Potential fix for code scanning alert no. 12: Incomplete multi-charac… #12
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto Dependencies to Securite Branch | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize] | ||
| paths: | ||
| - 'package.json' | ||
| - 'package-lock.json' | ||
| - '.github/workflows/**' | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| issues: write | ||
| jobs: | ||
| auto-merge-to-securite: | ||
| runs-on: ubuntu-latest | ||
| if: ${{ startsWith(github.head_ref, 'dependabot/') || contains(github.head_ref, 'dependencies') }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Ensure securite branch exists | ||
| run: | | ||
| git fetch origin securite 2>/dev/null || git switch --create securite | ||
| git push origin securite || true | ||
| - name: Merge dependabot changes to securite branch | ||
| run: | | ||
| git config --global user.name 'ThePhoenixAgency' | ||
| git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}' | ||
| # Fetch the PR branch | ||
| git fetch origin ${{ github.head_ref }}:${{ github.head_ref }} || true | ||
| # Switch to securite and merge | ||
| git switch securite | ||
| git merge origin/${{ github.head_ref }} --no-edit || true | ||
| # Push to securite | ||
| git push origin securite | ||
| - name: Auto-approve dependabot PR | ||
| if: ${{ github.actor == 'dependabot[bot]' || startsWith(github.head_ref, 'dependabot/') }} | ||
| run: | | ||
| echo "Dependabot PR detected and merged to securite branch" | ||
| create-pr-to-main: | ||
| needs: auto-merge-to-securite | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: securite | ||
| fetch-depth: 0 | ||
| - name: Check if PR already exists | ||
| id: check-pr | ||
| run: | | ||
| # Get list of open PRs from securite to main | ||
| PR_COUNT=$(gh pr list --base main --head securite --state open --json number | jq 'length') | ||
| echo "pr_count=$PR_COUNT" >> $GITHUB_OUTPUT | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Create PR from securite to main | ||
| if: steps.check-pr.outputs.pr_count == '0' | ||
| run: | | ||
| git config --global user.name 'ThePhoenixAgency' | ||
| git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}' | ||
| # Check if there are new commits on securite not in main | ||
| NEW_COMMITS=$(git log main..securite --oneline | wc -l) | ||
| if [ "$NEW_COMMITS" -gt 0 ]; then | ||
| gh pr create \ | ||
| --base main \ | ||
| --head securite \ | ||
| --title "chore: dependency updates" \ | ||
| --body "Automated dependency and package updates from automated tools. | ||
| \## Changes | ||
| This PR includes automatic dependency updates validated in the securite branch. | ||
| \## Security | ||
| All dependency updates have been vetted for security vulnerabilities. | ||
| \## Testing | ||
| - [ ] Dependencies properly installed | ||
| - [ ] No breaking changes detected | ||
| - [ ] Application runs without errors" \ | ||
| --label "dependencies" \ | ||
| --label "automated" || echo "PR already exists" | ||
| fi | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| check-interdependencies: | ||
| runs-on: ubuntu-latest | ||
| if: ${{ contains(github.event.pull_request.labels.*.name, 'dependencies') || startsWith(github.head_ref, 'dependabot/') }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| - name: Check for dependency conflicts | ||
| id: check-conflicts | ||
| run: | | ||
| npm install --prefer-offline --no-audit 2>&1 | tee install.log || true | ||
| if grep -q "ERR!" install.log; then | ||
| echo "has_conflicts=true" >> $GITHUB_OUTPUT | ||
| echo "conflict_details=$(cat install.log)" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "has_conflicts=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| - name: Create issue for interdependency problems | ||
| if: steps.check-conflicts.outputs.has_conflicts == 'true' | ||
| run: | | ||
| gh issue create \ | ||
| --title "⚠️ Dependency Interdependency Issue Detected" \ | ||
| --body "A dependency conflict has been detected in the automated update process. | ||
| \## Details | ||
| \`\`\` | ||
| ${{ steps.check-conflicts.outputs.conflict_details }} | ||
| \`\`\` | ||
| \## Action Required | ||
| Please review the dependency conflicts and resolve manually if needed. | ||
| ## Notification | ||
| \Contact: ${{ secrets.GIT_AUTHOR_EMAIL }}" \ | ||
| --label "bug" \ | ||
| --label "dependencies" || echo "Issue creation skipped" | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
