fix: sync-actions creates a PR instead of pushing directly to main

[Copilot]

sync-actions.yml was pushing synced action files directly to main. This changes the flow to open a PR and block until it merges (or times out), enabling review before changes land.

Changes

• PR creation instead of direct push – synced files are committed to a new branch sync/gh-aw-<resolved_ref> and a PR is opened against main via gh pr create
• Polling loop – polls PR state every 30s up to 20 minutes (1200s); warns on transient API errors, fails fast if PR is closed without merging
• pr_number output – exposed as a workflow_call output so callers can reference or link the created PR; empty when there are no changes to sync
• Permissions – added pull-requests: write to the job
• Tag creation – condition updated to reference the renamed step id (create-pr)

[Copilot]

Pull request overview

This PR changes the sync-actions GitHub Actions workflow to sync action files by opening a pull request (instead of pushing directly to main), allowing review and gating before changes land.

Changes:

• Adds a workflow_call output (pr_number) so callers can link to the created PR (or detect “no changes”).
• Creates a new branch, pushes it, opens a PR to main, and polls until the PR is merged (or times out / is closed).
• Updates job permissions to allow PR creation and updates the tag-creation condition to the renamed step id.

Comments suppressed due to low confidence (1)

.github/workflows/sync-actions.yml:332

• After switching to a PR-based flow, the tag is still created from the local checkout in gh-aw-actions, which at this point is on the PR branch (not main). If the PR is merged with a merge commit or squash merge, the tag will point to a commit that may not exist on main. After the PR is merged, fetch/checkout origin/main (or tag the PR’s mergeCommit SHA via gh pr view) so tags always reference the commit actually landed on main.

        if: steps.resolve-ref.outputs.should_create_tag == 'true' && steps.create-pr.outputs.changed == 'true'
        run: |
          echo "::group::Creating Tag"
          cd gh-aw-actions
          TAG="${{ steps.resolve-ref.outputs.raw_ref }}"

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

BRANCH is derived from resolved_ref, but when the input is latest, resolved_ref comes from the upstream release tag name (which can contain characters that are not valid/safe in git ref names, e.g. slashes). This can make git checkout -b fail or create surprising branch paths. Consider sanitizing resolved_ref for use in branch names (e.g., replace non [A-Za-z0-9._-] with -), or use a stable safe identifier like the resolved commit SHA in the branch name.

Suggested change

	BRANCH="sync/gh-aw-${{ steps.resolve-ref.outputs.resolved_ref }}"
	SAFE_REF="$(printf '%s\n' "${{ steps.resolve-ref.outputs.resolved_ref }}" | sed -E 's/[^A-Za-z0-9._-]+/-/g')"
	BRANCH="sync/gh-aw-$SAFE_REF"

[Copilot]

The branch name sync/gh-aw-<resolved_ref> is likely to collide across reruns for the same ref. If the previous remote branch wasn't deleted (or was merged via squash), git push origin "$BRANCH" can be rejected as a non-fast-forward, causing the workflow to fail unexpectedly. Consider making the branch name unique per run (e.g., include ${{ github.run_id }}) or explicitly force-updating / deleting the remote branch before pushing.