ice/.forgejo/workflows/dependency-review.yml
Claude Code ab5cddeec5 Add workflow concurrency controls to cancel in-progress runs
Prevents multiple workflow runs from the same PR/branch from running simultaneously, saving runner resources and providing faster feedback.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-07 20:00:59 -04:00


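name: Dependency Review

# Runs only for pull requests that touch the npm manifest or lockfile.
on:
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'

# One active run per workflow+ref; a newer push to the same PR cancels the
# older run instead of letting both compete for the runner.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    runs-on: self-hosted
    name: Review Dependencies
    # NOTE(review): with a pull_request trigger on a self-hosted runner, the
    # PR's own package.json drives what runs on this machine (npm lifecycle
    # scripts during `npm ci`, and the `build:frontend` script). Prefer an
    # ephemeral/isolated runner for this job, or restrict which PRs reach it.
    env:
      # Base branch of the PR (falls back to main for other events). It is
      # passed through env and read as "$BASE_REF" in the scripts below rather
      # than interpolated into `run:` text, so the value is never shell-parsed.
      BASE_REF: ${{ github.base_ref || 'main' }}
    steps:
      - name: Checkout code
        # Consider pinning the action to a full commit SHA rather than a moving
        # tag so the job's own supply chain is reproducible.
        uses: actions/checkout@v4

      - name: Setup Node.js
        run: |
          node --version
          npm --version

      - name: Check for major version changes
        run: |
          echo "Checking for major dependency updates..."
          git fetch origin "$BASE_REF"
          # package.json as it is on the base branch
          git show "origin/$BASE_REF:package.json" > package-main.json
          # The script is fed on stdin through a quoted heredoc, so backticks
          # and ${} in the JavaScript need no shell escaping.
          node - <<'EOF'
          const fs = require('fs');
          const mainPkg = JSON.parse(fs.readFileSync('package-main.json', 'utf8'));
          const currentPkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));

          // First integer in a range spec ("^1.2.3" -> "1"). Specs with no
          // digits (dist-tags, git/file URLs, "*") yield undefined and are
          // reported as plain updates rather than major updates.
          const majorOf = (spec) =>
            typeof spec === 'string' ? spec.match(/\d+/)?.[0] : undefined;

          // Print added / removed / updated packages for one dependency map.
          function compareDeps(mainDeps = {}, currentDeps = {}, type) {
            console.log(`\nChecking ${type}:`);
            let hasChanges = false;
            for (const [pkg, currentVer] of Object.entries(currentDeps)) {
              const mainVer = mainDeps[pkg];
              if (!mainVer) {
                console.log(`  ✅ Added: ${pkg}@${currentVer}`);
                hasChanges = true;
              } else if (mainVer !== currentVer) {
                const mainMajor = majorOf(mainVer);
                const currentMajor = majorOf(currentVer);
                if (mainMajor && currentMajor && mainMajor !== currentMajor) {
                  console.log(`  ⚠️ Major update: ${pkg} ${mainVer} → ${currentVer}`);
                } else {
                  console.log(`  📦 Updated: ${pkg} ${mainVer} → ${currentVer}`);
                }
                hasChanges = true;
              }
            }
            for (const [pkg, mainVer] of Object.entries(mainDeps)) {
              if (!currentDeps[pkg]) {
                console.log(`  ❌ Removed: ${pkg}@${mainVer}`);
                hasChanges = true;
              }
            }
            if (!hasChanges) {
              console.log('  No changes');
            }
          }

          compareDeps(mainPkg.dependencies, currentPkg.dependencies, 'dependencies');
          compareDeps(mainPkg.devDependencies, currentPkg.devDependencies, 'devDependencies');
          EOF

      - name: Check for security advisories
        run: |
          # npm audit exits non-zero when it finds vulnerabilities but still
          # writes the JSON report; the verdict is taken from the report below.
          npm audit --json > audit.json || true
          node - <<'EOF'
          const fs = require('fs');
          let audit;
          try {
            audit = JSON.parse(fs.readFileSync('audit.json', 'utf8'));
          } catch (err) {
            // Empty or garbled output means the audit never produced a report;
            // fail closed instead of treating "no data" as "no findings".
            console.error(`\n❌ Could not parse npm audit output: ${err.message}`);
            process.exit(1);
          }
          if (audit.error) {
            // npm reports registry/lockfile problems under "error" instead of
            // results; this is not a clean audit, so fail the gate.
            console.error('\n❌ npm audit did not complete:',
              audit.error.summary || audit.error.code || JSON.stringify(audit.error));
            process.exit(1);
          }
          const vulns = audit.metadata?.vulnerabilities || {};
          console.log('\nSecurity Audit Summary:');
          console.log('  Critical:', vulns.critical || 0);
          console.log('  High:', vulns.high || 0);
          console.log('  Moderate:', vulns.moderate || 0);
          console.log('  Low:', vulns.low || 0);
          if (vulns.critical > 0 || vulns.high > 0) {
            console.error('\n❌ Found critical or high severity vulnerabilities!');
            process.exit(1);
          }
          EOF

      - name: Check bundle size impact
        run: |
          echo "Analyzing bundle size impact..."
          git fetch origin "$BASE_REF"
          # Build the base branch in its own worktree so its sources and its
          # lockfile are used together. (npm's --package-lock option is a
          # boolean, not a path, so the earlier attempt to point it at a copied
          # lockfile never installed the base branch's dependencies.)
          BASE_DIR="$(mktemp -d)"
          git worktree add --detach "$BASE_DIR" "origin/$BASE_REF"
          if (cd "$BASE_DIR" && npm ci && npm run build:frontend) && [ -d "$BASE_DIR/public/dist" ]; then
            du -sh "$BASE_DIR/public/dist" | cut -f1 > size-main.txt
          else
            # Best-effort: a failed base build must not mask the PR's own result.
            echo "unavailable (base build failed)" > size-main.txt
          fi
          git worktree remove --force "$BASE_DIR" || true
          # Build the PR branch; a failure here is a real failure of the step.
          npm ci
          npm run build:frontend
          du -sh public/dist | cut -f1 > size-current.txt
          echo "Bundle size comparison:"
          echo "Base branch ($BASE_REF): $(cat size-main.txt)"
          echo "This branch: $(cat size-current.txt)"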