Weekly Dependency Update #40
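name: Weekly Dependency Update

on:  # yamllint disable-line rule:truthy
  schedule:
    # Every Monday at 03:00 UTC
    - cron: '0 3 * * 1'
  workflow_dispatch: # allow manual trigger

# Workflow-wide default is read-only; the update-deps job escalates only the
# scopes it needs, so any other job added later inherits least privilege.
permissions:
  contents: read

jobs:
  update-deps:
    permissions:
      contents: write       # commit dependency updates and allow gh pr merge
      pull-requests: write  # create pull requests via peter-evans/create-pull-request
      actions: write        # dispatch ci.yml after creating the dependency PR
    runs-on: ubuntu-latest
    outputs:
      changes: ${{ steps.commit-changes.outputs.changes }}
      pr-number: ${{ steps.create-pull-request.outputs.pull-request-number }}
    steps:
      # NOTE(review): third-party actions are pinned to floating major tags.
      # Pinning each `uses:` to a full commit SHA (with the tag in a trailing
      # comment) removes the tag-moved-under-us supply-chain risk; the SHAs
      # are not on this page, so they are not substituted here.
      - uses: actions/checkout@v5
      - name: Use Node.js
        uses: actions/setup-node@v5
        with:
          node-version-file: .node-version
          cache: npm

      # --package-lock-only rewrites package-lock.json without installing into
      # node_modules, so no package lifecycle scripts execute in this step.
      - name: Update dependencies to latest version compatible with version range
        run: npm update --package-lock-only

      - name: Commit npm update changes
        id: commit-update
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # Only package.json / package-lock.json are inspected and staged, so
          # anything else npm happened to touch never enters the commit.
          if git diff --quiet -- package.json package-lock.json; then
            echo "changes=false" >> "$GITHUB_OUTPUT"
          else
            git add package.json package-lock.json
            git commit -m "chore: update dependencies to latest compatible versions"
            echo "changes=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Fix vulnerabilities while complying with version ranges
        run: |
          # GitHub runs `run` steps with bash -e; capture the exit status via
          # `||` instead of toggling errexit so the rest of the script keeps it.
          status=0
          npm audit fix --package-lock-only || status=$?
          if [ "$status" -eq 0 ]; then
            exit 0
          fi
          if [ "$status" -eq 1 ]; then
            # Exit 1 is what npm audit fix returns when vulnerabilities remain
            # that it could not fix within the declared ranges (confirm against
            # the npm version in use). Any partial lockfile edit is discarded so
            # only a complete fix is ever committed; the commit made by the
            # previous step is not affected by the reset.
            echo "npm audit fix exited with code 1; discarding uncommitted working-tree changes to prevent unintended edits."
            git reset --hard HEAD
            exit 0
          fi
          # Any other status (network failure, registry error, ...) fails the job.
          exit "$status"

      - name: Commit changes
        id: commit-changes
        env:
          UPDATE_CHANGES: ${{ steps.commit-update.outputs.changes }}
        run: |
          # Same workspace as the earlier commit step; repeated defensively.
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          if git diff --quiet -- package.json package-lock.json; then
            # Nothing from audit fix, but a PR is still needed if npm update committed.
            if [ "$UPDATE_CHANGES" = "true" ]; then
              echo "changes=true" >> "$GITHUB_OUTPUT"
            else
              echo "changes=false" >> "$GITHUB_OUTPUT"
            fi
          else
            git add package.json package-lock.json
            git commit -m "chore: patch dependency vulnerabilities"
            echo "changes=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Create Pull Request
        if: ${{ steps.commit-changes.outputs.changes == 'true' }}
        id: create-pull-request
        uses: peter-evans/create-pull-request@v7
        with:
          branch: chore/update-dependencies
          title: 'chore: update dependencies to latest compatible versions'
          body: |
            This PR was automatically generated by the weekly dependency update workflow.
            It updates all dependencies to their latest compatible versions.
          commit-message: 'chore: update dependencies to latest compatible versions'
          labels: dependencies

      # Pull requests opened with GITHUB_TOKEN do not trigger `pull_request`
      # workflows, which is why CI is dispatched explicitly (hence actions: write).
      - name: Trigger CI workflow
        if: ${{ steps.create-pull-request.outputs.pull-request-number != '' }}
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh workflow run ci.yml --ref chore/update-dependencies

      # Auto-merge only completes once the branch's required checks pass, so
      # branch protection (and the repository's "allow auto-merge" setting)
      # is what gates these updates into the default branch.
      - name: Enable PR automerge
        if: ${{ steps.create-pull-request.outputs.pull-request-number != '' }}
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment rather than interpolated with ${{ }}
          # into the script line: a value that reaches the shell this way is
          # data and cannot alter the command line.
          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
        run: gh pr merge --merge --auto "$PR_NUMBER" --repo "$GITHUB_REPOSITORY"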