-
Notifications
You must be signed in to change notification settings - Fork 0
ci: add CI, release, and security workflows #2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| # .github/labeler.yml — path-based PR auto-labels (actions/labeler@v5 format). | ||
| documentation: | ||
| - changed-files: | ||
| - any-glob-to-any-file: ["**/*.md", "docs/**"] | ||
| ci: | ||
| - changed-files: | ||
| - any-glob-to-any-file: [".github/**"] | ||
| dependencies: | ||
| - changed-files: | ||
| - any-glob-to-any-file: | ||
| ["**/package.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"] | ||
| tests: | ||
| - changed-files: | ||
| - any-glob-to-any-file: ["**/*.test.*", "**/*_test.*", "test/**", "**/__tests__/**"] | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["master"] | ||
| pull_request: | ||
| branches: ["master"] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ci-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build: | ||
| name: build | ||
| runs-on: ubuntu-latest | ||
| # Dummy build-time env so steps like `next build` that read env at build | ||
| # succeed in CI (same approach as portfolio-nextjs). Add this repo's | ||
| # build-time vars here with placeholder values. | ||
| env: | ||
| CI: "true" | ||
| NEXT_PUBLIC_GITHUB_TOKEN: dummy-token-for-build | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| # Detect the package manager from the lockfile so one workflow serves | ||
| # pnpm / npm / yarn / bun repos. | ||
| - name: Detect package manager | ||
| id: pm | ||
| run: | | ||
| if [ -f bun.lockb ] || [ -f bun.lock ]; then echo "pm=bun" >> "$GITHUB_OUTPUT" | ||
| elif [ -f pnpm-lock.yaml ]; then echo "pm=pnpm" >> "$GITHUB_OUTPUT" | ||
| elif [ -f yarn.lock ]; then echo "pm=yarn" >> "$GITHUB_OUTPUT" | ||
| else echo "pm=npm" >> "$GITHUB_OUTPUT"; fi | ||
|
|
||
| - if: steps.pm.outputs.pm == 'pnpm' | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 9 | ||
| - if: steps.pm.outputs.pm == 'bun' | ||
| uses: oven-sh/setup-bun@v2 | ||
| - if: steps.pm.outputs.pm != 'bun' | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: lts/* | ||
| cache: ${{ steps.pm.outputs.pm }} | ||
|
|
||
| - name: Install | ||
| run: | | ||
| case "${{ steps.pm.outputs.pm }}" in | ||
| bun) bun install --frozen-lockfile ;; | ||
| pnpm) pnpm install --frozen-lockfile ;; | ||
| yarn) yarn install --frozen-lockfile ;; | ||
| npm) npm ci ;; | ||
| esac | ||
|
|
||
| # Run a script only if package.json defines it, so repos missing lint/ | ||
| # build/test don't fail the job. `run_if` echoes then runs via the pm. | ||
| - name: Run available scripts (lint, ts:check, build, test) | ||
| env: | ||
| PM: ${{ steps.pm.outputs.pm }} | ||
| run: | | ||
| has() { jq -e --arg s "$1" '.scripts[$s] // empty' package.json >/dev/null 2>&1; } | ||
| run() { | ||
| case "$PM" in | ||
| bun) bun run "$1" ;; | ||
| *) "$PM" run "$1" ;; | ||
| esac | ||
| } | ||
| for script in lint ts:check typecheck build test; do | ||
| if has "$script"; then | ||
| echo "::group::$script"; run "$script"; echo "::endgroup::" | ||
| else | ||
| echo "skip: no \"$script\" script" | ||
| fi | ||
| done |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| name: Dependency Review | ||
|
|
||
| # Flags vulnerable or disallowed-license dependencies introduced by a PR before | ||
| # they merge. Replaces Dependabot's alerting with a hard PR gate. | ||
| on: | ||
| pull_request: | ||
| branches: ["master"] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| name: Dependency review | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| persist-credentials: false | ||
| - uses: actions/dependency-review-action@v4 | ||
| with: | ||
| fail-on-severity: high | ||
| comment-summary-in-pr: on-failure |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| name: Labeler | ||
|
|
||
| # Auto-labels PRs by the paths they touch (config in .github/labeler.yml). | ||
| on: | ||
