name: Dependency Management
on:
schedule:
# Run weekly on Mondays at 9 AM UTC
- cron: '0 9 * * 1'
workflow_dispatch:
permissions:
contents: write
pull-requests: write
jobs:
update-dependencies:
name: Update Dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Check for outdated packages
run: |
echo "## Outdated Packages" > outdated-report.md
npm outdated --json > outdated.json || true
if [ -s outdated.json ]; then
echo "Found outdated packages"
cat outdated.json
else
echo "All packages are up to date"
fi
- name: Update patch and minor versions
run: |
npm update
npm audit fix --audit-level=moderate || true
- name: Run tests after updates
run: |
npm run build
npm test
- name: Create Pull Request
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: 'chore(deps): update dependencies'
title: 'chore(deps): automated dependency updates'
body: |
## Automated Dependency Updates
This PR contains automated updates for patch and minor version dependencies.
### Changes
- Updated npm dependencies to latest compatible versions
- Applied security fixes where available
- All tests passing after updates
### Verification
- [x] Build successful
- [x] Tests passing
- [x] Security audit clean
**Note**: This PR was created automatically. Please review changes before merging.
branch: chore/dependency-updates
delete-branch: true
security-audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run security audit
run: |
echo "## Security Audit Report" > security-report.md
npm audit --audit-level=low --json > audit.json || true
if [ -s audit.json ]; then
echo "Security vulnerabilities found:"
cat audit.json | jq '.vulnerabilities'
# Create issue if vulnerabilities found
echo "VULNERABILITIES_FOUND=true" >> $GITHUB_ENV
else
echo "No security vulnerabilities found"
echo "VULNERABILITIES_FOUND=false" >> $GITHUB_ENV
fi
- name: Create security issue
if: env.VULNERABILITIES_FOUND == 'true'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const auditData = JSON.parse(fs.readFileSync('audit.json', 'utf8'));
const vulnerabilities = Object.values(auditData.vulnerabilities || {});
const highSeverity = vulnerabilities.filter(v => v.severity === 'high' || v.severity === 'critical');
if (highSeverity.length > 0) {
const issueBody = `
## 🚨 Security Vulnerabilities Detected
High or critical severity vulnerabilities have been found in dependencies.
### Summary
- Total vulnerabilities: ${vulnerabilities.length}
- High/Critical: ${highSeverity.length}
### Action Required
Please run \`npm audit fix\` to resolve these issues.
### Details
\`\`\`json
${JSON.stringify(highSeverity, null, 2)}
\`\`\`
`;
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: '🚨 Security Vulnerabilities Detected',
body: issueBody,
labels: ['security', 'high-priority']
});
}
