Skip to content

Add Copilot setup steps workflow#11590

Draft
Copilot wants to merge 6 commits into
1.9.xfrom
copilot/add-copilot-setup-steps-file
Draft

Add Copilot setup steps workflow#11590
Copilot wants to merge 6 commits into
1.9.xfrom
copilot/add-copilot-setup-steps-file

Conversation

Copilot AI commented Mar 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Adds .github/workflows/copilot-setup-steps.yml to pre-warm the Copilot coding agent environment so it can run tests without rebuilding from scratch on every session.

What it does

  • PHP 8.3 + Composer — installs all backend dependencies so static analysis and linting work natively
  • Builds appwrite-dev Docker image — uses the development target with TESTING=true, mirroring tests.yml
  • Pulls all compose dependency images — uses docker compose pull --ignore-buildable to stay automatically in sync with docker-compose.yml (no hardcoded image list)

Cache strategy

Per-ref GHA cache scoping prevents conflicts when multiple Copilot agent sessions run concurrently on different branches, with a fallback to main's warm cache for new branches:

cache-from: |
  type=gha,scope=appwrite-dev-${{ github.ref }}
  type=gha,scope=appwrite-dev-refs/heads/main
cache-to: type=gha,mode=max,scope=appwrite-dev-${{ github.ref }}
Original prompt

Add the following file to the repository at .github/workflows/copilot-setup-steps.yml:

name: "Copilot Setup Steps"

on:
  workflow_dispatch:
  push:
    paths:
      - .github/workflows/copilot-setup-steps.yml
  pull_request:
    paths:
      - .github/workflows/copilot-setup-steps.yml

jobs:
  # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
  copilot-setup-steps:
    runs-on: ubuntu-latest

    permissions:
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive

      # -----------------------------------------------------------------------
      # PHP setup (required for static analysis / linting without Docker)
      # -----------------------------------------------------------------------
      - name: Set up PHP 8.3
        uses: shivammathur/setup-php@v2
        with:
          php-version: "8.3"
          extensions: >-
            curl, imagick, mbstring, json, yaml, dom, redis,
            pdo, openssl, zlib, sockets, fileinfo
          tools: composer:v2
          coverage: none

      - name: Install PHP dependencies
        run: composer install --no-interaction --prefer-dist --optimize-autoloader

      # -----------------------------------------------------------------------
      # Docker — build the appwrite-dev image and pull all other dependency
      # images from docker-compose.yml so they're cached for Copilot.
      # -----------------------------------------------------------------------
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Appwrite dev image
        uses: docker/build-push-action@v6
        with:
          context: .
          target: development
          push: false
          load: true
          tags: appwrite-dev
          cache-from: |
            type=gha,scope=appwrite-dev-${{ github.ref }}
            type=gha,scope=appwrite-dev-refs/heads/main
          cache-to: type=gha,mode=max,scope=appwrite-dev-${{ github.ref }}
          build-args: |
            DEBUG=false
            TESTING=true
            VERSION=dev

      - name: Pull docker-compose dependency images
        run: docker compose pull --ignore-buildable

This workflow pre-warms the GitHub Actions Docker layer cache and pulls all dependency images defined in docker-compose.yml, so that the GitHub Copilot coding agent environment is ready to run tests without needing to build or pull images from scratch each time.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: What should be included in the .github/workflows/copilot-setup-steps.yml for this repo?

Assistant: Based on my analysis of the appwrite/appwrite repository — its language composition (TypeScript 72.4%, PHP 26.7%), composer.json, package.json, and existing CI workflows — here is what the copilot-setup-steps.yml should contain, along with a full explanation.

What to Include in .github/workflows/copilot-setup-steps.yml

Key Requirements (from GitHub Docs)

  1. The job MUST be named copilot-setup-steps — this is how Copilot coding agent identifies it.
  2. Triggers: Include workflow_dispatch, push, and pull_request on the file path so you can validate it easily.
  3. Minimal permissions (contents: read is sufficient for cloning).
  4. Steps should pre-install all dependencies Copilot needs before it starts working.

