Skip to content
Merged
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions .github/workflows/pull-request-no-npm.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: Do not use the npm command

on:
workflow_call:
Comment thread
coderabbitai[bot] marked this conversation as resolved.

jobs:
Detect-NPM:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Scan workflow file for forbidden npm commands
run: |
WORKFLOW_DIRECTORY=".github/workflows"

if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
echo "::error::Forbidden 'npm' command found in one or more workflow files!"
echo "Please use 'pnpm' instead."
exit 1
else
echo "No forbidden 'npm' commands found. The job can proceed."
fi
Comment on lines +13 to +23

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Self-scan causes the workflow to always fail — the detection is broken.

grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" scans every file under .github/workflows/, which includes this workflow file itself. The file contains the word "npm" as a standalone token in at least three places (the name: fields on lines 1 and 13, and the error message on line 18), so the check immediately matches and exits with code 1 on every run regardless of actual violations.

The fix is to exclude the current workflow file from the scan. The cleanest approach uses GITHUB_WORKFLOW_REF:

🐛 Proposed fix — exclude the current workflow file from the scan
      - name: Scan workflow file for forbidden npm commands
        run: |
          WORKFLOW_DIRECTORY=".github/workflows"
+         SELF_WORKFLOW=$(basename "$GITHUB_WORKFLOW_REF" | cut -d'@' -f1)

-         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
+         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="$SELF_WORKFLOW"; then
            echo "::error::Forbidden 'npm' command found in one or more workflow files!"
            echo "Please use 'pnpm' instead."
            exit 1
          else
            echo "No forbidden 'npm' commands found. The job can proceed."
          fi

If you prefer a simpler, hardcoded exclusion (acceptable since the filename is stable):

-         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
+         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="pull-request-no-npm.yml"; then
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Scan workflow file for forbidden npm commands
run: |
WORKFLOW_DIRECTORY=".github/workflows"
if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
echo "::error::Forbidden 'npm' command found in one or more workflow files!"
echo "Please use 'pnpm' instead."
exit 1
else
echo "No forbidden 'npm' commands found. The job can proceed."
fi
- name: Scan workflow file for forbidden npm commands
run: |
WORKFLOW_DIRECTORY=".github/workflows"
SELF_WORKFLOW=$(basename "$GITHUB_WORKFLOW_REF" | cut -d'@' -f1)
if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="$SELF_WORKFLOW"; then
echo "::error::Forbidden 'npm' command found in one or more workflow files!"
echo "Please use 'pnpm' instead."
exit 1
else
echo "No forbidden 'npm' commands found. The job can proceed."
fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request-no-npm.yml around lines 13 - 23, The
self-scan currently fails because the grep line (grep -rE '\bnpm\b'
"$WORKFLOW_DIRECTORY") scans this workflow file itself; update the check in the
block that sets WORKFLOW_DIRECTORY and runs grep so it excludes the current
workflow file (use the GITHUB_WORKFLOW_REF env var or hardcode the filename) —
e.g., modify the grep/find invocation used in the detection step to skip
"$GITHUB_WORKFLOW_REF" (or ".github/workflows/pull-request-no-npm.yml") so the
workflow file is not scanned and the error/exit logic only triggers for other
workflow files.