mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-29 10:25:05 -04:00
8cec791e38
Bumps the github-actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [github/codeql-action](https://github.com/github/codeql-action), [taiki-e/install-action](https://github.com/taiki-e/install-action) and [crate-ci/typos](https://github.com/crate-ci/typos). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](de0fac2e45...df4cb1c069) Updates `github/codeql-action` from 4.36.0 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](7211b7c807...8aad20d150) Updates `taiki-e/install-action` from 2.79.14 to 2.81.8 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md) - [Commits](873c7452ca...0631aa6515) Updates `crate-ci/typos` from 1.47.0 to 1.47.2 - [Release notes](https://github.com/crate-ci/typos/releases) - [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md) - [Commits](f8a58b6b53...37bb98842b) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: crate-ci/typos dependency-version: 1.47.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: taiki-e/install-action dependency-version: 2.81.6 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
119 lines
4.7 KiB
YAML
119 lines
4.7 KiB
YAML
name: Update Lockfile
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 6 * * *' # Daily at 6 AM UTC
|
|
workflow_dispatch: {} # Allow manual triggering
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
# Serialize runs so a manual dispatch and the daily schedule can't reset and
|
|
# force-push the chore/update-lockfile branch at the same time.
|
|
concurrency:
|
|
group: update-lockfile
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
update-lockfile:
|
|
if: github.repository == 'pnpm/pnpm' # Only run on the main repository, not forks
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout Commit
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
# Don't persist the write-scoped token in .git/config. The full install
|
|
# below runs third-party lifecycle scripts from freshly-bumped
|
|
# dependencies; the token is only needed to push, which the "Commit and
|
|
# push" step does with an explicit, single-use remote URL.
|
|
persist-credentials: false
|
|
|
|
# The job regenerates the lockfile and runs the meta-updater itself, so the
|
|
# action's auto-install would just be wasted work.
|
|
- name: Install pnpm
|
|
uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
|
|
with:
|
|
install: false
|
|
|
|
# Build the day's changes on a single, persistent branch based on the latest
|
|
# main on every run. main is fetched explicitly so the branch is correct even
|
|
# for a workflow_dispatch run triggered from another ref. If a PR from a
|
|
# previous day is still open, the force-push below replaces its contents with
|
|
# today's changes instead of opening a second PR.
|
|
- name: Prepare update branch
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git fetch origin main
|
|
git checkout -B chore/update-lockfile FETCH_HEAD
|
|
|
|
- name: Update dependencies, Node.js, pnpm, and pacquet versions
|
|
timeout-minutes: 20
|
|
run: |
|
|
# Bump the pacquet config dependency to the latest release.
|
|
pnpm add --config @pnpm/pacquet
|
|
|
|
# Bump Node.js to the latest 26.x and record it in devEngines.runtime.
|
|
pnpm runtime set node 26
|
|
|
|
# Refresh the whole lockfile to the latest compatible dependency versions.
|
|
# Remove node_modules too so pnpm cannot reuse node_modules/.pnpm/lock.yaml
|
|
# as the missing wanted lockfile and skip resolution.
|
|
rm -rf node_modules pnpm-lock.yaml
|
|
pnpm install
|
|
|
|
# Propagate the new Node.js version into the GitHub Actions workflows,
|
|
# the `node@runtime:` scripts, and other manifests, then reinstall to
|
|
# sync the lockfile with any manifest changes.
|
|
pnpm update-manifests
|
|
|
|
# Bump pnpm itself last: this rewrites the `packageManager` and
|
|
# `devEngines.packageManager` pins, so doing it after the install steps
|
|
# keeps them running on the action-provided pnpm.
|
|
pnpm self-update latest
|
|
|
|
- name: Check for changes
|
|
id: changes
|
|
run: |
|
|
if [ -z "$(git status --porcelain)" ]; then
|
|
echo "changed=false" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "changed=true" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Commit and push
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
run: |
|
|
git add -A
|
|
git commit -m "chore: update lockfile, Node.js, pnpm, and pacquet versions"
|
|
git push -f "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" chore/update-lockfile
|
|
|
|
- name: Create PR if needed
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
run: |
|
|
BRANCH="chore/update-lockfile"
|
|
|
|
# An already-open PR from a previous day now points at the freshly
|
|
# force-pushed branch, so there is nothing more to do.
|
|
if [ -n "$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number')" ]; then
|
|
echo "PR already exists; today's changes were force-pushed to it"
|
|
else
|
|
gh pr create \
|
|
--title "chore: update lockfile, Node.js, pnpm, and pacquet versions" \
|
|
--body "This automated PR refreshes the project's pinned versions:
|
|
|
|
- Updates the lockfile to the latest compatible versions of dependencies.
|
|
- Bumps Node.js to the latest 26.x release, propagated into the CI, release, and benchmark workflows via the meta-updater.
|
|
- Bumps pnpm to the latest release (\`packageManager\` and \`devEngines.packageManager\`).
|
|
- Bumps the \`@pnpm/pacquet\` config dependency to its latest release.
|
|
|
|
Created by the update-lockfile workflow." \
|
|
--base main \
|
|
--head "$BRANCH"
|
|
fi
|