# ⚠️ DO NOT MODIFY THIS FILE DIRECTLY ⚠️
# This workflow is a dependency of the Dependabot Secure Flow Action.
# Upstream Repository: https://github.com/EthanThePhoenix38/dependabot-secure-flow
# Marketplace Action: https://github.com/marketplace/actions/dependabotsecureflow
#
# If you need to make changes, please open an issue in the upstream repository:
# https://github.com/EthanThePhoenix38/dependabot-secure-flow/issues/new
#
# This ensures changes can be propagated automatically to this and other repositories.
# --------------------------------------------------------------------------------
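name: Dependabot Secure Flow

on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - 'package.json'
      - 'package-lock.json'
      - '.github/workflows/**'
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job below. Note that the validation job
# executes code taken from the PR (package.json scripts, dependency lifecycle
# scripts), so it is written so that no writable token is reachable from those
# steps (see check-interdependencies).
permissions:
  contents: write
  pull-requests: write
  issues: write

jobs:
  # Stage 1: install + build the PR to decide whether it may be batched.
  # Runs for PRs labelled `dependencies` or on a `dependabot/` branch; a failed
  # build closes the PR. This is the only job that runs untrusted code.
  check-interdependencies:
    runs-on: ubuntu-latest
    if: ${{ contains(github.event.pull_request.labels.*.name, 'dependencies') || startsWith(github.head_ref, 'dependabot/') }}
    outputs:
      should_merge: ${{ steps.outcome.outputs.result }}
    steps:
      - name: Checkout repository
        # NOTE(review): consider pinning action versions to a full commit SHA
        # rather than a mutable tag.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # By default the checkout stores GITHUB_TOKEN in .git/config, where
          # any npm install/build script from the PR could read it and push
          # with the write permissions declared above. Nothing in this job
          # needs git credentials, so do not persist them.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Auto-Correction & Validation (Install & Build)
        id: validate
        # A failure is recorded in steps.validate.outcome and handled below
        # instead of failing the job.
        continue-on-error: true
        run: |
          npm install --prefer-offline --no-audit
          npm run build
      - name: Enforce Silent Correction
        id: outcome
        if: always()
        # GITHUB_TOKEN is scoped to this step only; it is never in the
        # environment of the npm steps above.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VALIDATE_OUTCOME: ${{ steps.validate.outcome }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          if [ "$VALIDATE_OUTCOME" = "failure" ]; then
            if [ -n "$PR_NUMBER" ]; then
              # The label may not exist in this repository; do not let a
              # labelling error prevent the PR from being closed.
              gh pr edit "$PR_NUMBER" --add-label "skipped-vulnerability" || echo "::warning::could not add label skipped-vulnerability"
              gh pr close "$PR_NUMBER" --comment "🚫 **Auto-Correction**: Build validation failed. Closing PR." --delete-branch || true
            fi
            echo "result=false" >> "$GITHUB_OUTPUT"
          else
            echo "result=true" >> "$GITHUB_OUTPUT"
          fi

  # Stage 2: merge a validated Dependabot PR into the `securite` batch branch
  # and close the original PR.
  auto-merge-to-securite:
    runs-on: ubuntu-latest
    needs: check-interdependencies
    # A branch name or label is not proof of who authored the PR: anyone with
    # push access can name a branch `dependabot/...` or add a label. Because
    # this job pushes to `securite` without review, additionally require that
    # the triggering actor is Dependabot itself (the same check the close step
    # already uses).
    if: ${{ needs.check-interdependencies.outputs.should_merge == 'true' && github.actor == 'dependabot[bot]' && (startsWith(github.head_ref, 'dependabot/') || contains(github.head_ref, 'dependencies')) }}
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
    # Force serial execution to prevent conflicts on `securite`.
    concurrency:
      group: secure-flow-merge
      cancel-in-progress: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Ensure securite branch exists
        run: |
          # First run: create the batch branch from main, which is the branch
          # the batch PR later targets. (Previously it was created from the
          # currently checked-out PR merge commit -- confirm upstream that main
          # is the intended base.) Later runs reuse the existing branch.
          if ! git fetch origin securite 2>/dev/null; then
            git fetch origin main
            git switch --create securite origin/main
            git push origin securite
          fi
      - name: Merge dependabot changes to securite branch
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          # Fetch the PR head by number. This avoids interpolating
          # github.head_ref (attacker-controlled text) into the shell, and
          # also works when the head branch is not in this repository.
          git fetch origin "refs/pull/${PR_NUMBER}/head"
          git switch securite
          # A merge conflict must fail the job: the next step closes the PR and
          # deletes its branch, so swallowing the error here would silently
          # drop the update while commenting that it was merged.
          if ! git merge --no-edit FETCH_HEAD; then
            git merge --abort || true
            echo "::error::Merge of PR #${PR_NUMBER} into securite conflicted; leaving the PR open."
            exit 1
          fi
          git push origin securite
      - name: Close and Delete Dependabot Branch
        if: ${{ github.actor == 'dependabot[bot]' || startsWith(github.head_ref, 'dependabot/') }}
        run: |
          echo "Closing PR #${PR_NUMBER} and deleting branch..."
          gh pr close "$PR_NUMBER" --delete-branch --comment "✅ Merged into **securite** branch for batch processing."

  # Stage 3: refresh the docs timestamp on `securite` and open the batch PR
  # securite -> main if one is not already open.
  # NOTE(review): this job also pushes to `securite` but is not in the
  # `secure-flow-merge` concurrency group; two overlapping runs could race.
  create-pr-to-main:
    needs: auto-merge-to-securite
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: securite
          fetch-depth: 0
      - name: Update Documentation Timestamp
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          DATE=$(date -u +"%Y-%m-%d %H:%M UTC")
          # 1. Update timestamp in README (missing file or marker is not an error)
          sed -i "s/Last updated: .*/Last updated: $DATE/g" README.md || true
          # 2. Add entry to CHANGELOG, after the "### Added" heading when present,
          #    otherwise appended. sed exits 0 even when the address matched
          #    nothing, so the fallback has to be an explicit grep.
          LOG_ENTRY="- **$DATE**: Automated Security Batch Update (DependabotSecureFlow)"
          if [ -f CHANGELOG.md ]; then
            if grep -q '### Added' CHANGELOG.md; then
              sed -i "/### Added/a $LOG_ENTRY" CHANGELOG.md
            else
              echo "$LOG_ENTRY" >> CHANGELOG.md
            fi
          fi
          # git add fails on a pathspec that does not exist; stage only files
          # that are actually present.
          for f in README.md CHANGELOG.md; do
            if [ -f "$f" ]; then
              git add -- "$f"
            fi
          done
          if git diff --staged --quiet; then
            echo "No documentation changes needed."
          else
            git commit -m "docs: update release timestamp and changelog"
            git push origin securite
          fi
      - name: Check if PR already exists
        id: check-pr
        run: |
          # Target MAIN instead of master
          PR_COUNT=$(gh pr list --base main --head securite --state open --json number | jq 'length')
          echo "pr_count=$PR_COUNT" >> "$GITHUB_OUTPUT"
      - name: Create PR from securite to main
        if: steps.check-pr.outputs.pr_count == '0'
        run: |
          # actions/checkout only creates a local branch for the checked-out
          # ref (securite); `main` exists here only as origin/main. The former
          # `git log main..securite` could not resolve `main`, so the batch PR
          # was never opened.
          git fetch origin main
          NEW_COMMITS=$(git rev-list --count origin/main..HEAD)
          if [ "$NEW_COMMITS" -gt 0 ]; then
            gh pr create \
              --base main \
              --head securite \
              --title "chore: dependency updates batch" \
              --body "Automated dependency updates validated in the securite branch." \
              --label "dependencies" \
              --label "automated" || echo "PR already exists"
          fi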