fix: pnpm with bot

Author: gengjiawen

.github/dependabot.yml

@@ -1,13 +1,12 @@
 version: 2
 updates:
-- package-ecosystem: npm
-  directory: "/"
-  schedule:
-    interval: monthly
-    time: "21:00"
-    timezone: Asia/Shanghai
-  open-pull-requests-limit: 10
-  reviewers:
-  - gengjiawen
-  versioning-strategy: increase
-
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: monthly
+      time: '21:00'
+      timezone: Asia/Shanghai
+    open-pull-requests-limit: 10
+    reviewers:
+      - gengjiawen
+    versioning-strategy: increase

.github/workflows/update-lockfile.yml

@@ -0,0 +1,25 @@
+# https://github.com/dependabot/dependabot-core/issues/1736
+name: Dependabot
+on: pull_request_target
+permissions: read-all
+jobs:
+  update-lockfile:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      pull-requests: write
+      contents: write
+    steps:
+      - uses: pnpm/action-setup@v2
+        with:
+          version: ^7
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - run: pnpm i --lockfile-only
+      - run: |
+          git config --global user.name github-actions[bot]
+          git config --global user.email github-actions[bot]@users.noreply.github.com
+          git add pnpm-lock.yaml
+          git commit -m "Update pnpm-lock.yaml"
+          git push