
ci: bump actions/checkout from 4 to 5#1

Closed
dependabot[bot] wants to merge 1 commit into
main from
dependabot/github_actions/actions/checkout-5
Closed

Conversation


@dependabot dependabot Bot commented on behalf of github Oct 10, 2025

Bumps actions/checkout from 4 to 5.

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 10, 2025

dependabot Bot commented on behalf of github Nov 25, 2025

Superseded by #5.

@dependabot dependabot Bot closed this Nov 25, 2025
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-5 branch November 25, 2025 00:05
cabljac added a commit that referenced this pull request Apr 28, 2026
Address three more Copilot comments. All three are real:

#1. Nested redaction blocks were leaking. The previous iterative-regex
    approach matched from the FIRST opening marker to the FIRST closing
    marker, which on properly-nested input (outer wraps inner) ate the
    inner pair and left an orphaned outer close marker plus the
    intended-private content between the inner close and the outer
    close. Replaced with `stripInternalBlocks` — a depth-tracking pass
    that walks all marker positions in document order and emits content
    only when depth=0. Defaults: unmatched close drops the marker and
    keeps surrounding content; unmatched open drops to end-of-input
    (fail-safe — better to drop too much than leak intended-private
    content upstream).
    Exported as `stripInternalBlocks` (with @internal JSDoc) so it can
    be unit-tested directly. 9 tests in tests/redaction.test.ts cover
    sibling, nested, whitespace tolerance, dangling close, unmatched
    open, multi-line, and lastIndex-reset cases.

#2. The fallback compare URL (shown when --pr wasn't set or
    `gh pr create` failed) used `plan.upstreamDefaultBranch` instead
    of `baseBranch`. With `--base develop`, the URL pointed at `main`.
    Now uses the resolved `baseBranch`.

#3. `syncPulledPr` was writing pulledPrs head/lastSyncedAt even when
    the push to origin failed, so the mirror state diverged from the
    recorded linkage. Same fix pattern as the recent
    pullRequestCommand bug: skip the config write when push fails.
    Tests cover the no-write-on-push-fail case.

Plus: replaced `gh issue list --search` with plain `--state all --limit
20` in the Tier 5 e2e and added a 5-attempt retry around it. GitHub's
search index AND list endpoint both have eventual-consistency lag for
freshly-created issues; the retry makes the test deterministic.

Verification
- 239 unit tests pass / 0 fail (was 229; +10 new tests)
- 4 e2e tiers pass / 0 fail across 3 consecutive runs (was 1 flaky run
  in 3 before this fix)
- Lint clean, build OK
cabljac added a commit that referenced this pull request Apr 28, 2026
…/pull (#32)

* refactor(commands): extract planStaging + executeStagingPush from stageCommand

Pre-factor for shipCommand. No behaviour change — all 172 unit tests pass
unchanged. The split:

- planStaging(branch, cwd): pure read. Verifies the branch, resolves public
  and upstream remotes, detects upstream's default branch, checks whether
  scheduled sync is enabled. Returns a StagingPlan that callers display
  before any user confirmation.
- executeStagingPush(plan, cwd, spinner): the actual push. Strips the
  internal workflow commit when scheduled sync is on; otherwise direct
  branch push. Returns the SHA pushed.

stageCommand now reads as: auth → plan → confirm → execute → render PR URL.
shipCommand will reuse plan + execute, slotting an internal-PR lookup and
upstream PR creation between confirm and the post-execute step.

* feat(config): add shippedBranches and pulledPrs to VenforkConfig

Two new branch-keyed maps in `venfork-config`:
- shippedBranches: linkage between an internal review PR and the upstream
  PR it was promoted to (recorded by `venfork stage --pr`).
- pulledPrs: tracking record for upstream PRs pulled into the mirror for
  internal review (recorded by `venfork pull-request`, used by
  `venfork sync <branch>` to refresh).

Patch semantics: per-entry merge with `null` to delete a single entry,
or `null` for the whole field to clear the map. Same shape for both.

Per-entry validation drops malformed records during normalize so a
bad write never wedges the config branch.

No callers yet — just the schema + the patch plumbing.

* feat: add stage --pr, pull-request, and sync <pulled-branch>

Three user-visible additions for 0.6.0, all sharing the same use case:
closing the round-trip between internal review on the private mirror and
upstream PR activity.

stage --pr (opt-in)
- `venfork stage <branch> --pr` runs the existing stage logic, then opens
  the upstream PR via `gh pr create --repo <upstream> --head <fork>:<branch>`.
- The upstream PR body comes from the most recent internal-mirror PR for
  that branch (open first, then any state). Blocks delimited by
  `<!-- venfork:internal -->...<!-- /venfork:internal -->` are stripped
  before posting; a footer linking back to the internal review is appended.
- The translated body is shown in a confirm prompt before any push happens
  so contractors can catch redaction mistakes before they go public.
- The internal/upstream PR pair is recorded in
  `venfork-config.shippedBranches[<branch>]` for follow-up tooling.
- `--draft`, `--title <text>`, `--base <branch>` flags supported. `--draft`
  implies `--pr`. Default `stage` behaviour without `--pr` is unchanged.

pull-request <pr-number-or-url>
- Brings a third-party upstream PR's commits onto a local branch (default
  `upstream-pr/<n>`) and pushes it to the mirror so the team can review
  internally before it lands upstream.
- Reads PR metadata via `gh pr view --json`; renders title/author/state/
  body preview as a `p.note` so the team has context.
- Refuses to clobber an existing local branch unless --branch-name is
  passed (prevents stomping on a previous review).
- `--no-push` skips the mirror push for purely-local inspection.
- Records `pulledPrs[<branch>]` so sync can later refresh.

sync <pulled-branch>
- When the targetBranch matches a `pulledPrs` entry (or the
  `upstream-pr/<n>` naming convention), syncCommand refetches
  `pull/<n>/head` from upstream and force-with-lease pushes to origin
  instead of running the default-branch +1-commit sync flow.
- Falls back to the convention if no config entry exists, so users can
  refresh branches that were created manually.

Tests
- 28 new tests across stage-args, pull-request-args, stageCommand --pr
  flow, pullRequestCommand happy/sad paths, and syncCommand pulled-PR
  routing. Total: 203 pass / 0 fail.

Docs
- README: rewrote `venfork stage` section with the new flags + the
  redaction marker convention; added `venfork pull-request` section and
  a sync-pulled-branch note. Quick Start example updated.
- showHelp() output covers the new commands.

* feat: add venfork issue stage/pull + e2e fixtures for ship/pull/sync

issue stage|pull
- `venfork issue stage <internal-#>` reads an internal mirror issue,
  applies the same `<!-- venfork:internal -->...<!-- /venfork:internal -->`
  redaction as stage --pr, and opens the upstream counterpart.
- `venfork issue pull <upstream-#>` creates an internal triage issue on
  the mirror titled `[upstream #N] <title>` referencing the upstream
  source, so teams can review without leaving the private space.
- Both record one-shot linkage in venfork-config (`shippedIssues` /
  `pulledIssues` maps). No comment sync — these are audit-log records.

Config schema additions
- `ShippedIssue` and `PulledIssue` types alongside ShippedBranch / PulledPr.
- Same per-entry merge + null-clear semantics in updateVenforkConfig.
- Per-entry validators drop malformed records during normalize.

E2E fixtures (Tier 3, 4, 5)
- Tier 3: stage --pr against real GitHub. Creates a feature branch + an
  internal review PR with a redaction block, runs `venfork stage feat
  --pr --draft`, asserts the upstream PR exists with the redacted block
  removed and isDraft=true.
- Tier 4: pull-request + sync upstream-pr. Opens an upstream PR via the
  contents API, runs `venfork pull-request <n>`, asserts mirror branch
  matches local. Pushes another commit upstream, runs `venfork sync
  upstream-pr/<n>`, asserts the mirror branch advanced.
- Tier 5: issue stage + pull round-trip. Creates an internal issue with
  a redaction block, stages it upstream, asserts redaction applied.
  Creates an upstream issue, pulls it into the mirror, asserts the
  internal copy has the [upstream #N] prefix and links back.

Tests
- 12 new unit tests across issue-args (6) + issueCommand (5) + config
  round-trip (1). Total: 215 pass / 0 fail.
- E2E tiers 3-5 add 3 tests gated behind VENFORK_E2E=1; all use the
  same beforeAll setup as Tier 1, sharing the upstream/mirror/fork repos.

Helpers
- `openUpstreamPr` (creates branch + commit + PR via the contents API)
- `pushToUpstreamPrBranch` (adds another commit to an existing PR
  branch — used by the sync test)
- `createIssueOnRepo`, `getIssueMeta`, `getPrMeta` for assertions

Docs
- README: new `venfork issue` section under Commands; quick-start
  example unchanged (issues are an opt-in flow).
- showHelp: includes the new sub-command.

* fix(commands): VENFORK_NONINTERACTIVE bypass for stage --pr / issue prompts

clack's confirm reads keypresses, so piping `y\n` over stdin in non-TTY
mode doesn't reliably resolve the prompt — the e2e Tier 3 (stage --pr)
and Tier 5 (issue stage/pull) tests both saw stdin EOF interpreted as
cancel, exiting cleanly without performing the action.

- New `confirmOrAutoYes` wrapper returns true immediately when
  `VENFORK_NONINTERACTIVE=1` is set; otherwise delegates to `p.confirm`.
- Applied to stageCommand's "push to public fork" prompt and to both
  issueCommand prompts (stage + pull).
- Setup's personal-account safety prompt is intentionally NOT bypassed
  — that one's a guardrail against accidental personal-account creation
  in scripts.
- Tier 3 and Tier 5 e2e tests now set the env var instead of piping
  `y\n`.
- README documents the env var under Environment Variables.

* fix(stage): pass --state value as separate arg in gh pr list lookup

Internal-PR lookup was passing '--state open' as a single execa template interpolation, which gh either rejects or filters wrong — producing zero results and triggering the synthetic-body fallback. Splitting into '--state ${state}' separates the flag from the value.

* test(e2e): tier 3 filters upstream PR by headRefName instead of --head

gh's --head filter on cross-repo PRs is unreliable — listing all PRs and filtering in JS by headRefName + headRepositoryOwner is robust.

* fix: review-found issues for 0.6.0

Self-review surfaced 11 issues; fixing all of them on this branch before
opening the PR keeps the release cohesive.

Stage / PR creation
- Synthetic body (when no internal review PR exists) is now generated
  from `git log --oneline upstream/<default>..<branch>` instead of a
  literal "please add a description" placeholder. The upstream maintainer
  sees real commit subjects.
- Redaction marker stripping iterates until no marker pair remains —
  nested `<!-- venfork:internal -->` blocks now redact correctly.
- `--internal-pr <n>` flag pins a specific internal PR (skips the
  most-recent-open lookup). Useful when a branch has had multiple
  internal PRs and you want to ship from a specific one.
- When `gh pr create` reports "already exists", venfork now follows up
  with `gh pr edit --body-file -` to refresh the upstream PR body from
  the (possibly updated) internal review. `--no-update-existing` opts out.

URL handling
- `resolvePullRequestArg` and `resolveIssueArg` now throw instead of
  warning when the URL's owner/repo doesn't match the upstream remote.
  Pasting a stray URL no longer silently uses upstream as the source.

Pull-request flow
- `pullRequestCommand` only records the `pulledPrs` linkage when the
  push to origin actually succeeded. Previously the entry was written
  even on push failure, leading `venfork sync <branch>` to think the
  mirror had a branch it didn't.

Config branch
- `writeConfigBranch` switches from `git push --force` to an explicit
  `--force-with-lease=venfork-config:<sha>`, where the expected SHA
  comes from a fresh `git ls-remote`. Concurrent venfork commands now
  fail loud (the second push errors) instead of silently overwriting
  each other.

Status
- `venfork status` now reads `venfork-config` and renders four
  best-effort linkage blocks: shippedBranches, pulledPrs, shippedIssues,
  pulledIssues. No live `gh` round-trips per entry.

Tests
- Stage-args: --internal-pr (value + equals form, validation), --no-update-existing.
- Stage command: regression for the `--state open` execa-arg bug (asserts the rendered command has `--state` separated from `open`); --internal-pr override path; auto-update via `gh pr edit`; `--no-update-existing` opt-out; VENFORK_NONINTERACTIVE bypass.
- Total: 215 → 225 pass.

Docs
- README: `--branch-name` caveat under `pull-request`; new "Concurrency"
  subsection under environment variables explaining the
  --force-with-lease retry behaviour.

* fix: apply all reviewer feedback from PR review thread

Agent-Logs-Url: https://github.com/cabljac/venfork/sessions/1ed2e6ce-a0f0-4ce4-a530-8550020fc15d

Co-authored-by: cabljac <32874567+cabljac@users.noreply.github.com>

* style(commands): wrap translateInternalBody call to satisfy biome line-length

* fix: address copilot review round 2

- Tighten issue/PR number validation in normalizers to require
  positive integers (was: any finite number). Hand-edited config with
  garbage numbers (negatives, floats, NaN) is now dropped during
  normalize. New `isPositiveInt` helper de-duplicates the four call sites.

- Fix --no-push semantics in `pullRequestCommand`. Previously initialised
  `pushSucceeded = !push`, which evaluated to `true` when the user passed
  --no-push and let the flow fall through to record a pulledPrs entry.
  A later `venfork sync <branch>` would then push the branch to the mirror
  unexpectedly, defeating --no-push. Renamed to `pushedToMirror` (defaults
  to false) and skip the linkage write whenever the mirror doesn't have
  the branch — covers both the push-fail path and --no-push.

- Strengthen the existing --no-push unit test to assert no pulledPrs
  config write happens, not just no `git push origin`.

E2E smoke green: 4 pass / 2 skip / 0 fail / 85s.

* feat(config): auto-retry venfork-config writes on lease failure

Concurrent venfork commands previously crashed the losing run with a
"stale info" error; the user had to re-run by hand. The losing run
already has all the information needed to recover automatically (its
patch, the read+write helpers, the lease semantics). Wrap the
read-merge-write cycle in a bounded retry loop so the recovery is
invisible.

How it works

- New `fetchConfigContentAndSha` reads the venfork-config branch
  content together with the SHA of the commit it came from, in a
  single fetch. Capturing the read-from SHA is what makes the lease
  correct under concurrency — a separate ls-remote right before the
  push would race with concurrent writers.
- `writeConfigBranch` now accepts an optional `expectedSha`. When set,
  the push leases against that exact SHA (the one we read from). The
  ls-remote fallback stays for first-time writes (`createConfigBranch`).
- `updateVenforkConfig` runs the full read → merge-patch → write cycle
  in a `for` loop bounded at MAX_RETRIES = 3. On a lease failure (git
  stderr containing "stale info" or the rejected-with-stale-info
  pattern) it re-reads, re-applies the same patch on top of the now-
  fresh content, and retries. Auth/network failures are NOT retried.
- Patch application is factored into `applyPatchAndNormalize` so the
  same patch is applied cleanly on each retry without duplication.

Tests (4 new, 11 total in tests/config.test.ts)

- Push uses --force-with-lease against the read sha (not a fresh
  ls-remote).
- Stale-info on first push → re-read → retry succeeds; final push
  leases against the new sha.
- Three consecutive stale-info failures → throws after attempt 3.
- Auth-failure error message → throws immediately, no retry.

Docs

- README "Concurrency" subsection rewritten: explains that concurrent
  runs are normally invisible (auto-retry merges both updates) and
  surfaces the manual-retry expectation only after sustained contention.

* fix: round-3 review (nested redaction, --base URL, sync push fail)

Address three more Copilot comments. All three are real:

#1. Nested redaction blocks were leaking. The previous iterative-regex
    approach matched from the FIRST opening marker to the FIRST closing
    marker, which on properly-nested input (outer wraps inner) ate the
    inner pair and left an orphaned outer close marker plus the
    intended-private content between the inner close and the outer
    close. Replaced with `stripInternalBlocks` — a depth-tracking pass
    that walks all marker positions in document order and emits content
    only when depth=0. Defaults: unmatched close drops the marker and
    keeps surrounding content; unmatched open drops to end-of-input
    (fail-safe — better to drop too much than leak intended-private
    content upstream).
    Exported as `stripInternalBlocks` (with @internal JSDoc) so it can
    be unit-tested directly. 9 tests in tests/redaction.test.ts cover
    sibling, nested, whitespace tolerance, dangling close, unmatched
    open, multi-line, and lastIndex-reset cases.

#2. The fallback compare URL (shown when --pr wasn't set or
    `gh pr create` failed) used `plan.upstreamDefaultBranch` instead
    of `baseBranch`. With `--base develop`, the URL pointed at `main`.
    Now uses the resolved `baseBranch`.

#3. `syncPulledPr` was writing pulledPrs head/lastSyncedAt even when
    the push to origin failed, so the mirror state diverged from the
    recorded linkage. Same fix pattern as the recent
    pullRequestCommand bug: skip the config write when push fails.
    Tests cover the no-write-on-push-fail case.

Plus: replaced `gh issue list --search` with plain `--state all --limit
20` in the Tier 5 e2e and added a 5-attempt retry around it. GitHub's
search index AND list endpoint both have eventual-consistency lag for
freshly-created issues; the retry makes the test deterministic.

Verification
- 239 unit tests pass / 0 fail (was 229; +10 new tests)
- 4 e2e tiers pass / 0 fail across 3 consecutive runs (was 1 flaky run
  in 3 before this fix)
- Lint clean, build OK

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
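The depth-tracking redaction pass that the round-3 commit message describes (it appears both as the standalone commit above and inside the squashed #32 message) is easy to get wrong, and the leak it replaced is worth seeing side by side with the fix. The block below is an added example and not venfork's own code: the marker spellings, the whitespace tolerance, the function names and the sample inputs are assumptions taken from the commit text. `naiveStripFirstPair` reproduces the pre-fix first-open-to-first-close behaviour, and `stripInternalBlocks` implements the depth-0 emission rule with the two fail-safe defaults (unmatched close drops only the marker, unmatched open drops everything to end-of-input).

```typescript
// Added example, not venfork's code. Marker regexes are assumptions about the
// <!-- venfork:internal --> ... <!-- /venfork:internal --> convention.
const OPEN_RE = /<!--\s*venfork:internal\s*-->/g;
const CLOSE_RE = /<!--\s*\/venfork:internal\s*-->/g;

interface Marker { index: number; length: number; kind: "open" | "close" }

/** Collect every open/close marker position, sorted into document order. */
function findMarkers(input: string): Marker[] {
  const markers: Marker[] = [];
  for (const [re, kind] of [[OPEN_RE, "open"], [CLOSE_RE, "close"]] as const) {
    re.lastIndex = 0; // global regexes carry state between calls; reset before each scan
    let m: RegExpExecArray | null;
    while ((m = re.exec(input)) !== null) {
      markers.push({ index: m.index, length: m[0].length, kind });
    }
  }
  return markers.sort((a, b) => a.index - b.index);
}

/**
 * Emit content only while nesting depth is 0.
 *  - nested blocks: the inner pair is swallowed by the outer one
 *  - unmatched close at depth 0: drop the marker, keep surrounding content
 *  - unmatched open: drop everything to end-of-input (fail-safe)
 */
export function stripInternalBlocks(input: string): string {
  const out: string[] = [];
  let depth = 0;
  let cursor = 0;
  for (const mk of findMarkers(input)) {
    if (depth === 0) out.push(input.slice(cursor, mk.index));
    if (mk.kind === "open") depth++;
    else if (depth > 0) depth--;
    cursor = mk.index + mk.length; // the marker itself is never emitted
  }
  if (depth === 0) out.push(input.slice(cursor)); // still open at EOF: tail is private
  return out.join("");
}

/** The pre-fix behaviour: first open to first close, repeated until no pair is left. */
export function naiveStripFirstPair(input: string): string {
  const pair = /<!--\s*venfork:internal\s*-->[\s\S]*?<!--\s*\/venfork:internal\s*-->/;
  let s = input;
  while (pair.test(s)) s = s.replace(pair, "");
  return s;
}

// Constructed sample inputs covering the cases the commit message lists.
const O = "<!-- venfork:internal -->";
const C = "<!-- /venfork:internal -->";
export const SAMPLE_SIBLING = `a${O}x${C}b${O}y${C}c`;
export const SAMPLE_NESTED = `a${O}x${O}y${C}z${C}b`;
export const SAMPLE_WHITESPACE = "a<!--venfork:internal-->x<!--  /venfork:internal  -->b";
export const SAMPLE_DANGLING_CLOSE = `a${C}b`;
export const SAMPLE_UNMATCHED_OPEN = `a${O}secret`;
export const SAMPLE_MULTILINE = `line1\n${O}\nsecret\n${C}\nline2`;
```

On `SAMPLE_NESTED` the naive variant removes the span from the outer open to the inner close and returns `az<!-- /venfork:internal -->b`, which is exactly the orphaned close marker plus leaked `z` the commit describes; the depth-tracking version returns `ab`. The `lastIndex` reset matters because the module-level regexes have the `g` flag, so a second call without the reset would start scanning mid-string.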
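The "auto-retry venfork-config writes on lease failure" commit describes a read, merge-patch, push-with-lease cycle bounded at three attempts, retrying only on the git "stale info" rejection. The block below is an added example and not venfork's code: an in-memory `FakeRemote` stands in for `git ls-remote` and `git push --force-with-lease=venfork-config:<sha>`, the SHAs are constructed counters, and the helper names (`applyPatchAndNormalize`, `updateVenforkConfig`, `MAX_RETRIES`) are borrowed from the commit text as assumptions about the shape, not the project's actual signatures. The `beforePush` hook exists only so a test can inject a competing writer between the read and the push, which is the race the lease is there to catch.

```typescript
// Added example, not venfork's code. Models the read -> merge-patch -> push-with-lease
// loop from the commit message against a constructed in-memory remote.
type Config = Record<string, string>;
type Patch = Record<string, string | null>; // null deletes a single entry

const MAX_RETRIES = 3;

/** Stand-in for the venfork-config branch: current content plus the SHA it sits at. */
export class FakeRemote {
  private content: Config = {};
  private sha = "sha0";
  private counter = 0;
  pushes = 0;
  failNextPush?: Error; // lets a test simulate an auth/network failure

  /** fetchConfigContentAndSha: content and the SHA it was read from, in one read. */
  fetch(): { content: Config; sha: string } {
    return { content: { ...this.content }, sha: this.sha };
  }

  /** --force-with-lease=<branch>:<expectedSha>: reject if the tip moved since the read. */
  pushWithLease(content: Config, expectedSha: string): string {
    this.pushes++;
    if (this.failNextPush) {
      const err = this.failNextPush;
      this.failNextPush = undefined;
      throw err;
    }
    if (expectedSha !== this.sha) {
      throw new Error("! [rejected] venfork-config -> venfork-config (stale info)");
    }
    this.content = { ...content };
    this.sha = `sha${++this.counter}`;
    return this.sha;
  }
}

/** Per-entry merge: null deletes a key, anything else overwrites. Same on every retry. */
export function applyPatchAndNormalize(base: Config, patch: Patch): Config {
  const next: Config = { ...base };
  for (const key of Object.keys(patch)) {
    const value = patch[key];
    if (value === null) delete next[key];
    else next[key] = value;
  }
  return next;
}

/** Only the lease rejection is retryable; auth and network errors surface immediately. */
function isLeaseFailure(err: unknown): boolean {
  return err instanceof Error && /stale info/.test(err.message);
}

export function updateVenforkConfig(
  remote: FakeRemote,
  patch: Patch,
  beforePush?: (attempt: number) => void,
): { config: Config; attempts: number } {
  let lastErr: unknown;
  for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
    const { content, sha } = remote.fetch();        // read content + SHA together
    const merged = applyPatchAndNormalize(content, patch);
    beforePush?.(attempt);                           // window where a concurrent writer may land
    try {
      remote.pushWithLease(merged, sha);             // lease against the SHA we read from
      return { config: merged, attempts: attempt };
    } catch (err) {
      if (!isLeaseFailure(err)) throw err;           // not a lease problem: do not retry
      lastErr = err;                                 // stale: re-read and re-apply the patch
    }
  }
  throw new Error(`venfork-config write lost the lease ${MAX_RETRIES} times; last error: ${String(lastErr)}`);
}

/** Constructed race: a second command wins the first push; ours retries and merges both. */
export function demoContention(): { config: Config; attempts: number } {
  const remote = new FakeRemote();
  return updateVenforkConfig(remote, { "shippedBranches/feat": "pr-7" }, (attempt) => {
    if (attempt === 1) {
      const other = remote.fetch();
      remote.pushWithLease({ ...other.content, "pulledPrs/upstream-pr-3": "pr-3" }, other.sha);
    }
  });
}
```

`demoContention` ends with both entries present after two attempts: the losing run re-reads the now-fresh content, re-applies its own patch on top, and leases against the new SHA. Leasing against a separate `ls-remote` taken just before the push would leave a gap in which the remote could still move, which is why the SHA has to come from the same read as the content.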