Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions .github/labeler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# .github/labeler.yml — path-based PR auto-labels (actions/labeler@v5 format).
documentation:
- changed-files:
- any-glob-to-any-file: ["**/*.md", "docs/**"]
ci:
- changed-files:
- any-glob-to-any-file: [".github/**"]
dependencies:
- changed-files:
- any-glob-to-any-file:
["**/package.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"]
Comment on lines +10 to +11

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Include package-lock.json in the dependency globs.

Line 11 misses npm lockfile-only updates, because package-lock.json matches neither **/*.lock nor **/*lock.yaml. Those PRs will skip the dependencies label even though they only change resolved dependencies.

Suggested patch
 dependencies:
   - changed-files:
       - any-glob-to-any-file:
-          ["**/package.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"]
+          ["**/package.json", "**/package-lock.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"]
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- any-glob-to-any-file:
["**/package.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"]
- any-glob-to-any-file:
["**/package.json", "**/package-lock.json", "**/pubspec.yaml", "**/go.mod", "**/*.lock", "**/*lock.yaml"]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/labeler.yml around lines 10 - 11, The dependency label glob in the
labeler config is missing npm lockfiles, so PRs that only update resolved
dependencies in package-lock.json won’t get the dependencies label. Update the
any-glob-to-any-file list in the label configuration to include
package-lock.json alongside the existing dependency manifest and lockfile
patterns, keeping the rule name and glob structure consistent.

tests:
- changed-files:
- any-glob-to-any-file: ["**/*.test.*", "**/*_test.*", "test/**", "**/__tests__/**"]
81 changes: 81 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
name: CI

on:
push:
branches: ["master"]
pull_request:
branches: ["master"]

permissions:
contents: read

concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true

jobs:
build:
name: build
runs-on: ubuntu-latest
# Dummy build-time env so steps like `next build` that read env at build
# succeed in CI (same approach as portfolio-nextjs). Add this repo's
# build-time vars here with placeholder values.
env:
CI: "true"
NEXT_PUBLIC_GITHUB_TOKEN: dummy-token-for-build
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false

# Detect the package manager from the lockfile so one workflow serves
# pnpm / npm / yarn / bun repos.
- name: Detect package manager
id: pm
run: |
if [ -f bun.lockb ] || [ -f bun.lock ]; then echo "pm=bun" >> "$GITHUB_OUTPUT"
elif [ -f pnpm-lock.yaml ]; then echo "pm=pnpm" >> "$GITHUB_OUTPUT"
elif [ -f yarn.lock ]; then echo "pm=yarn" >> "$GITHUB_OUTPUT"
else echo "pm=npm" >> "$GITHUB_OUTPUT"; fi

- if: steps.pm.outputs.pm == 'pnpm'
uses: pnpm/action-setup@v4
with:
version: 9
- if: steps.pm.outputs.pm == 'bun'
uses: oven-sh/setup-bun@v2
- if: steps.pm.outputs.pm != 'bun'
uses: actions/setup-node@v4
with:
node-version: lts/*
cache: ${{ steps.pm.outputs.pm }}

- name: Install
run: |
case "${{ steps.pm.outputs.pm }}" in
bun) bun install --frozen-lockfile ;;
pnpm) pnpm install --frozen-lockfile ;;
yarn) yarn install --frozen-lockfile ;;
npm) npm ci ;;
esac

# Run a script only if package.json defines it, so repos missing lint/
# build/test don't fail the job. `run_if` echoes then runs via the pm.
- name: Run available scripts (lint, ts:check, build, test)
env:
PM: ${{ steps.pm.outputs.pm }}
run: |
has() { jq -e --arg s "$1" '.scripts[$s] // empty' package.json >/dev/null 2>&1; }
run() {
case "$PM" in
bun) bun run "$1" ;;
*) "$PM" run "$1" ;;
esac
}
for script in lint ts:check typecheck build test; do
if has "$script"; then
echo "::group::$script"; run "$script"; echo "::endgroup::"
else
echo "skip: no \"$script\" script"
fi
done
23 changes: 23 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: Dependency Review

# Flags vulnerable or disallowed-license dependencies introduced by a PR before
# they merge. Replaces Dependabot's alerting with a hard PR gate.
on:
pull_request:
branches: ["master"]

permissions:
contents: read

jobs:
dependency-review:
name: Dependency review
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
comment-summary-in-pr: on-failure
18 changes: 18 additions & 0 deletions .github/workflows/labeler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
name: Labeler