What This Repo Needs

Looking at the repo's stack:

Concern Detail
PHP 8.3 Required per composer.json ("php": ">=8.3.0")
PHP Extensions curl, imagick, mbstring, json, yaml, dom, redis, swoole, pdo, openssl, zlib, sockets, fileinfo
Composer Install PHP dependencies via composer install
Node.js Needed for TypeScript (72.4% of codebase) — check .nvmrc/package.json for version
Docker + Docker Compose Tests run entirely via Docker (docker compose up -d); the tests.yml builds a Docker image and runs tests inside it

⚠️ Important note on Docker: The existing test suite builds and runs a full Docker image of Appwrite. The copilot-setup-steps.yml is best suited for unit tests and static analysis (PHP/Composer + Node), not the full Docker-based E2E suite, since that requires Docker-in-Docker. For static analysis and linting, Copilot only needs PHP + Composer.

Recommended copilot-setup-steps.yml

name: "Copilot Setup Steps"

# Automatically run the setup steps when they are changed to allow for easy
# validation, and allow manual testing through the repository's "Actions" tab.
on:
  workflow_dispatch:
  push:
    paths:
      - .github/workflows/copilot-se...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. [Learn more about Advanced Security.](https://gh.io/cca-advanced-security)

@stnguyen90
Add .github/workflows/copilot-setup-steps.yml
74a3dd9 
Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Copilot setup steps workflow file Add Copilot setup steps workflow Mar 19, 2026
Copilot AI requested a review from stnguyen90 March 19, 2026 20:52
@github-actions

github-actions Bot commented Mar 19, 2026
edited
Loading

Copy link
Copy Markdown

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
imagemagick 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-c++ 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-c++ 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-dev 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-dev 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-heic 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-heic 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-jpeg 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-jpeg 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-jxl 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-jxl 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-libs 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-libs 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-openexr 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-openexr 7.1.2.8-r0 CVE-2026-27798 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25897 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-25898 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-25968 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-25971 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-25983 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-25986 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-25987 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2026-26284 CRITICAL
imagemagick-webp 7.1.2.8-r0 CVE-2025-66628 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2025-68618 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2025-69204 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-24481 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-24485 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25794 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25795 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25796 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25798 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25799 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25965 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25966 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25967 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25969 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25970 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25985 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25988 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-25989 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-26066 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-26283 HIGH
imagemagick-webp 7.1.2.8-r0 CVE-2026-27798 HIGH
libcrypto3 3.5.4-r0 CVE-2025-15467 CRITICAL
libcrypto3 3.5.4-r0 CVE-2025-69419 HIGH
libcrypto3 3.5.4-r0 CVE-2025-69421 HIGH
libecpg 17.7-r0 CVE-2026-2004 HIGH
libecpg 17.7-r0 CVE-2026-2005 HIGH
libecpg 17.7-r0 CVE-2026-2006 HIGH
libecpg 17.7-r0 CVE-2026-2007 HIGH
libecpg-dev 17.7-r0 CVE-2026-2004 HIGH
libecpg-dev 17.7-r0 CVE-2026-2005 HIGH
libecpg-dev 17.7-r0 CVE-2026-2006 HIGH
libecpg-dev 17.7-r0 CVE-2026-2007 HIGH
libexpat 2.7.3-r0 CVE-2026-32767 CRITICAL
libexpat 2.7.3-r0 CVE-2026-25210 HIGH
libheif 1.19.8-r0 CVE-2025-68431 HIGH
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng 1.6.51-r0 CVE-2026-22695 HIGH
libpng 1.6.51-r0 CVE-2026-22801 HIGH
libpng 1.6.51-r0 CVE-2026-25646 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2026-22695 HIGH
libpng-dev 1.6.51-r0 CVE-2026-22801 HIGH
libpng-dev 1.6.51-r0 CVE-2026-25646 HIGH
libpq 17.7-r0 CVE-2026-2004 HIGH
libpq 17.7-r0 CVE-2026-2005 HIGH
libpq 17.7-r0 CVE-2026-2006 HIGH
libpq 17.7-r0 CVE-2026-2007 HIGH
libpq-dev 17.7-r0 CVE-2026-2004 HIGH
libpq-dev 17.7-r0 CVE-2026-2005 HIGH
libpq-dev 17.7-r0 CVE-2026-2006 HIGH
libpq-dev 17.7-r0 CVE-2026-2007 HIGH
libssl3 3.5.4-r0 CVE-2025-15467 CRITICAL
libssl3 3.5.4-r0 CVE-2025-69419 HIGH
libssl3 3.5.4-r0 CVE-2025-69421 HIGH
openssl 3.5.4-r0 CVE-2025-15467 CRITICAL
openssl 3.5.4-r0 CVE-2025-69419 HIGH
openssl 3.5.4-r0 CVE-2025-69421 HIGH
openssl-dev 3.5.4-r0 CVE-2025-15467 CRITICAL
openssl-dev 3.5.4-r0 CVE-2025-69419 HIGH
openssl-dev 3.5.4-r0 CVE-2025-69421 HIGH
postgresql17-dev 17.7-r0 CVE-2026-2004 HIGH
postgresql17-dev 17.7-r0 CVE-2026-2005 HIGH
postgresql17-dev 17.7-r0 CVE-2026-2006 HIGH
postgresql17-dev 17.7-r0 CVE-2026-2007 HIGH
py3-urllib3 1.26.20-r0 CVE-2026-21441 HIGH
py3-urllib3-pyc 1.26.20-r0 CVE-2026-21441 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

