audit-fix.yml
name: Audit fix

on:
  schedule:
    - cron: '0 9 * * *'
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  audit-fix:
    name: Run npm audit fix and create pull request
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          cache: npm

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit fix
        run: |
          # Capture the audit report (stdout and stderr) for the PR body. The
          # redirections must be in this order: `2>&1 > file` would send stderr
          # to the job log instead of the file. The exit status is ignored
          # because `npm audit` exits non-zero whenever vulnerabilities exist.
          npm audit > audit-report.txt 2>&1 || true
          # Try the non-breaking fix first; `--force` may install semver-major
          # updates, so the resulting PR still needs review before merging.
          npm audit fix || npm audit fix --force || true

      - name: Create pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
        run: |
          # Only tracked files (package.json, package-lock.json) are checked;
          # audit-report.txt is untracked and does not count as a change.
          if git diff --quiet; then
            echo "No changes after npm audit fix, skipping PR creation"
            exit 0
          fi
          BRANCH="npm-audit-fix-$(date +%Y%m%d-%H%M%S)"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add package.json package-lock.json
          git commit -m "chore(deps): npm audit fix"
          git push origin "$BRANCH"
          # Build the PR body: a short description followed by the raw audit
          # report inside a fenced block. The quoted heredoc delimiter keeps
          # the backticks from being interpreted by the shell.
          cat > pr-body.md << 'BODYEOF'
          Automated security fixes via `npm audit fix`.
          ## Audit Report
          ```
          BODYEOF
          cat audit-report.txt >> pr-body.md
          echo '```' >> pr-body.md
          gh pr create \
            --title "chore(deps): npm audit fix" \
            --body-file pr-body.md \
            --label "audit: fix" \
            --base main \
            --head "$BRANCH"