# Auto-labels PRs by the paths they touch (config in .github/labeler.yml).
on:
pull_request_target:
types: [opened, synchronize, reopened]

permissions:
contents: read
pull-requests: write

jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
with:
sync-labels: true
Comment on lines +16 to +18

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Mutable action refs in workflows:"
rg -n 'uses:\s+[^@]+@(main|master|v[0-9]+(\.[0-9]+)?)\b' .github/workflows

echo
echo "Resolve the current commit behind actions/labeler v5 before pinning it:"
gh api repos/actions/labeler/git/ref/tags/v5 --jq '.object.sha'

Repository: nixrajput/github-analytics

Length of output: 1235


Pin actions/labeler to a commit SHA.

actions/labeler@v5 is a mutable ref; pinning avoids supply-chain drift. v5 currently resolves to 8558fd74291d67161a8a78ce36a881fa63b766a9.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/labeler.yml around lines 16 - 18, The workflow step using
actions/labeler is pinned to a mutable version tag, so update the uses reference
in the labeler job to the recommended commit SHA instead of actions/labeler@v5.
Keep the existing sync-labels setting unchanged, and make the change in the
labeler workflow entry so the action version is fixed to the provided hash.

40 changes: 40 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
name: Release

# On push to the default branch (a merged PR), tag v<package.json version> and
# publish a GitHub Release with generated notes — unless the tag already exists.
on:
push:
branches: ["master"]
workflow_dispatch: {}

permissions:
contents: read

jobs:
release:
name: Tag and release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false
- name: Read version
id: v
run: |
version=$(jq -r .version package.json)
echo "tag=v$version" >> "$GITHUB_OUTPUT"
- name: Release if new
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ steps.v.outputs.tag }}
run: |
if gh release view "$TAG" >/dev/null 2>&1 \
|| git ls-remote --tags origin "refs/tags/$TAG" | grep -q .; then
echo "Tag $TAG already exists — skipping."
exit 0
fi
gh release create "$TAG" --target "${{ github.sha }}" --title "$TAG" --generate-notes
Comment on lines +34 to +39

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Fail on version/tag collisions instead of silently skipping.

If two PRs merge with the same package.json version, the first merge creates vX.Y.Z and the second merge lands on master with a different github.sha. This branch exits 0, so that later merge ships without a corresponding GitHub Release even though .github/workflows/version-check.yml:16-28 and package.json:1-5 define a shared version→tag contract. Treat “tag exists on another commit” as an error, and only skip when the existing tag already points at the current SHA.

Suggested fix
       - name: Release if new
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           TAG: ${{ steps.v.outputs.tag }}
         run: |
-          if gh release view "$TAG" >/dev/null 2>&1 \
-            || git ls-remote --tags origin "refs/tags/$TAG" | grep -q .; then
-            echo "Tag $TAG already exists — skipping."
-            exit 0
-          fi
+          remote_sha="$(git ls-remote --tags origin "refs/tags/$TAG" | awk '{print $1}')"
+          if [ -n "$remote_sha" ]; then
+            if [ "$remote_sha" != "${{ github.sha }}" ]; then
+              echo "::error::Tag $TAG already points to $remote_sha, but this push is ${{ github.sha }}. Bump package.json before merging."
+              exit 1
+            fi
+            echo "Tag $TAG already exists for this commit — skipping."
+            exit 0
+          fi
+
+          if gh release view "$TAG" >/dev/null 2>&1; then
+            echo "Release $TAG already exists — skipping."
+            exit 0
+          fi
+
           gh release create "$TAG" --target "${{ github.sha }}" --title "$TAG" --generate-notes
           echo "Released $TAG ✓"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if gh release view "$TAG" >/dev/null 2>&1 \
|| git ls-remote --tags origin "refs/tags/$TAG" | grep -q .; then
echo "Tag $TAG already exists — skipping."
exit 0
fi
gh release create "$TAG" --target "${{ github.sha }}" --title "$TAG" --generate-notes
remote_sha="$(git ls-remote --tags origin "refs/tags/$TAG" | awk '{print $1}')"
if [ -n "$remote_sha" ]; then
if [ "$remote_sha" != "${{ github.sha }}" ]; then
echo "::error::Tag $TAG already points to $remote_sha, but this push is ${{ github.sha }}. Bump package.json before merging."
exit 1
fi
echo "Tag $TAG already exists for this commit — skipping."
exit 0
fi
if gh release view "$TAG" >/dev/null 2>&1; then
echo "Release $TAG already exists — skipping."
exit 0
fi
gh release create "$TAG" --target "${{ github.sha }}" --title "$TAG" --generate-notes
echo "Released $TAG ✓"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 34 - 39, The release workflow
currently treats any existing tag as a success, which can hide version
collisions between different commits. Update the release step in the release job
so it only skips when gh release view or git ls-remote confirms the tag already
points to github.sha; if the tag exists on a different commit, fail the workflow
instead of exiting 0. Keep the logic localized around the tag-existence check
and gh release create flow.

