chore: integrate npm-lockfile-changes action #846
Conversation
achou11
force-pushed
the
ac/lockfile-changes-ci
branch
from
2a9cbf6
to
1b3f796
Compare
| on: | ||
| pull_request: | ||
| paths: | ||
| - 'package-lock.json' |
There was a problem hiding this comment.
highlighting this since it's kind of out of scope for the PR and could be reverted if not desired. Figured it would be worth doing to save a few CPU cycles though 😄
There was a problem hiding this comment.
I'm fine with including this.
There was a problem hiding this comment.
Looks good, however as a post-merge-task I think we should setup a Github app for this and generate a token, see https://github.com/digidem/release-automations/blob/7eddab75ddec8324c17d532ae3b96bbd60182c60/.github/workflows/build-rc.yml#L62-L67 - we can create a new Github App for this workflow. This gives more refined control over permissions, and controls the name and icon of the actor creating the comments on the PR.
.github/workflows/lockfile.yml
Outdated
| uses: actions/checkout@v4 | ||
| - name: NPM Lockfile Changes | ||
| # The original doesn't support v3 lockfiles so we use a fork that adds support for them | ||
| uses: rvanvelzen/npm-lockfile-changes@main |
There was a problem hiding this comment.
For the sake of security, maybe pin to a specific commit?
| on: | ||
| pull_request: | ||
| paths: | ||
| - 'package-lock.json' |
There was a problem hiding this comment.
I'm fine with including this.
Addressed with Gregor's help and code changes in f9a0c06 |
|
Seems like the action is failing, not clear why |
Where are you seeing this? Wouldn't expect this to run on this PR due to the change related to only running based on the lockfile changing |
|
@gmaclennan see the example of the integration working in #853 |
Uses a fork (https://github.com/rvanvelzen/npm-lockfile-changes) of the original action (https://github.com/codepunkt/npm-lockfile-changes) because the original does not seem to work with v3 lockfiles.
Uses the action's default values for inputs for now (https://github.com/marketplace/actions/npm-lockfile-changes#-inputs)
Also omits the
permissionsconfiguration since we don't use dependabot (https://github.com/marketplace/actions/npm-lockfile-changes#the-action-fails-on-the-dependabot-pull-requests). My understanding is that we don't need to specify as a result, but could be wrong.Out of scope, but also updated this workflow to only run when the pull request changes the
package-lock.jsonfile, as opposed to anytime a pull request is opened. Happy to revert if not desired.