dependabot-alert-bridge-security-updates.yml
name: Dependabot Alert Bridge - Security Updates

on:
  # Triggered by a repository_dispatch event sent by dependabot-alert-bridge;
  # repository_dispatch only accepts payloads from callers holding a write-scoped token.
  repository_dispatch:
    types: [dependabot-alert-bridge.dependabot-alert-opened]

jobs:
  dependabot_alert_bridge_apply_security_updates:
    name: Dependabot Alert Bridge - Apply Security Updates
    runs-on: ubuntu-latest
    # Only run for npm alerts whose payload lists at least one dependency
    if: ${{ github.event.client_payload.ecosystem == 'npm' && github.event.client_payload.dependencies && github.event.client_payload.dependencies[0] }}
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v5
      - uses: actions/setup-node@v6
        with:
          node-version: 24.15.0
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      # The dependency names from the dispatch payload are expanded directly into the shell command
      - run: pnpm up --depth 100 ${{ join(github.event.client_payload.dependencies, ' ') }}
      - run: pnpm up -r --depth 100 ${{ join(github.event.client_payload.dependencies, ' ') }}
      - uses: peter-evans/create-pull-request@v8
        with:
          # PR-creating token supplied as a repository secret
          token: ${{ secrets.DEPENDABOT_ALERT_BRIDGE_PR_TOKEN }}
          branch: dependabot-alert-${{ github.event.client_payload.alert_number }}
          title: "Update ${{ join(github.event.client_payload.dependencies, ', ') }} [SECURITY]"
          body: |
            This PR updates dependencies from a `dependabot_alert` webhook.

            - Updated packages: `${{ join(github.event.client_payload.dependencies, ', ') }}`
            - GHSA: ${{ github.event.client_payload.ghsa_id }}
            - Advisory: https://github.com/advisories/${{ github.event.client_payload.ghsa_id }}
            - Severity: ${{ github.event.client_payload.severity }}
            - Ecosystem: ${{ github.event.client_payload.ecosystem }}

            Created through [dependabot-alert-bridge](https://github.com/karlhorky/dependabot-alert-bridge)
          commit-message: Update vulnerable dependencies [SECURITY]
          author: "dependabot-alert-bridge[bot] <263013106+dependabot-alert-bridge[bot]@users.noreply.github.com>"
          committer: "dependabot-alert-bridge[bot] <263013106+dependabot-alert-bridge[bot]@users.noreply.github.com>"