Dependencies #9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependencies | |
| on: | |
| schedule: | |
| - cron: '0 6 * * 1' # Weekly on Monday at 6 AM UTC | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| update-dependencies: | |
| name: Update Dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20.x | |
| - name: Enable Corepack | |
| run: corepack enable | |
| - name: Setup Yarn version | |
| run: corepack prepare yarn@3.6.1 --activate | |
| - name: Update Yarn to latest | |
| run: | | |
| corepack prepare yarn@stable --activate | |
| yarn set version stable | |
| - name: Install dependencies | |
| run: yarn install --immutable | |
| - name: Check for outdated packages | |
| run: | | |
| echo "π Checking for outdated dependencies..." | |
| echo "Note: Yarn v3 doesn't have 'yarn outdated'. Using 'yarn up' dry-run to check for updates." | |
| # Check what packages could be updated | |
| yarn up --dry-run > outdated.txt 2>&1 || true | |
| if [ -s outdated.txt ]; then | |
| echo "π Packages that could be updated:" | |
| cat outdated.txt | |
| else | |
| echo "β All packages are up to date" | |
| fi | |
| - name: Update dependencies | |
| run: | | |
| echo "π Updating all dependencies to latest compatible versions..." | |
| yarn up --recursive --mode=latest-safe | |
| - name: Run tests after update | |
| run: | | |
| yarn typecheck | |
| yarn test | |
| yarn build | |
| - name: Check for changes | |
| id: changes | |
| run: | | |
| if git diff --quiet yarn.lock; then | |
| echo "has_changes=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Create Pull Request | |
| if: steps.changes.outputs.has_changes == 'true' | |
| uses: peter-evans/create-pull-request@v7 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| commit-message: 'chore(deps): update dependencies to latest compatible versions' | |
| title: 'π Weekly dependency updates' | |
| body: | | |
| ## π Automated dependency updates | |
| This PR updates all dependencies to their latest compatible versions. | |
| ### β Validation | |
| - [x] TypeScript compilation passes | |
| - [x] All tests pass | |
| - [x] Package builds successfully | |
| ### π Updated packages | |
| Check the `yarn.lock` diff for detailed changes. | |
| --- | |
| *This PR was created automatically by the dependency update workflow.* | |
| branch: chore/update-dependencies | |
| delete-branch: true | |
| labels: | | |
| dependencies | |
| automated | |
| chore | |
| check-security: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20.x | |
| - name: Enable Corepack | |
| run: corepack enable | |
| - name: Setup Yarn version | |
| run: corepack prepare yarn@3.6.1 --activate | |
| - name: Install dependencies | |
| run: yarn install --immutable | |
| - name: Run security audit | |
| run: | | |
| echo "π Running security audit..." | |
| yarn npm audit --all --environment production --json > audit.json || true | |
| # Check if there are any high or critical vulnerabilities | |
| if [ -f "audit.json" ]; then | |
| CRITICAL_COUNT=$(cat audit.json | jq -r '.metadata.vulnerabilities.critical // 0') | |
| HIGH_COUNT=$(cat audit.json | jq -r '.metadata.vulnerabilities.high // 0') | |
| if [ "$CRITICAL_COUNT" -gt 0 ] || [ "$HIGH_COUNT" -gt 0 ]; then | |
| echo "β High or critical vulnerabilities found!" | |
| echo "Critical: $CRITICAL_COUNT, High: $HIGH_COUNT" | |
| cat audit.json | jq -r '.advisories // {}' | |
| exit 1 | |
| else | |
| echo "β No high or critical vulnerabilities found" | |
| fi | |
| else | |
| echo "β οΈ Audit file not created, audit may have failed" | |
| fi | |
| - name: Create security issue | |
| if: failure() | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: 'π¨ Security vulnerabilities detected', | |
| body: `## π¨ Security Alert | |
| High or critical security vulnerabilities have been detected in dependencies. | |
| Please review and update the affected packages as soon as possible. | |
| **Workflow Run:** [${context.runNumber}](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) | |
| --- | |
| *This issue was created automatically by the security audit workflow.*`, | |
| labels: ['security', 'bug', 'high-priority'] | |
| }) |