Skip to content

Update Dependencies #33

Update Dependencies

Update Dependencies #33

Workflow file for this run

name: Update Dependencies
on:
schedule:
- cron: "0 6 * * MON" # Run every Monday at 6 AM UTC
workflow_dispatch: # Allow manual triggering
jobs:
check-updates:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
lfs: true
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: 20
cache: "npm"
- name: Install dependencies
run: npm install
- name: Update dependencies
id: update
run: |
# Capture current package.json content
cp package.json package.json.backup
# Run npm-check-updates to update all dependencies
npx ncu -u
# Check if package.json was modified
if ! diff -q package.json package.json.backup > /dev/null; then
echo "changed=true" >> $GITHUB_OUTPUT
echo "Dependencies updated"
# Generate summary of changes
{
echo 'update_summary<<EOF'
echo "Updated dependencies to their latest versions:"
echo ""
echo '```diff'
# Show the diff in a readable format
diff -u package.json.backup package.json | grep "^[-+]" | grep -v "^[-+][-+][-+]"
echo '```'
echo 'EOF'
} >> $GITHUB_OUTPUT
else
echo "changed=false" >> $GITHUB_OUTPUT
echo "No updates available"
fi
# Clean up backup
rm -f package.json.backup
- name: Install updated dependencies
if: steps.update.outputs.changed == 'true'
run: npm install
- name: Create Pull Request
if: steps.update.outputs.changed == 'true'
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
# Use GITHUB_TOKEN for signed commits (like the working exiftool-vendored.pl workflow)
# This allows automatic GitHub signing and you can approve PRs created by github-actions[bot]
# NOTE: We tried using a PAT to trigger CI workflows automatically,
# but hit issues with signed commits and self-approval restrictions. The trade-offs:
# GITHUB_TOKEN (current):
# ✅ Works with signed commit requirements
# ✅ You can approve PRs (created by github-actions[bot], not you)
# ❌ CI workflows don't auto-trigger (must manually trigger if needed)
# PAT approach:
# ✅ CI workflows auto-trigger
# ❌ Can't approve your own PRs (PAT owner becomes author)
# ❌ Bot accounts require signed commit setups
# Conclusion: GITHUB_TOKEN is simpler and more reliable for this use
# case. We lose automatic CI triggering, but at least it works.
token: ${{ secrets.GITHUB_TOKEN }}
sign-commits: true
commit-message: "chore(deps): update dependencies"
title: "Update dependencies"
body: |
Updates dependencies to their latest versions.
This is an automated update created by the check-updates workflow.
## Changes
${{ steps.update.outputs.update_summary }}
## Next Steps
After merging this PR, consider creating a new release to publish the updated dependencies.
Please review the changes and merge if everything looks good.
branch: update-dependencies-${{ github.run_id }}
delete-branch: true
labels: |
dependencies
automated