Skip to content

Dependency review

Dependency review #2

Workflow file for this run

name: Dependency review
on:
schedule:
- cron: '0 3 * * 1' # weekly on Monday
workflow_dispatch:
permissions:
contents: read
issues: write
jobs:
npm-audit:
name: npm audit (omit dev)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- name: Install
run: npm ci
- name: Run audit
id: audit
continue-on-error: true
run: npm audit --omit=dev
- name: Open issue on regression
if: steps.audit.outcome != 'success'
uses: actions/github-script@v7
with:
script: |
const title = 'Dependency regression detected by npm audit (weekly)';
const body = `npm audit failed for the repository.\n\nRun: npm audit --omit=dev\n\nGitHub Actions workflow: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\nPlease review dependency vulnerabilities and update package-lock as needed.`;
// Prevent duplicate issues by searching for an existing open issue with the same title.
const { data: existing } = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
per_page: 100,
});
const match = existing.find(i => i.title === title);
if (match) {
core.info(`Issue already exists: #${match.number}`);
return;
}
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title,
body
});