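# Weekly dependency maintenance for this repository.
#
# Two independent jobs:
#   update-dependencies - bumps dependencies with `yarn up`, runs the project
#                         checks, and opens a PR when yarn.lock changed.
#   check-security      - runs `yarn npm audit` against production deps and
#                         opens an issue when high/critical advisories exist.
#
# Third-party actions are referenced by major tag; pinning them to a full
# commit SHA gives a stronger supply-chain guarantee for a workflow that
# holds `contents: write`.
#
# Emoji in the original log/PR/issue text were lost to an encoding error in
# the copy reviewed and were dropped rather than guessed.
name: Dependencies

on:
  schedule:
    - cron: '0 6 * * 1' # Weekly on Monday at 6 AM UTC
  workflow_dispatch:

# Read-only by default; each job below requests only the scopes it needs.
# A workflow-level `permissions:` block sets every unlisted scope to none,
# which is why `issues: write` must be granted explicitly to check-security
# (without it the issue creation below fails with a 403).
permissions:
  contents: read

jobs:
  update-dependencies:
    name: Update Dependencies
    runs-on: ubuntu-latest
    permissions:
      contents: write       # push the update branch
      pull-requests: write  # open the PR
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x

      - name: Enable Corepack
        run: corepack enable

      - name: Setup Yarn version
        run: corepack prepare yarn@3.6.1 --activate

      # NOTE(review): `stable` is unpinned, so this runs whatever Yarn release
      # Corepack resolves on the day; a major bump here can change the
      # lockfile format that `yarn install --immutable` then refuses to touch.
      - name: Update Yarn to latest
        run: |
          corepack prepare yarn@stable --activate
          yarn set version stable

      - name: Install dependencies
        run: yarn install --immutable

      - name: Check for outdated packages
        run: |
          echo "Checking for outdated dependencies..."
          echo "Note: Yarn v3 doesn't have 'yarn outdated'. Using 'yarn up' dry-run to check for updates."
          # Write outside the checkout: create-pull-request stages the whole
          # working tree, so a scratch file in the repo would land in the PR.
          OUTDATED="$RUNNER_TEMP/outdated.txt"
          # Check what packages could be updated.
          # NOTE(review): `|| true` also hides an "unknown option" error, so
          # confirm `yarn up --dry-run` is accepted by the Yarn version in use.
          yarn up --dry-run > "$OUTDATED" 2>&1 || true
          if [ -s "$OUTDATED" ]; then
            echo "Packages that could be updated:"
            cat "$OUTDATED"
          else
            echo "All packages are up to date"
          fi

      - name: Update dependencies
        run: |
          echo "Updating all dependencies to latest compatible versions..."
          # NOTE(review): confirm `--mode=latest-safe` is a mode the active
          # Yarn accepts; this step is not guarded by `|| true`, so a rejected
          # option fails the job before anything is committed.
          yarn up --recursive --mode=latest-safe

      - name: Run tests after update
        run: |
          yarn typecheck
          yarn test
          yarn build

      # Only the lockfile decides whether a PR is opened; create-pull-request
      # then commits every tracked change, including whatever
      # `yarn set version` wrote.
      - name: Check for changes
        id: changes
        run: |
          if git diff --quiet yarn.lock; then
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          fi

      # A PR opened with GITHUB_TOKEN does not trigger other workflows
      # (e.g. `on: pull_request` CI); use a GitHub App or PAT token if that
      # CI run is required before merging.
      - name: Create Pull Request
        if: steps.changes.outputs.has_changes == 'true'
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: 'chore(deps): update dependencies to latest compatible versions'
          title: 'Weekly dependency updates'
          body: |
            ## Automated dependency updates

            This PR updates all dependencies to their latest compatible versions.

            ### Validation
            - [x] TypeScript compilation passes
            - [x] All tests pass
            - [x] Package builds successfully

            ### Updated packages
            Check the `yarn.lock` diff for detailed changes.

            ---
            *This PR was created automatically by the dependency update workflow.*
          branch: chore/update-dependencies
          delete-branch: true
          labels: |
            dependencies
            automated
            chore

  check-security:
    name: Security Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write  # needed by the github-script step that opens the issue
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x

      - name: Enable Corepack
        run: corepack enable

      - name: Setup Yarn version
        run: corepack prepare yarn@3.6.1 --activate

      - name: Install dependencies
        run: yarn install --immutable

      - name: Run security audit
        id: audit
        run: |
          echo "Running security audit..."
          AUDIT_JSON="$RUNNER_TEMP/audit.json"
          AUDIT_ERR="$RUNNER_TEMP/audit.err"
          # yarn exits non-zero when it finds advisories, so keep the status in
          # a variable instead of masking it with `|| true`, and keep stderr
          # out of the JSON file so a warning cannot corrupt the report.
          if yarn npm audit --all --environment production --json > "$AUDIT_JSON" 2> "$AUDIT_ERR"; then
            AUDIT_STATUS=0
          else
            AUDIT_STATUS=$?
          fi
          # The redirect above always creates the file, so "file exists" proves
          # nothing; insist on parseable JSON so a tooling failure (registry,
          # network, unknown flag) fails the job without being misreported as
          # "vulnerabilities found".
          if ! jq -e . "$AUDIT_JSON" > /dev/null 2>&1; then
            echo "Audit did not produce valid JSON (exit status $AUDIT_STATUS):"
            cat "$AUDIT_ERR" "$AUDIT_JSON"
            exit 1
          fi
          # NOTE(review): assumes the npm-style report shape
          # (.metadata.vulnerabilities, .advisories) that the pinned Yarn emits
          # with --json; re-check if the Yarn version changes.
          CRITICAL_COUNT=$(jq -r '.metadata.vulnerabilities.critical // 0' "$AUDIT_JSON")
          HIGH_COUNT=$(jq -r '.metadata.vulnerabilities.high // 0' "$AUDIT_JSON")
          if [ "$CRITICAL_COUNT" -gt 0 ] || [ "$HIGH_COUNT" -gt 0 ]; then
            echo "High or critical vulnerabilities found!"
            echo "Critical: $CRITICAL_COUNT, High: $HIGH_COUNT"
            jq -r '.advisories // {}' "$AUDIT_JSON"
            # Only this branch should open a tracking issue (see the step below).
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
            exit 1
          fi
          echo "vulnerable=false" >> "$GITHUB_OUTPUT"
          echo "No high or critical vulnerabilities found"

      # Opens an issue only when the audit itself reported high/critical
      # advisories; any other failure still fails the job but does not
      # produce a misleading "vulnerabilities detected" issue.
      - name: Create security issue
        if: failure() && steps.audit.outputs.vulnerable == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            // Awaited so an API error (e.g. missing `issues: write`) fails
            // this step instead of surfacing as an unhandled rejection.
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: 'Security vulnerabilities detected',
              body: `## Security Alert

            High or critical security vulnerabilities have been detected in dependencies.
            Please review and update the affected packages as soon as possible.

            **Workflow Run:** [${context.runNumber}](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})

            ---
            *This issue was created automatically by the security audit workflow.*`,
              labels: ['security', 'bug', 'high-priority']
            })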