# dependencies.yml | n1ch0las | 1493814938
# Dependency Updates and Security
name: Dependencies
on:
schedule:
# Weekly on Monday at 9am UTC
- cron: '0 9 * * 1'
workflow_dispatch:
permissions:
contents: write
pull-requests: write
env:
NODE_VERSION: '20'
PNPM_VERSION: '9'
jobs:
# =============================================================================
# Update Dependencies
# =============================================================================
update-deps:
name: Update Dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
- name: Check for updates
id: updates
run: |
pnpm outdated --format json > outdated.json || true
if [ -s outdated.json ]; then
echo "has_updates=true" >> $GITHUB_OUTPUT
else
echo "has_updates=false" >> $GITHUB_OUTPUT
fi
- name: Update dependencies
if: steps.updates.outputs.has_updates == 'true'
run: |
pnpm update --latest
pnpm install
- name: Run tests
if: steps.updates.outputs.has_updates == 'true'
run: |
pnpm build
pnpm test
continue-on-error: true
- name: Create PR
if: steps.updates.outputs.has_updates == 'true'
uses: peter-evans/create-pull-request@v8
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: 'chore(deps): update dependencies'
title: '⬆️ Update Dependencies'
body: |
## Automated Dependency Update
This PR updates project dependencies to their latest versions.
### Changes
See the diff for details on updated packages.
### Checklist
- [ ] Tests pass
- [ ] No breaking changes
- [ ] Reviewed changelog of major updates
branch: deps/update-dependencies
delete-branch: true
labels: dependencies
# =============================================================================
# Security Audit
# =============================================================================
security-audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Run audit
id: audit
run: |
pnpm audit --json > audit.json || true
if grep -q '"severity":"critical"' audit.json; then
echo "critical=true" >> $GITHUB_OUTPUT
else
echo "critical=false" >> $GITHUB_OUTPUT
fi
- name: Create issue for critical vulnerabilities
if: steps.audit.outputs.critical == 'true'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const audit = JSON.parse(fs.readFileSync('audit.json', 'utf8'));
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: '🚨 Critical Security Vulnerabilities Found',
body: `## Security Audit Alert\n\nCritical vulnerabilities were found in dependencies.\n\nPlease review and update affected packages immediately.`,
labels: ['security', 'critical']
});
# =============================================================================
# License Check
# =============================================================================
license-check:
name: License Check
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Check licenses
run: |
npx license-checker --summary || true
echo "✅ License check complete"
# ucm:n1ch52aa9fe9
