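name: Fix Lockfile

# Dependabot doesn't handle pnpm catalogs correctly -- it resolves
# catalog: specifiers to concrete versions in the lockfile, causing
# a mismatch that fails `pnpm install --frozen-lockfile` in CI.
# This workflow regenerates the lockfile on Dependabot PRs.
#
# Uses pull_request_target so the workflow has access to repo secrets
# (Dependabot PRs don't get secrets with plain pull_request).
#
# Trust boundary: this job checks out the PR branch while holding
# DEPLOY_PAT and a write-scoped token, so nothing from that branch may be
# executed. The guards are:
#   - the job runs only when both the triggering actor and the PR author
#     are dependabot[bot];
#   - pnpm resolves the lockfile only, with lifecycle scripts disabled;
#   - only pnpm-lock.yaml is staged and committed.

on:
  pull_request_target:
    paths:
      - 'package.json'
      - 'pnpm-lock.yaml'
      - 'pnpm-workspace.yaml'

permissions:
  contents: write

jobs:
  fix-lockfile:
    name: Regenerate lockfile
    # github.actor is whoever triggered this run, which is not necessarily
    # the PR author, so the author is checked as well.
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      # checkout keeps the token in the local git config so the final
      # `git push` works; every later step in this job can read it.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.DEPLOY_PAT }}

      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0

      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: '24'

      # --lockfile-only: rewrite pnpm-lock.yaml without populating
      #   node_modules; nothing else is needed to fix the mismatch.
      # --ignore-scripts: a plain `pnpm install` runs the lifecycle scripts
      #   declared in the checked-out package.json (preinstall, postinstall,
      #   prepare), which would execute PR-controlled code next to the PAT.
      # NOTE(review): a .pnpmfile.cjs on the branch is still loaded during
      #   resolution; confirm the repo has none, or add --ignore-pnpmfile.
      - name: Regenerate lockfile
        run: pnpm install --no-frozen-lockfile --lockfile-only --ignore-scripts

      - name: Commit updated lockfile
        run: |
          # Nothing to commit when resolution left the lockfile unchanged.
          if git diff --quiet pnpm-lock.yaml; then
            echo "Lockfile is already in sync."
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # Stage the lockfile only, so no other file change gets committed.
          git add pnpm-lock.yaml
          git commit -m "fix(deps): regenerate lockfile for pnpm catalog compatibility"
          git push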