| pull_request_target: | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| label: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/labeler@v5 | ||
| with: | ||
| sync-labels: true | ||
|
Comment on lines
+16
to
+18
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "Mutable action refs in workflows:"
rg -n 'uses:\s+[^@]+@(main|master|v[0-9]+(\.[0-9]+)?)\b' .github/workflows
echo
echo "Resolve the current commit behind actions/labeler v5 before pinning it:"
gh api repos/actions/labeler/git/ref/tags/v5 --jq '.object.sha'Repository: nixrajput/github-analytics Length of output: 1235 Pin
🤖 Prompt for AI Agents |
||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,40 @@ | ||||||||||||||||||||||||||||||||||||||||||||||||
| name: Release | ||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||
| # On push to the default branch (a merged PR), tag v<package.json version> and | ||||||||||||||||||||||||||||||||||||||||||||||||
| # publish a GitHub Release with generated notes — unless the tag already exists. | ||||||||||||||||||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||||||||||||||||||||||||||
| branches: ["master"] | ||||||||||||||||||||||||||||||||||||||||||||||||
| workflow_dispatch: {} | ||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||||||||||||||||||||
| contents: read | ||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||||||||||||||||||
| release: | ||||||||||||||||||||||||||||||||||||||||||||||||
| name: Tag and release | ||||||||||||||||||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||||||||||||||||||||
| contents: write | ||||||||||||||||||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||||||||||||||||||
| - uses: actions/checkout@v6 | ||||||||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||||||||||||||||||||||||||||
| persist-credentials: false | ||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Read version | ||||||||||||||||||||||||||||||||||||||||||||||||
| id: v | ||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||
| version=$(jq -r .version package.json) | ||||||||||||||||||||||||||||||||||||||||||||||||
| echo "tag=v$version" >> "$GITHUB_OUTPUT" | ||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Release if new | ||||||||||||||||||||||||||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||||||||||||||||||||||||||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||||||||||||||||||||||||||
| TAG: ${{ steps.v.outputs.tag }} | ||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||
| if gh release view "$TAG" >/dev/null 2>&1 \ | ||||||||||||||||||||||||||||||||||||||||||||||||
| || git ls-remote --tags origin "refs/tags/$TAG" | grep -q .; then | ||||||||||||||||||||||||||||||||||||||||||||||||
| echo "Tag $TAG already exists — skipping." | ||||||||||||||||||||||||||||||||||||||||||||||||
| exit 0 | ||||||||||||||||||||||||||||||||||||||||||||||||
| fi | ||||||||||||||||||||||||||||||||||||||||||||||||
| gh release create "$TAG" --target "${{ github.sha }}" --title "$TAG" --generate-notes | ||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+34
to
+39
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win Fail on version/tag collisions instead of silently skipping. If two PRs merge with the same Suggested fix - name: Release if new
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ steps.v.outputs.tag }}
run: |
- if gh release view "$TAG" >/dev/null 2>&1 \
- || git ls-remote --tags origin "refs/tags/$TAG" | grep -q .; then
- echo "Tag $TAG already exists — skipping."
- exit 0
- fi
+ remote_sha="$(git ls-remote --tags origin "refs/tags/$TAG" | awk '{print $1}')"
+ if [ -n "$remote_sha" ]; then
+ if [ "$remote_sha" != "${{ github.sha }}" ]; then
+ echo "::error::Tag $TAG already points to $remote_sha, but this push is ${{ github.sha }}. Bump package.json before merging."
+ exit 1
+ fi
+ echo "Tag $TAG already exists for this commit — skipping."
+ exit 0
+ fi
+
+ if gh release view "$TAG" >/dev/null 2>&1; then
+ echo "Release $TAG already exists — skipping."
