mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-13 11:05:52 -04:00
6b2a955a15
Resolves all 30 zizmor alerts reported on main after #11607: - template-injection (19): move `${{ ... }}` interpolations in `run:` blocks to `env:` so untrusted-ish values (workflow_dispatch inputs, github.ref_name, github.actor) can't break out of shell quoting. - artipacked (8): add `persist-credentials: false` to `actions/checkout` in audit, benchmark, ci, codeql-analysis, docker, release, test workflows. `update-lockfile.yml` keeps the persisted token (later step pushes to a branch) with a `zizmor: ignore[artipacked]` comment and justification. - dependabot-cooldown (1): add a 7-day cooldown so brand-new (potentially malicious) Actions releases don't get auto-PR'd day-of-release. - ref-version-mismatch (1): `bluwy/release-for-reddit-action` SHA pointed at the `v2` tag, not a non-existent `v2.0.0`. Fix the comment. - superfluous-actions (1): mark `softprops/action-gh-release` with a `zizmor: ignore` and justification — the release pipeline is sensitive and the action is battle-tested; we're not swapping it for `gh release` here. Verified locally with `zizmor --persona regular .github` (online audits on): No findings to report. Good job! (2 ignored, 32 suppressed) --- Written by an agent (Claude Code, claude-opus-4-7).
85 lines
2.6 KiB
YAML
85 lines
2.6 KiB
YAML
name: Update Lockfile
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 6 * * *' # Daily at 6 AM UTC
|
|
workflow_dispatch: {} # Allow manual triggering
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
jobs:
|
|
update-lockfile:
|
|
if: github.repository == 'pnpm/pnpm' # Only run on the main repository, not forks
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout Commit
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
|
|
with:
|
|
# The token must persist in .git/config so the "Create or update PR"
|
|
# step below can `git push` to the chore/update-lockfile branch.
|
|
token: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
|
|
# The job deletes the lockfile and regenerates it with `--lockfile-only`,
|
|
# so skip the action's auto-install — it would just be wasted work.
|
|
- name: Install pnpm
|
|
uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
|
|
with:
|
|
install: false
|
|
|
|
- name: Update lockfile
|
|
run: |
|
|
rm pnpm-lock.yaml
|
|
pnpm install --lockfile-only
|
|
timeout-minutes: 5
|
|
|
|
- name: Check for changes
|
|
id: changes
|
|
run: |
|
|
if git diff --quiet pnpm-lock.yaml; then
|
|
echo "changed=false" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "changed=true" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Create or update PR
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
|
|
BRANCH="chore/update-lockfile"
|
|
|
|
# Check if branch exists on remote
|
|
if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
|
|
git fetch origin "$BRANCH"
|
|
git checkout "$BRANCH"
|
|
git reset --hard origin/main
|
|
else
|
|
git checkout -b "$BRANCH"
|
|
fi
|
|
|
|
# Re-apply the lockfile update on the branch
|
|
rm pnpm-lock.yaml
|
|
pnpm install --lockfile-only
|
|
|
|
git add pnpm-lock.yaml
|
|
git commit -m "chore: update pnpm-lock.yaml"
|
|
git push -f origin "$BRANCH"
|
|
|
|
# Check if PR already exists
|
|
if gh pr list --head "$BRANCH" --state open | grep -q "$BRANCH"; then
|
|
echo "PR already exists, it has been updated"
|
|
else
|
|
gh pr create \
|
|
--title "chore: update pnpm-lock.yaml" \
|
|
--body "This PR updates the lockfile to pick up the latest compatible versions of dependencies.
|
|
|
|
This is an automated PR created by the update-lockfile workflow." \
|
|
--base main \
|
|
--head "$BRANCH"
|
|
fi
|