Conversation

@nev21 (Collaborator) commented Dec 22, 2025

No description provided.

Copilot AI review requested due to automatic review settings December 22, 2025 16:44

Copilot AI left a comment

Pull request overview

This PR introduces a GitHub Actions workflow that automatically syncs the rushVersion field in rush.json when Dependabot updates the @microsoft/rush package in package.json. The workflow detects Rush version changes, updates the configuration file, regenerates lockfiles, and commits the changes back to the Dependabot PR.

Key changes:

  • Adds a two-job workflow (detect and update) that triggers on pull requests when package.json, rush.json, or common-versions.json files change
  • Implements automatic detection of Rush version bumps by Dependabot
  • Automates the synchronization of rush.json and regeneration of Rush lockfiles

Comment on lines +27 to +28
# Look for @microsoft/rush in the diff
if git diff -U0 HEAD~1 -- package.json | grep '"@microsoft/rush"'; then
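
Review bot: the grep in the 'if git diff -U0 HEAD~1 -- package.json | grep' condition matches removed ('-') lines and any remaining context lines as well as added ones, so a PR that removes the package, or that edits a neighbouring line within the diff context, also sets rush_changed=true. Restrict the match to added lines, e.g. grep '^+.*"@microsoft/rush"', and quote the redirection target as >> "$GITHUB_OUTPUT". A false positive here only costs a job run, since a later step still has to extract the exact version, but an accurate detector keeps the update job (which pushes commits) from running on unrelated changes.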

Copilot AI Dec 22, 2025

The detection logic only checks the root package.json file, but Rush is typically managed at the repository level and Dependabot might update it in other package.json files in the monorepo. The script should check for changes to "@microsoft/rush" in any package.json file that was modified, not just the root one. Consider using 'git diff -U0 HEAD~1 -- "**/package.json"' or iterating through all changed package.json files.

Suggested change
# Look for @microsoft/rush in the diff
if git diff -U0 HEAD~1 -- package.json | grep '"@microsoft/rush"'; then
# Look for @microsoft/rush in the diff of any package.json file
if git diff -U0 HEAD~1 -- '**/package.json' | grep '"@microsoft/rush"'; then

Comment on lines +21 to +48
- uses: actions/checkout@v6
with:
fetch-depth: 2 # Fetch current commit + previous commit
- name: Detect Rush bump
id: detect
run: |
# Look for @microsoft/rush in the diff
if git diff -U0 HEAD~1 -- package.json | grep '"@microsoft/rush"'; then
echo "rush_changed=true" >> $GITHUB_OUTPUT
echo "Rush change detected"
else
echo "rush_changed=false" >> $GITHUB_OUTPUT
echo "No Rush change detected"
fi

update:
runs-on: ubuntu-latest
needs: detect
if: needs.detect.outputs.rush_changed == 'true'
steps:
- uses: actions/checkout@v6
with:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
ref: ${{ github.head_ref }}

- name: Setup Node
uses: actions/setup-node@v6
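
Review bot: the condition "if: needs.detect.outputs.rush_changed == 'true'" on the update job only resolves if the detect job declares a job-level outputs mapping (outputs: rush_changed: ${{ steps.detect.outputs.rush_changed }}); the step-level 'id: detect' and the $GITHUB_OUTPUT writes shown here are not sufficient on their own. The detect job header sits above this hunk, so please confirm the mapping is there; if it is missing the expression is always false and the update job is silently skipped with no error. Also, 'fetch-depth: 2' with 'git diff HEAD~1' works here only because a pull_request checkout is the synthetic merge commit whose first parent is the base branch tip, so HEAD~1 is the base; if the trigger or the checkout 'ref' is ever changed, the same command compares against the PR's previous commit instead. A one-line comment at the checkout step recording that assumption would prevent that regression.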

Copilot AI Dec 22, 2025

The workflow uses 'actions/checkout@v6' and 'actions/setup-node@v6', but the existing CI workflow in this repository uses v4 for both actions. v6 may not exist or may introduce inconsistency. For consistency with the existing CI workflow and to avoid potential failures, consider using 'actions/checkout@v4' and 'actions/setup-node@v4' instead.

Comment on lines +52 to +53
- name: Install Rush
run: npm install -g @microsoft/rush
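
Review bot: 'npm install -g @microsoft/rush' resolves whatever the registry serves as 'latest' at run time, so this automated job executes an unpinned package that no lockfile controls, in a workspace that holds a write-capable token, and the Rush that rewrites the shrinkwrap can be newer than the rushVersion being committed. Pin the install to the version the PR introduces, i.e. npm install -g "@microsoft/rush@$NEW_VERSION" placed after the version has been extracted and validated (this step currently runs before that extraction), or invoke the repository's existing install-run-rush.js, which installs the version named in rush.json.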

Copilot AI Dec 22, 2025

The workflow installs the globally latest version of Rush with 'npm install -g @microsoft/rush', which may not match the version extracted from package.json. This could cause compatibility issues when running 'rush update'. The workflow should either install the specific version extracted from package.json or use the install-run-rush.js script that's already present in the repository (as seen in package.json scripts).

Comment on lines +65 to +67
- name: Run rush update
run: |
rush update --full
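
Review bot: 'rush update --full' discards the existing shrinkwrap and re-resolves every dependency in the monorepo, so a Dependabot PR that bumps one package can end up carrying a lockfile rewrite that also moves unrelated transitive versions; that is hard to review for supply-chain changes and defeats the one-dependency-per-PR model Dependabot provides. Prefer plain 'rush update', which makes the minimal lockfile changes the new Rush version requires, and keep '--full' for deliberate maintenance runs. On failure handling: the default shell for a 'run:' step on Linux runners is 'bash -e {0}', so a non-zero exit from 'rush update' already fails the step and nothing is committed; setting 'shell: bash' explicitly additionally enables pipefail.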

Copilot AI Dec 22, 2025

The 'rush update --full' command may fail if there are validation errors or if the rush.json is malformed after the jq update. Add error handling to check if the command succeeds, and consider adding 'set -e' at the beginning of the script blocks to fail fast on any error, or use the shell option 'shell: bash' with 'set -eo pipefail' to ensure failures are caught.

@@ -0,0 +1,84 @@
name: Sync Rush.json Version

Copilot AI Dec 22, 2025

The workflow name includes '.json' in 'Rush.json' which is inconsistent with the actual file name 'rush.json' (lowercase). While this is just the display name and doesn't affect functionality, it should match the actual file name for clarity. Consider changing to "Sync rush.json Version".

Suggested change
name: Sync Rush.json Version
name: Sync rush.json Version

Comment on lines +8 to +9
- "common-versions.json"


Copilot AI Dec 22, 2025

The workflow triggers on changes to "common-versions.json" but this file does not appear to exist in the repository. This path should be removed from the trigger paths unless the file is expected to be created in the future.

Suggested change
- "common-versions.json"

Comment on lines +61 to +62
# Update rush.json version field
jq ".rushVersion = \"$NEW_VERSION\"" rush.json > rush.tmp.json
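
Review bot: jq does not accept comments in its input, and the rush.json that Rush generates is JSON-with-comments with large documentation blocks, so if this repository's rush.json keeps those comments the jq call fails outright; where it does parse, jq re-serialises the whole document, dropping every comment and reformatting every line, so the commit carries a far larger diff than the one-field change it intends. Validate NEW_VERSION against a strict semver pattern first (that also makes it safe to interpolate into a sed expression), then replace only the field's value in place, for example:
sed -i -E "s/(\"rushVersion\"[[:space:]]*:[[:space:]]*\")[^\"]*\"/\1$NEW_VERSION\"/" rush.json
and let the subsequent 'rush update' (which parses JSONC) confirm the file is still valid.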

Copilot AI Dec 22, 2025

The jq command will fail if the NEW_VERSION variable is empty or contains special characters that need escaping. The script should validate that NEW_VERSION is non-empty and matches a valid semver pattern before attempting to update rush.json. Add error handling such as: if [ -z "$NEW_VERSION" ] || [ "$NEW_VERSION" = "null" ]; then echo "Error: Could not extract Rush version" && exit 1; fi

Suggested change
# Update rush.json version field
jq ".rushVersion = \"$NEW_VERSION\"" rush.json > rush.tmp.json
# Validate extracted version
if [ -z "$NEW_VERSION" ] || [ "$NEW_VERSION" = "null" ]; then
echo "Error: Could not extract Rush version from package.json"
exit 1
fi
# Ensure the version looks like a valid semver (basic check)
if ! [[ "$NEW_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
echo "Error: Extracted Rush version '$NEW_VERSION' is not a valid semver"
exit 1
fi
# Update rush.json version field safely using jq --arg
jq --arg v "$NEW_VERSION" '.rushVersion = $v' rush.json > rush.tmp.json

git config --global user.email "dependabot-sync[bot]@users.noreply.github.com"
# Add files that exist
if [ -f rush.json ]; then git add rush.json; fi
if [ -f common-versions.json ]; then git add common-versions.json; fi
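
Review bot: the two 'git add' lines here stage only rush.json and the (apparently non-existent) common-versions.json, so unless the regenerated shrinkwrap under common/config/rush/ is staged elsewhere in this step, the commit described as "regenerate lockfiles" will not contain the lockfile changes that 'rush update' produced, and the PR's CI will install from a stale lockfile. Stage the lockfile path explicitly rather than using 'git add -A', so that nothing else 'rush update' writes into the working tree is committed by accident.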

Copilot AI Dec 22, 2025

The workflow only checks and adds 'common-versions.json' if it exists, but this file doesn't appear to exist in the repository and isn't created by the workflow. This line is unnecessary unless the file is expected to be generated by 'rush update'. Consider removing this line or adding a comment explaining when this file would exist.

Suggested change
if [ -f common-versions.json ]; then git add common-versions.json; fi

steps:
- uses: actions/checkout@v6
with:
token: ${{ secrets.GITHUB_TOKEN }}
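
Review bot: this job checks out the PR head, runs 'rush update' (which executes dependency install scripts from the PR's lockfile) and then pushes with a token that actions/checkout persists in .git/config by default, so the condition that decides when the job runs is the security boundary. A 'github.actor == dependabot[bot]' check fails closed when a maintainer pushes to a Dependabot branch, which is acceptable, but it should be paired with a same-repository check, 'github.event.pull_request.head.repo.full_name == github.repository', so the intent is explicit. Add a job-level 'permissions: contents: write' as well: workflow runs triggered by Dependabot receive a read-only GITHUB_TOKEN unless the workflow raises it through the permissions key, so without that block the push in this job fails even on same-repo Dependabot PRs; the detect job needs only 'contents: read'.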

Copilot AI Dec 22, 2025

Using GITHUB_TOKEN to push commits to a pull request from a fork will fail because GITHUB_TOKEN doesn't have write permissions to the base repository. For Dependabot PRs specifically, this limitation exists as a security measure. Consider using a personal access token (PAT) stored in secrets, or document that this workflow only works for Dependabot PRs on the same repository (not forks). Note that the current condition 'github.actor == dependabot[bot]' suggests this is intended for Dependabot, which creates branches in the same repo, so this should work, but it's worth documenting this limitation.

echo "No changes to commit."
else
git commit -m "chore: sync rush.json and regenerate lockfiles"
git push
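
Review bot: a push made with GITHUB_TOKEN does not trigger new workflow runs, so the commit this step adds to the Dependabot branch will not re-run the repository's CI against the synced rush.json and regenerated lockfile; the checks displayed on the PR will be those of the commit before the sync. If CI is expected to validate the regenerated lockfile, either run the relevant CI steps in this workflow after the commit, or push with a credential whose events do fire (a GitHub App installation token or a deploy key with write access), and state which option was chosen in a comment next to the push. 'git push origin HEAD:${{ github.head_ref }}' also names the target branch explicitly instead of relying on the upstream that actions/checkout configured.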

Copilot AI Dec 22, 2025

The git push operation doesn't specify a branch or use --force-with-lease, which could fail if the remote branch has been updated since checkout. While git push without arguments will push to the tracked branch (github.head_ref), it's more explicit and safer to use 'git push origin HEAD' or 'git push origin ${{ github.head_ref }}'. Additionally, there's no error handling if the push fails due to conflicts or other reasons.

Suggested change
git push
if ! git push origin HEAD; then
echo "Failed to push changes to origin. The remote branch may have been updated since checkout. Please resolve any conflicts and re-run this workflow." >&2
exit 1
fi
