Update Dependencies #35
| name: Update Dependencies | |
| on: | |
| schedule: | |
| - cron: '0 0 * * 1' # Every Monday at midnight UTC | |
| workflow_dispatch: # Allow manual triggering | |
| jobs: | |
| update-dependencies: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| - run: npm install | |
| # Fix security vulnerabilities | |
| - name: Run npm audit fix | |
| id: audit_fix | |
| continue-on-error: true | |
| run: npm audit fix | |
| # Update dependencies within semver ranges | |
| - run: npm update | |
| # Check for remaining vulnerabilities and fail on high/critical | |
| - name: Check for remaining vulnerabilities | |
| id: audit_check | |
| run: | | |
| # Get audit results as JSON | |
| npm audit --json > audit-report.json | |
| # Extract vulnerability counts by severity | |
| CRITICAL=$(jq '.metadata.vulnerabilities.critical // 0' audit-report.json) | |
| HIGH=$(jq '.metadata.vulnerabilities.high // 0' audit-report.json) | |
| MODERATE=$(jq '.metadata.vulnerabilities.moderate // 0' audit-report.json) | |
| LOW=$(jq '.metadata.vulnerabilities.low // 0' audit-report.json) | |
| echo "critical=$CRITICAL" >> $GITHUB_OUTPUT | |
| echo "high=$HIGH" >> $GITHUB_OUTPUT | |
| echo "moderate=$MODERATE" >> $GITHUB_OUTPUT | |
| echo "low=$LOW" >> $GITHUB_OUTPUT | |
| # Fail if there are critical or high severity vulnerabilities | |
| if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then | |
| echo "::error::Found $CRITICAL critical and $HIGH high severity vulnerabilities" | |
| npm audit | |
| exit 1 | |
| fi | |
| # Warn about moderate/low but don't fail | |
| if [ "$MODERATE" -gt 0 ] || [ "$LOW" -gt 0 ]; then | |
| echo "::warning::Found $MODERATE moderate and $LOW low severity vulnerabilities" | |
| npm audit | |
| fi | |
| # Check if package-lock.json has changed | |
| - name: Check for package-lock.json changes | |
| id: check_lockfile | |
| run: | | |
| git diff --exit-code package-lock.json || echo "lockfile_changed=true" >> $GITHUB_OUTPUT | |
| # Create PR for dependency updates if changed | |
| - name: Create PR for dependency updates | |
| if: steps.check_lockfile.outputs.lockfile_changed == 'true' | |
| run: | | |
| # Configure Git | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| # Create a new branch | |
| BRANCH_NAME="dependency-update-$(date +%Y%m%d%H%M%S)" | |
| git checkout -b $BRANCH_NAME | |
| # Commit changes | |
| git add package-lock.json | |
| git commit -m "chore: update dependencies and fix security vulnerabilities" | |
| # Push the branch | |
| git push --set-upstream origin $BRANCH_NAME | |
| # Create PR body with audit info | |
| PR_BODY="## Dependency Updates | |
| Automated dependency updates and security fixes. | |
| ### Security Audit Status | |
| " | |
| if [ "${{ steps.audit_check.outputs.moderate }}" -gt 0 ] || [ "${{ steps.audit_check.outputs.low }}" -gt 0 ]; then | |
| PR_BODY+="⚠️ Some low/moderate vulnerabilities remain (Critical: ${{ steps.audit_check.outputs.critical }}, High: ${{ steps.audit_check.outputs.high }}, Moderate: ${{ steps.audit_check.outputs.moderate }}, Low: ${{ steps.audit_check.outputs.low }}) | |
| These are acceptable risk levels. Run \`npm audit\` locally to review details. | |
| " | |
| else | |
| PR_BODY+="✅ No vulnerabilities found | |
| " | |
| fi | |
| PR_BODY+=" | |
| ### Next Steps | |
| - Review changes in package-lock.json | |
| - Run tests to ensure nothing broke | |
| - Create changesets if packages need republishing" | |
| # Create PR with helpful labels and instructions | |
| gh pr create --title "Update dependencies $(date +%Y-%m-%d)" \ | |
| --body "$PR_BODY" \ | |
| --label "dependencies" \ | |
| --label "security" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: No changes needed | |
| if: steps.check_lockfile.outputs.lockfile_changed != 'true' | |
| run: echo "Dependencies are up to date - no changes needed" |
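Review bot: Line 36's `npm audit --json > audit-report.json` exits non-zero whenever npm reports any vulnerability at all, and a `run: |` step on ubuntu-latest executes under bash with `-e`, so the step aborts before the jq extraction and the `$GITHUB_OUTPUT` writes ever run; the moderate/low warning branch at lines 53-56 is therefore unreachable, the audit outputs consumed at lines 82-83 stay unset, and the bare `npm audit` at line 55 would abort the step the same way (line 49 is already on a failing path, so it is unaffected). Capture the report without letting the exit code end the step and validate it instead, e.g. `npm audit --json > audit-report.json || true`, then `jq -e '.metadata.vulnerabilities' audit-report.json > /dev/null || { echo "::error::npm audit did not produce vulnerability metadata"; exit 1; }` so a registry or network failure is not silently reported as zero findings, and `npm audit || true` on line 55 (alternatively `--audit-level=none` on the JSON call, if the installed npm accepts it). The PR body at lines 82-83 interpolates `${{ steps.audit_check.outputs.* }}` directly into the shell script; the values appear to be jq-derived numbers today, so this is hygiene rather than an exploitable gap, but passing them through the step's `env:` block next to `GITHUB_TOKEN` and referencing them as `$AUDIT_MODERATE` etc. keeps the script free of expression interpolation by construction. Note also that a pull request opened with the repository `GITHUB_TOKEN` does not trigger other workflows, so the "Run tests" item in the PR body will need a manual push or a differently scoped token if CI checks are expected to run on that PR.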