Skip to content

tradeshift-larsbojensen/actions-workflow-npm

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

69 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
README.md
README.md
 
 
Repofile
Repofile
 
 
catalog-info.yml
catalog-info.yml
 
 

Repository files navigation

actions-workflow-npm

Shared workflows for npm packages, such as creating pre-releases and semantic release automation.

npm publish

# .github/workflows/npm-publish.yml
name: npm publish
on:
  issue_comment:
    types: [created]

jobs:
  npm-publish:
    uses: tradeshift/actions-workflow-npm/.github/workflows/comment-npm-publish.yml@v1
    secrets:
      github-token: ${{ secrets.GITHUB_TOKEN }}
      npm-read-token: ${{ secrets.NPM_TOKEN }}

Dependency tree auto-update

Shared workflow that auto-updates the dependency tree for the lock file of your node project.

By regenerating the lockfiles, the dependency tree will be updated to pull in the latest packages that match the dependency ranges in package.json. For each of those dependencies, the sub-dependencies are updated, and so on.

None of these updates should be a breaking change, since they respect the version ranges. They'll potentially save you and your team a lot of time by preventing Dependabot vulnerability alerts that you'd have to deal with manually otherwise.

The lock file will be generated using the npm/yarn version that matches the node version specified on the .nvmrc file for your project. The workflow also removes entries for package-lock.json or yarn.lock on your .gitignore file.

For the workflow to work, you need to give write access for your repo to the ci-workers team.

To enable it, create a new workflow with the following contents:

# .github/workflows/dependency-auto-update.yml
name: Dependency tree auto-update
on:
  schedule:
    - cron:  '0 11 * * 1,4' # Frequency of your preference, this one runs Mondays and Thursdays at 11am
  workflow_dispatch: # Allow running manually
jobs:
  update:
    uses: tradeshift/actions-workflow-npm/.github/workflows/dependency-tree-update.yml@v1 # Reference to the shared workflow
    secrets:
      gpg-key: ${{ secrets.TRADESHIFTCI_GPG_KEY }} # The client key to use for commit author and signing
      github-token: ${{ secrets.GH_TOKEN }} # Token used to checkout code and create PR. Using a personal access token to have workflows run on the created PR.
      npm-token: ${{ secrets.NPM_TOKEN }} # Token used to authenticate to the private GitHub npm registry
    with:
      path: . # Optional paramater in case your application is not at the root of your repo, otherwise it defaults to "."
      # runs-on: self-hosted # Optional paramater to define where to run the workflow, otherwise it defaults to ubuntu-latest. More information at https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on

If you have multiple subfolders with managed node modules you can specify multiple folders on the same schedule like this:

# .github/workflows/dependency-auto-update.yml
name: Dependency tree update
on:
  schedule:
    ...
jobs:
  update:
    uses: tradeshift/actions-workflow-npm/.github/workflows/dependency-tree-update.yml@v1
    secrets:
      ...
    with:
      path: . # Main path
  update-submodule:
    uses: tradeshift/actions-workflow-npm/.github/workflows/dependency-tree-update.yml@v1
    secrets:
      ...
    with:
      path: ./client/ # Module path

About

This is actions-workflow-npm

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published