Allow vs-code-engineering bot to update distro field in package.json#301218
Allow vs-code-engineering bot to update distro field in package.json#301218benvillalobos wants to merge 1 commit intomicrosoft:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a new GitHub Actions workflow that blocks PRs modifying engineering-system files, while allowing a narrowly-scoped exception for automated package.json distro updates authored by vs-code-engineering[bot].
Changes:
- Introduces
.github/workflows/no-engineering-system-changes.ymlto detect PRs that modify.github/workflows/,build/, orpackage.json. - Adds a bot-only exception path intended to allow PRs where the only change is updating the
distrofield in the repo-rootpackage.json. - Enforces collaborator permission checks for restricted changes, with a special-case block for
Copilotauthors.
You can also share your feedback on Copilot code review. Take the survey.
Add a targeted exception to the engineering system changes check: when the PR author is vs-code-engineering[bot], package.json is the only changed file, and the diff exclusively touches the 'distro' field, skip the permission check. This enables automated distro commit updates from vscode-engineering without broadly allowlisting the bot. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
benvillalobos
force-pushed
the
bv/allow-distro-bot-update
branch
from
30c1ce2 to
72175d8
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
You can also share your feedback on Copilot code review. Take the survey.
| - name: Allow automated distro updates | ||
| id: distro_exception | ||
| if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && github.event.pull_request.user.login == 'vs-code-engineering[bot]' }} | ||
| run: | | ||
| # Allow the vs-code-engineering bot ONLY when package.json is the | ||
| # sole changed file and the diff exclusively touches the "distro" field. | ||
| ONLY_PKG=$(cat $HOME/files.json | jq -e '. == ["package.json"]' 2>/dev/null && echo true || echo false) | ||
| if [[ "$ONLY_PKG" != "true" ]]; then | ||
| echo "Bot modified files beyond package.json — not allowed" | ||
| echo "allowed=false" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| fi | ||
|
|
||
| DIFF=$(gh pr diff ${{ github.event.pull_request.number }} -- package.json) | ||
| CHANGED_LINES=$(echo "$DIFF" | grep -E '^[+-]' | grep -vE '^(\+\+\+|---)' | wc -l) | ||
| DISTRO_LINES=$(echo "$DIFF" | grep -cE '^[+-].*"distro"') |
There was a problem hiding this comment.
The new exception step relies on gh pr diff ${{ github.event.pull_request.number }} -- package.json, but this workflow never checks out the repository and doesn’t pass --repo ${{ github.repository }}. In that setup, gh pr diff is likely to fail (can’t infer repo / may not support pathspec filtering), and because run: uses bash -e, the job would error out instead of falling back to the normal permission check. Consider avoiding gh pr diff here (e.g., use the PR files API to fetch the patch for package.json, or check out the PR and use git diff) and make failures default to allowed=false rather than failing the job. Also ensure the token has the minimal required permissions (e.g., pull-requests: read, contents: read) if you keep using API/gh calls.
Add a targeted exception to the engineering system changes check: when the PR author is \�s-code-engineering[bot], \package.json\ is the only changed file, and the diff exclusively touches the \distro\ field, skip the permission check.
This enables the automated distro commit mismatch fix from vscode-engineering without broadly allowlisting the bot.
Companion PR: microsoft/vscode-engineering (pending) — auto-creates fix PRs when a distro mismatch is detected.