0f364804bc
- Replace actions/checkout@v4 with https://code.forgejo.org/actions/checkout@v4 - Replace aws-actions/configure-aws-credentials@v4 with Forgejo mirror - Replace GitHub CLI (gh) with tea CLI for PR creation - Remove GITHUB_TOKEN dependency in favor of tea authentication - Ensure full compatibility with Forgejo Actions ecosystem Updated workflows: - ci.yml - deploy-scripts.yml - release.yml - code-quality.yml - pr-labeler.yml - dependency-review.yml 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
145 lines
No EOL
5.5 KiB
YAML
145 lines
No EOL
5.5 KiB
YAML
name: Dependency Review
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- 'package.json'
|
|
- 'package-lock.json'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
dependency-review:
|
|
runs-on: self-hosted
|
|
name: Review Dependencies
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: https://code.forgejo.org/actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
run: |
|
|
node --version
|
|
npm --version
|
|
|
|
- name: Check for major version changes
|
|
run: |
|
|
echo "Checking for major dependency updates..."
|
|
git fetch origin main
|
|
|
|
# Get the package.json from main branch
|
|
git show origin/main:package.json > package-main.json
|
|
|
|
# Compare dependencies
|
|
node -e "
|
|
const fs = require('fs');
|
|
const mainPkg = JSON.parse(fs.readFileSync('package-main.json', 'utf8'));
|
|
const currentPkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
|
|
|
|
function compareDeps(mainDeps = {}, currentDeps = {}, type) {
|
|
console.log(\`\\nChecking \${type}:\`);
|
|
let hasChanges = false;
|
|
|
|
for (const [pkg, currentVer] of Object.entries(currentDeps)) {
|
|
const mainVer = mainDeps[pkg];
|
|
if (!mainVer) {
|
|
console.log(\` ✅ Added: \${pkg}@\${currentVer}\`);
|
|
hasChanges = true;
|
|
} else if (mainVer !== currentVer) {
|
|
const mainMajor = mainVer.match(/\\d+/)?.[0];
|
|
const currentMajor = currentVer.match(/\\d+/)?.[0];
|
|
|
|
if (mainMajor && currentMajor && mainMajor !== currentMajor) {
|
|
console.log(\` ⚠️ Major update: \${pkg} \${mainVer} → \${currentVer}\`);
|
|
} else {
|
|
console.log(\` 📦 Updated: \${pkg} \${mainVer} → \${currentVer}\`);
|
|
}
|
|
hasChanges = true;
|
|
}
|
|
}
|
|
|
|
for (const [pkg, mainVer] of Object.entries(mainDeps)) {
|
|
if (!currentDeps[pkg]) {
|
|
console.log(\` ❌ Removed: \${pkg}@\${mainVer}\`);
|
|
hasChanges = true;
|
|
}
|
|
}
|
|
|
|
if (!hasChanges) {
|
|
console.log(\` No changes\`);
|
|
}
|
|
}
|
|
|
|
compareDeps(mainPkg.dependencies, currentPkg.dependencies, 'dependencies');
|
|
compareDeps(mainPkg.devDependencies, currentPkg.devDependencies, 'devDependencies');
|
|
"
|
|
|
|
- name: Check for security advisories
|
|
run: |
|
|
npm audit --json > audit.json || true
|
|
node -e "
|
|
const audit = JSON.parse(require('fs').readFileSync('audit.json', 'utf8'));
|
|
const vulns = audit.metadata?.vulnerabilities || {};
|
|
|
|
console.log('\\nSecurity Audit Summary:');
|
|
console.log(' Critical:', vulns.critical || 0);
|
|
console.log(' High:', vulns.high || 0);
|
|
console.log(' Moderate:', vulns.moderate || 0);
|
|
console.log(' Low:', vulns.low || 0);
|
|
|
|
if (vulns.critical > 0 || vulns.high > 0) {
|
|
console.error('\\n❌ Found critical or high severity vulnerabilities!');
|
|
process.exit(1);
|
|
}
|
|
"
|
|
|
|
- name: Check bundle size impact
|
|
run: |
|
|
echo "Analyzing bundle size impact..."
|
|
|
|
# Get changed files for this workflow
|
|
git fetch origin main
|
|
if git merge-base origin/main HEAD >/dev/null 2>&1; then
|
|
CHANGED_FILES=$(git diff --name-only origin/main...HEAD)
|
|
else
|
|
CHANGED_FILES=$(git diff --name-only origin/main HEAD || echo "")
|
|
fi
|
|
|
|
# Skip bundle size check if no frontend changes
|
|
if ! echo "$CHANGED_FILES" | grep -E "(src/frontend|scripts/build)" > /dev/null; then
|
|
echo "No frontend changes detected, skipping bundle size analysis"
|
|
exit 0
|
|
fi
|
|
|
|
# Install dependencies from main (including devDependencies for build tools)
|
|
git show origin/main:package-lock.json > package-lock-main.json || echo "No package-lock.json in main"
|
|
git show origin/main:package.json > package-main.json || echo "No package.json in main"
|
|
|
|
if [ -f "package-main.json" ]; then
|
|
# Temporarily use main's package files
|
|
cp package.json package-current.json
|
|
cp package-lock.json package-lock-current.json
|
|
cp package-main.json package.json
|
|
cp package-lock-main.json package-lock.json 2>/dev/null || true
|
|
|
|
npm ci --include=dev || echo "Failed to install main dependencies"
|
|
npm run build:frontend > /dev/null 2>&1 || echo "Failed to build main frontend"
|
|
du -sh public/dist 2>/dev/null > size-main.txt || echo "0B public/dist" > size-main.txt
|
|
|
|
# Restore current package files
|
|
mv package-current.json package.json
|
|
mv package-lock-current.json package-lock.json
|
|
else
|
|
echo "No main branch package.json found" > size-main.txt
|
|
fi
|
|
|
|
# Install current dependencies
|
|
npm ci --include=dev
|
|
npm run build:frontend
|
|
du -sh public/dist > size-current.txt
|
|
|
|
echo "Bundle size comparison:"
|
|
echo "Main branch: $(cat size-main.txt 2>/dev/null || echo 'Unable to determine')"
|
|
echo "This branch: $(cat size-current.txt)" |