-
Notifications
You must be signed in to change notification settings - Fork 3
69 lines (57 loc) · 2.41 KB
/
npm-audit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Npm audit
on:
workflow_dispatch:
schedule:
- cron: '0 12 * * 0' # Run every fortnight on Sunday at 12
jobs:
npm_audit:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run npm audit
id: npm_audit
run: |
find public/modules/custom public/themes/custom -type f -name ".nvmrc" -exec sh -c '
dir=$(dirname "$1")
node_version=$(cat "$1")
echo "Using Node.js version $node_version in $dir"
cd "$dir"
export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
nvm install $node_version
nvm use $node_version
set +e
npm audit --package-lock-only --loglevel=error;
# The npm audit command will exit with a 0 exit code if no vulnerabilities were found.
if [ $? -gt 0 ]; then
npm audit fix --package-lock-only --loglevel=error;
if [ $? -gt 0 ]; then
echo "BC_BREAK=:exclamation: NPM Audit fix could not fix all vulnerabilities. Fix them manually by running \`npm audit fix --force\` and test the functionalities thoroughly as there might be breaking changes. :exclamation:" >> $GITHUB_ENV;
fi;
echo "CREATE_PR=true" >> $GITHUB_OUTPUT;
fi;
set -e
' sh {} \;
- name: Create Pull Request
if: steps.npm_audit.outputs.CREATE_PR == 'true'
uses: peter-evans/create-pull-request@v4
with:
committer: GitHub <[email protected]>
author: actions-bot <[email protected]>
commit-message: Updated node modules based on npm audit fix
title: Automatic npm audit fix
labels: auto-update
body: |
# Npm audit
${{ env.BC_BREAK }}
## How to install
* Update the HDBT theme
* `git fetch --all`
* `git checkout automation/npm-audit`
* `git pull origin automation/npm-audit`
* In the custom module or custom theme folder, run `nvm use && npm i && npm run build`
## How to test
Run `npm audit`
* [ ] Check that the `npm audit` prints `found 0 vulnerabilities`
* [ ] Check that the changes for distributed files are sensible
branch: automation/npm-audit