You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When a shared PSModule action is released (e.g. GitHub-Script v1.9.0), every downstream repository that pins it needs a follow-up version bump. The v1.9.0 rollout touched 14 repositories β some bumped by Dependabot, some by manually opened PRs β and there was no single place to see how far the rollout had progressed. A maintainer had to open each repository's pull request individually to know what had merged and what was still outstanding.
Request
Desired capability
When an action is updated, open a central tracking issue on the action's own repository that enumerates every downstream consumer and shows live rollout progress (for example "9 of 14 done") that advances on its own as each consumer's bump pull request merges β with no manual checkbox bookkeeping.
A maintainer looking at the action repository should be able to see, for a given release, which consumers still need the bump, which are in review, and which are done β as a native progress bar that updates automatically.
Acceptance criteria
One tracking issue per action release, on the action repository, listing all known downstream consumers.
Each consumer's bump is represented as an item that reflects real state (open / merged).
The tracking issue shows an automatic completion count / progress bar.
Progress advances without manual checkbox toggling as bump pull requests merge.
Works whether a bump pull request is opened by Dependabot or by an agent / maintainer.
A pull request cannot be a sub-issue β use an issue anchor. Verified 2026-07-10 against the REST API: POST /repos/{owner}/{repo}/issues/{n}/sub_issues with a pull request's REST id returns 404 Not Found; the endpoint accepts only issues. Cross-repository issue sub-issues do work (verified even on a personal account). Each consumer therefore needs a small anchor issue, and the pull request is tied to the rollout indirectly through that anchor.
The flow (one per consumer):
Create an anchor issue in the consumer repository (e.g. "Bump <action> to vX.Y.Z").
Open the bump pull request in the consumer repository with Closes #<anchor> (same-repository closing keyword β reliable; cross-repository keyword auto-close is not dependable).
Add the anchor issue as a cross-repository sub-issue of the central tracking issue: POST /repos/{action-owner}/{action-repo}/issues/{tracker}/sub_issues -F sub_issue_id=<anchor issue REST db id> β the numeric REST id (not the issue number, not the GraphQL node id), sent typed with -F.
On merge, the pull request closes its anchor β the tracker's sub_issues_summary ({ total, completed, percent_completed }) advances.
flowchart LR
subgraph ACTION["Action repo (e.g. GitHub-Script)"]
R["Release vX.Y.Z"]
T["Central tracking issue"]
R --> T
end
subgraph CONSA["Consumer repo A"]
PA["Bump PR"]
IA["Anchor issue"]
PA -- "Closes #a" --> IA
end
subgraph CONSB["Consumer repo B"]
PB["Bump PR"]
IB["Anchor issue"]
PB -- "Closes #b" --> IB
end
T -- "cross-repo sub-issue" --> IA
T -- "cross-repo sub-issue" --> IB
IA -. "merged β closed β progress +" .-> T
IB -. "merged β closed β progress +" .-> T
Loading
Central tracker location = the action repository. The release is the trigger, and keeping the tracker on the action itself makes the action's downstream impact visible from where the change originated. This complements β it does not replace β the existing convention of housing broad framework-migration trackers in Process-PSModule (e.g. #337, #369); those are not tied to a single action release.
Dependabot wrinkle. Dependabot opens many of these bump pull requests and its PR body is not templatable, so it cannot add Closes #<anchor>. Two options:
a small "close the anchor when a matching bump PR merges" workflow (match by the dependencies + github_actions labels and the action name in the title), or
agent / maintainer-driven bumps that set Closes directly (the model used by the ai-platform downstream-release-propagation flow).
Recommendation: implement the close-on-merge workflow so the Dependabot-native path also drives progress. Note #359 (stop Dependabot applying semver release labels) affects how the matcher identifies these PRs.
Progress aggregate lags.sub_issues_summary is denormalized and trails actual sub-issue state by a few seconds; any status/report step must re-query rather than trust the first read.
Alternative considered β a task list of PR references (- [ ] owner/repo#PR in the tracker body): lighter (no anchor issues) but gives no reliable auto-updating progress bar, and cross-repository PR references render inconsistently. Rejected in favor of sub-issues.
Input β which consumers need bumping. Reuse the enumeration proven during the v1.9.0 rollout: scan every non-archived org repository's action.yml and .github/workflows/** for PSModule/<action>@<sha> (a deterministic GraphQL HEAD:-tree scan; plain code search has index gaps). Related: #329 (pinned-SHA drift detection) can feed this consumer list.
Validation evidence (throwaway test repos)
Verified end-to-end in MariusStorhaug/verprop-test-action (tracking issue #1) and MariusStorhaug/verprop-test-consumer:
Attempt
Result
Same-repo issue as sub-issue
β works
Cross-repo issue as sub-issue (personal account)
β works
Cross-repo pull request as sub-issue
β 404 Not Found
After a consumer pull request carrying Closes #<anchor> merged, the tracker reported { "total": 2, "completed": 1, "percent_completed": 50 }.
Add a reusable step that lists downstream consumers of an action by scanning action.yml + .github/workflows/** for PSModule/<action>@<sha> across non-archived org repositories.
Tracking issue + anchors
On action release, open the central tracking issue on the action repository (title includes action name + version).
For each consumer, create an anchor issue in the consumer repository and attach it as a cross-repository sub-issue (sub_issue_id = anchor REST db id, sent with -F).
Bump pull requests
Ensure agent / maintainer-opened bump PRs include Closes #<anchor>.
