fix(ci): skip frozen-lockfile for dependabot PRs #40
Merged
✅ Deploy Preview for frontier-flow ready!
Pull request overview
This PR updates the GitHub Actions CI workflow to accommodate Dependabot PRs where package.json changes can temporarily diverge from the committed Bun lockfile, by conditionally relaxing --frozen-lockfile and attempting to auto-commit a regenerated lockfile back to the Dependabot branch.
Changes:
- Make bun install conditionally omit --frozen-lockfile for Dependabot-triggered runs.
- Add a step in each job to regenerate and auto-commit/push bun.lock on Dependabot PRs.
Comment on lines +43 to +52
| - name: Commit updated lockfile (dependabot) | ||
| if: github.event_name == 'pull_request' && startsWith(github.actor, 'dependabot') | ||
| run: | | ||
| bun install | ||
| git config user.name "dependabot[bot]" | ||
| git config user.email "49699333+dependabot[bot]@users.noreply.github.com" | ||
| git add bun.lock | ||
| if ! git diff --cached --quiet; then | ||
| git commit -m "chore(deps): update bun.lock" | ||
| git push |
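Review bot: The two git config lines attribute the regenerated lockfile commit to dependabot[bot], although the commit is produced by this workflow step and not by Dependabot. That makes the branch history misleading when someone later audits who changed bun.lock. Suggest committing under the workflow's own identity, for example `git config user.name "github-actions[bot]"` with its matching noreply address, so the lockfile commit is distinguishable from Dependabot's own.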
Comment on lines +43 to +53
| - name: Commit updated lockfile (dependabot) | ||
| if: github.event_name == 'pull_request' && startsWith(github.actor, 'dependabot') | ||
| run: | | ||
| bun install | ||
| git config user.name "dependabot[bot]" | ||
| git config user.email "49699333+dependabot[bot]@users.noreply.github.com" | ||
| git add bun.lock | ||
| if ! git diff --cached --quiet; then | ||
| git commit -m "chore(deps): update bun.lock" | ||
| git push | ||
| fi |
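Review bot: The bare `git push` inside the `if` block names no remote or ref and depends on the job token having write access, which nothing in these lines grants. Runs triggered by Dependabot receive a read-only GITHUB_TOKEN by default, so without `permissions: contents: write` on the job the push is rejected and the step fails. A push made with GITHUB_TOKEN also does not start a new workflow run, so the bun.lock that lands on the branch is never installed with --frozen-lockfile before merge. Suggest declaring the permission explicitly on only the job that pushes, and naming the target in the push.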
Comment on lines +41 to +44
| run: bun install ${{ !startsWith(github.actor, 'dependabot') && '--frozen-lockfile' || '' }} | ||
|
|
||
| - name: Commit updated lockfile (dependabot) | ||
| if: github.event_name == 'pull_request' && startsWith(github.actor, 'dependabot') |
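Review bot: `startsWith(github.actor, 'dependabot')`, used on the install line and again in the step's `if:`, is a prefix match, so a run triggered by any account whose login begins with "dependabot" also drops --frozen-lockfile and reaches the commit step. Since this condition is what relaxes lockfile enforcement, suggest an exact comparison such as `github.actor == 'dependabot[bot]'`, or keying on the PR author with `github.event.pull_request.user.login == 'dependabot[bot]'`.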

Problem
Dependabot updates package.json but cannot update bun.lock (it only understands package-lock.json). Every CI job uses bun install --frozen-lockfile, which fails because the lockfile doesn't match the updated package.json.
Fix
- --frozen-lockfile when the PR is from dependabot (detected via github.actor), allowing bun install to regenerate the lockfile.
- bun install and commits any regenerated bun.lock back to the branch for dependabot PRs. Regular PRs still get --frozen-lockfile enforcement.
Changes
- .github/workflows/ci.yml: Added conditional install and lockfile commit step to all jobs
- bun.lock: Already updated on the dependabot branch (pushed separately)
Already applied to dependabot branch
The lockfile update has been pushed to dependabot/npm_and_yarn/bun-dependencies-70702ba6ba so that PR #39 will pass once this PR is merged.
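An added example, not part of this PR or the project's workflow: a POSIX shell guard for the lockfile commit step described above, which commits only when bun.lock is the sole changed path in the checkout. The function name, its return codes and the commit identity are assumptions, and it assumes node_modules is gitignored.

```shell
#!/bin/sh
# Guard for a CI step that commits a regenerated bun.lock (added example).
#
# commit_lockfile_only REPO_DIR
#   0  bun.lock was the only changed path and has been committed
#   1  working tree clean, nothing to commit
#   2  some other path changed too; nothing is committed
#   3  git status itself failed (not a repository, etc.)
#
# Intended call site: right after the install that regenerates the lockfile,
# e.g.  commit_lockfile_only "$GITHUB_WORKSPACE" && git push origin HEAD:<branch>
commit_lockfile_only() {
    repo=$1

    # One "XY path" line per modified, staged or untracked path.
    # Ignored paths (node_modules, assuming it is gitignored) are not listed.
    changed=$(git -C "$repo" status --porcelain --untracked-files=all) || return 3
    [ -n "$changed" ] || return 1

    # Strip the two status columns plus the separator, then keep every path
    # that is not exactly bun.lock. grep exits 1 when nothing is left.
    others=$(printf '%s\n' "$changed" | cut -c4- | grep -v -x 'bun.lock' || true)
    if [ -n "$others" ]; then
        printf 'refusing to commit, install changed more than bun.lock:\n%s\n' \
            "$others" >&2
        return 2
    fi

    # Commit under the workflow's identity, passed per-command so the
    # repository's git config is left untouched.
    git -C "$repo" add -- bun.lock &&
    git -C "$repo" \
        -c user.name='github-actions[bot]' \
        -c user.email='41898282+github-actions[bot]@users.noreply.github.com' \
        commit -q -m 'chore(deps): update bun.lock'
}
```

Return code 2 is the case worth alerting on: a dependency update that rewrites tracked files other than the lockfile during install should fail the job, not get pushed.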