ci: fix update dependencies

[rjaegers]

🚀 Hey, I have created a Pull Request

Description of changes

This pull request improves the automation for updating VS Code extensions and APT package dependencies in the development container. The main changes focus on making the update process more robust, improving the handling of summary output, and ensuring compatibility with GitHub Actions best practices.

VS Code Extension Update Workflow Improvements:

• The update-vscode-extensions action now writes the markdown summary and updated extensions JSON to temporary files and outputs their paths, instead of embedding large markdown directly in outputs. (.github/actions/update-vscode-extensions/action.yml, .github/actions/update-vscode-extensions/update-vscode-extensions.sh) [1] [2] [3] [4]
• The workflow now generates a pull request body by concatenating a manual test warning with the markdown summary file, and passes this as a file path to the PR creation step. (.github/workflows/update-dependencies.yml)

General Workflow Robustness and Usability:

• Added fail-fast: false to matrix strategies for both APT and VS Code extension update jobs, allowing all matrix jobs to run even if one fails. (.github/workflows/update-dependencies.yml) [1] [2]
• The workflows now run on pull_request events in addition to scheduled and manual triggers, and only create PRs when not running on a pull request. (.github/workflows/update-dependencies.yml) [1] [2]

Bug Fixes and Minor Improvements:

• Improved quoting and input handling in the update scripts for better reliability and to avoid issues with spaces or special characters. (.github/actions/update-vscode-extensions/update-vscode-extensions.sh) [1] [2]
• Fixed the APT input file glob pattern for consistency. (.github/workflows/update-dependencies.yml)

✔️ Checklist

• I have followed the contribution guidelines for this repository
• I have added tests for new behavior, and have not broken any existing tests
• I have added or updated relevant documentation
• I have verified that all added components are accounted for in the SBOM

[Copilot]

Pull request overview

This PR fixes issues in the dependency update workflow and improves release notes handling. It corrects the APT requirements file pattern matching to be more flexible, and prevents potential issues with excessively large release notes by implementing truncation logic.

Changes:

• Updated the APT requirements file pattern to match files without requiring a dash separator
• Added truncation logic for release notes bodies exceeding 32,768 characters

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/update-dependencies.yml	Removed dash requirement from apt-requirements file pattern
.github/actions/update-vscode-extensions/update-vscode-extensions.sh	Added release notes body size validation and truncation

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge ➔ ghcr.io/philips-software/amp-devcontainer-base:pr-1114

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	167.84 MB	167.84 MB	97 B (0%)	🔽
linux/arm64	160.6 MB	160.6 MB	688 B (0%)	🔽

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	20		0	0	0.52s
✅ DOCKERFILE	hadolint	3		0	0	0.63s
✅ GHERKIN	gherkin-lint	6		0	0	2.41s
✅ JSON	npm-package-json-lint	yes		no	no	0.44s
✅ JSON	prettier	21	4	0	0	0.55s
✅ JSON	v8r	21		0	0	7.4s
✅ MARKDOWN	markdownlint	12	0	0	0	0.95s
✅ MARKDOWN	markdown-table-formatter	12	0	0	0	0.26s
✅ REPOSITORY	checkov	yes		no	no	17.22s
✅ REPOSITORY	gitleaks	yes		no	no	0.52s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	28.69s
✅ REPOSITORY	secretlint	yes		no	no	0.92s
✅ REPOSITORY	syft	yes		no	no	1.91s
✅ REPOSITORY	trivy	yes		no	no	5.38s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.24s
✅ REPOSITORY	trufflehog	yes		no	no	2.26s
⚠️ SPELL	lychee	80		3	0	11.55s
✅ YAML	prettier	28	0	0	0	0.95s
✅ YAML	v8r	28		0	0	8.11s
✅ YAML	yamllint	28		0	0	0.79s

Detailed Issues

⚠️ SPELL / lychee - 3 errors

[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[ERROR] https://securityscorecards.dev/viewer/?uri=github.com/philips-software/amp-devcontainer | Network error: error sending request for url (https://securityscorecards.dev/viewer/?uri=github.com/philips-software/amp-devcontainer) Maybe a certificate error?
[ERROR] https://www.sigstore.dev/ | Network error: error sending request for url (https://www.sigstore.dev/) Maybe a certificate error?
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....121
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........3

Errors in README.md
[ERROR] https://securityscorecards.dev/viewer/?uri=github.com/philips-software/amp-devcontainer | Network error: error sending request for url (https://securityscorecards.dev/viewer/?uri=github.com/philips-software/amp-devcontainer) Maybe a certificate error?
[ERROR] https://www.sigstore.dev/ | Network error: error sending request for url (https://www.sigstore.dev/) Maybe a certificate error?

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge ➔ ghcr.io/philips-software/amp-devcontainer-rust:pr-1114

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	548.25 MB	548.25 MB	+144 B (+0%)	🔼
linux/arm64	502.71 MB	502.71 MB	1.24 kB (0%)	🔽

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge ➔ ghcr.io/philips-software/amp-devcontainer-cpp:pr-1114

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	682.84 MB	682.84 MB	+161 B (+0%)	🔼
linux/arm64	664.57 MB	664.57 MB	775 B (0%)	🔽

[Copilot]

@rjaegers I've opened a new pull request, #1119, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

[Copilot]

The variable RUNNER_TEMP should be quoted to prevent word splitting and pathname expansion. Change ${RUNNER_TEMP} to "${RUNNER_TEMP}".

Suggested change

	echo "markdown-summary-file=${RUNNER_TEMP}/markdown-summary.md" >> "${GITHUB_OUTPUT}"
	echo "updated-dependencies=$(cat ${RUNNER_TEMP}/updated-extensions.json)" >> "${GITHUB_OUTPUT}"
	echo markdown-summary-file="${RUNNER_TEMP}/markdown-summary.md" >> "${GITHUB_OUTPUT}"
	echo updated-dependencies="$(cat "${RUNNER_TEMP}/updated-extensions.json")" >> "${GITHUB_OUTPUT}"

[github-actions]

Test Results

 7 files  ±0   7 suites  ±0   4m 3s ⏱️ -4s
33 tests ±0  33 ✅ ±0  0 💤 ±0  0 ❌ ±0 
69 runs  ±0  69 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit e612015. ± Comparison against base commit f3459f2.

♻️ This comment has been updated with latest results.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[Copilot]

When EXTENSIONS is empty, the string slicing ${EXTENSIONS::-1} on line 66 will fail. The check on line 65 tests if the variable is non-empty, but EXTENSIONS starts as an empty string and only gets populated in the loop. If no extensions are processed, this will attempt to slice an empty string. Move the empty check before the string slicing operation or initialize EXTENSIONS differently.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

[Copilot]

The step name uses "PR body" while the repository convention uses "pull request" in full form. For consistency with other step names and descriptions in the codebase, consider renaming to "Generate pull request body".

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[Copilot]

The variable RUNNER_TEMP should be quoted to prevent potential issues with spaces or special characters in the path.

Suggested change

	echo "updated-dependencies=$(cat ${RUNNER_TEMP}/updated-extensions.json)" >> "${GITHUB_OUTPUT}"
	echo "updated-dependencies=$(cat "${RUNNER_TEMP}/updated-extensions.json")" >> "${GITHUB_OUTPUT}"

[Copilot]

The EXTENSIONS variable ends with a trailing comma. When EXTENSIONS is empty, the string slicing ${EXTENSIONS::-1} will fail because there's no character to remove. This should be checked before attempting to remove the trailing comma.