chore: Add automated npm dependency update workflow #6969
Co-authored-by: louislam <1336778+louislam@users.noreply.github.com>
Pull request overview
Adds a scheduled GitHub Actions workflow to automatically run npm update on master daily and open/refresh a dependency update pull request for maintainers to review.
Changes:
- Introduces a new scheduled/manual workflow to run `npm update` daily.
- Detects `package-lock.json` changes, commits them, and force-pushes to an `npm-update` branch.
- Creates a PR (if one doesn't already exist) from `npm-update` into `master`.
```yaml
      - name: Run npm update
        run: npm update
```
npm update will materialize node_modules on the runner even though only package-lock.json is committed. To reduce runtime/disk usage (and typically avoid running install scripts), consider using a lockfile-only update mode (e.g., updating just package-lock.json) so the job focuses on generating the PR diff rather than performing a full install/update.
Suggested change:

```diff
-      - name: Run npm update
-        run: npm update
+      - name: Run npm update (lockfile only)
+        run: npm update --package-lock-only
```
```yaml
      - name: Checkout master branch
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: master
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Node.js
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: 20

      - name: Run npm update
        run: npm update
```
The workflow checks out with persisted GitHub credentials and then runs npm update, which can execute dependency lifecycle scripts. With contents: write / pull-requests: write, this increases the blast radius of a supply-chain compromise (scripts could potentially read persisted credentials and push/modify PRs). Consider checking out with persist-credentials: false and only injecting the token in the specific steps that need it (push/gh), to keep write credentials out of the workspace during npm update.
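The two review points above (lockfile-only update, write token kept out of the workspace during `npm update`) applied to the same steps, as an added example rather than the workflow from this PR. The `--ignore-scripts` flag, the commit/push step, the bot identity and the `npm-update` branch handling are assumptions based on the PR overview, not code from the PR.

```yaml
# Added example, not the PR's workflow: weak step kept as a comment beside the hardened form.
permissions:
  contents: write
  pull-requests: write

jobs:
  npm-update:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout master branch
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: master
          persist-credentials: false   # no token written to .git/config for dependency scripts to read

      - name: Setup Node.js
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: 20

      # Weak form (as in the PR): full install, lifecycle scripts run, token present in workspace
      # - name: Run npm update
      #   run: npm update

      - name: Run npm update (lockfile only, no lifecycle scripts)
        run: npm update --package-lock-only --ignore-scripts   # --ignore-scripts is an assumed addition

      - name: Commit and force-push lockfile changes
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # token injected only into the step that pushes
        run: |
          if git diff --quiet -- package-lock.json; then
            echo "No lockfile changes"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B npm-update
          git add package-lock.json
          git commit -m "chore: update npm dependencies"
          # assumed push form: token passed on the URL for this one command, never persisted
          git push --force "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" npm-update
```

The PR-creation step (`gh`) would receive the token the same way, as a step-level `env`, so it is never available to `npm update`.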
Runs `npm update` daily and creates a pull request.