chore: (deps): bump sanitize-html from 2.17.0 to 2.17.1 #42
Workflow file for this run
# ⚠️ DO NOT MODIFY THIS FILE DIRECTLY ⚠️
# This workflow is a dependency of the Dependabot Secure Flow Action.
# Upstream Repository: https://github.com/EthanThePhoenix38/dependabot-secure-flow
# Marketplace Action: https://github.com/marketplace/actions/dependabotsecureflow
#
# If you need to make changes, please open an issue in the upstream repository:
# https://github.com/EthanThePhoenix38/dependabot-secure-flow/issues/new
#
# This ensures that changes can be propagated automatically to this and other repositories.
# --------------------------------------------------------------------------------
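name: Dependabot Secure Flow

on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - 'package.json'
      - 'package-lock.json'
      - '.github/workflows/**'
  workflow_dispatch:

# Write scopes are required because this flow pushes to the `security` branch,
# closes PRs and deletes their branches. For pull_request runs from forks GitHub
# caps the token at read-only regardless of what is declared here; for Dependabot
# PRs (read-only by default) this explicit block is what restores write access.
permissions:
  contents: write
  pull-requests: write
  issues: write

jobs:
  # Stage 1: build-validate the PR head. Emits should_merge=true only when
  # `npm install` and `npm run build` both succeeded; on failure the PR is
  # labelled and closed.
  check-interdependencies:
    runs-on: ubuntu-latest
    if: ${{ contains(github.event.pull_request.labels.*.name, 'dependencies') || startsWith(github.head_ref, 'dependabot/') }}
    outputs:
      should_merge: ${{ steps.outcome.outputs.result }}
    steps:
      - name: Checkout repository
        # NOTE(review): supply-chain hygiene suggests pinning third-party actions
        # to a full commit SHA rather than a mutable tag (here and in the other
        # jobs); left as-is because no SHA is recorded in this file.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # This job executes dependency lifecycle scripts (npm install) from
          # the PR. Keep the GITHUB_TOKEN out of .git/config so a malicious
          # postinstall cannot read it; nothing in this job pushes via git.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Auto-Correction & Validation (Install & Build)
        id: validate
        continue-on-error: true
        # NOTE(review): `npm install` runs every dependency's install scripts.
        # `--ignore-scripts` would be safer if the build tolerates it — confirm
        # against the project's build before changing.
        run: |
          npm install --prefer-offline --no-audit
          npm run build
      - name: Enforce Silent Correction
        id: outcome
        if: always()
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Expression values are passed via env rather than interpolated into
          # the script so the shell never parses template output.
          VALIDATE_OUTCOME: ${{ steps.validate.outcome }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Retry a command up to 5 times with exponential backoff (2s, 4s, ...).
          gh_retry() {
            local tries=0
            local max=5
            local delay=2
            while ! "$@"; do
              tries=$((tries + 1))
              if [ "$tries" -ge "$max" ]; then
                return 1
              fi
              sleep "$delay"
              delay=$((delay * 2))
            done
          }
          if [ "$VALIDATE_OUTCOME" = "failure" ]; then
            if [ -n "$PR_NUMBER" ]; then
              # NOTE(review): a failed *security* update is closed and its branch
              # deleted, which leaves the unpatched vulnerability with no open
              # tracking item. Opening an issue here (issues: write is already
              # granted) would keep it visible — confirm with the upstream action.
              gh_retry gh pr edit "$PR_NUMBER" --add-label "skipped-vulnerability" || true
              gh_retry gh pr close "$PR_NUMBER" --comment "Auto-Correction: Build validation failed. Closing PR." --delete-branch || true
            fi
            echo "result=false" >> "$GITHUB_OUTPUT"
          else
            echo "result=true" >> "$GITHUB_OUTPUT"
          fi

  # Stage 2: merge the validated PR branch into the long-lived `security`
  # batch branch, then close the Dependabot PR.
  auto-merge-to-security:
    runs-on: ubuntu-latest
    needs: check-interdependencies
    # Only in-repo branches are merged: a fork's head_ref is chosen by the
    # submitter and trivially satisfies the 'dependencies' substring test.
    if: ${{ needs.check-interdependencies.outputs.should_merge == 'true' && github.event.pull_request.head.repo.full_name == github.repository && (startsWith(github.head_ref, 'dependabot/') || contains(github.head_ref, 'dependencies')) }}
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    # Force serial execution so concurrent PRs do not race on the same branch.
    concurrency:
      group: secure-flow-merge
      cancel-in-progress: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Ensure security branch exists
        run: |
          if git fetch origin security 2>/dev/null; then
            echo "security branch already exists on origin."
          else
            # First run: seed `security` from the checked-out ref and publish it.
            git switch --create security
            git push origin security
          fi
      - name: Merge dependabot changes to security branch
        env:
          # Passed through the environment, never interpolated into the script:
          # a branch name is user-controlled text and would otherwise be a shell
          # injection vector.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          # Explicit refs/heads/ prefix prevents the branch name being read as an option.
          git fetch origin "refs/heads/$HEAD_REF"
          git switch security
          # No `|| true` here: a conflicting merge must fail the job, otherwise the
          # PR would be closed with a "merged" comment while nothing landed.
          git merge --no-edit FETCH_HEAD
          git push origin security
      - name: Close and Delete Dependabot Branch
        if: ${{ github.actor == 'dependabot[bot]' || startsWith(github.head_ref, 'dependabot/') }}
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Retry a command up to 5 times with exponential backoff (2s, 4s, ...).
          gh_retry() {
            local tries=0
            local max=5
            local delay=2
            while ! "$@"; do
              tries=$((tries + 1))
              if [ "$tries" -ge "$max" ]; then
                return 1
              fi
              sleep "$delay"
              delay=$((delay * 2))
            done
          }
          echo "Closing PR #${PR_NUMBER} and deleting branch..."
          gh_retry gh pr close "$PR_NUMBER" --delete-branch --comment "✅ Merged into **security** branch for batch processing."

  # Stage 3: stamp the docs on `security` and open (at most one) batch PR to main.
  create-pr-to-main:
    needs: auto-merge-to-security
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: security
          fetch-depth: 0
      - name: Update Documentation Timestamp
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          DATE=$(date -u +"%Y-%m-%d %H:%M UTC")
          # 1. Update timestamp in README (no-op when the file or marker is absent).
          if [ -f README.md ]; then
            sed -i "s/Last updated: .*/Last updated: $DATE/g" README.md
          fi
          # 2. Add entry to CHANGELOG under "### Added" when that heading exists,
          #    otherwise append. sed's `a` command exits 0 even when its address
          #    never matches, so it cannot serve as the fallback test itself.
          LOG_ENTRY="- **$DATE**: Automated Security Batch Update (DependabotSecureFlow)"
          if [ -f CHANGELOG.md ]; then
            if grep -q '### Added' CHANGELOG.md; then
              sed -i "/### Added/a $LOG_ENTRY" CHANGELOG.md
            else
              echo "$LOG_ENTRY" >> CHANGELOG.md
            fi
          fi
          # `git add` aborts on a pathspec that matches nothing, so stage only
          # the files that exist.
          for doc in README.md CHANGELOG.md; do
            if [ -f "$doc" ]; then
              git add -- "$doc"
            fi
          done
          if git diff --staged --quiet; then
            echo "No documentation changes needed."
          else
            git commit -m "docs: update release timestamp and changelog"
            git push origin security
          fi
      - name: Check if PR already exists
        id: check-pr
        run: |
          # Retry a command up to 5 times with exponential backoff (2s, 4s, ...).
          gh_retry() {
            local tries=0
            local max=5
            local delay=2
            while ! "$@"; do
              tries=$((tries + 1))
              if [ "$tries" -ge "$max" ]; then
                return 1
              fi
              sleep "$delay"
              delay=$((delay * 2))
            done
          }
          # Target MAIN instead of master
          PR_COUNT=$(gh_retry gh pr list --base main --head security --state open --json number | jq 'length')
          echo "pr_count=$PR_COUNT" >> "$GITHUB_OUTPUT"
      - name: Create PR from security to main
        if: steps.check-pr.outputs.pr_count == '0'
        run: |
          # Retry a command up to 5 times with exponential backoff (2s, 4s, ...).
          gh_retry() {
            local tries=0
            local max=5
            local delay=2
            while ! "$@"; do
              tries=$((tries + 1))
              if [ "$tries" -ge "$max" ]; then
                return 1
              fi
              sleep "$delay"
              delay=$((delay * 2))
            done
          }
          # This checkout is `ref: security`, so `main` exists here only as the
          # remote-tracking ref origin/main; a bare `main` would not resolve.
          NEW_COMMITS=$(git rev-list --count origin/main..security)
          if [ "$NEW_COMMITS" -gt 0 ]; then
            gh_retry gh pr create \
              --base main \
              --head security \
              --title "chore: dependency updates batch" \
              --body "Automated dependency updates validated in the security branch." \
              --label "dependencies" \
              --label "automated" || echo "PR already exists"
          fi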