hanh.tonguyen/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: convert lockfile refresh to PR-based flow for protected master

Browse Source 
The refresh-lockfile workflow was pushing directly to master, which fails
with branch protection rules. Convert to use peter-evans/create-pull-request
to create a PR instead. Exempt the bot's branch from the lockfile policy check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dotta
2026-03-09 07:22:34 -05:00
parent 77e04407b9
commit ee7fddf8d5
2 changed files with 16 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/pr-policy.yml vendored
View File

@@ -32,6 +32,7 @@ jobs:
node-version: 20 node-version: 20
- name: Block manual lockfile edits - name: Block manual lockfile edits
if: github.head_ref != 'chore/refresh-lockfile'
run: | run: |
changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")" changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
if printf '%s\n' "$changed" | grep -qx 'pnpm-lock.yaml'; then if printf '%s\n' "$changed" | grep -qx 'pnpm-lock.yaml'; then

42
.github/workflows/refresh-lockfile.yml vendored
View File

@@ -11,11 +11,12 @@ concurrency:
cancel-in-progress: false cancel-in-progress: false
jobs: jobs:
refresh_and_verify: refresh:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 25 timeout-minutes: 10
permissions: permissions:
contents: write contents: write
pull-requests: write
steps: steps:
- name: Checkout repository - name: Checkout repository
@@ -40,6 +41,7 @@ jobs:
run: | run: |
changed="$(git status --porcelain)" changed="$(git status --porcelain)"
if [ -z "$changed" ]; then if [ -z "$changed" ]; then
echo "Lockfile is already up to date."
exit 0 exit 0
fi fi
if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
@@ -48,29 +50,15 @@ jobs:
exit 1 exit 1
fi fi
- name: Commit refreshed lockfile - name: Create pull request
run: | uses: peter-evans/create-pull-request@v7
if git diff --quiet -- pnpm-lock.yaml; then with:
exit 0 commit-message: "chore(lockfile): refresh pnpm-lock.yaml"
fi branch: chore/refresh-lockfile
git config user.name "lockfile-bot" delete-branch: true
git config user.email "lockfile-bot@users.noreply.github.com" title: "chore(lockfile): refresh pnpm-lock.yaml"
git add pnpm-lock.yaml body: |
git commit -m "chore(lockfile): refresh pnpm-lock.yaml" Auto-generated lockfile refresh after dependencies changed on `master`.
git push || {
echo "Push failed because master moved during lockfile refresh."
echo "A later refresh run should recompute the lockfile from the newer master state."
exit 1
}
- name: Install dependencies This PR only updates `pnpm-lock.yaml` — no source changes.
run: pnpm install --frozen-lockfile labels: lockfile-bot
- name: Typecheck
run: pnpm -r typecheck
- name: Run tests
run: pnpm test:run
- name: Build
run: pnpm build