
Commit 0c502a1

authored
Add Dependabot Alert Bridge Security Updates workflow
1 parent 9efb2d4 commit 0c502a1

1 file changed

Lines changed: 46 additions & 0 deletions

@@ -0,0 +1,46 @@
1+
name: Dependabot Alert Bridge - Security Updates
2+
3+
on:
4+
repository_dispatch:
5+
types: [dependabot-alert-bridge.dependabot-alert-opened]
6+
7+
jobs:
8+
dependabot_alert_bridge_apply_security_updates:
9+
name: Dependabot Alert Bridge - Apply Security Updates
10+
runs-on: ubuntu-latest
11+
if: ${{ github.event.client_payload.ecosystem == 'npm' && github.event.client_payload.dependencies && github.event.client_payload.dependencies[0] }}
12+
13+
steps:
14+
- uses: actions/checkout@v6
15+
16+
- uses: pnpm/action-setup@v4
17+
18+
- uses: actions/setup-node@v6
19+
with:
20+
node-version: 24.13.0
21+
cache: pnpm
22+
23+
- run: pnpm install --frozen-lockfile
24+
25+
- run: pnpm up --depth 100 ${{ join(github.event.client_payload.dependencies, ' ') }}
26+
27+
- run: pnpm up -r --depth 100 ${{ join(github.event.client_payload.dependencies, ' ') }}
28+
29+
- uses: peter-evans/create-pull-request@v8
30+
with:
31+
token: ${{ secrets.DEPENDABOT_ALERT_BRIDGE_PR_TOKEN }}
32+
branch: dependabot-alert-${{ github.event.client_payload.alert_number }}
33+
title: "Update ${{ join(github.event.client_payload.dependencies, ', ') }} [SECURITY]"
34+
body: |
35+
This PR updates dependencies from a `dependabot_alert` webhook.
36+
37+
- Updated packages: `${{ join(github.event.client_payload.dependencies, ', ') }}`
38+
- GHSA: ${{ github.event.client_payload.ghsa_id }}
39+
- Advisory: https://github.com/advisories/${{ github.event.client_payload.ghsa_id }}
40+
- Severity: ${{ github.event.client_payload.severity }}
41+
- Ecosystem: ${{ github.event.client_payload.ecosystem }}
42+
43+
Created through [dependabot-alert-bridge](https://github.com/karlhorky/dependabot-alert-bridge)
44+
commit-message: Update vulnerable dependencies [SECURITY]
45+
author: "dependabot-alert-bridge[bot] <263013106+dependabot-alert-bridge[bot]@users.noreply.github.com>"
46+
committer: "dependabot-alert-bridge[bot] <263013106+dependabot-alert-bridge[bot]@users.noreply.github.com>"
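Review bot: the dispatch payload is expanded directly into shell in `- run: pnpm up --depth 100 ${{ join(github.event.client_payload.dependencies, ' ') }}` (and again in the `-r` variant two lines below). `${{ }}` substitution happens before bash ever sees the script, so an element of `client_payload.dependencies` that contains a shell metacharacter (`;`, `$(...)`, backticks) executes as a command on the runner, in a job where `DEPENDABOT_ALERT_BRIDGE_PR_TOKEN` is handed to the next step. `repository_dispatch` can only be fired with a token that has write access to this repository, so the trust boundary is the bridge app and whatever holds its token, but the workflow should not depend on that: put the joined list in an `env:` entry and reference it as `$DEPS` inside `run:` so the shell treats it as data, and tighten the `if:` from checking that `github.event.client_payload.dependencies[0]` is truthy to checking that each entry matches an npm package-name pattern (or have the bridge enforce that before dispatching). Two smaller points: there is no top-level `permissions:` block, so the job inherits the repository default for `GITHUB_TOKEN` even though every write goes through the PAT, and `permissions: contents: read` (or `permissions: {}`) would be the right scope; and the four `uses:` steps are pinned to mutable major tags rather than commit SHAs, which for a job holding a PR-creating PAT is worth tightening.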