echo "Released $TAG ✓"
32 changes: 32 additions & 0 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Scorecard

# OpenSSF Scorecard — supply-chain security posture. Runs on push to the default
# branch and weekly; uploads SARIF so findings show in the Security tab.
on:
push:
branches: ["master"]
schedule:
- cron: "27 3 * * 1" # Mondays 03:27 UTC
workflow_dispatch: {}

permissions: read-all

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write # upload SARIF to code scanning
id-token: write # publish results to the OpenSSF API
Comment on lines +18 to +20

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== .github/workflows/scorecard.yml =="
nl -ba .github/workflows/scorecard.yml | sed -n '1,120p'

echo
echo "== Search for scorecard workflow references =="
rg -n "scorecard|checkout@|permissions:" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true

echo
echo "== Exact action refs in workflow =="
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/scorecard.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    if 'uses:' in line or 'permissions:' in line:
        print(f"{i}: {line}")
PY

Repository: nixrajput/github-analytics

Length of output: 242


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/scorecard.yml')
text = p.read_text().splitlines()
for i, line in enumerate(text, 1):
    print(f"{i:4} {line}")
PY

echo
echo "== uses: lines =="
python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/scorecard.yml')
for i, line in enumerate(p.read_text().splitlines(), 1):
    if 'uses:' in line or 'permissions:' in line:
        print(f"{i:4} {line}")
PY

echo
echo "== repo files matching scorecard workflow references =="
python3 - <<'PY'
from pathlib import Path
for path in Path('.github/workflows').glob('*.yml'):
    text = path.read_text()
    if 'scorecard' in text.lower():
        print(path)
PY

Repository: nixrajput/github-analytics

Length of output: 1504


🌐 Web query:

GitHub Actions workflow permissions job-level permissions override unspecified scopes none checkout requires contents: read scorecard action private repo queries permissions

💡 Result:

In GitHub Actions, workflow permissions follow these principles: Job-level permissions override, rather than merge with, workflow-level permissions [1]. If a permissions key is defined at the job level, it completely replaces any permissions configured at the workflow level for that specific job [1]. When you explicitly define the permissions key (at either the workflow or job level), all unspecified permissions are set to none [2][3][4]. The only exception is the metadata scope, which always receives read access [3]. Regarding the checkout action and scorecard: 1. The actions/checkout action requires contents: read permission to successfully clone your repository [5][6][7]. If you have defined a permissions block in your workflow or job and do not include contents: read, the checkout action will fail [8]. 2. For private repositories, if you use the Scorecard action, it also typically requires specific permissions (often read access to contents, pull-requests, and potentially security-events) to analyze the repository [4][8]. Because job-level permissions do not merge with workflow-level settings, ensure that if you override permissions at the job level, you include all required scopes for both checkout and any other actions running in that job [1]. Best practice suggests setting permissions at the job level to adhere to the principle of least privilege [1][9]. If you define them at the job level, you must manually list every permission required by the steps within that job, as they will not inherit from any top-level definitions [1].

Citations:


Restore contents: read on the job. The job-level permissions block replaces read-all, so actions/checkout loses repository read access without contents: read. Add that scope here and keep any other read scopes only if Scorecard actually needs them.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 18 - 20, The job-level
permissions block for the Scorecard workflow currently replaces the default
repository read access, which breaks actions/checkout. Update the workflow’s
permissions stanza to include contents: read alongside the existing
security-events and id-token scopes, and keep any additional read scopes only if
the Scorecard job actually requires them.

steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: ossf/scorecard-action@v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- uses: github/codeql-action/upload-sarif@v3
Comment on lines +22 to +30

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
git ls-remote https://github.com/actions/checkout.git 'refs/tags/v6^{}' 'refs/tags/v6'
git ls-remote https://github.com/ossf/scorecard-action.git 'refs/tags/v2.4.0^{}' 'refs/tags/v2.4.0'
git ls-remote https://github.com/github/codeql-action.git 'refs/tags/v3^{}' 'refs/tags/v3'

Repository: nixrajput/github-analytics

Length of output: 448


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cat -n .github/workflows/scorecard.yml | sed -n '1,120p'

Repository: nixrajput/github-analytics

Length of output: 1268


Pin the privileged workflow actions to full commit SHAs

security-events: write and id-token: write make this job sensitive to supply-chain drift. Keep the release tags as comments, but use immutable SHAs for actions/checkout, ossf/scorecard-action, and github/codeql-action/upload-sarif.