Add a workflow that closes the matching anchor issue when a Dependabot bump PR for the action merges (match by title + dependencies/github_actions labels), so Dependabot-origin bumps also drive progress.
Progress + closeout
Use sub_issues_summary for status reporting, allowing for aggregation lag (re-query).
Close the central tracking issue automatically when all anchors are closed.
Documentation
Document the pattern (anchor-issue model, why PRs cannot be sub-issues, the Dependabot close-on-merge workflow). Port to the ai-platform downstream-release-propagation specification once its release-management restructuring settles.
When a shared PSModule action is released (e.g.
GitHub-Scriptv1.9.0), every downstream repository that pins it needs a follow-up version bump. The v1.9.0 rollout touched 14 repositories β some bumped by Dependabot, some by manually opened PRs β and there was no single place to see how far the rollout had progressed. A maintainer had to open each repository's pull request individually to know what had merged and what was still outstanding.Request
Desired capability
When an action is updated, open a central tracking issue on the action's own repository that enumerates every downstream consumer and shows live rollout progress (for example "9 of 14 done") that advances on its own as each consumer's bump pull request merges β with no manual checkbox bookkeeping.
A maintainer looking at the action repository should be able to see, for a given release, which consumers still need the bump, which are in review, and which are done β as a native progress bar that updates automatically.
Acceptance criteria
Note
Motivating rollout: the GitHub-Script v1.9.0 bump across 14 repositories (
Debug,Get-IssueFormData,Get-PesterCodeCoverage,Get-PesterTestResults,Get-PSModuleSettings,Initialize-PSModule,Invoke-Pester,Invoke-ScriptAnalyzer,Release-GHRepository,Template-Action,docs,GoogleFonts,NerdFonts,Process-PSModule).Technical decisions
A pull request cannot be a sub-issue β use an issue anchor. Verified 2026-07-10 against the REST API:
POST /repos/{owner}/{repo}/issues/{n}/sub_issueswith a pull request's REST id returns 404 Not Found; the endpoint accepts only issues. Cross-repository issue sub-issues do work (verified even on a personal account). Each consumer therefore needs a small anchor issue, and the pull request is tied to the rollout indirectly through that anchor.The flow (one per consumer):
<action>tovX.Y.Z").Closes #<anchor>(same-repository closing keyword β reliable; cross-repository keyword auto-close is not dependable).POST /repos/{action-owner}/{action-repo}/issues/{tracker}/sub_issues -F sub_issue_id=<anchor issue REST db id>β the numeric RESTid(not the issue number, not the GraphQL node id), sent typed with-F.sub_issues_summary({ total, completed, percent_completed }) advances.flowchart LR subgraph ACTION["Action repo (e.g. GitHub-Script)"] R["Release vX.Y.Z"] T["Central tracking issue"] R --> T end subgraph CONSA["Consumer repo A"] PA["Bump PR"] IA["Anchor issue"] PA -- "Closes #a" --> IA end subgraph CONSB["Consumer repo B"] PB["Bump PR"] IB["Anchor issue"] PB -- "Closes #b" --> IB end T -- "cross-repo sub-issue" --> IA T -- "cross-repo sub-issue" --> IB IA -. "merged β closed β progress +" .-> T IB -. "merged β closed β progress +" .-> TCentral tracker location = the action repository. The release is the trigger, and keeping the tracker on the action itself makes the action's downstream impact visible from where the change originated. This complements β it does not replace β the existing convention of housing broad framework-migration trackers in
Process-PSModule(e.g. #337, #369); those are not tied to a single action release.Dependabot wrinkle. Dependabot opens many of these bump pull requests and its PR body is not templatable, so it cannot add
Closes #<anchor>. Two options:dependencies+github_actionslabels and the action name in the title), orClosesdirectly (the model used by the ai-platform downstream-release-propagation flow).Recommendation: implement the close-on-merge workflow so the Dependabot-native path also drives progress. Note #359 (stop Dependabot applying semver release labels) affects how the matcher identifies these PRs.
Progress aggregate lags.
sub_issues_summaryis denormalized and trails actual sub-issue state by a few seconds; any status/report step must re-query rather than trust the first read.Alternative considered β a task list of PR references (
- [ ] owner/repo#PRin the tracker body): lighter (no anchor issues) but gives no reliable auto-updating progress bar, and cross-repository PR references render inconsistently. Rejected in favor of sub-issues.Input β which consumers need bumping. Reuse the enumeration proven during the v1.9.0 rollout: scan every non-archived org repository's
action.ymland.github/workflows/**forPSModule/<action>@<sha>(a deterministic GraphQLHEAD:-tree scan; plain code search has index gaps). Related: #329 (pinned-SHA drift detection) can feed this consumer list.Validation evidence (throwaway test repos)
Verified end-to-end in
MariusStorhaug/verprop-test-action(tracking issue #1) andMariusStorhaug/verprop-test-consumer:After a consumer pull request carrying
Closes #<anchor>merged, the tracker reported{ "total": 2, "completed": 1, "percent_completed": 50 }.Related to the dependency-management epic #356.
Implementation plan
Enumeration
action.yml+.github/workflows/**forPSModule/<action>@<sha>across non-archived org repositories.Tracking issue + anchors
sub_issue_id= anchor REST db id, sent with-F).Bump pull requests
Closes #<anchor>.dependencies/github_actionslabels), so Dependabot-origin bumps also drive progress.Progress + closeout
sub_issues_summaryfor status reporting, allowing for aggregation lag (re-query).Documentation