Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

159 lines
6.7 KiB
YAML

name: Update NPM dependencies
on:
workflow_call:
inputs:
npm_args:
description: Arguments to pass to npm update
type: string
default: --save
workflow_dispatch:
inputs:
npm_args:
description: Arguments to pass to npm update
type: string
default: --save
schedule:
- cron: '0 8 * * 4' # every Thursday at 08:00 UTC (day after PDM updates)
permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions
jobs:
update:
name: 📦 Update with NPM
runs-on: ubuntu-latest
permissions:
contents: write # Required for creating PRs
pull-requests: write # Required for creating PRs
strategy:
matrix:
npm_directory:
- { path: '.', build_cmd: 'npm run build', test_cmd: '', cache_path: 'package-lock.json' }
- { path: 'tests', build_cmd: '', test_cmd: 'echo "Skipping API-key tests in CI - requires real API key"', cache_path: 'package-lock.json' }
- { path: 'tests/ui_tests', build_cmd: '', test_cmd: 'echo "Skipping UI tests in CI - requires server"', cache_path: 'package-lock.json' }
- { path: 'tests/puppeteer', build_cmd: '', test_cmd: 'echo "Skipping Puppeteer tests in CI - requires server"', cache_path: 'package-lock.json' }
- { path: 'tests/api_tests_with_login', build_cmd: '', test_cmd: 'echo "Skipping API-with-login tests in CI - requires server + auth"', cache_path: 'package-lock.json' }
- { path: 'tests/infrastructure_tests', build_cmd: '', test_cmd: 'echo "Skipping infrastructure tests in CI - requires server"', cache_path: 'package-lock.json' }
- { path: 'tests/accessibility_tests', build_cmd: '', test_cmd: 'echo "Skipping accessibility tests in CI - requires server"', cache_path: 'package-lock.json' }
- { path: 'tests/ui_tests/playwright', build_cmd: '', test_cmd: 'echo "Skipping playwright UI tests in CI - requires server"', cache_path: 'package-lock.json' }
continue-on-error: false
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: 📰 Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
ref: main
- name: 🟢 Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
cache: 'npm'
cache-dependency-path: ${{ matrix.npm_directory.path }}/${{ matrix.npm_directory.cache_path }}
- name: 🔍 Security audit
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
run: |
cd "$NPM_DIR"
# Don't fail the workflow if unfixable vulns remain — the next step
# (`npm audit fix --package-lock-only`) will attempt the auto-fix and
# report what it couldn't fix. Failing here would skip the dependency
# update entirely on the first unpatchable advisory. Use a ::warning
# workflow command (not a bare echo) so the soft-fail surfaces as a
# visible annotation in the run UI instead of getting lost in the
# step log.
npm audit --audit-level moderate || echo "::warning::Vulnerabilities detected — proceeding to auto-fix attempt"
- name: 🔐 Fix security vulnerabilities (lockfile only)
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
run: |
cd "$NPM_DIR"
# Update lockfile only - actual install happens via npm ci below
npm audit fix --package-lock-only || echo "Some vulnerabilities could not be auto-fixed"
- name: 👚 Update to latest compatible versions (lockfile only)
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
NPM_ARGS: ${{ inputs.npm_args || '--save' }}
run: |
cd "$NPM_DIR"
# Update lockfile only - actual install happens via npm ci below
# Intentional word splitting for npm args
# shellcheck disable=SC2086
npm update --package-lock-only $NPM_ARGS
- name: 📦 Install from lockfile with integrity verification
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
run: |
cd "$NPM_DIR"
# npm ci installs from lockfile with integrity hash verification
# This satisfies OSSF Scorecard pinned-dependencies requirement
npm ci
- name: 🔨 Build (if applicable)
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
BUILD_CMD: ${{ matrix.npm_directory.build_cmd }}
run: |
cd "$NPM_DIR"
eval "$BUILD_CMD"
if: matrix.npm_directory.build_cmd != ''
- name: 🧪 Test (if applicable)
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
TEST_CMD: ${{ matrix.npm_directory.test_cmd }}
run: |
cd "$NPM_DIR"
eval "$TEST_CMD"
if: matrix.npm_directory.test_cmd != ''
- name: 📝 Check for changes
id: verify-changed-files
env:
NPM_DIR: ${{ matrix.npm_directory.path }}
run: |
cd "$NPM_DIR"
# Check if package.json or package-lock.json have changed
if git diff --quiet package.json package-lock.json; then
echo "changed=false" >> "$GITHUB_OUTPUT"
else
echo "changed=true" >> "$GITHUB_OUTPUT"
echo "path=${{ matrix.npm_directory.path }}" >> "$GITHUB_OUTPUT"
fi
- name: 📝 Create pull request
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
if: steps.verify-changed-files.outputs.changed == 'true'
with:
branch: update-npm-dependencies-${{ github.run_number }}
title: 🤖 Update dependencies
body: |
This PR updates dependencies to their latest compatible versions.
**Updated directory:** `${{ steps.verify-changed-files.outputs.path }}`
**Changes include:**
- Security vulnerability fixes (moderate severity and above)
- Compatible version updates for dependencies
- Updated lock files for reproducible builds
This PR was created by the Dependency Update Bot.
sign-commits: true
add-paths: |
${{ steps.verify-changed-files.outputs.path }}/package.json
${{ steps.verify-changed-files.outputs.path }}/package-lock.json
commit-message: 🤖 Update dependencies
labels: maintenance
draft: false
base: main
reviewers: djpetti,HashedViking,LearningCircuit