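# Scheduled dependency maintenance for application/ui: runs `npm audit fix`
# and opens a pull request when package.json / package-lock.json change.
#
# Security posture as written here:
# - `permissions: {}` at workflow level, so GITHUB_TOKEN carries no permissions;
#   the PR is opened with a short-lived GitHub App installation token instead.
# - `persist-credentials: false` on checkout, so no token is left in
#   .git/config for the npm steps (which execute third-party package code) to read.
# - Nothing in this job builds or tests the result; whatever checks run on the
#   created PR, plus human review, are the gate for what `npm audit fix` produced.
name: NPM Audit Fix

on:  # yamllint disable-line rule:truthy
  schedule:
    # 03:00 UTC on the 2nd and 16th of every month.
    - cron: "0 3 2,16 * *"
  workflow_dispatch:
    inputs:
      force_fix:
        description: "Run npm audit fix --force (includes breaking changes)"
        required: false
        default: false
        type: boolean

permissions: {}  # No permissions by default on workflow level

jobs:
  npm-audit-fix:
    runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }}
    # Bound the job; the GitHub default is 360 minutes. Constructed value —
    # raise it if `npm ci` on this tree is routinely slower.
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave GITHUB_TOKEN in .git/config; the later `npm ci` runs
          # package lifecycle scripts and must not be able to read it.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: application/ui/.nvmrc

      - name: Install dependencies
        working-directory: application/ui
        # NOTE(review): `npm ci` executes package lifecycle scripts. Nothing in
        # this job appears to need a built node_modules, so `--ignore-scripts`
        # would shrink the exposure — confirm `npm audit fix --force` below
        # still resolves correctly without it before changing this.
        run: npm ci

      - name: Display audit report
        working-directory: application/ui
        # Informational only: `|| true` already keeps the step green when
        # findings exist, so `continue-on-error` would never take effect here.
        run: |
          npm audit || true

      - name: Run npm audit fix (safe mode)
        # Scheduled runs carry no inputs, so `github.event.inputs.force_fix` is
        # empty there and this branch is taken; on dispatch it runs unless
        # force_fix was set (dispatch inputs compare as strings).
        if: ${{ github.event_name == 'schedule' || github.event.inputs.force_fix != 'true' }}
        working-directory: application/ui
        continue-on-error: true
        run: npm audit fix --package-lock-only || echo "Some issues could not be auto-fixed"

      - name: Run npm audit fix (force mode)
        # Opt-in only: --force may apply semver-major (breaking) upgrades.
        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.force_fix == 'true' }}
        working-directory: application/ui
        continue-on-error: true
        run: npm audit fix --force || true

      - name: Check for changes
        id: check-changes
        working-directory: application/ui
        # The redirect target is quoted: an unquoted $GITHUB_OUTPUT fails with
        # "ambiguous redirect" if the runner's temp path contains whitespace.
        run: |
          if git diff --quiet package-lock.json package.json; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      # GitHub App token is required to trigger other workflows (GITHUB_TOKEN cannot trigger workflows)
      - name: Get token
        if: steps.check-changes.outputs.changed == 'true'
        id: get-github-app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.RENOVATE_APP_ID }}
          private-key: ${{ secrets.RENOVATE_APP_PEM }}

      - name: Create PR if lockfile changed
        if: steps.check-changes.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          # App token (not GITHUB_TOKEN) so that CI on the created PR is triggered.
          token: ${{ steps.get-github-app-token.outputs.token }}
          author: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
          committer: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
          commit-message: "fix(deps): npm audit fixes [security]"
          title: "fix(deps): npm audit fixes [security]"
          body: |
            This PR was automatically created to update NPM dependencies with:
            ${{ github.event.inputs.force_fix == 'true' && '`npm audit fix --force`' || '`npm audit fix --package-lock-only`' }}
          # One branch per run: an earlier run's open PR is not updated, a new
          # one is opened alongside it.
          branch: "npm-audit-fix-${{ github.run_id }}"
          base: main
          delete-branch: true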