Automatically save updated `yarn.lock` file for dependabot PRs. This is necessary because dependabot doesn't support Yarn v2 yet.
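# Inspired by https://gist.github.com/amacneil/60bf679f357bad9d62103cfdc86cbd74
# Automatically save updated `yarn.lock` file for dependabot PRs.
# This is necessary because dependabot doesn't support Yarn v2 yet:
# https://github.com/dependabot/dependabot-core/issues/1297
#
# Note: We use the `pull_request_target` event due to GitHub security measures.
# It is important to ensure we don't execute any untrusted PR code in this context.
# See: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests
name: Dependabot add web yarn.lock
on:
  pull_request_target:
    paths:
      - 'web/**'
jobs:
  build:
    name: fix
    runs-on: ubuntu-18.04
    # Gate on both the triggering actor and the branch naming scheme: this job
    # checks out the PR head with a write-capable token, so it must only run for
    # branches dependabot itself created.
    if: |
      github.actor == 'dependabot[bot]' &&
      contains(github.event.pull_request.head.ref, 'dependabot/npm_and_yarn/')
    # IMPORTANT: setting YARN_ENABLE_SCRIPTS=false is critical to ensure that untrusted
    # PRs can't add an npm package and then use that to execute untrusted code in
    # a trusted context. See links at the top of this workflow for further details.
    # See also: https://github.com/yarnpkg/berry/issues/1679#issuecomment-669937860
    # Quoted so the values reach Yarn as the literal strings it expects rather
    # than being re-typed as YAML booleans by intermediate tooling.
    env:
      YARN_ENABLE_SCRIPTS: "false"
      YARN_ENABLE_IMMUTABLE_INSTALLS: "false"
    steps:
      - uses: actions/checkout@v2
        with:
          # Using a Personal Access Token here is required to trigger workflows on our new commit.
          # The default GitHub token doesn't trigger any workflows.
          # See: https://github.community/t/push-from-action-does-not-trigger-subsequent-action/16854/2
          token: ${{ secrets.REPO_ACCESS_TOKEN }}
          ref: ${{ github.event.pull_request.head.ref }}
          # Need fetch-depth in order to soft reset the most recent commit.
          fetch-depth: 2
      - uses: actions/setup-node@v2
        with:
          node-version: '14.17'
      # Undo yarn.lock changes from last commit (if any), run yarn install,
      # and add/commit any yarn.lock changes. Dependabot will commit an invalid
      # yarn.lock file for dependency changes in the root package.json. `yarn install`
      # will not work with an invalid yarn.lock file.
      - name: Install and commit yarn.lock
        working-directory: ./web
        # The PR title is handed to the script through an environment variable
        # instead of being interpolated into `run`: `${{ ... }}` is expanded into
        # the script text before bash executes it, so a quote character in the
        # title would otherwise become shell syntax in a job that holds
        # REPO_ACCESS_TOKEN. Reading it as "$PR_TITLE" keeps it data.
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          git config user.name "[name]"
          git config user.email "[email]"
          git reset --soft HEAD~1
          git restore --staged yarn.lock
          git checkout -- yarn.lock
          yarn install
          git add yarn.lock
          git commit -m "$PR_TITLE"
          git push -f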