DTL-5961 Fix vulnerabilities #642
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Compile dependabot updates | |
on: | |
pull_request: | |
jobs: | |
fetch-dependabot-metadata: | |
runs-on: ubuntu-latest | |
# We only want to check the metadata on pull_request events from Dependabot itself, | |
# any subsequent pushes to the PR should just skip this step so we don't go into | |
# a loop on commits created by the `build-dependabot-changes` job | |
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} | |
# Map the step output to a job output for subsequent jobs | |
outputs: | |
dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }} | |
package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Fetch dependabot metadata | |
id: dependabot-metadata | |
uses: ./ | |
build-dependabot-changes: | |
runs-on: ubuntu-latest | |
needs: [fetch-dependabot-metadata] | |
# We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes. | |
if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production' | |
steps: | |
- name: Generate token | |
id: generate_token | |
uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c # v1.9.0 | |
with: | |
app-id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }} | |
private-key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }} | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
# Check out using an app token so any pushed changes will trigger checkruns | |
token: ${{ steps.generate_token.outputs.token }} | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: .nvmrc | |
- name: Install NPM dependencies | |
run: npm ci | |
- name: Rebuild the dist/ directory | |
run: npm run build | |
- name: Check in any change to dist/ | |
run: | | |
git add dist/ | |
# Specifying the full email allows the avatar to show up: https://github.com/orgs/community/discussions/26560 | |
git config user.name "github-actions[bot]" | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0 | |
git push |