fix: harden Steward checkout callback #408
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Env Audit | |
| on: | |
| pull_request: | |
| push: | |
| branches: [develop] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| CI: true | |
| # Default to least privilege. Override per-job where needed. | |
| permissions: | |
| contents: read | |
| jobs: | |
| env-audit: | |
| name: env:audit:check | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 2 | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install dependencies | |
| run: | | |
| if bun install --frozen-lockfile; then | |
| exit 0 | |
| fi | |
| # Bun 1.3.14 can report frozen-lockfile drift with workspace optional | |
| # peers even when a non-frozen install rewrites an identical bun.lock. | |
| # Preserve the lockfile gate by allowing the install only when | |
| # bun.lock is byte-for-byte unchanged. | |
| bun install --no-frozen-lockfile | |
| git diff --exit-code -- bun.lock | |
| - name: Env audit check | |
| run: bun run --cwd packages/feed env:audit:check | |
| continue-on-error: true |