chore: reconfigures workflow for dependabot and forked PRs VSCODE-708 #1171
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR modifies CI/CD workflows to disable code health runs on fork PRs while maintaining them for Dependabot, and adds a 7-day cooldown period for all Dependabot updates to reduce update frequency.
Key changes:
- Restricts the test-and-build workflow to run only for Dependabot PRs, excluding fork PRs
- Implements a 7-day cooldown for all Dependabot dependency updates
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/test-and-build-from-fork.yaml |
Modified workflow trigger condition to exclude fork PRs while keeping Dependabot support |
.github/dependabot.yml |
Added cooldown configuration to limit Dependabot update frequency |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
himanshusinghs
force-pushed
the
chore/ci-work
branch
from
3ac7391 to
4d67967
Compare
himanshusinghs
added
the
no-title-validation
This comment was marked as resolved.
This comment was marked as resolved.
himanshusinghs
changed the title
1. Removes excessive permissions from workflow expected to run on forked and dependabot PRs 2. Change the trigger of workflow intended for forked PRs to use pull_request instead of pull_request_trigger, aiming to not un-intentionally expose secrets. 3. Split the auto-merge step for dependabot PRs that require pull_request_target trigger into a separate workflow.
himanshusinghs
force-pushed
the
chore/ci-work
branch
from
4d67967 to
2874bdf
Compare
himanshusinghs
changed the title
addaleax
approved these changes
Nov 5, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds a 7 days of cooldown for dependabot before pulling updates for npm dependencies. The cooldown is to provide a little shield period until a malicious package is identified before getting merged in our releasable code.
Additionally addresses VSCODE-708
Checklist
Motivation and Context
Open Questions
Dependents
Types of changes