@github-actions

github-actions Bot commented Mar 19, 2026
edited
Loading

Copy link
Copy Markdown

✨ Benchmark results

  • Requests per second: 1,672
  • Requests with 200 status code: 300,953
  • P99 latency: 0.102286902

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 1,672 1,212
200 300,953 218,274
P99 0.102286902 0.182291663

stnguyen90
stnguyen90 reviewed Mar 19, 2026
View reviewed changes
Comment thread .github/workflows/copilot-setup-steps.yml Outdated
coverage: none

- name: Install PHP dependencies
run: composer install --no-interaction --prefer-dist --optimize-autoloader

@stnguyen90 stnguyen90 Mar 19, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot change this to:

composer install --ignore-platform-reqs --optimize-autoloader --no-interaction --no-plugins --no-scripts --prefer-dist

Copilot AI Mar 19, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 96473ad.

@stnguyen90
Update composer install flags in copilot-setup-steps.yml
96473ad 
Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>
Copilot AI requested a review from stnguyen90 March 19, 2026 21:37
stnguyen90
stnguyen90 reviewed Mar 19, 2026
View reviewed changes
Comment thread .github/workflows/copilot-setup-steps.yml Outdated
VERSION=dev

- name: Pull docker-compose dependency images
run: docker compose pull --ignore-buildable

@stnguyen90 stnguyen90 Mar 19, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot the CI failed because appwrite-dev is still being pull but results in:

Error response from daemon: pull access denied for appwrite-dev, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

It shouldn't be pulled because it was just built and it's a buildable and the param --ignore-buildable was passed.

Copilot AI Mar 19, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 7b3d99e. The root cause was that services like appwrite-realtime, appwrite-worker-*, etc. use image: appwrite-dev but don't have a build: section, so --ignore-buildable didn't skip them.

The fix uses docker compose config --format json to get the fully resolved config, then filters out any service whose image is appwrite-dev before passing the remainder to docker compose pull.

@stnguyen90
Fix docker compose pull to skip appwrite-dev image services
7b3d99e 
Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>
Copilot AI requested a review from stnguyen90 March 19, 2026 23:18
@stnguyen90 stnguyen90 changed the base branch from main to 1.9.x March 21, 2026 16:46
@github-actions

github-actions Bot commented Mar 21, 2026
edited
Loading

Copy link
Copy Markdown

🔄 PHP-Retry Summary

Flaky tests detected across commits:

Commit 38c7efa - 2 flaky tests
Test Retries Total Time Details
UsageTest::testFunctionsStats 1 10.13s Logs
UsageTest::testPrepareSitesStats 1 6ms Logs
Commit c457a50 - 5 flaky tests
Test Retries Total Time Details
UsageTest::testVectorsDBStats 1 10.05s Logs
DocumentsDBConsoleClientTest::testTimeout 1 121.56s Logs
LegacyConsoleClientTest::testUpsertDocument 1 241.79s Logs
LegacyCustomClientTest::testAttributeResponseModels 1 120.78s Logs
LegacyCustomServerTest::testTimeout 1 120.96s Logs

@blacksmith-sh

blacksmith-sh Bot commented Mar 21, 2026
edited
Loading

Copy link
Copy Markdown

Found 2 test failures on Blacksmith runners:

Failures

Test View Logs
› Tests\E2E\Services\TablesDB\TablesDBCustomServerTest/testManyToManyRelationship View Logs
› Tests\E2E\Services\TablesDB\Transactions\TablesDBTransactionsCustomClientTest/
testMixedSingleOperations		 View Logs

Fix in Cursor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stnguyen90 stnguyen90 Awaiting requested review from stnguyen90

At least 1 approving review is required to merge this pull request.

Assignees

@stnguyen90 stnguyen90

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stnguyen90