feat: add release relay and npm audit fix workflows#921
Conversation
Signed-off-by: kyteinsky <kyteinsky@gmail.com>
Signed-off-by: kyteinsky <kyteinsky@gmail.com>
|
/backport 70c83d3 to stable34 |
|
/backport 70c83d3 to stable33 |
📝 WalkthroughWalkthroughTwo new GitHub Actions workflows were added. The first, npm-audit-fix.yml, runs on a weekly schedule or manual trigger, iterates over the default branch plus stable34, stable33, and stable32, checks out each branch, resolves Node/npm versions, runs an npm audit-fix action, rebuilds the project, and opens a pull request with the fixes. The second, release-relay.yml, triggers on published releases restricted to the nextcloud-releases owner, verifies the triggering actor has write permission, and dispatches an app-tagged repository-dispatch event with repository and tag information to the nextcloud-gmbh/release-relay repository. 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/release-relay.yml (1)
38-38: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winUse
toJSON()to safely construct theclient-payload.The
client-payloadis a manually constructed JSON string with raw${{ }}interpolation. Ifgithub.event.release.tag_namecontains a double quote or backslash, the JSON becomes malformed; if it contains a single quote, the surrounding YAML single-quoted string breaks. Using GitHub Actions' built-intoJSON()function properly escapes all values.♻️ Proposed refactor: use toJSON() for safe payload construction
- client-payload: '{"app": "${{ github.repository }}", "tag": "${{ github.event.release.tag_name }}"}' + client-payload: ${{ toJSON({ "app": github.repository, "tag": github.event.release.tag_name }) }}
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: d7f3d81e-867d-4f09-b6f8-4926ff9ded10
📒 Files selected for processing (2)
.github/workflows/npm-audit-fix.yml.github/workflows/release-relay.yml
| - name: Read package.json node and npm engines version | ||
| uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 | ||
| id: versions | ||
| with: | ||
| fallbackNode: '^24' | ||
| fallbackNpm: '^11.3' | ||
|
|
||
| - name: Set up node ${{ steps.versions.outputs.nodeVersion }} | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: ${{ steps.versions.outputs.nodeVersion }} | ||
|
|
||
| - name: Set up npm ${{ steps.versions.outputs.npmVersion }} | ||
| run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}' | ||
|
|
||
| - name: Fix npm audit | ||
| id: npm-audit | ||
| uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0 |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Intermediate steps lack checkout outcome guard, causing job failures for missing branches.
Checkout uses continue-on-error: true (line 42) to gracefully handle branches that don't exist, and the build/PR steps (lines 64, 72) correctly guard with if: steps.checkout.outcome == 'success'. However, the steps in between — read package versions (44-49), setup node (51-54), setup npm (56-57), and npm audit fix (59-61) — have no such guard. When a branch doesn't exist, these steps will run against an empty workspace and fail (no package.json), stopping the job and defeating the purpose of continue-on-error on checkout.
🛡️ Proposed fix: add checkout outcome guard to intermediate steps
- name: Read package.json node and npm engines version
+ if: steps.checkout.outcome == 'success'
uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
id: versions
with:
fallbackNode: '^24'
fallbackNpm: '^11.3'
- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
+ if: steps.checkout.outcome == 'success'
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
+ if: steps.checkout.outcome == 'success'
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
- name: Fix npm audit
+ if: steps.checkout.outcome == 'success'
id: npm-audit
uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Read package.json node and npm engines version | |
| uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 | |
| id: versions | |
| with: | |
| fallbackNode: '^24' | |
| fallbackNpm: '^11.3' | |
| - name: Set up node ${{ steps.versions.outputs.nodeVersion }} | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: ${{ steps.versions.outputs.nodeVersion }} | |
| - name: Set up npm ${{ steps.versions.outputs.npmVersion }} | |
| run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}' | |
| - name: Fix npm audit | |
| id: npm-audit | |
| uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0 | |
| - name: Read package.json node and npm engines version | |
| if: steps.checkout.outcome == 'success' | |
| uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 | |
| id: versions | |
| with: | |
| fallbackNode: '^24' | |
| fallbackNpm: '^11.3' | |
| - name: Set up node ${{ steps.versions.outputs.nodeVersion }} | |
| if: steps.checkout.outcome == 'success' | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: ${{ steps.versions.outputs.nodeVersion }} | |
| - name: Set up npm ${{ steps.versions.outputs.npmVersion }} | |
| if: steps.checkout.outcome == 'success' | |
| run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}' | |
| - name: Fix npm audit | |
| if: steps.checkout.outcome == 'success' | |
| id: npm-audit | |
| uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0 |
|
/backport 70c83d3 to stable32 |
🤖 AI (if applicable)