/main | |
| git push origin dependencies | |
| fi |
| # Check commits between main and securite | ||
| NEW_COMMITS=$(git log main..securite --oneline | wc -l) | ||
| # Check commits between main and dependencies | ||
| NEW_COMMITS=$(git log main..dependencies --oneline | wc -l) |
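Review bot: `git log ... --oneline | wc -l` counts printed lines to obtain a commit count; `git rev-list --count <range>` returns the number directly, removes the pipeline (so there is no `pipefail` interaction to reason about), and yields `0` cleanly for an empty range.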
git log main..dependencies is likely to fail in this job because actions/checkout (even with fetch-depth: 0) checks out dependencies but does not necessarily create a local main branch ref. With bash -e -o pipefail, this will fail the step. Use origin/main..dependencies (or fetch/create main explicitly) to make this robust.
| NEW_COMMITS=$(git log main..dependencies --oneline | wc -l) | |
| NEW_COMMITS=$(git log origin/main..dependencies --oneline | wc -l) |
| gh_retry() { | ||
| local tries=0 | ||
| local max=5 | ||
| local delay=2 | ||
| while ! "$@"; do | ||
| tries=$((tries + 1)) | ||
| if [ "$tries" -ge "$max" ]; then | ||
| return 1 | ||
| fi | ||
| sleep "$delay" | ||
| delay=$((delay * 2)) | ||
| done | ||
| } |
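Review bot: `return 1` in `gh_retry` discards the exit status of the failed command, so callers cannot tell a `gh` authentication failure from a "PR already exists" error, and every failure is retried up to 5 times with 2+4+8+16 s of backoff even when it is permanent. Capture `$?` right after the failed attempt and `return` that value, and consider logging each attempt to stderr so the workflow log shows why the step eventually failed.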
The gh_retry helper is duplicated in multiple steps. This increases maintenance cost and makes fixes easy to miss. Consider moving it into a small checked-in script (e.g., .github/scripts/gh_retry.sh) and source it from each step, or wrap the GH calls in a reusable composite action.
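Taking up the suggestion above, here is a standalone version of the helper as an added example (not the repository's own workflow code); the script path `.github/scripts/gh_retry.sh` and the `GH_RETRY_MAX`/`GH_RETRY_DELAY` variables are assumptions. Unlike the inline helper it preserves the failed command's exit status and logs each attempt.

```shell
# Added example, not the repository's own workflow code: a gh_retry helper meant
# to live in a checked-in script (hypothetical path .github/scripts/gh_retry.sh)
# and be sourced from each workflow step instead of being pasted inline.
# Unlike the inline helper in the PR it returns the failed command's own exit
# status, logs each attempt to stderr, and takes its limits from
# GH_RETRY_MAX (attempts, default 5) and GH_RETRY_DELAY (initial backoff in
# seconds, default 2; doubles after each failure). Both variables are assumed.

gh_retry() {
  local max="${GH_RETRY_MAX:-5}"
  local delay="${GH_RETRY_DELAY:-2}"
  local tries=0
  local status=0
  while true; do
    # Run the command; on success return immediately.
    "$@" && return 0
    # The exit status of the && list above is the failed command's status.
    status=$?
    tries=$((tries + 1))
    if [ "$tries" -ge "$max" ]; then
      echo "gh_retry: '$*' failed $tries times (last exit status $status)" >&2
      return "$status"
    fi
    echo "gh_retry: attempt $tries failed (exit $status); retrying in ${delay}s" >&2
    sleep "$delay"
    delay=$((delay * 2))
  done
}

# Typical use in a workflow step once the script is sourced, e.g.
#   gh_retry gh pr create --base main --head dependencies --title "..." --body "..."
```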
Codex Review
This failure handler closes the current PR with
Updates axios dependency from 1.13.4 to 1.13.5 per Dependabot recommendation.
Changes
- axios `^1.13.4` to `^1.13.5`
- `.github/dependabot.yml`, workflows, and `CHANGELOG.md` to main branch state (removed unintended deletions from original Dependabot commit)

Security
No vulnerabilities detected in axios 1.13.5 (verified via GitHub Advisory Database and CodeQL).