
Auto-heal npm dependency sync failures in CI workflow #48

Merged: EthanThePhoenix38 merged 2 commits into main from copilot/automate-npm-dependencies-management on Feb 1, 2026

Conversation

Copilot AI (Contributor) commented Feb 1, 2026

CI fails when package-lock.json drifts from package.json, blocking the aggregator workflow. This adds automatic recovery.

Changes

Workflow: .github/workflows/update-ai-pulse.yml

  • Resilient installation: Try npm ci → fallback to npm install on sync errors
  • Auto-commit lock file: Detect and push updated package-lock.json before aggregation
# Before
- name: Install dependencies
  run: npm ci

# After - two steps
- name: Install dependencies with auto-fix
  run: |
    if npm ci; then
      echo "✅ Installation réussie avec npm ci"
    else
      echo "⚠️ npm ci a échoué, reconstruction du lock file..."
      npm cache clean --force
      npm install
      echo "✅ package-lock.json régénéré automatiquement"
    fi

- name: Auto-commit updated lock file
  run: |
    git config --global user.name 'PhoenixProject-AutoSync'
    git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}'
    
    if ! git diff --exit-code package-lock.json; then
      git add package-lock.json
      git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement"
      git push
    fi

Behavior

  • In sync: npm ci succeeds, no commits, same performance
  • Out of sync: Regenerate lock file, auto-commit, continue workflow
  • Zero manual intervention: Workflow self-heals and completes successfully
Original prompt

Objective

Fully automate npm dependency management to avoid build failures caused by package.json and package-lock.json falling out of sync. The solution must be silent and require no manual intervention.

Current problem

The workflow fails at npm ci when package.json and package-lock.json are not in sync:

    `npm ci` can only install packages when your package.json and package-lock.json are in sync
    Missing: openai@4.104.0 from lock file
    Missing: @types/node@18.19.130 from lock file
    [...and other missing dependencies]

Required solution

1. Update the workflow .github/workflows/update-ai-pulse.yml

Replace the current installation step with a robust, automated mechanism:

    - name: Install dependencies
      run: npm ci

Must become:

    # Automatic, resilient dependency installation
    # Try npm ci first (fast and reproducible)
    # On failure caused by desynchronization, fall back to npm install
    # and automatically commit the updated package-lock.json
    - name: Install dependencies with auto-fix
      run: |
        # Attempt npm ci (clean, fast install)
        if npm ci; then
          echo "✅ Installation réussie avec npm ci"
        else
          echo "⚠️ npm ci a échoué, reconstruction du lock file..."

          # Clear the npm cache to avoid conflicts
          npm cache clean --force

          # Full install that updates package-lock.json
          npm install

          echo "✅ package-lock.json régénéré automatiquement"
        fi

    # Automatically commit package-lock.json if it changed
    # Runs before aggregation to keep the repository clean
    - name: Auto-commit updated lock file
      run: |
        # Git configuration for automatic commits
        git config --global user.name 'PhoenixProject-AutoSync'
        git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}'

        # Check whether package-lock.json was modified
        if ! git diff --exit-code package-lock.json; then
          echo "📦 Synchronisation automatique de package-lock.json"

          git add package-lock.json
          git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement

          - Synchronisation automatique des dépendances
          - Généré par le workflow CI/CD
          - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

          git push

          echo "✅ package-lock.json synchronisé et committé"
        else
          echo "ℹ️ package-lock.json déjà à jour"
        fi

2. Synchronize package-lock.json immediately

Fully regenerate the current package-lock.json so that it includes all missing dependencies (openai and its transitive dependencies).

Benefits of this approach

  1. Zero maintenance: the workflow repairs itself
  2. Silent: runs in the background without notification
  3. Always up to date: package-lock.json synchronizes automatically
  4. Traceability: automatic commits are documented with a timestamp
  5. Performance: uses npm ci whenever possible (faster)
  6. Resilience: falls back to npm install only when needed

Implementation notes

  • Comments in the workflow explain each step
  • The system automatically detects desynchronization
  • Automatic commits are clearly identified with the 🔧 emoji
  • The commit message format includes the UTC date for traceability
  • Uses the existing GitHub secrets for authentication

Files to modify

  1. .github/workflows/update-ai-pulse.yml - update the installation logic
  2. package-lock.json - initial synchronization with package.json

Reference

This pull request was created from Copilot chat.



Co-authored-by: EthanThePhoenix38 <103653068+EthanThePhoenix38@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Automate npm dependency management to prevent build failures" to "Auto-heal npm dependency sync failures in CI workflow", Feb 1, 2026
EthanThePhoenix38 marked this pull request as ready for review, February 1, 2026 16:07
Copilot AI review requested due to automatic review settings, February 1, 2026 16:07
EthanThePhoenix38 merged commit a7ce89e into main, Feb 1, 2026
11 of 12 checks passed
EthanThePhoenix38 deleted the copilot/automate-npm-dependencies-management branch, February 1, 2026 16:07
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds automatic recovery for npm dependency synchronization failures in the CI workflow. When package-lock.json drifts from package.json, the workflow will automatically regenerate the lock file and commit it, preventing build failures.

Changes:

  • Replace simple npm ci with a fallback mechanism that tries npm ci first, then falls back to npm install if sync errors occur
  • Add auto-commit step that detects package-lock.json changes and pushes them to the repository
  • Include detailed French comments explaining the auto-healing behavior


Comment on the fallback install:

    npm cache clean --force

    # Full install that updates package-lock.json
    npm install

Copilot AI Feb 1, 2026

The npm install command at line 44 can fail (e.g., network issues, registry unavailable, dependency resolution conflicts), but there's no error handling. If npm install fails, the script will continue and echo the success message, potentially causing the subsequent aggregation step to fail when dependencies are missing.

Add error handling to ensure npm install succeeds:

    if ! npm install; then
      echo "❌ npm install a également échoué"
      exit 1
    fi

Suggested change (replace):

    npm install

with:

    if ! npm install; then
      echo "❌ npm install a également échoué lors de la régénération du package-lock.json"
      exit 1
    fi
Comment on lines +62 to +67

    git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement

    - Synchronisation automatique des dépendances
    - Généré par le workflow CI/CD
    - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

Copilot AI Feb 1, 2026

The multi-line commit message uses embedded newlines which may not render correctly in git commit -m. The command substitution $(date -u +'%Y-%m-%d %H:%M:%S UTC') at line 66 is inside the quoted string, which should work, but the multi-line string format could cause issues depending on the shell.

Consider using git commit with -m multiple times for a cleaner approach, or ensure proper escaping. Also, consider adding [skip ci] to prevent infinite loops when this commit triggers the workflow again.

Suggested change (replace):

    git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement
    - Synchronisation automatique des dépendances
    - Généré par le workflow CI/CD
    - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

with:

    UTC_DATE=$(date -u +'%Y-%m-%d %H:%M:%S UTC')
    git commit \
      -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement [skip ci]" \
      -m "- Synchronisation automatique des dépendances" \
      -m "- Généré par le workflow CI/CD" \
      -m "- Date: $UTC_DATE"
Comment on the git identity configuration:

    run: |
      # Git configuration for automatic commits
      git config --global user.name 'PhoenixProject-AutoSync'
      git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}'

Copilot AI Feb 1, 2026

Using a secret (GIT_AUTHOR_EMAIL) for the commit email in an auto-sync bot may be unnecessary and could expose the secret in git logs. Bot emails are typically public and don't need to be secrets. Consider using a fixed bot email address or the GitHub no-reply email format.

For example:

git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'

Or a project-specific bot email without needing a secret:

git config --global user.email 'phoenix-autosync@users.noreply.github.com'

Comment on lines +51 to +73

    - name: Auto-commit updated lock file
      run: |
        # Git configuration for automatic commits
        git config --global user.name 'PhoenixProject-AutoSync'
        git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}'

        # Check whether package-lock.json was modified
        if ! git diff --exit-code package-lock.json; then
          echo "📦 Synchronisation automatique de package-lock.json"

          git add package-lock.json
          git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement

          - Synchronisation automatique des dépendances
          - Généré par le workflow CI/CD
          - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

          git push

          echo "✅ package-lock.json synchronisé et committé"
        else
          echo "ℹ️ package-lock.json déjà à jour"
        fi

Copilot AI Feb 1, 2026

The auto-commit step will create commit noise in the repository history every time package-lock.json drifts from package.json. While this provides traceability, it adds clutter to the git log. Combined with the fact that this workflow runs every 3 hours (line 5) AND on every push to main (line 6-8), this could result in frequent auto-sync commits.

Consider:

  1. Documenting this behavior in the repository's README or contributing guidelines
  2. Adding a concurrency group to prevent multiple simultaneous runs
  3. Using a separate branch for auto-sync commits and periodically merging to main

This is particularly important given the workflow already makes automatic commits for README updates (lines 87-101), potentially resulting in two commits per workflow run.

Comment on lines +32 to +73

    - name: Install dependencies with auto-fix
      run: |
        # Attempt npm ci (clean, fast install)
        if npm ci; then
          echo "✅ Installation réussie avec npm ci"
        else
          echo "⚠️ npm ci a échoué, reconstruction du lock file..."

          # Clear the npm cache to avoid conflicts
          npm cache clean --force

          # Full install that updates package-lock.json
          npm install

          echo "✅ package-lock.json régénéré automatiquement"
        fi

    # Automatically commit package-lock.json if it changed
    # Runs before aggregation to keep the repository clean
    - name: Auto-commit updated lock file
      run: |
        # Git configuration for automatic commits
        git config --global user.name 'PhoenixProject-AutoSync'
        git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}'

        # Check whether package-lock.json was modified
        if ! git diff --exit-code package-lock.json; then
          echo "📦 Synchronisation automatique de package-lock.json"

          git add package-lock.json
          git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement

          - Synchronisation automatique des dépendances
          - Généré par le workflow CI/CD
          - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

          git push

          echo "✅ package-lock.json synchronisé et committé"
        else
          echo "ℹ️ package-lock.json déjà à jour"
        fi

Copilot AI Feb 1, 2026

This workflow lacks a concurrency control mechanism. Since it triggers on both schedule (every 3 hours) and push to main, and now makes auto-commits that could re-trigger itself, multiple instances of this workflow could run simultaneously. This could lead to:

  1. Git push conflicts when multiple runs try to commit simultaneously
  2. Race conditions in package-lock.json updates
  3. Wasted CI resources

Add a concurrency group to ensure only one instance runs at a time:

concurrency:
  group: ai-pulse-aggregator
  cancel-in-progress: false

Place this at the job level (after line 16) or workflow level (after line 12).

Comment on lines +32 to +68

    - name: Install dependencies with auto-fix
      run: |
        # Attempt npm ci (clean, fast install)
        if npm ci; then
          echo "✅ Installation réussie avec npm ci"
        else
          echo "⚠️ npm ci a échoué, reconstruction du lock file..."

          # Clear the npm cache to avoid conflicts
          npm cache clean --force

          # Full install that updates package-lock.json
          npm install

          echo "✅ package-lock.json régénéré automatiquement"
        fi

    # Automatically commit package-lock.json if it changed
    # Runs before aggregation to keep the repository clean
    - name: Auto-commit updated lock file
      run: |
        # Git configuration for automatic commits
        git config --global user.name 'PhoenixProject-AutoSync'
        git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}'

        # Check whether package-lock.json was modified
        if ! git diff --exit-code package-lock.json; then
          echo "📦 Synchronisation automatique de package-lock.json"

          git add package-lock.json
          git commit -m "🔧 Auto-sync: package-lock.json mis à jour automatiquement

          - Synchronisation automatique des dépendances
          - Généré par le workflow CI/CD
          - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

          git push

Copilot AI Feb 1, 2026

This workflow creates a potential infinite loop. The workflow triggers on push to main (line 6-8), and the auto-commit step pushes to main (line 68), which will trigger the workflow again. This can cause an endless cycle of workflow runs.

To prevent this, you should either:

  1. Add [skip ci] to the commit message to prevent retriggering workflows
  2. Use paths filters in the workflow trigger to exclude package-lock.json
  3. Add a condition to check if the commit author is 'PhoenixProject-AutoSync' and skip the workflow

The recommended fix is to update the commit message on line 62 to include [skip ci] marker.

Comment on the push:

    - Généré par le workflow CI/CD
    - Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"

    git push

Copilot AI Feb 1, 2026

The git push operation will fail because actions/checkout@v4 by default uses the GITHUB_TOKEN which doesn't persist credentials for subsequent git operations. When the workflow tries to push, it will encounter an authentication error.

You need to either:

  1. Pass a token to actions/checkout that has push permissions (e.g., persist-credentials: true should work with GITHUB_TOKEN given the workflow has contents: write permission)
  2. Or configure git to use the GITHUB_TOKEN explicitly before pushing

Consider adding to the checkout step:

- name: Check out repository
  uses: actions/checkout@v4
  with:
    token: ${{ secrets.GITHUB_TOKEN }}

Or configure git credentials before the push:

git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git

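A hardened version of the two steps, as an added example that is not the PR's own workflow, folding in the reviewers' points: a public bot identity instead of a secret in git history, `[skip ci]` against the self-triggering push, a concurrency group, an explicit least-privilege token, and a hard failure when regeneration fails. Assumptions: the workflow name, job name and cron expression are placeholders, and regenerating only the lock file with `npm install --package-lock-only --ignore-scripts` before a second `npm ci` is my substitution for the PR's plain `npm install`, so that no package lifecycle script runs on an unreviewed dependency resolution.

```yaml
name: update-ai-pulse            # assumed workflow name
on:
  schedule:
    - cron: '0 */3 * * *'        # assumed: the review mentions a 3-hour schedule
  push:
    branches: [main]

# Least privilege: the job token only needs to write repository contents.
permissions:
  contents: write

# One run at a time; a queued run waits instead of racing on git push.
concurrency:
  group: ai-pulse-aggregator
  cancel-in-progress: false

jobs:
  aggregate:                     # assumed job name
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}   # job token for the push; no extra secret needed

      - name: Install dependencies with auto-fix
        run: |
          if npm ci; then
            exit 0
          fi
          echo "npm ci failed, regenerating package-lock.json"
          # Rebuild only the lock file without running package lifecycle scripts,
          # then install strictly from the regenerated lock so the result is reproducible.
          if ! npm install --package-lock-only --ignore-scripts; then
            echo "lock file regeneration failed"; exit 1
          fi
          npm ci

      - name: Auto-commit updated lock file
        run: |
          # Public bot identity: nothing secret ends up in the commit metadata.
          git config user.name 'github-actions[bot]'
          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
          if git diff --quiet -- package-lock.json; then
            echo "package-lock.json already up to date"; exit 0
          fi
          git add package-lock.json
          # [skip ci] keeps this push from re-triggering the workflow (no self-feeding loop).
          git commit \
            -m "Auto-sync: regenerate package-lock.json [skip ci]" \
            -m "Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"
          git push
```

Every auto-sync commit still lands on main, so the lock-file diff should be reviewed like any other dependency change, for example via a scheduled audit of commits authored by the bot identity.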