fix(ci): use PR-based flow for lockfile sync (#96) · gui.do/barazo-workspace@6e42fda

pnpm workspace root for Barazo forum development — shared configuration, tooling, and cross-package dependency management barazo.forum

fork atom

fix(ci): use PR-based flow for lockfile sync (#96)

* fix(deps): regenerate lockfile with latest sub-repo dependencies

* fix(ci): use PR-based flow for lockfile sync to respect branch protection

The sync-lockfile workflow was pushing directly to main, which fails
because branch protection requires pull requests. Switch to creating a
PR via peter-evans/create-pull-request and auto-merging it. The merged
push to main triggers deploy-staging.yml, so the direct deploy dispatch
is now only needed when a sub-repo triggers a sync but the lockfile
has not changed.

authored by

Guido X Jansen and committed by

GitHub 1 week ago 6e42fda3 9b183879

+33 -10

1 changed file

expand all

unified split

.github

workflows

sync-lockfile.yml

+33 -10

.github/workflows/sync-lockfile.yml

··· 10 10 11 11 permissions: 12 12 contents: write 13 + pull-requests: write 13 14 14 15 jobs: 15 16 sync: ··· 71 72 git diff --stat pnpm-lock.yaml 72 73 fi 73 74 74 - - name: Commit lockfile to main 75 + # ------------------------------------------------------------------ 76 + # Create a PR for lockfile changes, then auto-merge it. 77 + # Direct pushes to main are blocked by branch protection, so we 78 + # go through a PR instead. The squash-merge to main triggers 79 + # deploy-staging.yml automatically (it watches lockfile paths). 80 + # ------------------------------------------------------------------ 81 + - name: Create lockfile PR 75 82 if: steps.diff.outputs.changed == 'true' 83 + id: pr 84 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 85 + with: 86 + commit-message: "fix(deps): auto-sync lockfile with sub-repo dependencies" 87 + branch: auto/sync-lockfile 88 + delete-branch: true 89 + title: "fix(deps): auto-sync lockfile with sub-repo dependencies" 90 + body: | 91 + Automated lockfile regeneration. 92 + 93 + Triggered by: `${{ steps.refs.outputs.trigger }}` 94 + 95 + - name: Auto-merge lockfile PR 96 + if: steps.diff.outputs.changed == 'true' && steps.pr.outputs.pull-request-number 97 + env: 98 + GH_TOKEN: ${{ secrets.DEPLOY_PAT }} 76 99 run: | 77 - git config user.name "github-actions[bot]" 78 - git config user.email "github-actions[bot]@users.noreply.github.com" 79 - git add pnpm-lock.yaml 80 - git commit -m "fix(deps): auto-sync lockfile with sub-repo dependencies" 81 - git push origin main 100 + gh pr merge ${{ steps.pr.outputs.pull-request-number }} \ 101 + --repo singi-labs/barazo-workspace \ 102 + --squash \ 103 + --auto 82 104 83 105 # ------------------------------------------------------------------ 84 - # Trigger staging deploy 85 - # - Always deploy when dispatched by a sub-repo (PR merge) 86 - # - Only deploy on schedule/manual if the lockfile actually changed 106 + # Trigger staging deploy directly ONLY when a sub-repo dispatched 107 + # this workflow but the lockfile did not change. When the lockfile 108 + # does change, the PR merge to main triggers deploy-staging.yml 109 + # automatically, so we skip here to avoid a duplicate deploy. 87 110 # ------------------------------------------------------------------ 88 111 - name: Trigger staging deploy 89 - if: steps.refs.outputs.deploy == 'true' || steps.diff.outputs.changed == 'true' 112 + if: steps.refs.outputs.deploy == 'true' && steps.diff.outputs.changed == 'false' 90 113 uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 91 114 with: 92 115 token: ${{ secrets.DEPLOY_PAT }}