-
-
Save Purpzie/8ed86ae38c73f440881bbee0523a324b to your computer and use it in GitHub Desktop.
# https://github.com/dependabot/dependabot-core/issues/1736 | |
name: Dependabot | |
on: pull_request_target | |
permissions: read-all | |
jobs: | |
update-lockfile: | |
runs-on: ubuntu-latest | |
if: ${{ github.actor == 'dependabot[bot]' }} | |
permissions: | |
pull-requests: write | |
contents: write | |
steps: | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: ^7 | |
- uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
- run: pnpm i --lockfile-only | |
- run: | | |
git config --global user.name github-actions[bot] | |
git config --global user.email github-actions[bot]@users.noreply.github.com | |
git add pnpm-lock.yaml | |
git commit -m "Update pnpm-lock.yaml" | |
git push |
This works, it only exists because Dependabot doesn't support pnpm yet. Once it does this will likely break
Wow. @Purpzie - You deserve a gold medal for this. Thank you!
Thanks for this, the main issue I see is that dependabot also open PRs for transitive dependencies. This action can't do much about those right? It will only work for the ones that change package.json
@donferi Yes, currently that's a limitation of dependabot not having proper pnpm support yet.
I wonder... You could maybe force it to work by having a regular package-lock.json
in your repository. Since dependabot would keep that up to date, this action would trigger for transitive dependencies, and you never need to stop using pnpm
locally (except to generate package-lock.json
the first time). Just make sure anyone working on the repo knows to use pnpm
instead of npm
.
I was running to some workflow issues with this approach. The only thing I would recommend adding is a Personal Access Token to ensure that push
workflows are called properly.
Hi, using the code in the project it gave me the error when trying to update a repo with ssh, showing the error below:
ERROR Command failed with exit code 128: git ls-remote --refs git+ssh://[email protected]/xxxxxxxx/xxxxxxx.git
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Can you help me with this error?
Does this work or is this pending the feature request from dependabot/dependabot-core#1736 ?