fix: replace third-party action with gh CLI for lockfile PR creation

Replace peter-evans/create-pull-request with plain gh CLI commands to avoid third-party supply chain risk. Uses only GitHub's own tooling (GITHUB_TOKEN + gh CLI) to create the lockfile refresh PR. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:26:31 -05:00
parent ee7fddf8d5
commit f32b76f213
1 changed files with 27 additions and 11 deletions
--- a/.github/workflows/refresh-lockfile.yml
+++ b/.github/workflows/refresh-lockfile.yml
@@ -50,15 +50,31 @@ jobs:
            exit 1
          fi
-      - name: Create pull request
+      - name: Create or update pull request
-        uses: peter-evans/create-pull-request@v7
+        env:
-        with:
+          GH_TOKEN: ${{ github.token }}
-          commit-message: "chore(lockfile): refresh pnpm-lock.yaml"
+        run: |
-          branch: chore/refresh-lockfile
+          if git diff --quiet -- pnpm-lock.yaml; then
-          delete-branch: true
+            echo "Lockfile unchanged, nothing to do."
-          title: "chore(lockfile): refresh pnpm-lock.yaml"
+            exit 0
-          body: |
+          fi
            Auto-generated lockfile refresh after dependencies changed on `master`.
-            This PR only updates `pnpm-lock.yaml` — no source changes.
+          BRANCH="chore/refresh-lockfile"
-          labels: lockfile-bot
+          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B "$BRANCH"
          git add pnpm-lock.yaml
          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
          git push -f origin "$BRANCH"
          # Create PR if one doesn't already exist for this branch
          existing=$(gh pr list --head "$BRANCH" --json number --jq '.[0].number')
          if [ -n "$existing" ]; then
            echo "PR #$existing already exists for $BRANCH, updated branch."
          else
            gh pr create \
              --head "$BRANCH" \
              --title "chore(lockfile): refresh pnpm-lock.yaml" \
              --body "Auto-generated lockfile refresh after dependencies changed on \`master\`.\n\nThis PR only updates \`pnpm-lock.yaml\` — no source changes."
            echo "Created new PR."
          fi