Created March 19, 2021 03:29
  • Save amacneil/60bf679f357bad9d62103cfdc86cbd74 to your computer and use it in GitHub Desktop.
GitHub Action to update yarn 2 `yarn.lock` on dependabot PRs
# Automatically save updated `yarn.lock` file for dependabot PRs.
# This is necessary because dependabot doesn't support Yarn v2 yet:
#
# Note: We use the `pull_request_target` event due to GitHub security measures.
#       It is important to ensure we don't execute any untrusted PR code in this context.
# See:
name: Dependabot

on:
  - pull_request_target

jobs:
  fix:
    name: fix
    runs-on: ubuntu-latest
    # Only run for PRs opened by dependabot on its npm/yarn branches.
    # (The left-hand operand of the first comparison was not preserved on this
    # page; `github.actor` is assumed here.)
    if: |
      github.actor == 'dependabot[bot]' &&
      contains(github.event.pull_request.head.ref, 'dependabot/npm_and_yarn/')
    # IMPORTANT: setting YARN_ENABLE_SCRIPTS=false is critical to ensure that untrusted
    # PRs can't add an npm package and then use that to execute untrusted code in
    # a trusted context. See links at the top of this workflow for further details.
    # See also:
    env:
      YARN_ENABLE_SCRIPTS: false
    steps:
      - uses: actions/checkout@v2
        with:
          # Using a Personal Access Token here is required to trigger workflows on our new commit.
          # The default GitHub token doesn't trigger any workflows.
          # See:
          token: ${{ secrets.DEPENDABOT_FIX_GITHUB_TOKEN }}
          ref: ${{ github.event.pull_request.head.ref }}
      - run: git lfs pull --include .yarn/
      - name: Configure Node.js
        uses: actions/setup-node@v2.1.5
        with:
          node-version: 15.x
      - name: Restore cache
        uses: actions/cache@v2.1.4
        with:
          # The cached path list was not preserved on this page; Yarn 2's
          # offline cache directory is assumed here.
          path: |
            .yarn/cache
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: ${{ runner.os }}-yarn-
      - run: yarn install --skip-builds
      - run: yarn dedupe
      - name: Commit yarn.lock
        run: |
          git config user.name "dependabot-fix"
          # Placeholder: the email value was not preserved on this page.
          git config user.email "REPLACE_WITH_BOT_EMAIL"
          git add yarn.lock
          git commit -m '[dependabot skip] Fix yarn.lock'
          git push
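The warning in the workflow comments (never execute untrusted PR code under `pull_request_target`) is the usual audit question for this trigger. The following Python script is an added example, not part of the gist: it applies three text-based checks to a workflow file, reporting whether the job that checks out the PR head is restricted to `dependabot[bot]`, whether an install step runs with lifecycle scripts still enabled (no `YARN_ENABLE_SCRIPTS: false` and no `--ignore-scripts`), and, as an informational note, whether a secret is handed to `actions/checkout`, which persists it into the workspace's `.git/config` by default. The regexes, the rule names and the three sample workflows are constructed for this example and assume a single-job workflow.

```python
"""Text-based audit of a GitHub Actions workflow for the pull_request_target
pattern used in the gist above.

Heuristic and single-job oriented (no YAML library required): it flags a workflow
that runs on `pull_request_target`, checks out the PR head (untrusted code), and
then runs a package-manager install that could execute lifecycle scripts, unless
the guards the gist relies on are present (an actor check on the job and
YARN_ENABLE_SCRIPTS=false, or --ignore-scripts for npm). The sample workflows
below are constructed for this example, not copied from any repository."""
import re
from typing import List

# Trigger that runs with the base repository's permissions and secrets.
PRT_RE = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$", re.M)
# actions/checkout pointed at the PR head: the untrusted tree lands in the workspace.
HEAD_CHECKOUT_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:ref|sha)")
# Job-level guard that restricts who can make the job run.
ACTOR_GUARD_RE = re.compile(
    r"github\.(?:actor|event\.pull_request\.user\.login)\s*==\s*'dependabot\[bot\]'")
# Install steps that may run postinstall/prepare scripts from the checked-out tree.
INSTALL_RE = re.compile(
    r"run:\s*(?:yarn(?:\s+install\b.*)?|npm\s+(?:install|ci|i)\b.*|pnpm\s+install\b.*)\s*$", re.M)
# Ways the lifecycle scripts get disabled.
SCRIPTS_OFF_RE = re.compile(r"YARN_ENABLE_SCRIPTS\s*:\s*['\"]?false['\"]?|--ignore-scripts\b")
# A secret handed to actions/checkout (persisted into .git/config by default).
CHECKOUT_TOKEN_RE = re.compile(r"token:\s*\$\{\{\s*secrets\.")


def lint_workflow(text: str) -> List[str]:
    """Return findings as 'SEVERITY:RULE' strings; an empty list means nothing to report."""
    findings: List[str] = []
    if not PRT_RE.search(text):
        return findings  # ordinary pull_request runs have no write token or secrets
    untrusted_tree = HEAD_CHECKOUT_RE.search(text) is not None
    guarded = ACTOR_GUARD_RE.search(text) is not None
    if untrusted_tree and not guarded:
        findings.append("HIGH:PRT-NO-ACTOR-GUARD")
    if untrusted_tree and INSTALL_RE.search(text) and not SCRIPTS_OFF_RE.search(text):
        findings.append("HIGH:PRT-INSTALL-SCRIPTS-ENABLED")
    if CHECKOUT_TOKEN_RE.search(text):
        findings.append("INFO:PRT-PAT-PERSISTED")
    return findings


# Constructed sample: mirrors the guards used in the gist's workflow.
GUARDED_WORKFLOW = """\
name: Dependabot
on:
  - pull_request_target
jobs:
  fix:
    runs-on: ubuntu-latest
    if: |
      github.actor == 'dependabot[bot]' &&
      contains(github.event.pull_request.head.ref, 'dependabot/npm_and_yarn/')
    env:
      YARN_ENABLE_SCRIPTS: false
    steps:
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.DEPENDABOT_FIX_GITHUB_TOKEN }}
          ref: ${{ github.event.pull_request.head.ref }}
      - run: yarn install --skip-builds
      - run: yarn dedupe
"""

# Constructed sample: same trigger and checkout, but both guards dropped.
UNGUARDED_WORKFLOW = """\
name: Dependabot
on:
  - pull_request_target
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.DEPENDABOT_FIX_GITHUB_TOKEN }}
          ref: ${{ github.event.pull_request.head.ref }}
      - run: yarn install
"""

# Constructed sample: plain pull_request, the trigger the commenter asks about.
PULL_REQUEST_WORKFLOW = """\
name: CI
on:
  pull_request:
    types:
      - opened
steps:
  - uses: actions/checkout@v2
  - run: yarn install
"""

if __name__ == "__main__":
    for label, wf in (("guarded", GUARDED_WORKFLOW), ("unguarded", UNGUARDED_WORKFLOW),
                      ("pull_request", PULL_REQUEST_WORKFLOW)):
        print(f"{label}: {lint_workflow(wf) or 'no findings'}")
```

The informational finding fires even for the guarded workflow: the PAT is needed so the pushed commit triggers other workflows, but it stays reachable by every later step of the job, which is exactly why the actor guard and the scripts kill switch have to hold.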

Any explanations why pull_request_target instead of pull_request?
Would this fit?

on:
  pull_request:
    types:
      - opened
    branches:
      - 'dependabot/**'


That is required to work around GitHub not allowing third party PRs write access to the repo (and they treat dependabot as third party)
