Add agentic workflow to update DefaultVersions.props #16993
Open
ViktorHofer wants to merge 2 commits into
Adds a gh-aw scheduled (weekly) agentic workflow that mimics dependabot for the toolset version properties in the Arcade SDK's DefaultVersions.props, which regular dependabot cannot update. It checks nuget.org and the configured NuGet feeds (prereleases allowed), updates matching versions elsewhere in the repo, requests package mirroring when needed, and honors xunit special instructions.
Fixes #16992
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds the repository’s first GitHub Agentic Workflow (gh-aw) to periodically update the Arcade SDK’s DefaultVersions.props-backed toolset version properties by scanning nuget.org and configured feeds and opening a consolidated PR with bumps.
Changes:
- Introduces an agent prompt workflow definition for updating `DefaultVersions.props` (and matching versions across the repo).
- Adds the compiled gh-aw lock workflow YAML and an actions SHA lockfile.
- Marks `*.lock.yml` workflows as generated in `.gitattributes` (and sets merge behavior).
| File | Description |
|---|---|
| .github/workflows/update-default-versions.md | gh-aw source workflow prompt and rules for resolving package IDs and version selection. |
| .github/workflows/update-default-versions.lock.yml | Compiled GitHub Actions workflow that runs the agent and creates PRs via Safe Outputs. |
| .github/aw/actions-lock.json | Generated action SHA lock entries for gh-aw compilation/runtime. |
| .gitattributes | Marks compiled *.lock.yml as generated and configures merge behavior. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 3
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
akoeplinger reviewed Jun 9, 2026
| | `Microsoft.Signed.Wix` | `MicrosoftSignedWixVersion` | | ||
| | `Microsoft.WixToolset.Sdk` | `MicrosoftWixToolsetSdkVersion` | | ||
| | `Microsoft.ManifestTool.CrossPlatform` | `MicrosoftManifestToolCrossPlatformVersion` | | ||
| | `Microsoft.VisualStudio.Eng.MicroBuild.Core` | `MicrosoftVisualStudioEngMicroBuildCoreVersion` | |
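Review bot: the trailing cell of each of these four rows is empty, so the table maps a package ID to a property name but records nothing about where that package is expected to come from or whether it may be bumped at all. Consider using that cell (or an added column) for the expected feed or an explicit do-not-update marker, so the rule is in the table itself.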
the wix and microbuild packages aren't available on nuget, they're internal packages. we shouldn't update them via this workflow.
Implements the proposal in #16992.
Adds a GitHub Agentic Workflow (gh-aw) — the repository's first — that runs weekly and acts like a "dependabot on steroids" for the toolset version properties defined in the Arcade SDK's `DefaultVersions.props`. Regular dependabot cannot update these because they are SDK-provided MSBuild properties rather than `PackageReference`/`PackageVersion` items.
What the workflow does
- `PackageId` with dots removed + `Version`), validating candidates against the feeds and skipping anything it cannot confidently resolve or that is an MSBuild reference like `$(ArcadeSdkVersion)`.
- `NuGet.config` for newer versions (prereleases allowed).
- `Directory.Packages.props`, docs).

It opens a single consolidated PR per run. The agent job is read-only; all writes go through the `create-pull-request` safe output, and a human reviews/approves every PR.
Files
- `.github/workflows/update-default-versions.md` — the workflow
- `.github/workflows/update-default-versions.lock.yml` — compiled output
- `.github/aw/actions-lock.json` — SHA-pinned actions lockfile (generated)
- `.gitattributes` — marks `*.lock.yml` as generated
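The property-name convention and skip rules from the description above, combined with the exclusion requested in review, as an added example that is not the PR's workflow code. The `classify` function, the sample props content, its version values, `ExampleSdkTasksVersion`, `SomeUnknownToolVersion` and the internal-only list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: property names are from the page or hypothetical,
# version values are made up.
SAMPLE_PROPS = """<Project>
  <PropertyGroup>
    <MicrosoftSignedWixVersion>1.0.0</MicrosoftSignedWixVersion>
    <MicrosoftWixToolsetSdkVersion>1.0.0</MicrosoftWixToolsetSdkVersion>
    <MicrosoftManifestToolCrossPlatformVersion>2.0.0</MicrosoftManifestToolCrossPlatformVersion>
    <MicrosoftVisualStudioEngMicroBuildCoreVersion>1.0.0</MicrosoftVisualStudioEngMicroBuildCoreVersion>
    <ExampleSdkTasksVersion>$(ArcadeSdkVersion)</ExampleSdkTasksVersion>
    <SomeUnknownToolVersion>3.1.0</SomeUnknownToolVersion>
  </PropertyGroup>
</Project>"""

# Package IDs named in the reviewed table.
KNOWN_PACKAGE_IDS = [
    "Microsoft.Signed.Wix",
    "Microsoft.WixToolset.Sdk",
    "Microsoft.ManifestTool.CrossPlatform",
    "Microsoft.VisualStudio.Eng.MicroBuild.Core",
]
# Assumption, taken from the review comment: not published on nuget.org.
INTERNAL_ONLY = {"Microsoft.Signed.Wix", "Microsoft.WixToolset.Sdk",
                 "Microsoft.VisualStudio.Eng.MicroBuild.Core"}

def property_name(package_id):
    """Convention from the PR description: dots removed + 'Version'."""
    return package_id.replace(".", "") + "Version"

def classify(props_xml, known_ids=KNOWN_PACKAGE_IDS, internal=INTERNAL_ONLY):
    """Map each *Version property to (decision, package_id or None)."""
    # Removing dots is lossy ("A.BC" and "AB.C" collide), so go forward from
    # known IDs instead of guessing an ID from the property name.
    by_property = {property_name(p): p for p in known_ids}
    decisions = {}
    for elem in ET.fromstring(props_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # tolerate an xmlns on <Project>
        if not name.endswith("Version"):
            continue
        value = (elem.text or "").strip()
        package = by_property.get(name)
        if "$(" in value:
            decisions[name] = ("skip-msbuild-reference", package)
        elif package is None:
            decisions[name] = ("skip-unresolved", None)
        elif package in internal:
            decisions[name] = ("skip-internal", package)
        else:
            decisions[name] = ("candidate", package)
    return decisions
```

Only properties classified as `candidate` would go on to a feed lookup; everything else is left untouched and can be listed in the PR body for a human to review.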