chore(ci): enable automatic audit fix pull requests (#125)

skyrpex · web-flow · commit 7fd59203ef25 · 2026-04-02T12:04:33.000+02:00
diff --git a/.github/workflows/audit-fix-auto-merge.yml b/.github/workflows/audit-fix-auto-merge.yml
@@ -0,0 +1,26 @@
+name: Audit fix Auto-merge
+
+on:
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    name: Auto-merge audit fix pull requests
+    runs-on: ubuntu-latest
+    if: "contains(github.event.pull_request.labels.*.name, 'audit: fix')"
+    steps:
+      - name: Approve
+        run: gh pr review "$PR_URL" --approve --comment --body "Auto-approve audit fix pull requests"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}
+      - name: Enable auto-merge
+        run: gh pr merge "$PR_URL" --auto --squash
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}
diff --git a/.github/workflows/audit-fix.yml b/.github/workflows/audit-fix.yml
@@ -0,0 +1,54 @@
+name: Audit fix
+
+on:
+  schedule:
+    - cron: '0 9 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  audit-fix:
+    name: Run npm audit fix and create pull request
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run npm audit fix
+        run: npm audit fix --force
+
+      - name: Create pull request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          if git diff --quiet; then
+            echo "No changes after npm audit fix, skipping PR creation"
+            exit 0
+          fi
+
+          BRANCH="npm-audit-fix-$(date +%Y%m%d)"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
+          git add package.json package-lock.json
+          git commit -m "chore(deps): npm audit fix"
+          git push origin "$BRANCH"
+
+          gh pr create \
+            --title "chore(deps): npm audit fix" \
+            --body "Automated security fixes via \`npm audit fix --force\`." \
+            --label "audit: fix" \
+            --base main \
+            --head "$BRANCH"