+ exit 0
+ fi
+
gh release create "$TAG" --target "${{ github.sha }}" --title "$TAG" --generate-notes
echo "Released $TAG ✓"📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||||||||||||||||||||||||||||||
| echo "Released $TAG ✓" | ||||||||||||||||||||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,32 @@ | ||||||||||||||||||||||||||||||||||||||
| name: Scorecard | ||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||
| # OpenSSF Scorecard — supply-chain security posture. Runs on push to the default | ||||||||||||||||||||||||||||||||||||||
| # branch and weekly; uploads SARIF so findings show in the Security tab. | ||||||||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||||||||||||||||
| branches: ["master"] | ||||||||||||||||||||||||||||||||||||||
| schedule: | ||||||||||||||||||||||||||||||||||||||
| - cron: "27 3 * * 1" # Mondays 03:27 UTC | ||||||||||||||||||||||||||||||||||||||
| workflow_dispatch: {} | ||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||
| permissions: read-all | ||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||||||||
| analysis: | ||||||||||||||||||||||||||||||||||||||
| name: Scorecard analysis | ||||||||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||||||||||
| security-events: write # upload SARIF to code scanning | ||||||||||||||||||||||||||||||||||||||
| id-token: write # publish results to the OpenSSF API | ||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+18
to
+20
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "== .github/workflows/scorecard.yml =="
nl -ba .github/workflows/scorecard.yml | sed -n '1,120p'
echo
echo "== Search for scorecard workflow references =="
rg -n "scorecard|checkout@|permissions:" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true
echo
echo "== Exact action refs in workflow =="
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/scorecard.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
if 'uses:' in line or 'permissions:' in line:
print(f"{i}: {line}")
PYRepository: nixrajput/github-analytics Length of output: 242 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/scorecard.yml')
text = p.read_text().splitlines()
for i, line in enumerate(text, 1):
print(f"{i:4} {line}")
PY
echo
echo "== uses: lines =="
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/scorecard.yml')
for i, line in enumerate(p.read_text().splitlines(), 1):
if 'uses:' in line or 'permissions:' in line:
print(f"{i:4} {line}")
PY
echo
echo "== repo files matching scorecard workflow references =="
python3 - <<'PY'
from pathlib import Path
for path in Path('.github/workflows').glob('*.yml'):
text = path.read_text()
if 'scorecard' in text.lower():
print(path)
PYRepository: nixrajput/github-analytics Length of output: 1504 🌐 Web query:
💡 Result: In GitHub Actions, workflow permissions follow these principles: Job-level permissions override, rather than merge with, workflow-level permissions [1]. If a permissions key is defined at the job level, it completely replaces any permissions configured at the workflow level for that specific job [1]. When you explicitly define the permissions key (at either the workflow or job level), all unspecified permissions are set to none [2][3][4]. The only exception is the metadata scope, which always receives read access [3]. Regarding the checkout action and scorecard: 1. The actions/checkout action requires contents: read permission to successfully clone your repository [5][6][7]. If you have defined a permissions block in your workflow or job and do not include contents: read, the checkout action will fail [8]. 2. For private repositories, if you use the Scorecard action, it also typically requires specific permissions (often read access to contents, pull-requests, and potentially security-events) to analyze the repository [4][8]. Because job-level permissions do not merge with workflow-level settings, ensure that if you override permissions at the job level, you include all required scopes for both checkout and any other actions running in that job [1]. Best practice suggests setting permissions at the job level to adhere to the principle of least privilege [1][9]. If you define them at the job level, you must manually list every permission required by the steps within that job, as they will not inherit from any top-level definitions [1]. Citations:
Restore 🤖 Prompt for AI Agents |
||||||||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||||||||
| - uses: actions/checkout@v6 | ||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||
| persist-credentials: false | ||||||||||||||||||||||||||||||||||||||
| - uses: ossf/scorecard-action@v2.4.0 | ||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||
| results_file: results.sarif | ||||||||||||||||||||||||||||||||||||||
| results_format: sarif | ||||||||||||||||||||||||||||||||||||||
| publish_results: true | ||||||||||||||||||||||||||||||||||||||
| - uses: github/codeql-action/upload-sarif@v3 | ||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+22
to
+30
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
git ls-remote https://github.com/actions/checkout.git 'refs/tags/v6^{}' 'refs/tags/v6'
git ls-remote https://github.com/ossf/scorecard-action.git 'refs/tags/v2.4.0^{}' 'refs/tags/v2.4.0'
git ls-remote https://github.com/github/codeql-action.git 'refs/tags/v3^{}' 'refs/tags/v3'Repository: nixrajput/github-analytics Length of output: 448 🏁 Script executed: #!/bin/bash
set -euo pipefail
cat -n .github/workflows/scorecard.yml | sed -n '1,120p'Repository: nixrajput/github-analytics Length of output: 1268 Pin the privileged workflow actions to full commit SHAs
Suggested shape- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
...
