Action to update pnpm-lock.yaml when Dependabot opens a PR. Be warned that this may cause lots of merge conflicts.

update-lockfile.yml

# https://github.com/dependabot/dependabot-core/issues/1736
name: Dependabot
on: pull_request_target
permissions: read-all
jobs:
  update-lockfile:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    permissions:
      pull-requests: write
      contents: write
    steps:
    - uses: pnpm/action-setup@v2
      with:
        version: ^7
    - uses: actions/checkout@v3
      with:
        ref: ${{ github.event.pull_request.head.ref }}
    - run: pnpm i --lockfile-only
    - run: |
        git config --global user.name github-actions[bot]
        git config --global user.email github-actions[bot]@users.noreply.github.com
        git add pnpm-lock.yaml
        git commit -m "Update pnpm-lock.yaml"
        git push

@donferi Yes, currently that's a limitation of dependabot not having proper pnpm support yet.

I wonder... You could maybe force it to work by having a regular package-lock.json in your repository. Since dependabot would keep that up to date, this action would trigger for transitive dependencies, and you never need to stop using pnpm locally (except to generate package-lock.json the first time). Just make sure anyone working on the repo knows to use pnpm instead of npm.

I was running to some workflow issues with this approach. The only thing I would recommend adding is a Personal Access Token to ensure that push workflows are called properly.

Hi, using the code in the project it gave me the error when trying to update a repo with ssh, showing the error below:

ERROR  Command failed with exit code 128: git ls-remote --refs git+ssh://[email protected]/xxxxxxxx/xxxxxxx.git
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Can you help me with this error?