@Purpzie
Last active May 6, 2023 13:22
Action to update pnpm-lock.yaml when Dependabot opens a PR. Be warned that this may cause lots of merge conflicts.
# https://github.com/dependabot/dependabot-core/issues/1736
name: Dependabot
on: pull_request_target
permissions: read-all
jobs:
  update-lockfile:
    runs-on: ubuntu-latest
    # Only run for PRs opened by Dependabot; everything else is skipped.
    if: ${{ github.actor == 'dependabot[bot]' }}
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: pnpm/action-setup@v2
        with:
          version: ^7
      - uses: actions/checkout@v3
        with:
          # Check out the PR branch so the updated lockfile can be pushed back to it.
          ref: ${{ github.event.pull_request.head.ref }}
      # Regenerate pnpm-lock.yaml from the package.json Dependabot just changed.
      - run: pnpm i --lockfile-only
      - run: |
          git config --global user.name github-actions[bot]
          git config --global user.email github-actions[bot]@users.noreply.github.com
          git add pnpm-lock.yaml
          git commit -m "Update pnpm-lock.yaml"
          git push
@TakitoTech

Does this work, or is this pending the feature request from dependabot/dependabot-core#1736?

@Purpzie
Author

Purpzie commented Jun 27, 2022

This works; it only exists because Dependabot doesn't support pnpm yet. Once it does, this will likely break.

@armenr

armenr commented Jul 11, 2022

Wow. @Purpzie - You deserve a gold medal for this. Thank you!

@donferi

donferi commented Jul 15, 2022

Thanks for this. The main issue I see is that Dependabot also opens PRs for transitive dependencies. This action can't do much about those, right? It will only work for the ones that change package.json.

@Purpzie
Author

Purpzie commented Jul 17, 2022

@donferi Yes, currently that's a limitation of dependabot not having proper pnpm support yet.

I wonder... You could maybe force it to work by having a regular package-lock.json in your repository. Since dependabot would keep that up to date, this action would trigger for transitive dependencies, and you never need to stop using pnpm locally (except to generate package-lock.json the first time). Just make sure anyone working on the repo knows to use pnpm instead of npm.

@jvanderen1

I was running into some workflow issues with this approach. The only thing I would recommend adding is a Personal Access Token to ensure that push workflows are called properly.
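
A variant of the gist's workflow, added here as an example rather than taken from the gist or its comments, that applies the PAT suggestion above so the pushed commit triggers the repository's other workflows, and commits only when pnpm actually changed the lockfile. It assumes a repository secret named DEPENDABOT_PAT (a name chosen for this example) holding a token with contents write access to the repository.

```yaml
# Added example: a variant of the gist's workflow, not the gist itself.
# Assumes a repo secret DEPENDABOT_PAT (hypothetical name) with contents:write
# on this repository. Commits pushed with a PAT trigger the repo's other
# workflows; pushes made with the default GITHUB_TOKEN deliberately do not.
name: Dependabot
on: pull_request_target
permissions: read-all
jobs:
  update-lockfile:
    runs-on: ubuntu-latest
    # pull_request_target runs with base-repository credentials, so this guard
    # is what keeps the job from checking out and acting on other actors' PRs.
    if: ${{ github.actor == 'dependabot[bot]' }}
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: pnpm/action-setup@v2
        with:
          version: ^7
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          # checkout persists this token in the repo's git config, so the
          # `git push` below authenticates with the PAT instead of GITHUB_TOKEN.
          token: ${{ secrets.DEPENDABOT_PAT }}
      - run: pnpm i --lockfile-only
      - run: |
          git config --global user.name github-actions[bot]
          git config --global user.email github-actions[bot]@users.noreply.github.com
          git add pnpm-lock.yaml
          # Commit only when the lockfile really changed: `git commit` exits
          # non-zero on an empty index, which would fail the whole job.
          if git diff --cached --quiet; then
            echo "pnpm-lock.yaml already up to date"
            exit 0
          fi
          git commit -m "Update pnpm-lock.yaml"
          git push
```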

@schirato

schirato commented Aug 19, 2022

Hi, using the code in the project, I got an error when trying to update a repo over ssh. The error is shown below:

ERROR  Command failed with exit code 128: git ls-remote --refs git+ssh://git@github.com/xxxxxxxx/xxxxxxx.git
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Can you help me with this error?