- - uses: ossf/scorecard-action@v2.4.0
+ - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
...
- - uses: github/codeql-action/upload-sarif@v3
+ - uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||
| sarif_file: results.sarif | ||||||||||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,30 @@ | ||||||
| name: Stale | ||||||
|
|
||||||
| # Marks inactive issues/PRs stale, then closes them after a grace period. | ||||||
| on: | ||||||
| schedule: | ||||||
| - cron: "0 4 * * *" # daily 04:00 UTC | ||||||
| workflow_dispatch: {} | ||||||
|
|
||||||
| permissions: | ||||||
| issues: write | ||||||
| pull-requests: write | ||||||
|
|
||||||
| jobs: | ||||||
| stale: | ||||||
| runs-on: ubuntu-latest | ||||||
| steps: | ||||||
| - uses: actions/stale@v9 | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
git ls-remote https://github.com/actions/stale.git 'refs/tags/v9^{}' 'refs/tags/v9'Repository: nixrajput/github-analytics Length of output: 218 🏁 Script executed: #!/bin/bash
set -euo pipefail
cat -n .github/workflows/stale.ymlRepository: nixrajput/github-analytics Length of output: 1303 🏁 Script executed: #!/bin/bash
set -euo pipefail
git ls-remote https://github.com/actions/stale.git 'refs/tags/v9^{}' 'refs/tags/v9'Repository: nixrajput/github-analytics Length of output: 218 Pin Suggested shape- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||
| with: | ||||||
| days-before-stale: 60 | ||||||
| days-before-close: 14 | ||||||
| stale-issue-label: stale | ||||||
| stale-pr-label: stale | ||||||
| exempt-issue-labels: pinned,security,blocked | ||||||
| exempt-pr-labels: pinned,security,blocked | ||||||
| stale-issue-message: > | ||||||
| This issue has been inactive for 60 days and is now marked stale. | ||||||
| Comment to keep it open; it will close in 14 days otherwise. | ||||||
| stale-pr-message: > | ||||||
| This PR has been inactive for 60 days and is now marked stale. | ||||||
| Push or comment to keep it open; it will close in 14 days otherwise. | ||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| name: Version Check | ||
|
|
||
| # Every PR into the default branch must bump package.json "version". The Release | ||
| # workflow turns that version into a tag + GitHub Release on merge. | ||
| on: | ||
| pull_request: | ||
| branches: ["master"] | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| version-bumped: | ||
| name: version bumped | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 # need the base branch to diff the version | ||
| persist-credentials: false | ||
| - name: Read versions | ||
| id: v | ||
| run: | | ||
| git fetch --no-tags --depth=1 origin "${{ github.base_ref }}" | ||
| pr=$(jq -r .version package.json) | ||
| base=$(git show "origin/${{ github.base_ref }}:package.json" | jq -r .version) | ||
| echo "pr=$pr" >> "$GITHUB_OUTPUT" | ||
| echo "base=$base" >> "$GITHUB_OUTPUT" | ||
| - name: Compare | ||
| env: | ||
| PR: ${{ steps.v.outputs.pr }} | ||
| BASE: ${{ steps.v.outputs.base }} | ||
| run: | | ||
| echo "base=$BASE pr=$PR" | ||
| if [ "$PR" = "$BASE" ]; then | ||
| echo "::error::package.json version not bumped (still $BASE). Bump it: patch for fixes, minor for features, major for breaking." | ||
| exit 1 | ||
| fi | ||
| greater=$(printf '%s\n%s\n' "$BASE" "$PR" | sort -V | tail -n1) | ||
| if [ "$greater" != "$PR" ]; then | ||
| echo "::error::package.json version $PR is lower than base $BASE; it must move forward." | ||
| exit 1 | ||
| fi | ||
| echo "Version bumped $BASE -> $PR ✓" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Include
package-lock.jsonin the dependency globs.Line 11 misses npm lockfile-only updates, because
package-lock.jsonmatches neither**/*.locknor**/*lock.yaml. Those PRs will skip thedependencieslabel even though they only change resolved dependencies.Suggested patch
dependencies: - changed-files: - any-glob-to-any-file: - ["**/package.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"] + ["**/package.json", "**/package-lock.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"]📝 Committable suggestion
🤖 Prompt for AI Agents