Skip to content

DTL-5961 Fix vulnerabilities #642

DTL-5961 Fix vulnerabilities

DTL-5961 Fix vulnerabilities #642

name: Compile dependabot updates
on:
pull_request:
jobs:
fetch-dependabot-metadata:
runs-on: ubuntu-latest
# We only want to check the metadata on pull_request events from Dependabot itself,
# any subsequent pushes to the PR should just skip this step so we don't go into
# a loop on commits created by the `build-dependabot-changes` job
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
# Map the step output to a job output for subsequent jobs
outputs:
dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }}
package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Fetch dependabot metadata
id: dependabot-metadata
uses: ./
build-dependabot-changes:
runs-on: ubuntu-latest
needs: [fetch-dependabot-metadata]
# We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
steps:
- name: Generate token
id: generate_token
uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c # v1.9.0
with:
app-id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
private-key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
# Check out using an app token so any pushed changes will trigger checkruns
token: ${{ steps.generate_token.outputs.token }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: .nvmrc
- name: Install NPM dependencies
run: npm ci
- name: Rebuild the dist/ directory
run: npm run build
- name: Check in any change to dist/
run: |
git add dist/
# Specifying the full email allows the avatar to show up: https://github.com/orgs/community/discussions/26560
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0
git push