Barazo AppView backend barazo.forum

ci: add lockfile regeneration for Dependabot PRs (#135)

Dependabot doesn't handle pnpm catalogs correctly -- it resolves
catalog: specifiers to concrete versions in the lockfile, causing
frozen-lockfile failures in CI. This workflow detects Dependabot PRs
that touch package.json or the lockfile, regenerates pnpm-lock.yaml,
and commits the fix back to the PR branch.

authored by Guido X Jansen and committed by GitHub
063f2791 5f1413b4

+50
+50
.github/workflows/fix-lockfile.yml
··· 1 + name: Fix Lockfile 2 + 3 + # Dependabot doesn't handle pnpm catalogs correctly -- it resolves 4 + # catalog: specifiers to concrete versions in the lockfile, causing 5 + # a mismatch that fails `pnpm install --frozen-lockfile` in CI. 6 + # This workflow regenerates the lockfile on Dependabot PRs. 7 + 8 + on: 9 + pull_request: 10 + paths: 11 + - 'package.json' 12 + - 'pnpm-lock.yaml' 13 + - 'pnpm-workspace.yaml' 14 + 15 + permissions: 16 + contents: write 17 + 18 + jobs: 19 + fix-lockfile: 20 + name: Regenerate lockfile 21 + if: github.actor == 'dependabot[bot]' 22 + runs-on: ubuntu-latest 23 + timeout-minutes: 5 24 + 25 + steps: 26 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 27 + with: 28 + ref: ${{ github.head_ref }} 29 + token: ${{ secrets.GITHUB_TOKEN }} 30 + 31 + - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 32 + 33 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 34 + with: 35 + node-version: 24 36 + 37 + - name: Regenerate lockfile 38 + run: pnpm install --no-frozen-lockfile 39 + 40 + - name: Commit updated lockfile 41 + run: | 42 + if git diff --quiet pnpm-lock.yaml; then 43 + echo "Lockfile is already in sync." 44 + exit 0 45 + fi 46 + git config user.name "github-actions[bot]" 47 + git config user.email "github-actions[bot]@users.noreply.github.com" 48 + git add pnpm-lock.yaml 49 + git commit -m "fix(deps): regenerate lockfile for pnpm catalog compatibility" 50 + git push
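Review bot: The `run: pnpm install --no-frozen-lockfile` step (line 38) does a full install, so lifecycle scripts from the dependency versions the PR has just bumped execute in a job that holds `contents: write`, with the checkout keeping the token available for the later `git push`. Only the lockfile needs rewriting here, so I would suggest `pnpm install --lockfile-only`, which resolves and writes pnpm-lock.yaml without populating node_modules or running install scripts. A second, smaller point on the final step: the commit is pushed with `GITHUB_TOKEN`, and pushes made with that token do not start new workflow runs, so the header comment should say how the `--frozen-lockfile` check is expected to re-run against the regenerated commit.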