feat: add update input to refresh dependency refs (apm update)#51
Merged
Conversation
Add an `update` boolean input that runs `apm update --yes` in place of `apm install` in the project-install flow. It re-resolves branch/tag dependency refs to their latest matching commit and rewrites the lockfile, then proceeds with the normal post-install steps (audit-report, compile, script, pack). This gives a first-class, discoverable surface for the auto-update workflow described in #46, replacing the hand-rolled `script: "apm update --yes"` workaround. The default (false) keeps the reproducible install-from-lockfile behaviour. `update` is mutually exclusive with the no-install / from-scratch modes (isolated, setup-only, bundle, bundles-file, mode), each rejected with a clear consolidated error. Closes #46 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a first-class update input to the APM GitHub Action so workflows can refresh branch/tag-tracked dependency refs by running apm update --yes instead of apm install, updating apm.lock.yaml and then continuing with the normal post-install steps.
Changes:
- Introduce
updateinput (defaultfalse) and enforce mutual exclusivity with no-install / from-scratch modes. - Swap the project install verb to
apm update --yeswhenupdate: 'true'and add unit tests for the main update + mutex scenarios. - Update docs (README + CHANGELOG) and rebuild
dist/.
Show a summary per file
| File | Description |
|---|---|
| src/runner.ts | Implements update input, conflict handling, and verb swap to apm update --yes. |
| src/tests/runner.test.ts | Adds tests validating the verb swap and key mutual-exclusion errors. |
| README.md | Documents “Update mode” usage and adds update to the inputs table. |
| action.yml | Adds the update input with detailed behavior and exclusivity notes. |
| CHANGELOG.md | Adds an Unreleased entry describing the new update input. |
| dist/index.js | Rebuilt compiled action output including the new behavior. |
| dist/runner.d.ts | Updates generated type docs to mention update. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/7 changed files
- Comments generated: 1
Adds a `test-update` CI job that proves the new `update` input works against the real apm CLI, matching the empirical-proof pattern of the other test-* integration jobs (the existing coverage for #46 was mock-based unit tests only). The job: - seeds an install via the default verb and asserts apm.lock.yaml is written with a resolved_commit; - re-runs the action with `update: 'true'` and asserts the refresh path (`apm update --yes`) keeps a valid resolved lockfile and the deployed primitives in place -- the exact scenario from issue #46; - asserts the mutex guard rejects `update` + `setup-only` (negative test, mirroring the bundles-file traversal job). Wires `test-update` into the `release` job's needs gate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Addresses Copilot review on #51. Previously, when `update: 'true'` was combined with the `dependencies` input and no apm.yml was present, the project-verb dispatch condition (`fs.existsSync(apmYmlPath) || !depsInput`) was false, so the action silently skipped `apm update --yes` -- the update flag was effectively ignored, contradicting the documented verb swap. `update` is a project-manifest refresh: it re-resolves apm.yml refs and rewrites apm.lock.yaml. With no apm.yml there is nothing to refresh, so the action now fails fast with a clear, actionable error instead of no-op'ing. The `dependencies` input remains an additive inline install, not a manifest refresh. - src/runner.ts: guard rejecting update with no apm.yml (both the deps-present and no-deps paths). - src/__tests__/runner.test.ts: 2 tests (deps-present and no-deps). - action.yml + README: document the apm.yml requirement. - dist/index.js rebuilt. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Merged
danielmeppiel
added a commit
that referenced
this pull request
Jun 25, 2026
Minor release. Since v1.9.1 the default branch gained the `update` input (#46/#51, a backward-compatible additive feature) plus the .zip bundle-detection fix (#47) and routine dependency bumps (#48, #28, #50). - package.json / package-lock.json: 1.9.1 -> 1.10.0 - CHANGELOG: cut [1.10.0] from [Unreleased]; add the missing Fixed entry for .zip archive detection (#47), which was merged without a changelog line. The `update` input Added entry carries over. dist/ verified clean (no drift) after a fresh `npm run build`; the version bump is not embedded in the bundle. typecheck, lint, and the full 195-test suite pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TL;DR
Adds an
updateinput. Whenupdate: 'true', the action runsapm update --yesin place ofapm install— re-resolving branch/tag dependency refs to their latest matching commit and rewritingapm.lock.yaml— then runs the normal post-install steps. Closes #46.Problem (WHY)
The action installs with
apm install, which honoursapm.lock.yamland pins every dependency to the exact commit recorded there. That is reproducible by design, but it means a branch-tracked dependency such asgithub/awesome-copilot#mainstays frozen at the lockfile commit forever. As the issue reports:There was no first-class way to do that through the action. The only workaround (noted in the issue thread) was to hand-roll it through the generic
scriptinput:That works but is undiscoverable and forces every consumer to add a throwaway
apm.ymlscript.Approach (WHAT)
Add a dedicated boolean
updateinput (default'false'). When set, the action swaps the project-install verb fromapm installtoapm update --yesrather than running both — runninginstallthenupdatewould resolve twice (install pins to the old lockfile, update immediately re-resolves).--yesskips the interactive plan-and-confirm gate for CI.Because the swap happens inside the standard project-install block,
updatecomposes for free with the steps that run after it:audit-report,compile,script, additivedependencies, andpack.It is mutually exclusive with the modes that either skip the project install or build from scratch with no lockfile to update:
isolated,setup-only,bundle,bundles-file, andmode. Each combination fails fast with a clear consolidated error, matching the existing conflict-handling style in the action.Implementation (HOW)
action.yml— newupdateinput with a description documenting the verb swap and the exclusivity set.src/runner.ts:updateonce at the top ofrun().const projectVerb = update ? ['update', '--yes'] : ['install'];updatein themodeandsetup-onlyconflict lists, and add a dedicatedupdatemutex guard forisolated/bundle/bundles-file.dist/index.js— rebuilt vianpm run build(required fornode-based actions; CI gates on dist freshness).README.mdgets an "Update mode" usage section (with the scheduled auto-update + open-PR workflow) and an inputs-table row;CHANGELOG.mdgets an[Unreleased]entry.flowchart TD A[run] --> B{update input?} B -- "false (default)" --> C["apm install (lockfile-pinned)"] B -- "true" --> D["apm update --yes (re-resolve refs + rewrite lockfile)"] C --> E[audit-report / compile / script / pack] D --> ETrade-offs
updateafterinstallwould double-resolve; swapping the verb is cleaner and faster. Trade-off:updateis not composable with the no-install modes — surfaced as an explicit error instead of being silently ignored.--yes. The action is non-interactive by nature, so there is no value in exposing the confirm gate; an update run that reaches the action is an intentional refresh.isolatedexcluded. Isolated mode clears primitives and generates a freshapm.ymlwith no pre-existing lockfile, so "update" has nothing to refresh; rejecting it avoids a confusing no-op.Validation evidence
npm run typecheck— clean.npm run lint(eslint) — clean.npm test— 193 passed (7 new tests insrc/__tests__/runner.test.tscovering the verb swap, the install-default regression, compose-with-compile, and the four mutex rejections).npm run build— dist rebuilt and committed; CI dist-freshness mirror (git diff --name-only dist/ | grep -v '.d.ts.map$') is empty after the build.How to test
Run once, merge; after upstream
github/awesome-copilot#mainadvances, re-run — the PR now contains the refreshed assets (previously only the audit file changed).