Suggested shape
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
...
-      - uses: ossf/scorecard-action@v2.4.0
+      - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
...
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: ossf/scorecard-action@v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- uses: github/codeql-action/upload-sarif@v3
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 22 - 30, The workflow uses
privileged actions by tag, which can drift over time; update the job in the
scorecard workflow to pin actions/checkout, ossf/scorecard-action, and
github/codeql-action/upload-sarif to immutable full commit SHAs while keeping
the current release tags as comments for reference. Use the existing action
references in the workflow step list to locate and replace the versioned uses
entries, and preserve the current inputs for checkout, scorecard, and SARIF
upload.

with:
sarif_file: results.sarif
30 changes: 30 additions & 0 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Stale

# Marks inactive issues/PRs stale, then closes them after a grace period.
on:
schedule:
- cron: "0 4 * * *" # daily 04:00 UTC
workflow_dispatch: {}

permissions:
issues: write
pull-requests: write

jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
git ls-remote https://github.com/actions/stale.git 'refs/tags/v9^{}' 'refs/tags/v9'

Repository: nixrajput/github-analytics

Length of output: 218


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cat -n .github/workflows/stale.yml

Repository: nixrajput/github-analytics

Length of output: 1303


🏁 Script executed:

#!/bin/bash
set -euo pipefail
git ls-remote https://github.com/actions/stale.git 'refs/tags/v9^{}' 'refs/tags/v9'

Repository: nixrajput/github-analytics

Length of output: 218


Pin actions/stale to the full commit SHA. Replace actions/stale@v9 with actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 so this write-capable workflow uses an immutable reference.

Suggested shape
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/stale@v9
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/stale.yml at line 17, The stale workflow currently
references actions/stale with a floating version tag, which should be replaced
with the pinned full commit SHA to keep this write-capable action immutable.
Update the actions/stale step in the workflow to use the provided commit
reference instead of v9, and keep the rest of the workflow unchanged.

with:
days-before-stale: 60
days-before-close: 14
stale-issue-label: stale
stale-pr-label: stale
exempt-issue-labels: pinned,security,blocked
exempt-pr-labels: pinned,security,blocked
stale-issue-message: >
This issue has been inactive for 60 days and is now marked stale.
Comment to keep it open; it will close in 14 days otherwise.
stale-pr-message: >
This PR has been inactive for 60 days and is now marked stale.
Push or comment to keep it open; it will close in 14 days otherwise.
45 changes: 45 additions & 0 deletions .github/workflows/version-check.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
name: Version Check

# Every PR into the default branch must bump package.json "version". The Release
# workflow turns that version into a tag + GitHub Release on merge.
on:
pull_request:
branches: ["master"]
types: [opened, synchronize, reopened]

permissions:
contents: read

jobs:
version-bumped:
name: version bumped
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0 # need the base branch to diff the version
persist-credentials: false
- name: Read versions
id: v
run: |
git fetch --no-tags --depth=1 origin "${{ github.base_ref }}"
pr=$(jq -r .version package.json)
base=$(git show "origin/${{ github.base_ref }}:package.json" | jq -r .version)
echo "pr=$pr" >> "$GITHUB_OUTPUT"
echo "base=$base" >> "$GITHUB_OUTPUT"
- name: Compare
env:
PR: ${{ steps.v.outputs.pr }}
BASE: ${{ steps.v.outputs.base }}
run: |
echo "base=$BASE pr=$PR"
if [ "$PR" = "$BASE" ]; then
echo "::error::package.json version not bumped (still $BASE). Bump it: patch for fixes, minor for features, major for breaking."
exit 1
fi
greater=$(printf '%s\n%s\n' "$BASE" "$PR" | sort -V | tail -n1)
if [ "$greater" != "$PR" ]; then
echo "::error::package.json version $PR is lower than base $BASE; it must move forward."
exit 1
fi
echo "Version bumped $BASE -> $PR ✓"
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "nextjs",
"version": "0.1.0",
"version": "0.1.1",
"private": true,
"scripts": {
"dev": "next dev -p 3000 --turbo",
Expand Down
Loading