From 9b3d0e5bfa6cf9564423c077a92e4b0f3177c331 Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Mon, 8 Sep 2025 21:24:14 +0100 Subject: [PATCH 01/27] Add GitHub Actions workflow for NPM audit fixes --- .github/workflows/main.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000000..0df843f0344 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,23 @@ +name: NPM Audit Fix + +on: + schedule: + - cron: '0 7 * * 1' # Weekly + workflow_dispatch: + +jobs: + npm-audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - run: npm install + - run: npm audit fix || true + - name: Check for changes and PR + uses: stefanzweifel/git-auto-commit-action@v5 + with: + commit_message: "chore: npm audit fix" + branch: chore/npm-audit-fix + create_branch: true + push_options: '--set-upstream' + commit_user_name: github-actions + commit_user_email: github-actions@github.com From 82dfec2261066ffaf7dd9f854396912742b03d39 Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Mon, 8 Sep 2025 21:25:18 +0100 Subject: [PATCH 02/27] node-upgrade script --- .github/workflows/node-upgrade.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/node-upgrade.yml diff --git a/.github/workflows/node-upgrade.yml b/.github/workflows/node-upgrade.yml new file mode 100644 index 00000000000..72481b81454 --- /dev/null +++ b/.github/workflows/node-upgrade.yml 
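Review bot: The job has no `permissions:` block and pushes through a third-party action pinned only to a mutable tag, `stefanzweifel/git-auto-commit-action@v5`, so a moved tag gets whatever the default `GITHUB_TOKEN` grants; pin that action (and `actions/checkout`) to a full commit SHA and add `permissions: contents: write` at the job level so the token carries nothing more. `npm install` at the repository root also executes package lifecycle scripts before `npm audit fix || true` masks any failure; `npm ci --ignore-scripts` followed by `npm audit fix --ignore-scripts` limits the run to lockfile changes. A later patch in this series moves the step into `src/Misc/expressionFunc/hashFiles`, which suggests there is no package.json at the root for this first version to act on — worth confirming.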
@@ -0,0 +1,27 @@ +name: Auto Update Node Version + +on: + schedule: + - cron: '0 6 * * 1' # Weekly, every Monday + workflow_dispatch: + +jobs: + update-node: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - name: Get latest Node version + id: node-version + run: | + LATEST_NODE=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json | jq -r '.[0].version') + echo "latest_node=$LATEST_NODE" >> $GITHUB_OUTPUT + - name: Update externals.sh + run: | + sed -i "s/^NODE_VERSION=.*/NODE_VERSION=${{ steps.node-version.outputs.latest_node }}/" src/Misc/externals.sh + - name: Create PR + uses: peter-evans/create-pull-request@v6 + with: + commit-message: "chore: update Node version to ${{ steps.node-version.outputs.latest_node }}" + branch: chore/update-node + title: "chore: update Node version to ${{ steps.node-version.outputs.latest_node }}" + labels: dependency From ba6105a4b9ebb65254750340de3cacc925027f0d Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Mon, 8 Sep 2025 21:27:20 +0100 Subject: [PATCH 03/27] rename files --- .github/workflows/{main.yml => npm-upgrade.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{main.yml => npm-upgrade.yml} (100%) diff --git a/.github/workflows/main.yml b/.github/workflows/npm-upgrade.yml similarity index 100% rename from .github/workflows/main.yml rename to .github/workflows/npm-upgrade.yml From 53ab704fbafd88e095f83064ce056fe1d656e454 Mon Sep 17 00:00:00 2001 
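Review bot: The `sed -i "s/^NODE_VERSION=.*/..."` line cannot match externals.sh, which pins `NODE20_VERSION` and `NODE24_VERSION` (visible in the patch 06 context further down), so the step silently changes nothing and create-pull-request finds no diff. The version is also taken from a `curl -s` of a remote manifest without `-f`, so a failed fetch yields an empty string, and it is spliced into the `run:` script through `${{ }}` rather than an environment variable; use `curl -fsSL`, pass it as `env: LATEST_NODE: ${{ steps.node-version.outputs.latest_node }}`, and require `[[ "$LATEST_NODE" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]` before touching the file. `peter-evans/create-pull-request@v6` pushes with the job token and should be pinned to a commit SHA.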
From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 21:39:08 +0100 Subject: [PATCH 04/27] Add automated workflows for dependency management and update documentation --- .github/workflows/dependency-check.yml | 192 ++++++++++++++++++++ .github/workflows/docker-buildx-upgrade.yml | 33 ++-- .github/workflows/dotnet-upgrade.yml | 32 ++-- .github/workflows/node-upgrade.yml | 85 +++++++-- .github/workflows/npm-upgrade.yml | 51 ++++-- docs/dependency-management.md | 145 +++++++++++++++ 6 files changed, 480 insertions(+), 58 deletions(-) create mode 100644 .github/workflows/dependency-check.yml create mode 100644 docs/dependency-management.md diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml new file mode 100644 index 00000000000..c546baaf39c --- /dev/null +++ b/.github/workflows/dependency-check.yml 
@@ -0,0 +1,192 @@ +name: Dependency Status Check + +on: + workflow_dispatch: + inputs: + check_type: + description: "Type of dependency check" + required: false + default: "all" + type: choice + options: + - all + - node + - dotnet + - docker + - npm + schedule: + - cron: "0 8 * * 1" # Weekly on Monday at 8 AM + +jobs: + dependency-status: + runs-on: ubuntu-latest + outputs: + node20-status: ${{ steps.check-versions.outputs.node20-status }} + node24-status: ${{ steps.check-versions.outputs.node24-status }} + dotnet-status: ${{ steps.check-versions.outputs.dotnet-status }} + docker-status: ${{ steps.check-versions.outputs.docker-status }} + buildx-status: ${{ steps.check-versions.outputs.buildx-status }} + npm-vulnerabilities: ${{ steps.check-versions.outputs.npm-vulnerabilities }} + open-dependency-prs: ${{ steps.check-prs.outputs.open-dependency-prs }} + steps: + - uses: actions/checkout@v5 + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "20" + + - name: Check dependency versions + id: check-versions + run: | + echo "## Dependency Status Report" >> $GITHUB_STEP_SUMMARY + echo "Generated on: $(date)" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Check Node versions + if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "node" ]]; then + echo "### Node.js Versions" >> $GITHUB_STEP_SUMMARY + + VERSIONS_JSON=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json) + LATEST_NODE20=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("20.")) | .version' | head -1) + LATEST_NODE24=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("24.")) | .version' | head -1) + + CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2) + CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2) + + NODE20_STATUS="✅ up-to-date" + NODE24_STATUS="✅ up-to-date" + + if [ 
"$CURRENT_NODE20" != "$LATEST_NODE20" ]; then + NODE20_STATUS="⚠️ outdated" + fi + + if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then + NODE24_STATUS="⚠️ outdated" + fi + + echo "| Version | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY + echo "|---------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY + echo "| Node 20 | $CURRENT_NODE20 | $LATEST_NODE20 | $NODE20_STATUS |" >> $GITHUB_STEP_SUMMARY + echo "| Node 24 | $CURRENT_NODE24 | $LATEST_NODE24 | $NODE24_STATUS |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + echo "node20-status=$NODE20_STATUS" >> $GITHUB_OUTPUT + echo "node24-status=$NODE24_STATUS" >> $GITHUB_OUTPUT + fi + + # Check .NET version + if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "dotnet" ]]; then + echo "### .NET SDK Version" >> $GITHUB_STEP_SUMMARY + + current_dotnet_version=$(jq -r .sdk.version ./src/global.json) + current_major_minor=$(echo "$current_dotnet_version" | cut -d '.' -f 1,2) + latest_dotnet_version=$(curl -sb -H "Accept: application/json" "https://dotnetcli.blob.core.windows.net/dotnet/Sdk/$current_major_minor/latest.version") + + DOTNET_STATUS="✅ up-to-date" + if [ "$current_dotnet_version" != "$latest_dotnet_version" ]; then + DOTNET_STATUS="⚠️ outdated" + fi + + echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY + echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY + echo "| .NET SDK | $current_dotnet_version | $latest_dotnet_version | $DOTNET_STATUS |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + echo "dotnet-status=$DOTNET_STATUS" >> $GITHUB_OUTPUT + fi + + # Check Docker versions + if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "docker" ]]; then + echo "### Docker Versions" >> $GITHUB_STEP_SUMMARY + + current_docker=$(grep "ARG DOCKER_VERSION=" ./images/Dockerfile | cut -d'=' -f2) + current_buildx=$(grep "ARG BUILDX_VERSION=" 
./images/Dockerfile | cut -d'=' -f2) + + latest_docker=$(curl -s https://download.docker.com/linux/static/stable/x86_64/ | grep -o 'docker-[0-9]*\.[0-9]*\.[0-9]*\.tgz' | sort -V | tail -n 1 | sed 's/docker-\(.*\)\.tgz/\1/') + latest_buildx=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.tag_name' | sed 's/^v//') + + DOCKER_STATUS="✅ up-to-date" + BUILDX_STATUS="✅ up-to-date" + + if [ "$current_docker" != "$latest_docker" ]; then + DOCKER_STATUS="⚠️ outdated" + fi + + if [ "$current_buildx" != "$latest_buildx" ]; then + BUILDX_STATUS="⚠️ outdated" + fi + + echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY + echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY + echo "| Docker | $current_docker | $latest_docker | $DOCKER_STATUS |" >> $GITHUB_STEP_SUMMARY + echo "| Docker Buildx | $current_buildx | $latest_buildx | $BUILDX_STATUS |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + echo "docker-status=$DOCKER_STATUS" >> $GITHUB_OUTPUT + echo "buildx-status=$BUILDX_STATUS" >> $GITHUB_OUTPUT + fi + + # Check npm vulnerabilities + if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "npm" ]]; then + echo "### NPM Security Audit" >> $GITHUB_STEP_SUMMARY + + cd src/Misc/expressionFunc/hashFiles + npm install --silent + AUDIT_OUTPUT=$(npm audit --json 2>/dev/null || echo '{"vulnerabilities": {}}') + VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0') + + NPM_STATUS="✅ no vulnerabilities" + if [ "$VULN_COUNT" -gt 0 ]; then + NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found" + + # Get vulnerability details + HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0') + CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0') + + echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY + echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY + echo "| Critical | $CRITICAL_VULNS |" 
>> $GITHUB_STEP_SUMMARY + echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + else + echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + fi + + echo "npm-vulnerabilities=$NPM_STATUS" >> $GITHUB_OUTPUT + fi + + - name: Check for open dependency PRs + id: check-prs + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "### Open Dependency PRs" >> $GITHUB_STEP_SUMMARY + + # Get open PRs with dependency label + OPEN_PRS=$(gh pr list --label "dependency" --state open --json number,title,url) + PR_COUNT=$(echo "$OPEN_PRS" | jq '. | length') + + if [ "$PR_COUNT" -gt 0 ]; then + echo "Found $PR_COUNT open dependency PR(s):" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "$OPEN_PRS" | jq -r '.[] | "- [#\(.number)](\(.url)) \(.title)"' >> $GITHUB_STEP_SUMMARY + else + echo "No open dependency PRs found ✅" >> $GITHUB_STEP_SUMMARY + fi + + echo "" >> $GITHUB_STEP_SUMMARY + echo "open-dependency-prs=$PR_COUNT" >> $GITHUB_OUTPUT + + - name: Summary + run: | + echo "### Summary" >> $GITHUB_STEP_SUMMARY + echo "- Check for open PRs with the \`dependency\` label before releases" >> $GITHUB_STEP_SUMMARY + echo "- Review and merge dependency updates regularly" >> $GITHUB_STEP_SUMMARY + echo "- Critical vulnerabilities should be addressed immediately" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Automated workflows run weekly to check for updates:**" >> $GITHUB_STEP_SUMMARY + echo "- Node.js versions (Mondays at 6 AM)" >> $GITHUB_STEP_SUMMARY + echo "- NPM audit fix (Mondays at 7 AM)" >> $GITHUB_STEP_SUMMARY + echo "- .NET SDK updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY + echo "- Docker/Buildx updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/docker-buildx-upgrade.yml b/.github/workflows/docker-buildx-upgrade.yml index 2a214415904..ab60e012a6c 100644 --- a/.github/workflows/docker-buildx-upgrade.yml 
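Review bot: On the weekly `schedule` trigger `github.event.inputs.check_type` is empty, so every `if [[ ... == "all" || ... ]]` guard in the check-versions step is false and the scheduled report contains only the open-PR list. Resolve the default once, `env: CHECK_TYPE: ${{ github.event.inputs.check_type || 'all' }}`, and compare `"$CHECK_TYPE"` in the script instead of interpolating the input into bash. The job only reads, so declare `permissions: contents: read` and `pull-requests: read` rather than inheriting the default token scope, and use `npm ci --ignore-scripts` for the audit since it needs only the lockfile and should not run dependency lifecycle scripts. The `curl -sb -H "Accept: application/json" ...` form for the .NET check appears to treat `-H` as the `-b` cookie argument and the header text as an extra URL; it likely works only because `-s` hides the failed fetch, so `curl -fsSL` with the real URL alone is clearer.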
+++ b/.github/workflows/docker-buildx-upgrade.yml @@ -2,8 +2,8 @@ name: "Docker/Buildx Version Upgrade" on: schedule: - - cron: '0 0 * * 1' # Run every Monday at midnight - workflow_dispatch: # Allow manual triggering + - cron: "0 0 * * 1" # Run every Monday at midnight + workflow_dispatch: # Allow manual triggering jobs: check-versions: @@ -35,7 +35,7 @@ jobs: echo "Failed to retrieve a valid Docker version" exit 1 fi - + should_update=0 [ "$current_version" != "$latest_version" ] && should_update=1 @@ -64,17 +64,17 @@ jobs: run: | docker_should_update="${{ steps.check_docker_version.outputs.SHOULD_UPDATE }}" buildx_should_update="${{ steps.check_buildx_version.outputs.SHOULD_UPDATE }}" - + # Show annotation if only Docker needs update if [[ "$docker_should_update" == "1" && "$buildx_should_update" == "0" ]]; then echo "::warning ::Docker version (${{ steps.check_docker_version.outputs.LATEST_VERSION }}) needs update but Buildx is current. Only updating when both need updates." fi - + # Show annotation if only Buildx needs update if [[ "$docker_should_update" == "0" && "$buildx_should_update" == "1" ]]; then echo "::warning ::Buildx version (${{ steps.check_buildx_version.outputs.LATEST_VERSION }}) needs update but Docker is current. Only updating when both need updates." fi - + # Show annotation when both are current if [[ "$docker_should_update" == "0" && "$buildx_should_update" == "0" ]]; then echo "::warning ::Latest Docker version is ${{ steps.check_docker_version.outputs.LATEST_VERSION }} and Buildx version is ${{ steps.check_buildx_version.outputs.LATEST_VERSION }}. No updates needed." 
@@ -90,25 +90,25 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 - + - name: Update Docker version shell: bash run: | latest_version="${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }}" current_version="${{ needs.check-versions.outputs.DOCKER_CURRENT_VERSION }}" - + # Update version in Dockerfile sed -i "s/ARG DOCKER_VERSION=$current_version/ARG DOCKER_VERSION=$latest_version/g" ./images/Dockerfile - + - name: Update Buildx version shell: bash run: | latest_version="${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}" current_version="${{ needs.check-versions.outputs.BUILDX_CURRENT_VERSION }}" - + # Update version in Dockerfile sed -i "s/ARG BUILDX_VERSION=$current_version/ARG BUILDX_VERSION=$latest_version/g" ./images/Dockerfile - + - name: Commit changes and create Pull Request env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -117,7 +117,7 @@ jobs: branch_name="feature/docker-buildx-upgrade" commit_message="Upgrade Docker to v${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }} and Buildx to v${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}" pr_title="Update Docker to v${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }} and Buildx to v${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}" - + # Configure git git config --global user.name "github-actions[bot]" git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" 
@@ -129,16 +129,17 @@ jobs: else git checkout -b "$branch_name" fi - + # Commit and push changes git commit -a -m "$commit_message" git push --force origin "$branch_name" - + # Create PR pr_body="Upgrades Docker version from ${{ needs.check-versions.outputs.DOCKER_CURRENT_VERSION }} to ${{ needs.check-versions.outputs.DOCKER_LATEST_VERSION }} and Docker Buildx version from ${{ needs.check-versions.outputs.BUILDX_CURRENT_VERSION }} to ${{ needs.check-versions.outputs.BUILDX_LATEST_VERSION }}.\n\n" pr_body+="Release notes: https://docs.docker.com/engine/release-notes/\n\n" pr_body+="---\n\nAutogenerated by [Docker/Buildx Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/docker-buildx-upgrade.yml)" - + gh pr create -B main -H "$branch_name" \ --title "$pr_title" \ - --body "$pr_body" + --body "$pr_body" \ + --label "dependency" diff --git a/.github/workflows/dotnet-upgrade.yml b/.github/workflows/dotnet-upgrade.yml index 80049e64338..bd6dd08b5cf 100644 --- a/.github/workflows/dotnet-upgrade.yml +++ b/.github/workflows/dotnet-upgrade.yml @@ -2,13 +2,13 @@ name: "DotNet SDK Upgrade" on: schedule: - - cron: '0 0 * * 1' + - cron: "0 0 * * 1" workflow_dispatch: jobs: dotnet-update: runs-on: ubuntu-latest - outputs: + outputs: SHOULD_UPDATE: ${{ steps.fetch_latest_version.outputs.SHOULD_UPDATE }} BRANCH_EXISTS: ${{ steps.fetch_latest_version.outputs.BRANCH_EXISTS }} DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION: ${{ steps.fetch_latest_version.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} @@ -37,7 +37,7 @@ jobs: # check if git branch already exists for the upgrade branch_already_exists=0 - + if git ls-remote --heads --exit-code origin refs/heads/feature/dotnetsdk-upgrade/${latest_patch_version}; then branch_already_exists=1 
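Review bot: `gh pr create --label "dependency"` aborts when the label does not exist in the repository, and because it runs after `git push --force origin "$branch_name"` the branch is already published with no PR to review it. Guard the call, e.g. `gh label create dependency --force --color 0366d6 --description "Automated dependency update" || true` before `gh pr create`, or ensure the label exists before this workflow first runs; patch 07 in this series adds a setup-labels workflow, presumably for this reason, but nothing here orders the two. The step's enclosing job starts before this hunk.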
@@ -89,17 +89,17 @@ jobs: if: ${{ needs.dotnet-update.outputs.SHOULD_UPDATE == 1 && needs.dotnet-update.outputs.BRANCH_EXISTS == 0 }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - with: - ref: feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} - - name: Create Pull Request - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh pr create -B main -H feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} --title "Update dotnet sdk to latest version @${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}" --body " - https://dotnetcli.blob.core.windows.net/dotnet/Sdk/${{ needs.dotnet-update.outputs.DOTNET_CURRENT_MAJOR_MINOR_VERSION }}/latest.version - - - --- + - uses: actions/checkout@v5 + with: + ref: feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} + - name: Create Pull Request + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh pr create -B main -H feature/dotnetsdk-upgrade/${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }} --title "Update dotnet sdk to latest version @${{ needs.dotnet-update.outputs.DOTNET_LATEST_MAJOR_MINOR_PATCH_VERSION }}" --label "dependency" --body " + https://dotnetcli.blob.core.windows.net/dotnet/Sdk/${{ needs.dotnet-update.outputs.DOTNET_CURRENT_MAJOR_MINOR_VERSION }}/latest.version - Autogenerated by [DotNet SDK Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/dotnet-upgrade.yml)" + + --- + + Autogenerated by [DotNet SDK Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/dotnet-upgrade.yml)" diff --git a/.github/workflows/node-upgrade.yml b/.github/workflows/node-upgrade.yml index 72481b81454..42d42f17806 100644 --- a/.github/workflows/node-upgrade.yml +++ b/.github/workflows/node-upgrade.yml 
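Review bot: Creating the PR with `GITHUB_TOKEN` requires `pull-requests: write` (and `contents: write` for the branch push in the earlier job), yet neither job in this file declares `permissions:`, so the step depends on the repository's default token setting; add `permissions: contents: write` and `pull-requests: write` to this job. The new `--label "dependency"` also makes the command fail outright when the label is absent, so create it first or drop the flag on failure. The job header and the earlier steps of this workflow sit outside the hunk.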
@@ -2,7 +2,7 @@ name: Auto Update Node Version on: schedule: - - cron: '0 6 * * 1' # Weekly, every Monday + - cron: "0 6 * * 1" # Weekly, every Monday workflow_dispatch: jobs: 
@@ -10,18 +10,75 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 - - name: Get latest Node version - id: node-version + - name: Get latest Node versions + id: node-versions run: | - LATEST_NODE=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json | jq -r '.[0].version') - echo "latest_node=$LATEST_NODE" >> $GITHUB_OUTPUT - - name: Update externals.sh + # Get latest versions from the versions manifest + VERSIONS_JSON=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json) + + # Get latest v20 and v24 versions + LATEST_NODE20=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("20.")) | .version' | head -1) + LATEST_NODE24=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("24.")) | .version' | head -1) + + echo "latest_node20=$LATEST_NODE20" >> $GITHUB_OUTPUT + echo "latest_node24=$LATEST_NODE24" >> $GITHUB_OUTPUT + + # Check current versions in externals.sh + CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2) + CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2) + + echo "current_node20=$CURRENT_NODE20" >> $GITHUB_OUTPUT + echo "current_node24=$CURRENT_NODE24" >> $GITHUB_OUTPUT + + # Determine if updates are needed + NEEDS_UPDATE20="false" + NEEDS_UPDATE24="false" + + if [ "$CURRENT_NODE20" != "$LATEST_NODE20" ]; then + NEEDS_UPDATE20="true" + fi + + if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then + NEEDS_UPDATE24="true" + fi + + echo "needs_update20=$NEEDS_UPDATE20" >> $GITHUB_OUTPUT + echo "needs_update24=$NEEDS_UPDATE24" >> $GITHUB_OUTPUT + + - name: Update externals.sh and create PR + if: steps.node-versions.outputs.needs_update20 == 'true' || steps.node-versions.outputs.needs_update24 == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - sed -i "s/^NODE_VERSION=.*/NODE_VERSION=${{ steps.node-version.outputs.latest_node }}/" src/Misc/externals.sh - - name: 
Create PR - uses: peter-evans/create-pull-request@v6 - with: - commit-message: "chore: update Node version to ${{ steps.node-version.outputs.latest_node }}" - branch: chore/update-node - title: "chore: update Node version to ${{ steps.node-version.outputs.latest_node }}" - labels: dependency + # Update the files + if [ "${{ steps.node-versions.outputs.needs_update20 }}" == "true" ]; then + sed -i 's/NODE20_VERSION="[^"]*"/NODE20_VERSION="${{ steps.node-versions.outputs.latest_node20 }}"/' src/Misc/externals.sh + fi + + if [ "${{ steps.node-versions.outputs.needs_update24 }}" == "true" ]; then + sed -i 's/NODE24_VERSION="[^"]*"/NODE24_VERSION="${{ steps.node-versions.outputs.latest_node24 }}"/' src/Misc/externals.sh + fi + + # Configure git + git config --global user.name "github-actions[bot]" + git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" + + # Create branch and commit changes + branch_name="chore/update-node" + git checkout -b "$branch_name" + git commit -a -m "chore: update Node versions (20: ${{ steps.node-versions.outputs.latest_node20 }}, 24: ${{ steps.node-versions.outputs.latest_node24 }})" + git push --force origin "$branch_name" + + # Create PR body + pr_body="Automated Node.js version update:" + pr_body+="\n\n- Node 20: ${{ steps.node-versions.outputs.current_node20 }} → ${{ steps.node-versions.outputs.latest_node20 }}" + pr_body+="\n- Node 24: ${{ steps.node-versions.outputs.current_node24 }} → ${{ steps.node-versions.outputs.latest_node24 }}" + pr_body+="\n\nThis update ensures we're using the latest stable Node.js versions for security and performance improvements." 
+ pr_body+="\n\n**Note**: When updating Node versions, remember to also create a new release of alpine_nodejs at the updated version following the instructions at: https://github.com/actions/alpine_nodejs" + pr_body+="\n\n---\n\nAutogenerated by [Node Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/node-upgrade.yml)" + + # Create PR + gh pr create -B main -H "$branch_name" \ + --title "chore: update Node versions" \ + --label "dependency" \ + --body "$pr_body" diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml index 0df843f0344..43d976b975a 100644 --- a/.github/workflows/npm-upgrade.yml +++ b/.github/workflows/npm-upgrade.yml 
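Review bot: The `sed -i 's/NODE20_VERSION="[^"]*"/NODE20_VERSION="${{ ... }}"/'` lines interpolate a value fetched from a remote manifest straight into the shell script, and the fetch is `curl -s` without `-f`, so a failed download leaves `LATEST_NODE20` empty, `needs_update20` becomes `true`, and the step commits, force-pushes and opens a PR that sets `NODE20_VERSION=""`. Use `curl -fsSL` in the first step, pass the versions through `env:`, and refuse to edit the file unless they match a plain semver pattern, as below. The `needs_update*` values are produced by this workflow and are safe to leave as expressions. Note also that PRs opened with `GITHUB_TOKEN` do not trigger `pull_request` workflows, so this PR will show no CI checks unless a GitHub App token or a manual run is used.
```yaml
      - name: Update externals.sh and create PR
        if: steps.node-versions.outputs.needs_update20 == 'true' || steps.node-versions.outputs.needs_update24 == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LATEST_NODE20: ${{ steps.node-versions.outputs.latest_node20 }}
          LATEST_NODE24: ${{ steps.node-versions.outputs.latest_node24 }}
        run: |
          # Refuse to touch externals.sh unless both fetched values are plain semver
          for v in "$LATEST_NODE20" "$LATEST_NODE24"; do
            [[ "$v" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "::error ::unexpected Node version '$v'"; exit 1; }
          done
          if [ "${{ steps.node-versions.outputs.needs_update20 }}" == "true" ]; then
            sed -i "s/NODE20_VERSION=\"[^\"]*\"/NODE20_VERSION=\"$LATEST_NODE20\"/" src/Misc/externals.sh
          fi
          if [ "${{ steps.node-versions.outputs.needs_update24 }}" == "true" ]; then
            sed -i "s/NODE24_VERSION=\"[^\"]*\"/NODE24_VERSION=\"$LATEST_NODE24\"/" src/Misc/externals.sh
          fi
          # … unchanged: git config, branch, commit, push, PR body and gh pr create …
```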
@@ -2,22 +2,49 @@ name: NPM Audit Fix on: schedule: - - cron: '0 7 * * 1' # Weekly + - cron: "0 7 * * 1" # Weekly workflow_dispatch: jobs: npm-audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - run: npm install - - run: npm audit fix || true - - name: Check for changes and PR - uses: stefanzweifel/git-auto-commit-action@v5 + - uses: actions/checkout@v5 + - name: Setup Node.js + uses: actions/setup-node@v4 with: - commit_message: "chore: npm audit fix" - branch: chore/npm-audit-fix - create_branch: true - push_options: '--set-upstream' - commit_user_name: github-actions - commit_user_email: github-actions@github.com + node-version: "20" + - name: NPM install and audit fix + working-directory: src/Misc/expressionFunc/hashFiles + run: | + npm install + npm audit fix || true + - name: Create PR if changes exist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Check if there are any changes + if [ -n "$(git status --porcelain)" ]; then + # Configure git + git config --global user.name "github-actions[bot]" + git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" + + # Create branch and commit changes + branch_name="chore/npm-audit-fix" + git checkout -b "$branch_name" + git commit -a -m "chore: npm audit fix for hashFiles dependencies" + git push --force origin "$branch_name" + + # Create PR body + pr_body="Automated npm audit fix for security vulnerabilities in hashFiles dependencies." + pr_body+="\n\nThis PR was automatically created to address npm security advisories." + pr_body+="\n\n---\n\nAutogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml)" + + # Create PR + gh pr create -B main -H "$branch_name" \ + --title "chore: npm audit fix for hashFiles dependencies" \ + --label "dependency" \ + --body "$pr_body" + else + echo "No changes to commit" + fi 
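Review bot: `npm install` and `npm audit fix` execute lifecycle scripts of whatever versions they resolve, and `actions/checkout@v5` with its default `persist-credentials` leaves the job token in `.git/config`, so a malicious postinstall in a freshly pulled package could read a token that the next step uses to push and open PRs. Since only the lockfile change is needed, run `npm ci --ignore-scripts` and `npm audit fix --ignore-scripts || true`, and add `permissions: contents: write` and `pull-requests: write` at the job level so the token is scoped explicitly. PRs created with `GITHUB_TOKEN` do not trigger `pull_request` workflows, so these audit-fix PRs will carry no CI checks unless the workflow uses a GitHub App token or dispatches CI itself — worth stating in the PR body. `git commit -a` also sweeps up any tracked file the install modified, not just the lockfile.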
diff --git a/docs/dependency-management.md b/docs/dependency-management.md new file mode 100644 index 00000000000..6e73ac38f54 --- /dev/null +++ b/docs/dependency-management.md 
@@ -0,0 +1,145 @@ +# Runner Dependency Management Process + +## Overview + +This document outlines the automated dependency management process for the GitHub Actions Runner, designed to ensure we maintain up-to-date and secure dependencies while providing predictable release cycles. + +## Release Schedule + +- **Monthly Runner Releases**: New runner versions are released monthly +- **Weekly Dependency Checks**: Automated workflows check for dependency updates every Monday +- **Security Patches**: Critical security vulnerabilities are addressed immediately outside the regular schedule + +## Automated Workflows + +### 1. Node.js Version Updates +- **Workflow**: `.github/workflows/node-upgrade.yml` +- **Schedule**: Mondays at 6:00 AM UTC +- **Purpose**: Updates Node.js 20 and 24 versions in `src/Misc/externals.sh` +- **Source**: [actions/node-versions](https://github.com/actions/node-versions) + +### 2. NPM Security Audit +- **Workflow**: `.github/workflows/npm-upgrade.yml` +- **Schedule**: Mondays at 7:00 AM UTC +- **Purpose**: Runs `npm audit fix` on hashFiles dependencies +- **Location**: `src/Misc/expressionFunc/hashFiles/` + +### 3. .NET SDK Updates +- **Workflow**: `.github/workflows/dotnet-upgrade.yml` +- **Schedule**: Mondays at 12:00 AM UTC +- **Purpose**: Updates .NET SDK patch versions in `src/global.json` + +### 4. Docker/Buildx Updates +- **Workflow**: `.github/workflows/docker-buildx-upgrade.yml` +- **Schedule**: Mondays at 12:00 AM UTC +- **Purpose**: Updates Docker and Docker Buildx versions in `images/Dockerfile` + +### 5. Dependency Status Check +- **Workflow**: `.github/workflows/dependency-check.yml` +- **Schedule**: Mondays at 8:00 AM UTC +- **Purpose**: Provides comprehensive status report of all dependencies + +## Release Process Integration + +### Pre-Release Checklist + +Before each monthly runner release: + +1. **Check Dependency PRs**: + ```bash + # List open dependency PRs + gh pr list --label "dependency" --state open + ``` + +2. 
**Run Manual Dependency Check**: + - Go to Actions tab → "Dependency Status Check" → "Run workflow" + - Review the summary for any outdated dependencies + +3. **Review and Merge Updates**: + - Prioritize security-related updates + - Test dependency updates in development environment + - Merge approved dependency PRs + +### Vulnerability Response + +#### Critical Security Vulnerabilities +- **Response Time**: Within 24 hours +- **Process**: + 1. Assess impact on runner security + 2. Create hotfix branch if runner data security is affected + 3. Expedite patch release if necessary + 4. Document in security advisory if applicable + +#### Non-Critical Vulnerabilities +- **Response Time**: Next monthly release +- **Process**: + 1. Evaluate if vulnerability affects runner functionality + 2. Include fix in regular dependency update cycle + 3. Document in release notes + +## Monitoring and Alerts + +### GitHub Actions Workflow Status +- All dependency workflows create PRs with the `dependency` label +- Failed workflows should be investigated immediately +- Weekly dependency status reports are generated automatically + +### Manual Checks +You can manually trigger dependency checks: +- **Full Status**: Run "Dependency Status Check" workflow +- **Specific Component**: Use the dropdown to check individual dependencies + +## Dependency Labels + +All automated dependency PRs are tagged with the `dependency` label for easy filtering: +- Node.js updates: `chore/update-node` branch +- NPM security fixes: `chore/npm-audit-fix` branch +- .NET updates: `feature/dotnetsdk-upgrade/*` branch +- Docker updates: Branch named with versions + +## Special Considerations + +### Node.js Updates +When updating Node.js versions, remember to: +1. Create a corresponding release in [actions/alpine_nodejs](https://github.com/actions/alpine_nodejs) +2. Follow the alpine_nodejs getting started guide +3. 
Test container builds with new Node versions + +### .NET SDK Updates +- Only patch versions are auto-updated within the same major.minor version +- Major/minor version updates require manual review and testing + +### Docker Updates +- Updates include both Docker Engine and Docker Buildx +- Verify compatibility with runner container workflows + +## Troubleshooting + +### Common Issues + +1. **NPM Audit Workflow Fails**: + - Check if `package.json` exists in `src/Misc/expressionFunc/hashFiles/` + - Verify Node.js setup step succeeded + +2. **Version Detection Fails**: + - Check if upstream APIs are available + - Verify parsing logic for version extraction + +3. **PR Creation Fails**: + - Ensure `GITHUB_TOKEN` has sufficient permissions + - Check if branch already exists + +### Contact + +For questions about the dependency management process: +- Create an issue with the `dependencies` label +- Review existing dependency management workflows +- Consult the runner team for security-related concerns + +## Metrics and KPIs + +Track these metrics to measure dependency management effectiveness: +- Number of open dependency PRs at release time +- Time to merge dependency updates +- Number of security vulnerabilities by severity +- Release cycle adherence (monthly target) From cea2d6a4156df9d360cbeb90e92a36acacea8501 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 21:41:40 +0100 Subject: [PATCH 05/27] Skip husky checks --- .github/workflows/npm-upgrade.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml index 43d976b975a..95683e1c377 100644 --- a/.github/workflows/npm-upgrade.yml +++ b/.github/workflows/npm-upgrade.yml 
@@ -19,9 +19,14 @@ jobs: run: | npm install npm audit fix || true + + # Try to run the build to see if there are any issues after audit fix + npm run build || echo "Build failed after audit fix - this may require manual intervention" + - name: Create PR if changes exist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + HUSKY: 0 # Disable husky hooks for automated commits run: | # Check if there are any changes if [ -n "$(git status --porcelain)" ]; then @@ -32,12 +37,26 @@ jobs: # Create branch and commit changes branch_name="chore/npm-audit-fix" git checkout -b "$branch_name" - git commit -a -m "chore: npm audit fix for hashFiles dependencies" + + # Commit with --no-verify to skip husky hooks + git commit -a -m "chore: npm audit fix for hashFiles dependencies" --no-verify git push --force origin "$branch_name" + # Check if build passes after changes + build_status="✅ Build passes" + cd src/Misc/expressionFunc/hashFiles + if ! npm run build; then + build_status="⚠️ Build fails - manual review required" + fi + cd - > /dev/null + # Create PR body pr_body="Automated npm audit fix for security vulnerabilities in hashFiles dependencies." + pr_body+="\n\n**Build Status**: $build_status" pr_body+="\n\nThis PR was automatically created to address npm security advisories." + if [[ "$build_status" == *"fails"* ]]; then + pr_body+="\n\n⚠️ **Note**: The build is currently failing after the audit fix. This likely indicates type compatibility issues that require manual review and fixing." + fi pr_body+="\n\n---\n\nAutogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml)" # Create PR From d8bc6ca3e7f9a340eb5abc97634ccc5cedd3aede Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Mon, 8 Sep 2025 21:44:21 +0100 Subject: [PATCH 06/27] Update Node.js version numbers in externals.sh --- src/Misc/externals.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
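Review bot: `git push --force origin "$branch_name"` in the second hunk overwrites whatever is on `chore/npm-audit-fix`, including any fix-up commits a maintainer pushed onto the open PR branch since the previous weekly run. Use `git push --force-with-lease origin "$branch_name"` (or delete and recreate the branch) so a remote that moved is detected instead of silently clobbered. The `HUSKY: 0` plus `--no-verify` pair also bypasses every pre-commit check the repository enforces, so the automated commit can contain changes those hooks would have rejected; if the hooks run lint or formatting, invoke the equivalent command explicitly before `git commit`. The `run` step these hunks belong to starts above the first hunk and continues past the `# Create PR` comment at the end of the second.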
diff --git a/src/Misc/externals.sh b/src/Misc/externals.sh index 29e83c853ad..ca8f6c28ca2 100755 --- a/src/Misc/externals.sh +++ b/src/Misc/externals.sh @@ -6,8 +6,8 @@ NODE_URL=https://nodejs.org/dist NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download # When you update Node versions you must also create a new release of alpine_nodejs at that updated version. # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started -NODE20_VERSION="20.19.5" -NODE24_VERSION="24.7.0" +NODE20_VERSION="20.19.4" +NODE24_VERSION="24.5.0" get_abs_path() { # exploits the fact that pwd will print abs path when no args From d9ab6d96050d58f622450b3574097d3286f5171c Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 21:48:24 +0100 Subject: [PATCH 07/27] Add workflows for automated npm audit fixes and TypeScript compatibility repairs --- .github/workflows/npm-audit-ts-fix.yml | 148 +++++++++++++++++++++++++ .github/workflows/npm-upgrade.yml | 28 +++-- .github/workflows/setup-labels.yml | 32 ++++++ 3 files changed, 199 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/npm-audit-ts-fix.yml create mode 100644 .github/workflows/setup-labels.yml diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml new file mode 100644 index 00000000000..408743b682b --- /dev/null +++ b/.github/workflows/npm-audit-ts-fix.yml 
@@ -0,0 +1,148 @@ +name: NPM Audit Fix with TypeScript Auto-Fix + +on: + schedule: + - cron: "0 7 * * 1" # Weekly + workflow_dispatch: + +jobs: + npm-audit-with-ts-fix: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "20" + - name: NPM install and audit fix with TypeScript auto-repair + working-directory: src/Misc/expressionFunc/hashFiles + run: | + npm install + npm audit fix || true + + # Try to fix TypeScript issues automatically + echo "Attempting to fix TypeScript compatibility issues..." + + # Check if build fails + if ! npm run build 2>/dev/null; then + echo "Build failed, attempting automated fixes..." + + # Common fix 1: Update @types/node to latest compatible version + echo "Trying to update @types/node to latest version..." + npm update @types/node || true + + # Common fix 2: If that doesn't work, try installing a specific known-good version + if ! npm run build 2>/dev/null; then + echo "Trying specific @types/node version..." + # Try Node 20 compatible version + npm install --save-dev @types/node@^20.0.0 || true + fi + + # Common fix 3: Clear node_modules and reinstall if still failing + if ! npm run build 2>/dev/null; then + echo "Clearing node_modules and reinstalling..." + rm -rf node_modules package-lock.json + npm install + npm audit fix || true + fi + + # Common fix 4: Try updating TypeScript itself + if ! npm run build 2>/dev/null; then + echo "Trying to update TypeScript..." 
+ npm update typescript || true + fi + + # Final check + if npm run build 2>/dev/null; then + echo "✅ Successfully fixed TypeScript issues automatically" + else + echo "⚠️ Could not automatically fix TypeScript issues" + fi + else + echo "✅ Build passes after audit fix" + fi + + - name: Create PR if changes exist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + HUSKY: 0 # Disable husky hooks for automated commits + run: | + # Check if there are any changes + if [ -n "$(git status --porcelain)" ]; then + # Configure git + git config --global user.name "github-actions[bot]" + git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" + + # Create branch and commit changes + branch_name="chore/npm-audit-fix-with-ts-repair" + git checkout -b "$branch_name" + + # Commit with --no-verify to skip husky hooks + git commit -a -m "chore: npm audit fix with automated TypeScript compatibility fixes" --no-verify + git push --force origin "$branch_name" + + # Check final build status and gather info about what was changed + build_status="✅ Build passes" + fixes_applied="" + cd src/Misc/expressionFunc/hashFiles + + # Check what packages were updated + if git diff HEAD~1 package.json | grep -q "@types/node"; then + fixes_applied+="\n- Updated @types/node version for TypeScript compatibility" + fi + if git diff HEAD~1 package.json | grep -q "typescript"; then + fixes_applied+="\n- Updated TypeScript version" + fi + if git diff HEAD~1 package-lock.json | grep -q "resolved"; then + fixes_applied+="\n- Updated package dependencies via npm audit fix" + fi + + if ! npm run build 2>/dev/null; then + build_status="⚠️ Build fails - manual review required" + fi + cd - > /dev/null + + # Create enhanced PR body + pr_body="Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies." 
+ pr_body+="\n\n**Build Status**: $build_status" + + if [ -n "$fixes_applied" ]; then + pr_body+="\n\n**Automated Fixes Applied**:$fixes_applied" + fi + + pr_body+="\n\nThis workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes." + + if [[ "$build_status" == *"fails"* ]]; then + pr_body+="\n\n⚠️ **Manual Review Required**: The build is currently failing after automated fixes were attempted." + pr_body+="\nCommon issues and solutions:" + pr_body+="\n- Check for TypeScript version compatibility with Node.js types" + pr_body+="\n- Review breaking changes in updated dependencies" + pr_body+="\n- Consider pinning problematic dependency versions temporarily" + pr_body+="\n- Review tsconfig.json for compatibility settings" + else + pr_body+="\n\n✅ **Ready to Merge**: All automated fixes were successful and the build passes." + fi + + pr_body+="\n\n**Automated Fix Strategy**:" + pr_body+="\n1. Run npm audit fix" + pr_body+="\n2. Update @types/node to latest compatible version" + pr_body+="\n3. Try Node 20 specific @types/node version if needed" + pr_body+="\n4. Clean reinstall dependencies if conflicts persist" + pr_body+="\n5. Update TypeScript compiler if necessary" + + pr_body+="\n\n---\n\nAutogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml)" + + # Create PR with appropriate labels + labels="dependency,typescript" + if [[ "$build_status" == *"fails"* ]]; then + labels="dependency,typescript,needs-manual-review" + fi + + # Create PR + gh pr create -B main -H "$branch_name" \ + --title "chore: npm audit fix with TypeScript auto-repair" \ + --label "$labels" \ + --body "$pr_body" + else + echo "No changes to commit" + fi diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml index 95683e1c377..f2fad809c0b 100644 --- a/.github/workflows/npm-upgrade.yml +++ b/.github/workflows/npm-upgrade.yml 
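Review bot: "Common fix 3" runs `rm -rf node_modules package-lock.json` and then `npm install`, which discards the lockfile and re-resolves every transitive dependency from current registry ranges, so the resulting PR is a full unpinned tree refresh rather than an audit fix, and the later `git diff HEAD~1 package-lock.json | grep -q "resolved"` check describes it as "Updated package dependencies via npm audit fix". Keep the lockfile (use `npm ci` for the baseline install) so the diff is limited to what `npm audit fix` actually changed, or, if the clean reinstall must stay, state in the PR body that the whole lockfile was regenerated. The workflow also declares no top-level `permissions:` even though its second step pushes a branch and opens a PR with `secrets.GITHUB_TOKEN`; add `permissions:` with `contents: write` and `pull-requests: write` so the token is scoped to exactly that instead of whatever the repository default grants. Every `npm run build 2>/dev/null` likewise discards the compiler diagnostics a reviewer would need, so keep stderr in the log.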
@@ -20,9 +20,6 @@ jobs: npm install npm audit fix || true - # Try to run the build to see if there are any issues after audit fix - npm run build || echo "Build failed after audit fix - this may require manual intervention" - - name: Create PR if changes exist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -45,8 +42,8 @@ jobs: # Check if build passes after changes build_status="✅ Build passes" cd src/Misc/expressionFunc/hashFiles - if ! npm run build; then - build_status="⚠️ Build fails - manual review required" + if ! npm run build 2>/dev/null; then + build_status="⚠️ Build fails - TypeScript auto-fix workflow recommended" fi cd - > /dev/null 
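Review bot: Changing `npm run build` to `npm run build 2>/dev/null` in the second hunk throws away the TypeScript diagnostics that are the only evidence of why the audit fix broke the build, so the workflow log will say "Build fails" with nothing to act on. Keep the output in the log, e.g. `if ! npm run build 2>&1 | tee build.log; then`, which with the runner's default `pipefail` still yields the build's exit status. This check also appears to run only after the branch has been force-pushed (the push is outside this hunk), so the branch is public before the workflow knows whether it compiles; the enclosing `run` step starts above the hunk.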
@@ -54,16 +51,29 @@ jobs: pr_body="Automated npm audit fix for security vulnerabilities in hashFiles dependencies." pr_body+="\n\n**Build Status**: $build_status" pr_body+="\n\nThis PR was automatically created to address npm security advisories." + if [[ "$build_status" == *"fails"* ]]; then - pr_body+="\n\n⚠️ **Note**: The build is currently failing after the audit fix. This likely indicates type compatibility issues that require manual review and fixing." + pr_body+="\n\n⚠️ **Action Required**: The build is failing after the audit fix." + pr_body+="\n\n**Next Steps**:" + pr_body+="\n1. Run the 'NPM Audit Fix with TypeScript Auto-Fix' workflow for automated fixes" + pr_body+="\n2. Or manually fix TypeScript compatibility issues" + pr_body+="\n3. Common issue: @types/node version incompatibility - try updating to Node 20 compatible version" + else + pr_body+="\n\n✅ **Ready to Merge**: Audit fix successful with no build issues." fi + pr_body+="\n\n---\n\nAutogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml)" - # Create PR + # Create PR (without label since it may not exist) gh pr create -B main -H "$branch_name" \ --title "chore: npm audit fix for hashFiles dependencies" \ - --label "dependency" \ - --body "$pr_body" + --body "$pr_body" || \ + # Fallback: try with explicit label creation + (gh label create "dependency" --description "Dependency updates" --color "0366d6" 2>/dev/null || true && \ + gh pr create -B main -H "$branch_name" \ + --title "chore: npm audit fix for hashFiles dependencies" \ + --label "dependency" \ + --body "$pr_body") else echo "No changes to commit" fi diff --git a/.github/workflows/setup-labels.yml b/.github/workflows/setup-labels.yml new file mode 100644 index 00000000000..2d2d7155742 --- /dev/null +++ b/.github/workflows/setup-labels.yml 
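Review bot: The primary `gh pr create` in this hunk no longer passes `--label "dependency"`, so every successful run produces an unlabeled PR and the label-creating fallback is reached only when the first call fails for some other reason; that contradicts the project's documented filter that all automated dependency PRs carry the `dependency` label. Create the label unconditionally first, `gh label create "dependency" --description "Dependency updates" --color "0366d6" 2>/dev/null || true`, and then make one `gh pr create ... --label "dependency"` call. The `# Fallback:` comment placed between `|| \` and the subshell parses only because bash permits a newline after `||`; moving the comment above the command removes that fragility.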
@@ -0,0 +1,32 @@ +name: Setup Repository Labels + +on: + workflow_dispatch: + +jobs: + setup-labels: + runs-on: ubuntu-latest + steps: + - name: Create necessary labels + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Create dependency label + gh label create "dependency" \ + --description "Dependency updates and security fixes" \ + --color "0366d6" \ + --repo ${{ github.repository }} || echo "dependency label already exists" + + # Create typescript label + gh label create "typescript" \ + --description "TypeScript related changes" \ + --color "3178C6" \ + --repo ${{ github.repository }} || echo "typescript label already exists" + + # Create needs-manual-review label + gh label create "needs-manual-review" \ + --description "Requires manual review and intervention" \ + --color "D93F0B" \ + --repo ${{ github.repository }} || echo "needs-manual-review label already exists" + + echo "✅ Labels created successfully" From b0cab2e57daca95d5bcb8de5a2ea867afba154c1 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 21:56:58 +0100 Subject: [PATCH 08/27] Format the PR descriptions --- .github/workflows/node-upgrade.yml | 26 ++++++--- .github/workflows/npm-audit-ts-fix.yml | 80 +++++++++++++++++--------- .github/workflows/npm-upgrade.yml | 49 +++++++++++----- 3 files changed, 105 insertions(+), 50 deletions(-) diff --git a/.github/workflows/node-upgrade.yml b/.github/workflows/node-upgrade.yml index 42d42f17806..9661e0e098d 100644 --- a/.github/workflows/node-upgrade.yml +++ b/.github/workflows/node-upgrade.yml 
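Review bot: The workflow declares no `permissions:` block while using `secrets.GITHUB_TOKEN` to create labels, so it runs with whatever default the repository grants the token, which may be write access to everything. Add `permissions:` with `issues: write` at the top of the file, which is the scope label management needs, so the token can do this and nothing else. The `|| echo "... already exists"` fallbacks also turn any failure (auth, rate limit, network) into "already exists", so the closing "Labels created successfully" can be printed when nothing was created; verify with `gh label list --json name` before reporting success.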
@@ -69,16 +69,24 @@ jobs: git commit -a -m "chore: update Node versions (20: ${{ steps.node-versions.outputs.latest_node20 }}, 24: ${{ steps.node-versions.outputs.latest_node24 }})" git push --force origin "$branch_name" - # Create PR body - pr_body="Automated Node.js version update:" - pr_body+="\n\n- Node 20: ${{ steps.node-versions.outputs.current_node20 }} → ${{ steps.node-versions.outputs.latest_node20 }}" - pr_body+="\n- Node 24: ${{ steps.node-versions.outputs.current_node24 }} → ${{ steps.node-versions.outputs.latest_node24 }}" - pr_body+="\n\nThis update ensures we're using the latest stable Node.js versions for security and performance improvements." - pr_body+="\n\n**Note**: When updating Node versions, remember to also create a new release of alpine_nodejs at the updated version following the instructions at: https://github.com/actions/alpine_nodejs" - pr_body+="\n\n---\n\nAutogenerated by [Node Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/node-upgrade.yml)" - + # Create PR body using here-doc for proper formatting + cat > pr_body.txt << 'EOF' + Automated Node.js version update: + + - Node 20: ${{ steps.node-versions.outputs.current_node20 }} → ${{ steps.node-versions.outputs.latest_node20 }} + - Node 24: ${{ steps.node-versions.outputs.current_node24 }} → ${{ steps.node-versions.outputs.latest_node24 }} + + This update ensures we're using the latest stable Node.js versions for security and performance improvements. 
+ + **Note**: When updating Node versions, remember to also create a new release of alpine_nodejs at the updated version following the instructions at: https://github.com/actions/alpine_nodejs + + --- + + Autogenerated by [Node Version Upgrade Workflow](https://github.com/actions/runner/blob/main/.github/workflows/node-upgrade.yml) + EOF + # Create PR gh pr create -B main -H "$branch_name" \ --title "chore: update Node versions" \ --label "dependency" \ - --body "$pr_body" + --body-file pr_body.txt \ No newline at end of file diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml index 408743b682b..34fcede7b5b 100644 --- a/.github/workflows/npm-audit-ts-fix.yml +++ b/.github/workflows/npm-audit-ts-fix.yml 
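Review bot: The `steps.node-versions.outputs.*` values are expanded with `${{ }}` straight into the shell text of this `run:` step, both in the `git commit -a -m "..."` line and inside the `pr_body.txt` heredoc, so a value that is not a plain version string (a double quote on the commit line, or a line reading `EOF` inside the heredoc) becomes shell syntax rather than data. The step that produces these outputs is outside this hunk; where they are parsed from an external manifest, pass them through `env:` (e.g. `LATEST_NODE20: ${{ steps.node-versions.outputs.latest_node20 }}`), reference `"$LATEST_NODE20"` in the script, and reject anything not matching `^[0-9]+\.[0-9]+\.[0-9]+$` before using it. The enclosing `if` and `run` step start above this hunk.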
@@ -102,35 +102,63 @@ jobs: fi cd - > /dev/null - # Create enhanced PR body - pr_body="Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies." - pr_body+="\n\n**Build Status**: $build_status" - - if [ -n "$fixes_applied" ]; then - pr_body+="\n\n**Automated Fixes Applied**:$fixes_applied" - fi - - pr_body+="\n\nThis workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes." - + # Create enhanced PR body using here-doc for proper formatting if [[ "$build_status" == *"fails"* ]]; then - pr_body+="\n\n⚠️ **Manual Review Required**: The build is currently failing after automated fixes were attempted." - pr_body+="\nCommon issues and solutions:" - pr_body+="\n- Check for TypeScript version compatibility with Node.js types" - pr_body+="\n- Review breaking changes in updated dependencies" - pr_body+="\n- Consider pinning problematic dependency versions temporarily" - pr_body+="\n- Review tsconfig.json for compatibility settings" + cat > pr_body.txt << 'EOF' + Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies. + + **Build Status**: ⚠️ Build fails - manual review required + + This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes. + + ⚠️ **Manual Review Required**: The build is currently failing after automated fixes were attempted. + + Common issues and solutions: + - Check for TypeScript version compatibility with Node.js types + - Review breaking changes in updated dependencies + - Consider pinning problematic dependency versions temporarily + - Review tsconfig.json for compatibility settings + + **Automated Fix Strategy**: + 1. Run npm audit fix + 2. Update @types/node to latest compatible version + 3. Try Node 20 specific @types/node version if needed + 4. Clean reinstall dependencies if conflicts persist + 5. 
Update TypeScript compiler if necessary + + --- + + Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml) + EOF else - pr_body+="\n\n✅ **Ready to Merge**: All automated fixes were successful and the build passes." + cat > pr_body.txt << 'EOF' + Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies. + + **Build Status**: ✅ Build passes + + This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes. + + ✅ **Ready to Merge**: All automated fixes were successful and the build passes. + + **Automated Fix Strategy**: + 1. Run npm audit fix + 2. Update @types/node to latest compatible version + 3. Try Node 20 specific @types/node version if needed + 4. Clean reinstall dependencies if conflicts persist + 5. Update TypeScript compiler if necessary + + --- + + Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml) + EOF fi - pr_body+="\n\n**Automated Fix Strategy**:" - pr_body+="\n1. Run npm audit fix" - pr_body+="\n2. Update @types/node to latest compatible version" - pr_body+="\n3. Try Node 20 specific @types/node version if needed" - pr_body+="\n4. Clean reinstall dependencies if conflicts persist" - pr_body+="\n5. Update TypeScript compiler if necessary" - - pr_body+="\n\n---\n\nAutogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml)" + if [ -n "$fixes_applied" ]; then + # Add the fixes applied section to the file + sed -i "/This workflow attempts/a\\ + \\ + **Automated Fixes Applied**:$fixes_applied" pr_body.txt + fi # Create PR with appropriate labels labels="dependency,typescript" 
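Review bot: The two `cat > pr_body.txt << 'EOF'` templates in this hunk are about twenty lines each and differ only in the status line and the review/ready paragraph, so every wording change (the strategy list is already duplicated verbatim) has to be made twice. Write a single template and substitute a `$build_status` line and a `$review_note` paragraph into it, keeping the quoted delimiter and applying the substitution afterwards. The `sed -i "/This workflow attempts/a\\ ... $fixes_applied" pr_body.txt` splice relies on sed's `a` text turning the literal `\n` sequences accumulated by `fixes_applied+=` into newlines, which I could not confirm from here and is GNU-specific at best; converting with `fixes_applied=$(printf '%b' "$fixes_applied")` before the `sed` makes the intent explicit. The enclosing `run` step continues above and below this hunk.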
@@ -142,7 +170,7 @@ jobs: gh pr create -B main -H "$branch_name" \ --title "chore: npm audit fix with TypeScript auto-repair" \ --label "$labels" \ - --body "$pr_body" + --body-file pr_body.txt else echo "No changes to commit" fi diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml index f2fad809c0b..54a329d392a 100644 --- a/.github/workflows/npm-upgrade.yml +++ b/.github/workflows/npm-upgrade.yml 
@@ -47,33 +47,52 @@ jobs: fi cd - > /dev/null - # Create PR body - pr_body="Automated npm audit fix for security vulnerabilities in hashFiles dependencies." - pr_body+="\n\n**Build Status**: $build_status" - pr_body+="\n\nThis PR was automatically created to address npm security advisories." - + # Create PR body using here-doc for proper formatting if [[ "$build_status" == *"fails"* ]]; then - pr_body+="\n\n⚠️ **Action Required**: The build is failing after the audit fix." - pr_body+="\n\n**Next Steps**:" - pr_body+="\n1. Run the 'NPM Audit Fix with TypeScript Auto-Fix' workflow for automated fixes" - pr_body+="\n2. Or manually fix TypeScript compatibility issues" - pr_body+="\n3. Common issue: @types/node version incompatibility - try updating to Node 20 compatible version" + cat > pr_body.txt << 'EOF' + Automated npm audit fix for security vulnerabilities in hashFiles dependencies. + + **Build Status**: ⚠️ Build fails - TypeScript auto-fix workflow recommended + + This PR was automatically created to address npm security advisories. + + ⚠️ **Action Required**: The build is failing after the audit fix. + + **Next Steps**: + 1. Run the 'NPM Audit Fix with TypeScript Auto-Fix' workflow for automated fixes + 2. Or manually fix TypeScript compatibility issues + 3. Common issue: @types/node version incompatibility - try updating to Node 20 compatible version + + --- + + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) + EOF else - pr_body+="\n\n✅ **Ready to Merge**: Audit fix successful with no build issues." + cat > pr_body.txt << 'EOF' + Automated npm audit fix for security vulnerabilities in hashFiles dependencies. + + **Build Status**: ✅ Build passes + + This PR was automatically created to address npm security advisories. + + ✅ **Ready to Merge**: Audit fix successful with no build issues. 
+ + --- + + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) + EOF fi - pr_body+="\n\n---\n\nAutogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml)" - # Create PR (without label since it may not exist) gh pr create -B main -H "$branch_name" \ --title "chore: npm audit fix for hashFiles dependencies" \ - --body "$pr_body" || \ + --body-file pr_body.txt || \ # Fallback: try with explicit label creation (gh label create "dependency" --description "Dependency updates" --color "0366d6" 2>/dev/null || true && \ gh pr create -B main -H "$branch_name" \ --title "chore: npm audit fix for hashFiles dependencies" \ --label "dependency" \ - --body "$pr_body") + --body-file pr_body.txt) else echo "No changes to commit" fi From 1e5bf223169b921ea267a93083f4c789133825dc Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:04:57 +0100 Subject: [PATCH 09/27] Fix npm audit output handling and ensure vulnerability count is numeric --- .github/workflows/dependency-check.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index c546baaf39c..965af9e6be4 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml 
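Review bot: The heredoc bodies written to `pr_body.txt` keep their script indentation (a quoted `'EOF'` delimiter strips nothing and `<<-` would strip only tabs); sitting two `if` levels deep inside `run: |`, each body line most likely carries four or more leading spaces after YAML removes the block's base indent, which GitHub Markdown renders as an indented code block, so the PR description would appear as monospace text with `**bold**` left unrendered. Dedent the template, e.g. `cat << 'EOF' | sed 's/^ *//' > pr_body.txt`, or build the body at column 0 in a dedicated step, and check one generated PR. The first `gh pr create` in this hunk still omits `--label`, so successful runs produce unlabeled PRs regardless of the fallback.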
@@ -132,11 +132,15 @@ jobs: cd src/Misc/expressionFunc/hashFiles npm install --silent - AUDIT_OUTPUT=$(npm audit --json 2>/dev/null || echo '{"vulnerabilities": {}}') + AUDIT_OUTPUT=$(npm audit --json 2>/dev/null || echo '{"metadata":{"vulnerabilities":{"total":0}}}') VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0') + # Ensure VULN_COUNT is a number + VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1) + VULN_COUNT=${VULN_COUNT:-0} + NPM_STATUS="✅ no vulnerabilities" - if [ "$VULN_COUNT" -gt 0 ]; then + if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found" # Get vulnerability details From 28d477ce55bdb29758db97a8d21cbe9d6259e787 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:08:53 +0100 Subject: [PATCH 10/27] bump verisons back --- src/Misc/externals.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Misc/externals.sh b/src/Misc/externals.sh index ca8f6c28ca2..29e83c853ad 100755 --- a/src/Misc/externals.sh +++ b/src/Misc/externals.sh @@ -6,8 +6,8 @@ NODE_URL=https://nodejs.org/dist NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download # When you update Node versions you must also create a new release of alpine_nodejs at that updated version. # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started -NODE20_VERSION="20.19.4" -NODE24_VERSION="24.5.0" +NODE20_VERSION="20.19.5" +NODE24_VERSION="24.7.0" get_abs_path() { # exploits the fact that pwd will print abs path when no args From 6020b37c58f9760c4b701a5cb6bea7fce9adec5c Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:11:32 +0100 Subject: [PATCH 11/27] Remove broken workflow file --- .github/workflows/npm-upgrade.yml | 98 ------------------------------- 1 file changed, 98 deletions(-) delete mode 100644 .github/workflows/npm-upgrade.yml 
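Review bot: `npm audit --json` exits non-zero when vulnerabilities are found, so the `|| echo '{"metadata":{"vulnerabilities":{"total":0}}}'` fallback appends a second JSON document to the real one on exactly the runs that matter, `jq` then prints two counts, and the `grep -o '[0-9]*' | head -1` added here works only by taking the first. The same fallback makes a genuine audit failure (no network, registry error, empty output) report `✅ no vulnerabilities`, which fails open for a security check. Capture without the fallback, `AUDIT_OUTPUT=$(npm audit --json 2>/dev/null) || true`, then treat output that `echo "$AUDIT_OUTPUT" | jq -e '.metadata.vulnerabilities.total' >/dev/null` cannot parse as a distinct "audit failed" status rather than zero. The `2>/dev/null` on the `[ "$VULN_COUNT" -gt 0 ]` test hides the same symptom.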
diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml deleted file mode 100644 index 54a329d392a..00000000000 --- a/.github/workflows/npm-upgrade.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -name: NPM Audit Fix - -on: - schedule: - - cron: "0 7 * * 1" # Weekly - workflow_dispatch: - -jobs: - npm-audit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: "20" - - name: NPM install and audit fix - working-directory: src/Misc/expressionFunc/hashFiles - run: | - npm install - npm audit fix || true - - - name: Create PR if changes exist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - HUSKY: 0 # Disable husky hooks for automated commits - run: | - # Check if there are any changes - if [ -n "$(git status --porcelain)" ]; then - # Configure git - git config --global user.name "github-actions[bot]" - git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" - - # Create branch and commit changes - branch_name="chore/npm-audit-fix" - git checkout -b "$branch_name" - - # Commit with --no-verify to skip husky hooks - git commit -a -m "chore: npm audit fix for hashFiles dependencies" --no-verify - git push --force origin "$branch_name" - - # Check if build passes after changes - build_status="✅ Build passes" - cd src/Misc/expressionFunc/hashFiles - if ! npm run build 2>/dev/null; then - build_status="⚠️ Build fails - TypeScript auto-fix workflow recommended" - fi - cd - > /dev/null - - # Create PR body using here-doc for proper formatting - if [[ "$build_status" == *"fails"* ]]; then - cat > pr_body.txt << 'EOF' - Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - - **Build Status**: ⚠️ Build fails - TypeScript auto-fix workflow recommended - - This PR was automatically created to address npm security advisories. - - ⚠️ **Action Required**: The build is failing after the audit fix. - - **Next Steps**: - 1. Run the 'NPM Audit Fix with TypeScript Auto-Fix' workflow for automated fixes - 2. Or manually fix TypeScript compatibility issues - 3. 
Common issue: @types/node version incompatibility - try updating to Node 20 compatible version - - --- - - Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) - EOF - else - cat > pr_body.txt << 'EOF' - Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - - **Build Status**: ✅ Build passes - - This PR was automatically created to address npm security advisories. - - ✅ **Ready to Merge**: Audit fix successful with no build issues. - - --- - - Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) - EOF - fi - - # Create PR (without label since it may not exist) - gh pr create -B main -H "$branch_name" \ - --title "chore: npm audit fix for hashFiles dependencies" \ - --body-file pr_body.txt || \ - # Fallback: try with explicit label creation - (gh label create "dependency" --description "Dependency updates" --color "0366d6" 2>/dev/null || true && \ - gh pr create -B main -H "$branch_name" \ - --title "chore: npm audit fix for hashFiles dependencies" \ - --label "dependency" \ - --body-file pr_body.txt) - else - echo "No changes to commit" - fi From 60062afc2e185bd8d2dc2fdfae397c8986a15770 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:16:20 +0100 Subject: [PATCH 12/27] Update for silent failures --- .github/workflows/npm-audit-ts-fix.yml | 79 ++++++++++-- .github/workflows/npm-upgrade.yml | 162 +++++++++++++++++++++++++ 2 files changed, 232 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/npm-upgrade.yml diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml index 34fcede7b5b..f43c846f513 100644 --- a/.github/workflows/npm-audit-ts-fix.yml +++ b/.github/workflows/npm-audit-ts-fix.yml 
@@ -18,7 +18,42 @@ jobs: working-directory: src/Misc/expressionFunc/hashFiles run: | npm install - npm audit fix || true + + # Check for vulnerabilities first + echo "Checking for npm vulnerabilities..." + if npm audit --audit-level=moderate; then + echo "✅ No moderate or higher vulnerabilities found" + exit 0 + fi + + echo "⚠️ Vulnerabilities found, attempting npm audit fix..." + + # Attempt audit fix and capture the result + if npm audit fix; then + echo "✅ npm audit fix completed successfully" + AUDIT_FIX_STATUS="success" + else + echo "⚠️ npm audit fix failed or had issues" + AUDIT_FIX_STATUS="failed" + + # Try audit fix with --force as a last resort for critical/high vulns only + echo "Checking if critical/high vulnerabilities remain..." + if ! npm audit --audit-level=high; then + echo "🚨 Critical/high vulnerabilities remain, attempting --force fix..." + if npm audit fix --force; then + echo "⚠️ npm audit fix --force completed (may have breaking changes)" + AUDIT_FIX_STATUS="force-fixed" + else + echo "❌ npm audit fix --force also failed" + AUDIT_FIX_STATUS="force-failed" + fi + else + echo "✅ Only moderate/low vulnerabilities remain after failed fix" + AUDIT_FIX_STATUS="partial-success" + fi + fi + + echo "AUDIT_FIX_STATUS=$AUDIT_FIX_STATUS" >> $GITHUB_ENV # Try to fix TypeScript issues automatically echo "Attempting to fix TypeScript compatibility issues..." @@ -29,13 +64,13 @@ jobs: # Common fix 1: Update @types/node to latest compatible version echo "Trying to update @types/node to latest version..." - npm update @types/node || true + npm update @types/node # Common fix 2: If that doesn't work, try installing a specific known-good version if ! npm run build 2>/dev/null; then echo "Trying specific @types/node version..." # Try Node 20 compatible version - npm install --save-dev @types/node@^20.0.0 || true + npm install --save-dev @types/node@^20.0.0 fi # Common fix 3: Clear node_modules and reinstall if still failing 
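Review bot: `npm audit fix --force` in this hunk runs automatically whenever high/critical findings survive the plain fix; `--force` installs semver-major upgrades (and can downgrade) to satisfy advisories, which is an unreviewed breaking dependency change on a branch that is then force-pushed, while the labels and "Ready to Merge" wording elsewhere in the file appear keyed on build status alone. Gate the `--force` path behind a `workflow_dispatch` input, e.g. `if [[ "${{ inputs.allow_force }}" == "true" ]]`, or make the `force-fixed` status always attach `needs-manual-review`. Separately, the baseline `npm install` can itself rewrite `package-lock.json` before the early `exit 0`, so a run with no findings can still leave changes that the next step turns into a PR with `AUDIT_FIX_STATUS` unset; `npm ci` for the baseline avoids that. The step continues below this hunk.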
@@ -43,13 +78,18 @@ jobs: echo "Clearing node_modules and reinstalling..." rm -rf node_modules package-lock.json npm install - npm audit fix || true + + # Re-run audit fix after clean install if it was successful before + if [[ "$AUDIT_FIX_STATUS" == "success" || "$AUDIT_FIX_STATUS" == "force-fixed" ]]; then + echo "Re-running npm audit fix after clean install..." + npm audit fix || echo "Audit fix failed on second attempt" + fi fi # Common fix 4: Try updating TypeScript itself if ! npm run build 2>/dev/null; then echo "Trying to update TypeScript..." - npm update typescript || true + npm update typescript fi # Final check @@ -103,11 +143,31 @@ jobs: cd - > /dev/null # Create enhanced PR body using here-doc for proper formatting + audit_status_msg="" + case "$AUDIT_FIX_STATUS" in + "success") + audit_status_msg="✅ **Audit Fix**: Completed successfully" + ;; + "partial-success") + audit_status_msg="⚠️ **Audit Fix**: Partial success (only moderate/low vulnerabilities remain)" + ;; + "force-fixed") + audit_status_msg="⚠️ **Audit Fix**: Completed with --force (may have breaking changes)" + ;; + "failed"|"force-failed") + audit_status_msg="❌ **Audit Fix**: Failed to resolve vulnerabilities" + ;; + *) + audit_status_msg="❓ **Audit Fix**: Status unknown" + ;; + esac + if [[ "$build_status" == *"fails"* ]]; then - cat > pr_body.txt << 'EOF' + cat > pr_body.txt << EOF Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies. **Build Status**: ⚠️ Build fails - manual review required + $audit_status_msg This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes. @@ -120,7 +180,7 @@ jobs: - Review tsconfig.json for compatibility settings **Automated Fix Strategy**: - 1. Run npm audit fix + 1. Run npm audit fix with proper error handling 2. Update @types/node to latest compatible version 3. Try Node 20 specific @types/node version if needed 4. Clean reinstall dependencies if conflicts persist 
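Review bot: Switching the heredoc delimiter from `'EOF'` to `EOF` in the second hunk so that `$audit_status_msg` expands makes the entire template subject to parameter expansion, command substitution and backslash processing, so any `$`, backtick or `\` later added to the body text will be interpreted rather than printed. Since `$audit_status_msg` is the only dynamic value, keep the quoted delimiter and substitute one placeholder afterwards, e.g. `sed -i "s|@AUDIT_STATUS@|$audit_status_msg|" pr_body.txt` (the status strings contain no `|`). The `case` in the same hunk maps an unset `AUDIT_FIX_STATUS` to "Status unknown" via `*`, which is what a run that took the early `exit 0` in the first step but still has changes will report; the enclosing `if` and `run` step start above the hunk.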
@@ -131,17 +191,18 @@ jobs: Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml) EOF else - cat > pr_body.txt << 'EOF' + cat > pr_body.txt << EOF Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies. **Build Status**: ✅ Build passes + $audit_status_msg This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes. ✅ **Ready to Merge**: All automated fixes were successful and the build passes. **Automated Fix Strategy**: - 1. Run npm audit fix + 1. Run npm audit fix with proper error handling 2. Update @types/node to latest compatible version 3. Try Node 20 specific @types/node version if needed 4. Clean reinstall dependencies if conflicts persist diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml new file mode 100644 index 00000000000..3ed48cbc7b1 --- /dev/null +++ b/.github/workflows/npm-upgrade.yml 
@@ -0,0 +1,162 @@ +name: NPM Audit Fix + +on: + schedule: + - cron: "0 7 * * 1" # Weekly + workflow_dispatch: + +jobs: + npm-audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "20" + - name: NPM install and audit fix + working-directory: src/Misc/expressionFunc/hashFiles + run: | + npm install + + # Check for vulnerabilities first + echo "Checking for npm vulnerabilities..." + if npm audit --audit-level=moderate; then + echo "✅ No moderate or higher vulnerabilities found" + echo "AUDIT_NEEDED=false" >> $GITHUB_ENV + exit 0 + fi + + echo "⚠️ Vulnerabilities found, attempting npm audit fix..." + echo "AUDIT_NEEDED=true" >> $GITHUB_ENV + + # Attempt audit fix and capture the result + if npm audit fix; then + echo "✅ npm audit fix completed successfully" + echo "AUDIT_FIX_STATUS=success" >> $GITHUB_ENV + else + echo "⚠️ npm audit fix failed or had issues" + + # Check if critical/high vulnerabilities remain + if ! 
npm audit --audit-level=high; then + echo "🚨 Critical/high vulnerabilities remain - manual intervention required" + echo "AUDIT_FIX_STATUS=failed-critical" >> $GITHUB_ENV + else + echo "✅ Only moderate/low vulnerabilities remain after failed fix" + echo "AUDIT_FIX_STATUS=failed-minor" >> $GITHUB_ENV + fi + fi + + - name: Create PR if changes exist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + HUSKY: 0 # Disable husky hooks for automated commits + run: | + # Check if there are any changes + if [ -n "$(git status --porcelain)" ]; then + # Configure git + git config --global user.name "github-actions[bot]" + git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" + + # Create branch and commit changes + branch_name="chore/npm-audit-fix" + git checkout -b "$branch_name" + + # Commit with --no-verify to skip husky hooks + git commit -a -m "chore: npm audit fix for hashFiles dependencies" --no-verify + git push --force origin "$branch_name" + + # Check if build passes after changes + build_status="✅ Build passes" + cd src/Misc/expressionFunc/hashFiles + if ! 
npm run build 2>/dev/null; then + build_status="⚠️ Build fails - TypeScript auto-fix workflow recommended" + fi + cd - > /dev/null + + # Determine audit status message + audit_status_msg="" + if [[ "$AUDIT_NEEDED" == "false" ]]; then + audit_status_msg="ℹ️ **Audit Status**: No vulnerabilities found" + else + case "$AUDIT_FIX_STATUS" in + "success") + audit_status_msg="✅ **Audit Fix**: Completed successfully" + ;; + "failed-minor") + audit_status_msg="⚠️ **Audit Fix**: Failed, but only minor vulnerabilities remain" + ;; + "failed-critical") + audit_status_msg="🚨 **Audit Fix**: Failed with critical/high vulnerabilities remaining" + ;; + *) + audit_status_msg="❓ **Audit Fix**: Status unknown" + ;; + esac + fi + + # Create PR body using here-doc for proper formatting + if [[ "$build_status" == *"fails"* ]]; then + cat > pr_body.txt << EOF + Automated npm audit fix for security vulnerabilities in hashFiles dependencies. + + **Build Status**: ⚠️ Build fails - TypeScript auto-fix workflow recommended + $audit_status_msg + + This PR was automatically created to address npm security advisories. + + ⚠️ **Action Required**: The build is failing after the audit fix. + + **Next Steps**: + 1. Run the 'NPM Audit Fix with TypeScript Auto-Fix' workflow for automated fixes + 2. Or manually fix TypeScript compatibility issues + 3. Common issue: @types/node version incompatibility - try updating to Node 20 compatible version + + --- + + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) + EOF + else + cat > pr_body.txt << EOF + Automated npm audit fix for security vulnerabilities in hashFiles dependencies. + + **Build Status**: ✅ Build passes + $audit_status_msg + + This PR was automatically created to address npm security advisories. + + ✅ **Ready to Merge**: Audit fix successful with no build issues. 
+ + --- + + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) + EOF + fi + + # Determine appropriate labels based on status + labels="dependency" + if [[ "$AUDIT_FIX_STATUS" == "failed-critical" ]]; then + labels="dependency,security,needs-manual-review" + elif [[ "$build_status" == *"fails"* ]]; then + labels="dependency,needs-manual-review" + fi + + # Create PR (without label since it may not exist) + gh pr create -B main -H "$branch_name" \ + --title "chore: npm audit fix for hashFiles dependencies" \ + --body-file pr_body.txt || \ + # Fallback: try with explicit label creation + (gh label create "dependency" --description "Dependency updates" --color "0366d6" 2>/dev/null || true && \ + gh label create "security" --description "Security-related changes" --color "D93F0B" 2>/dev/null || true && \ + gh label create "needs-manual-review" --description "Requires manual review" --color "B60205" 2>/dev/null || true && \ + gh pr create -B main -H "$branch_name" \ + --title "chore: npm audit fix for hashFiles dependencies" \ + --label "$labels" \ + --body-file pr_body.txt) + elif [[ "$AUDIT_NEEDED" == "true" && "$AUDIT_FIX_STATUS" == "failed-critical" ]]; then + echo "🚨 CRITICAL: npm audit fix failed with critical/high vulnerabilities but no file changes occurred!" + echo "This may indicate that the vulnerabilities could not be resolved automatically." + exit 1 + else + echo "No changes to commit" + fi From 7926eda3028f1bc2296fa18671f618f49ddb0a50 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:18:05 +0100 Subject: [PATCH 13/27] Improve npm audit handling and output reporting --- .github/workflows/dependency-check.yml | 51 +++++++++++++++++--------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 965af9e6be4..ae6e0d6a2b9 100644 
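Review bot: The new workflow declares no top-level `permissions:` block, yet the `Create PR if changes exist` step pushes a branch and calls `gh pr create` with `secrets.GITHUB_TOKEN`; whether that works depends on the repository's default token permissions, and where it does, the token is broader than the job needs. Since `actions/checkout` persists the token in the local git config by default, that scope is also reachable by the `npm install` step and any dependency lifecycle scripts it runs, so declare the minimum explicitly: `permissions:` with `contents: write` and `pull-requests: write`. Separately, `git push --force origin "$branch_name"` to the fixed branch `chore/npm-audit-fix` overwrites any commits a maintainer pushed to that branch while an earlier PR is open; `--force-with-lease` or a dated branch name is safer, and `gh pr create` will most likely fail anyway when a PR for that branch already exists.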
--- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml 
@@ -132,28 +132,43 @@ jobs: cd src/Misc/expressionFunc/hashFiles npm install --silent - AUDIT_OUTPUT=$(npm audit --json 2>/dev/null || echo '{"metadata":{"vulnerabilities":{"total":0}}}') - VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0') - # Ensure VULN_COUNT is a number - VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1) - VULN_COUNT=${VULN_COUNT:-0} + AUDIT_OUTPUT="" + AUDIT_EXIT_CODE=0 + # Run npm audit and capture output and exit code + if ! AUDIT_OUTPUT=$(npm audit --json 2>&1); then + AUDIT_EXIT_CODE=$? + fi - NPM_STATUS="✅ no vulnerabilities" - if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then - NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found" - - # Get vulnerability details - HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0') - CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0') + # Check if output is valid JSON + if echo "$AUDIT_OUTPUT" | jq . >/dev/null 2>&1; then + VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0') + # Ensure VULN_COUNT is a number + VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1) + VULN_COUNT=${VULN_COUNT:-0} - echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY - echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY - echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY - echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY + NPM_STATUS="✅ no vulnerabilities" + if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then + NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found" + + # Get vulnerability details + HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0') + CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0') + + echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY + echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY + echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY + echo "| High | $HIGH_VULNS |" 
>> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + else + echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + fi else - echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY + NPM_STATUS="❌ npm audit failed" + echo "npm audit failed to run or returned invalid JSON ❌" >> $GITHUB_STEP_SUMMARY + echo "Exit code: $AUDIT_EXIT_CODE" >> $GITHUB_STEP_SUMMARY + echo "Output: $AUDIT_OUTPUT" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY fi From 3f773c2e98bdc0921f7cdd369a4a72fa9a8e0062 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:20:06 +0100 Subject: [PATCH 14/27] lower versions for testing --- src/Misc/externals.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Misc/externals.sh b/src/Misc/externals.sh index 29e83c853ad..ca8f6c28ca2 100755 --- a/src/Misc/externals.sh +++ b/src/Misc/externals.sh @@ -6,8 +6,8 @@ NODE_URL=https://nodejs.org/dist NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download # When you update Node versions you must also create a new release of alpine_nodejs at that updated version. # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started -NODE20_VERSION="20.19.5" -NODE24_VERSION="24.7.0" +NODE20_VERSION="20.19.4" +NODE24_VERSION="24.5.0" get_abs_path() { # exploits the fact that pwd will print abs path when no args From e015312e5d5ef4c2798d2d7ede7011f725254697 Mon Sep 17 00:00:00 2001 From: Salman Muin Kayser Chishti Date: Mon, 8 Sep 2025 22:24:52 +0100 Subject: [PATCH 15/27] test: downgrade packages to vulnerable versions for testing npm audit workflow --- src/Misc/expressionFunc/hashFiles/package.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/Misc/expressionFunc/hashFiles/package.json b/src/Misc/expressionFunc/hashFiles/package.json index d4468d6f316..ecbefbe6e72 100644 
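Review bot: `AUDIT_EXIT_CODE=$?` inside `if ! AUDIT_OUTPUT=$(npm audit --json 2>&1); then` always records 0, because `$?` there is the status of the negated `!` list rather than of `npm audit`, so the summary will print "Exit code: 0" for every failure. Capture the status on the command itself: `AUDIT_OUTPUT=$(npm audit --json 2>&1) || AUDIT_EXIT_CODE=$?`. Also, `2>&1` merges npm's stderr (warnings, deprecation notices) into the captured text, so the `jq .` validity check can reject output that does contain the audit JSON and the run lands in the "invalid JSON" branch; keeping stderr separate (`2>/dev/null`, or redirected to a temp file that the failure branch prints) makes that branch mean what it says. The enclosing step starts before the hunk.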
--- a/src/Misc/expressionFunc/hashFiles/package.json
+++ b/src/Misc/expressionFunc/hashFiles/package.json
@@ -32,14 +32,15 @@
 "author": "GitHub Actions",
 "license": "MIT",
 "dependencies": {
- "@actions/glob": "^0.4.0"
+ "@actions/glob": "^0.4.0",
+ "lodash": "^4.17.15"
 },
 "devDependencies": {
- "@types/node": "^20.6.2",
+ "@types/node": "^18.0.0",
 "@typescript-eslint/eslint-plugin": "^6.21.0",
 "@typescript-eslint/parser": "^6.7.2",
 "@vercel/ncc": "^0.38.3",
- "eslint": "^8.47.0",
+ "eslint": "^7.32.0",
 "eslint-plugin-github": "^4.10.2",
 "eslint-plugin-prettier": "^5.0.0",
 "husky": "^9.1.7",
From 50ae1987d4113971638d36021a993e5c68a2919b Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti
Date: Mon, 8 Sep 2025 22:27:40 +0100
Subject: [PATCH 16/27] test: add axios vulnerable version for npm audit testing
---
 src/Misc/expressionFunc/hashFiles/package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Misc/expressionFunc/hashFiles/package.json b/src/Misc/expressionFunc/hashFiles/package.json
index ecbefbe6e72..61a5c498611 100644
--- a/src/Misc/expressionFunc/hashFiles/package.json
+++ b/src/Misc/expressionFunc/hashFiles/package.json
@@ -33,7 +33,8 @@
 "license": "MIT",
 "dependencies": {
 "@actions/glob": "^0.4.0",
- "lodash": "^4.17.15"
+ "lodash": "^4.17.15",
+ "axios": "0.21.0"
 },
 "devDependencies": {
 "@types/node": "^18.0.0",
From ed5a65fcc7f1fb043f3a1b80e8bad60073f522b7 Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti
Date: Mon, 8 Sep 2025 22:30:16 +0100
Subject: [PATCH 17/27] test: simplify to just axios vuln and old @types/node for testing
---
 src/Misc/expressionFunc/hashFiles/package.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/Misc/expressionFunc/hashFiles/package.json b/src/Misc/expressionFunc/hashFiles/package.json
index 61a5c498611..6448dd48bd5 100644
--- a/src/Misc/expressionFunc/hashFiles/package.json
+++ b/src/Misc/expressionFunc/hashFiles/package.json
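Review bot: These test commits (patches 15 through 19, the hunks here and on the following two lines) change `package.json` without touching `package-lock.json` — every diffstat shows a single file — so each intermediate revision leaves manifest and lockfile out of sync and `npm ci` would fail at those commits. Patch 16 also adds `axios` pinned to `0.21.0` as a runtime dependency of hashFiles, presumably to exercise the audit workflow, and patch 19 only reverts the manifest. Deliberately vulnerable fixtures are better kept on a throwaway branch or a dedicated test fixture than landed and reverted in mainline history, where bisects and history-scanning tools will keep surfacing them.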
@@ -33,7 +33,6 @@
 "license": "MIT",
 "dependencies": {
 "@actions/glob": "^0.4.0",
- "lodash": "^4.17.15",
 "axios": "0.21.0"
 },
 "devDependencies": {
@@ -41,7 +40,7 @@
 "@typescript-eslint/eslint-plugin": "^6.21.0",
 "@typescript-eslint/parser": "^6.7.2",
 "@vercel/ncc": "^0.38.3",
- "eslint": "^7.32.0",
+ "eslint": "^8.47.0",
 "eslint-plugin-github": "^4.10.2",
 "eslint-plugin-prettier": "^5.0.0",
 "husky": "^9.1.7",
From 493779b2c76000803b3b50076d4f6cd3a070627f Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti
Date: Mon, 8 Sep 2025 22:35:07 +0100
Subject: [PATCH 18/27] test: update @types/node to version 20.6.2 for compatibility
---
 src/Misc/expressionFunc/hashFiles/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Misc/expressionFunc/hashFiles/package.json b/src/Misc/expressionFunc/hashFiles/package.json
index 6448dd48bd5..7a395959f51 100644
--- a/src/Misc/expressionFunc/hashFiles/package.json
+++ b/src/Misc/expressionFunc/hashFiles/package.json
@@ -36,7 +36,7 @@
 "axios": "0.21.0"
 },
 "devDependencies": {
- "@types/node": "^18.0.0",
+ "@types/node": "^20.6.2",
 "@typescript-eslint/eslint-plugin": "^6.21.0",
 "@typescript-eslint/parser": "^6.7.2",
 "@vercel/ncc": "^0.38.3",
From b3ecf4b4d96b4f16d8eafb3da79a52b2d7a809c2 Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti
Date: Mon, 8 Sep 2025 22:38:24 +0100
Subject: [PATCH 19/27] revert: remove axios dependency from package.json
---
 src/Misc/expressionFunc/hashFiles/package.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/Misc/expressionFunc/hashFiles/package.json b/src/Misc/expressionFunc/hashFiles/package.json
index 7a395959f51..d4468d6f316 100644
--- a/src/Misc/expressionFunc/hashFiles/package.json
+++ b/src/Misc/expressionFunc/hashFiles/package.json
@@ -32,8 +32,7 @@
 "author": "GitHub Actions",
 "license": "MIT",
 "dependencies": {
- "@actions/glob": "^0.4.0",
- "axios": "0.21.0"
+ "@actions/glob": "^0.4.0"
 },
 "devDependencies": {
 "@types/node": "^20.6.2",
From 53d153baeabe66a143f933d9dae13b4bda5b23ad Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti
Date: Mon, 8 Sep 2025 23:50:04 +0100
Subject: [PATCH 20/27] chore: remove NPM Audit Fix workflow from GitHub Actions
---
 .github/workflows/npm-upgrade.yml | 162 ------------------------------
 1 file changed, 162 deletions(-)
 delete mode 100644 .github/workflows/npm-upgrade.yml
diff --git a/.github/workflows/npm-upgrade.yml b/.github/workflows/npm-upgrade.yml
deleted file mode 100644
index 3ed48cbc7b1..00000000000
--- a/.github/workflows/npm-upgrade.yml
+++ /dev/null
@@ -1,162 +0,0 @@ -name: NPM Audit Fix - -on: - schedule: - - cron: "0 7 * * 1" # Weekly - workflow_dispatch: - -jobs: - npm-audit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: "20" - - name: NPM install and audit fix - working-directory: src/Misc/expressionFunc/hashFiles - run: | - npm install - - # Check for vulnerabilities first - echo "Checking for npm vulnerabilities..." - if npm audit --audit-level=moderate; then - echo "✅ No moderate or higher vulnerabilities found" - echo "AUDIT_NEEDED=false" >> $GITHUB_ENV - exit 0 - fi - - echo "⚠️ Vulnerabilities found, attempting npm audit fix..." - echo "AUDIT_NEEDED=true" >> $GITHUB_ENV - - # Attempt audit fix and capture the result - if npm audit fix; then - echo "✅ npm audit fix completed successfully" - echo "AUDIT_FIX_STATUS=success" >> $GITHUB_ENV - else - echo "⚠️ npm audit fix failed or had issues" - - # Check if critical/high vulnerabilities remain - if ! 
npm audit --audit-level=high; then - echo "🚨 Critical/high vulnerabilities remain - manual intervention required" - echo "AUDIT_FIX_STATUS=failed-critical" >> $GITHUB_ENV - else - echo "✅ Only moderate/low vulnerabilities remain after failed fix" - echo "AUDIT_FIX_STATUS=failed-minor" >> $GITHUB_ENV - fi - fi - - - name: Create PR if changes exist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - HUSKY: 0 # Disable husky hooks for automated commits - run: | - # Check if there are any changes - if [ -n "$(git status --porcelain)" ]; then - # Configure git - git config --global user.name "github-actions[bot]" - git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" - - # Create branch and commit changes - branch_name="chore/npm-audit-fix" - git checkout -b "$branch_name" - - # Commit with --no-verify to skip husky hooks - git commit -a -m "chore: npm audit fix for hashFiles dependencies" --no-verify - git push --force origin "$branch_name" - - # Check if build passes after changes - build_status="✅ Build passes" - cd src/Misc/expressionFunc/hashFiles - if ! 
npm run build 2>/dev/null; then - build_status="⚠️ Build fails - TypeScript auto-fix workflow recommended" - fi - cd - > /dev/null - - # Determine audit status message - audit_status_msg="" - if [[ "$AUDIT_NEEDED" == "false" ]]; then - audit_status_msg="ℹ️ **Audit Status**: No vulnerabilities found" - else - case "$AUDIT_FIX_STATUS" in - "success") - audit_status_msg="✅ **Audit Fix**: Completed successfully" - ;; - "failed-minor") - audit_status_msg="⚠️ **Audit Fix**: Failed, but only minor vulnerabilities remain" - ;; - "failed-critical") - audit_status_msg="🚨 **Audit Fix**: Failed with critical/high vulnerabilities remaining" - ;; - *) - audit_status_msg="❓ **Audit Fix**: Status unknown" - ;; - esac - fi - - # Create PR body using here-doc for proper formatting - if [[ "$build_status" == *"fails"* ]]; then - cat > pr_body.txt << EOF - Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - - **Build Status**: ⚠️ Build fails - TypeScript auto-fix workflow recommended - $audit_status_msg - - This PR was automatically created to address npm security advisories. - - ⚠️ **Action Required**: The build is failing after the audit fix. - - **Next Steps**: - 1. Run the 'NPM Audit Fix with TypeScript Auto-Fix' workflow for automated fixes - 2. Or manually fix TypeScript compatibility issues - 3. Common issue: @types/node version incompatibility - try updating to Node 20 compatible version - - --- - - Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) - EOF - else - cat > pr_body.txt << EOF - Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - - **Build Status**: ✅ Build passes - $audit_status_msg - - This PR was automatically created to address npm security advisories. - - ✅ **Ready to Merge**: Audit fix successful with no build issues. 
- - --- - - Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-upgrade.yml) - EOF - fi - - # Determine appropriate labels based on status - labels="dependency" - if [[ "$AUDIT_FIX_STATUS" == "failed-critical" ]]; then - labels="dependency,security,needs-manual-review" - elif [[ "$build_status" == *"fails"* ]]; then - labels="dependency,needs-manual-review" - fi - - # Create PR (without label since it may not exist) - gh pr create -B main -H "$branch_name" \ - --title "chore: npm audit fix for hashFiles dependencies" \ - --body-file pr_body.txt || \ - # Fallback: try with explicit label creation - (gh label create "dependency" --description "Dependency updates" --color "0366d6" 2>/dev/null || true && \ - gh label create "security" --description "Security-related changes" --color "D93F0B" 2>/dev/null || true && \ - gh label create "needs-manual-review" --description "Requires manual review" --color "B60205" 2>/dev/null || true && \ - gh pr create -B main -H "$branch_name" \ - --title "chore: npm audit fix for hashFiles dependencies" \ - --label "$labels" \ - --body-file pr_body.txt) - elif [[ "$AUDIT_NEEDED" == "true" && "$AUDIT_FIX_STATUS" == "failed-critical" ]]; then - echo "🚨 CRITICAL: npm audit fix failed with critical/high vulnerabilities but no file changes occurred!" - echo "This may indicate that the vulnerabilities could not be resolved automatically." - exit 1 - else - echo "No changes to commit" - fi From 85391266867ad9f2a08531cbd34e6d41c1463bd6 Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Tue, 9 Sep 2025 01:04:32 +0100 Subject: [PATCH 21/27] Update externals.sh --- src/Misc/externals.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Misc/externals.sh b/src/Misc/externals.sh index ca8f6c28ca2..29e83c853ad 100755 --- a/src/Misc/externals.sh +++ b/src/Misc/externals.sh 
@@ -6,8 +6,8 @@ NODE_URL=https://nodejs.org/dist NODE_ALPINE_URL=https://github.com/actions/alpine_nodejs/releases/download # When you update Node versions you must also create a new release of alpine_nodejs at that updated version. # Follow the instructions here: https://github.com/actions/alpine_nodejs?tab=readme-ov-file#getting-started -NODE20_VERSION="20.19.4" -NODE24_VERSION="24.5.0" +NODE20_VERSION="20.19.5" +NODE24_VERSION="24.7.0" get_abs_path() { # exploits the fact that pwd will print abs path when no args From 18d4e96076437cd0473d2bb120ec0af5a0d226d2 Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Wed, 10 Sep 2025 12:47:10 +0100 Subject: [PATCH 22/27] Update npm-audit-ts-fix.yml --- .github/workflows/npm-audit-ts-fix.yml | 225 ++++--------------------- 1 file changed, 29 insertions(+), 196 deletions(-) diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml index f43c846f513..56b6956bd9e 100644 --- a/.github/workflows/npm-audit-ts-fix.yml +++ b/.github/workflows/npm-audit-ts-fix.yml 
@@ -1,237 +1,70 @@ -name: NPM Audit Fix with TypeScript Auto-Fix +name: NPM Audit Fix on: schedule: - - cron: "0 7 * * 1" # Weekly + - cron: "0 7 * * 1" # Weekly on Monday at 7 AM UTC workflow_dispatch: jobs: - npm-audit-with-ts-fix: + npm-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: "20" - - name: NPM install and audit fix with TypeScript auto-repair + + - name: NPM install and audit fix working-directory: src/Misc/expressionFunc/hashFiles run: | npm install - - # Check for vulnerabilities first - echo "Checking for npm vulnerabilities..." - if npm audit --audit-level=moderate; then - echo "✅ No moderate or higher vulnerabilities found" - exit 0 - fi - - echo "⚠️ Vulnerabilities found, attempting npm audit fix..." - - # Attempt audit fix and capture the result - if npm audit fix; then - echo "✅ npm audit fix completed successfully" - AUDIT_FIX_STATUS="success" - else - echo "⚠️ npm audit fix failed or had issues" - AUDIT_FIX_STATUS="failed" - - # Try audit fix with --force as a last resort for critical/high vulns only - echo "Checking if critical/high vulnerabilities remain..." - if ! npm audit --audit-level=high; then - echo "🚨 Critical/high vulnerabilities remain, attempting --force fix..." - if npm audit fix --force; then - echo "⚠️ npm audit fix --force completed (may have breaking changes)" - AUDIT_FIX_STATUS="force-fixed" - else - echo "❌ npm audit fix --force also failed" - AUDIT_FIX_STATUS="force-failed" - fi - else - echo "✅ Only moderate/low vulnerabilities remain after failed fix" - AUDIT_FIX_STATUS="partial-success" - fi - fi - - echo "AUDIT_FIX_STATUS=$AUDIT_FIX_STATUS" >> $GITHUB_ENV - - # Try to fix TypeScript issues automatically - echo "Attempting to fix TypeScript compatibility issues..." - - # Check if build fails - if ! npm run build 2>/dev/null; then - echo "Build failed, attempting automated fixes..." 
- - # Common fix 1: Update @types/node to latest compatible version - echo "Trying to update @types/node to latest version..." - npm update @types/node - - # Common fix 2: If that doesn't work, try installing a specific known-good version - if ! npm run build 2>/dev/null; then - echo "Trying specific @types/node version..." - # Try Node 20 compatible version - npm install --save-dev @types/node@^20.0.0 - fi - - # Common fix 3: Clear node_modules and reinstall if still failing - if ! npm run build 2>/dev/null; then - echo "Clearing node_modules and reinstalling..." - rm -rf node_modules package-lock.json - npm install - - # Re-run audit fix after clean install if it was successful before - if [[ "$AUDIT_FIX_STATUS" == "success" || "$AUDIT_FIX_STATUS" == "force-fixed" ]]; then - echo "Re-running npm audit fix after clean install..." - npm audit fix || echo "Audit fix failed on second attempt" - fi - fi - - # Common fix 4: Try updating TypeScript itself - if ! npm run build 2>/dev/null; then - echo "Trying to update TypeScript..." 
- npm update typescript - fi - - # Final check - if npm run build 2>/dev/null; then - echo "✅ Successfully fixed TypeScript issues automatically" - else - echo "⚠️ Could not automatically fix TypeScript issues" - fi - else - echo "✅ Build passes after audit fix" - fi + npm audit fix --force + npm run all - name: Create PR if changes exist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - HUSKY: 0 # Disable husky hooks for automated commits run: | # Check if there are any changes if [ -n "$(git status --porcelain)" ]; then # Configure git git config --global user.name "github-actions[bot]" - git config --global user.email "<41898282+github-actions[bot]@users.noreply.github.com>" - + git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" + # Create branch and commit changes - branch_name="chore/npm-audit-fix-with-ts-repair" + branch_name="chore/npm-audit-fix-$(date +%Y%m%d)" git checkout -b "$branch_name" + git add . + git commit -m "chore: npm audit fix for hashFiles dependencies" + git push origin "$branch_name" - # Commit with --no-verify to skip husky hooks - git commit -a -m "chore: npm audit fix with automated TypeScript compatibility fixes" --no-verify - git push --force origin "$branch_name" - - # Check final build status and gather info about what was changed - build_status="✅ Build passes" - fixes_applied="" - cd src/Misc/expressionFunc/hashFiles - - # Check what packages were updated - if git diff HEAD~1 package.json | grep -q "@types/node"; then - fixes_applied+="\n- Updated @types/node version for TypeScript compatibility" - fi - if git diff HEAD~1 package.json | grep -q "typescript"; then - fixes_applied+="\n- Updated TypeScript version" - fi - if git diff HEAD~1 package-lock.json | grep -q "resolved"; then - fixes_applied+="\n- Updated package dependencies via npm audit fix" - fi - - if ! 
npm run build 2>/dev/null; then - build_status="⚠️ Build fails - manual review required" - fi - cd - > /dev/null - - # Create enhanced PR body using here-doc for proper formatting - audit_status_msg="" - case "$AUDIT_FIX_STATUS" in - "success") - audit_status_msg="✅ **Audit Fix**: Completed successfully" - ;; - "partial-success") - audit_status_msg="⚠️ **Audit Fix**: Partial success (only moderate/low vulnerabilities remain)" - ;; - "force-fixed") - audit_status_msg="⚠️ **Audit Fix**: Completed with --force (may have breaking changes)" - ;; - "failed"|"force-failed") - audit_status_msg="❌ **Audit Fix**: Failed to resolve vulnerabilities" - ;; - *) - audit_status_msg="❓ **Audit Fix**: Status unknown" - ;; - esac - - if [[ "$build_status" == *"fails"* ]]; then - cat > pr_body.txt << EOF - Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies. - - **Build Status**: ⚠️ Build fails - manual review required - $audit_status_msg - - This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes. - - ⚠️ **Manual Review Required**: The build is currently failing after automated fixes were attempted. + # Create PR body using here-doc for proper formatting + cat > pr_body.txt << 'EOF' + Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - Common issues and solutions: - - Check for TypeScript version compatibility with Node.js types - - Review breaking changes in updated dependencies - - Consider pinning problematic dependency versions temporarily - - Review tsconfig.json for compatibility settings + This update addresses npm security advisories and ensures dependencies are secure and up-to-date. - **Automated Fix Strategy**: - 1. Run npm audit fix with proper error handling - 2. Update @types/node to latest compatible version - 3. Try Node 20 specific @types/node version if needed - 4. Clean reinstall dependencies if conflicts persist - 5. 
Update TypeScript compiler if necessary + **Changes made:** + - Applied `npm audit fix --force` to resolve security vulnerabilities + - Updated package-lock.json with security patches - --- - - Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml) - EOF - else - cat > pr_body.txt << EOF - Automated npm audit fix with TypeScript auto-repair for hashFiles dependencies. - - **Build Status**: ✅ Build passes - $audit_status_msg - - This workflow attempts to automatically fix TypeScript compatibility issues that may arise from npm audit fixes. - - ✅ **Ready to Merge**: All automated fixes were successful and the build passes. - - **Automated Fix Strategy**: - 1. Run npm audit fix with proper error handling - 2. Update @types/node to latest compatible version - 3. Try Node 20 specific @types/node version if needed - 4. Clean reinstall dependencies if conflicts persist - 5. Update TypeScript compiler if necessary + **Next steps:** + - Review the dependency changes + - Verify the hashFiles functionality still works as expected + - Merge when ready --- - Autogenerated by [NPM Audit Fix with TypeScript Auto-Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml) + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) EOF - fi - - if [ -n "$fixes_applied" ]; then - # Add the fixes applied section to the file - sed -i "/This workflow attempts/a\\ - \\ - **Automated Fixes Applied**:$fixes_applied" pr_body.txt - fi - - # Create PR with appropriate labels - labels="dependency,typescript" - if [[ "$build_status" == *"fails"* ]]; then - labels="dependency,typescript,needs-manual-review" - fi # Create PR gh pr create -B main -H "$branch_name" \ - --title "chore: npm audit fix with TypeScript auto-repair" \ - --label "$labels" \ + --title "chore: npm audit fix for hashFiles 
dependencies" \ + --label "dependency" \ --body-file pr_body.txt else - echo "No changes to commit" + echo "No changes to commit - npm audit fix did not modify any files" fi From 5887c9e4ce3d998e74bf86c08d5a97af318f3447 Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Wed, 10 Sep 2025 12:50:15 +0100 Subject: [PATCH 23/27] Update npm-audit-ts-fix.yml --- .github/workflows/npm-audit-ts-fix.yml | 48 ++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml index 56b6956bd9e..3f075810d8c 100644 --- a/.github/workflows/npm-audit-ts-fix.yml +++ b/.github/workflows/npm-audit-ts-fix.yml @@ -20,8 +20,27 @@ jobs: working-directory: src/Misc/expressionFunc/hashFiles run: | npm install + + # Save original state + cp package-lock.json package-lock.json.backup + + # Try audit fix npm audit fix --force - npm run all + + # Test if build still works + if ! npm run all; then + echo "Build failed after audit fix, reverting to safer approach" + # Restore original package-lock.json + mv package-lock.json.backup package-lock.json + # Try non-force audit fix + npm audit fix || true + # Set flag for different PR message + echo "AUDIT_FIX_PARTIAL=true" >> $GITHUB_ENV + else + echo "Build successful after audit fix" + rm package-lock.json.backup + echo "AUDIT_FIX_PARTIAL=false" >> $GITHUB_ENV + fi - name: Create PR if changes exist env: 
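Review bot: The rewritten install step runs `npm audit fix --force` unconditionally and then `npm run all`; under the default `bash -e` shell a failing `npm run all` aborts the step, so a forced major upgrade that breaks the build yields a red run with no PR and no record of what changed, while one that happens to compile is pushed for review with only the generic body text and no audit summary. The body's `Autogenerated by` link also points at `.github/workflows/npm-audit.yml`, but the file being edited is `.github/workflows/npm-audit-ts-fix.yml`. `git add .` in the PR step runs from the repository root after the install, so it stages whatever is not ignored there; confirm `node_modules` under `src/Misc/expressionFunc/hashFiles` is covered by `.gitignore` before relying on it. The hunk is the whole file, so nothing is cut at the edges.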
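Review bot: The rollback in the new `@@ -20,8 +20,27 @@` hunk restores only `package-lock.json`, but `npm audit fix --force` also rewrites the semver ranges in `package.json` and the contents of `node_modules`, so the "safer" `npm audit fix` that follows runs against a manifest that still carries the forced major bumps and a tree that already has them installed, and the PR then commits that `package.json`. Restore both files and reinstall before the conservative attempt — `git checkout -- package.json package-lock.json` followed by `npm ci` — and re-run `npm run all` afterwards so the partial-fix path is build-verified too. The step still runs under `bash -e`, so a non-zero exit from `npm audit fix --force` itself ends the step before the build test is reached; wrapping it as `npm audit fix --force || true` (or testing it in the `if`) keeps the fallback reachable. The step continues outside the hunk.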
@@ -41,7 +60,30 @@ jobs: git push origin "$branch_name" # Create PR body using here-doc for proper formatting - cat > pr_body.txt << 'EOF' + if [ "$AUDIT_FIX_PARTIAL" = "true" ]; then + cat > pr_body.txt << 'EOF' + Automated npm audit fix for security vulnerabilities in hashFiles dependencies. + + **⚠️ Partial Fix Applied** + This update addresses some npm security advisories, but a full `--force` fix caused build failures. + Applied conservative fixes only to maintain compatibility. + + **Changes made:** + - Applied `npm audit fix` (without --force) to resolve compatible security vulnerabilities + - Updated package-lock.json with security patches that don't break TypeScript compatibility + + **Next steps:** + - Review the dependency changes + - Verify the hashFiles functionality still works as expected + - Consider manual review of remaining vulnerabilities if any + - Merge when ready + + --- + + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) + EOF + else + cat > pr_body.txt << 'EOF' Automated npm audit fix for security vulnerabilities in hashFiles dependencies. This update addresses npm security advisories and ensures dependencies are secure and up-to-date. @@ -49,6 +91,7 @@ jobs: **Changes made:** - Applied `npm audit fix --force` to resolve security vulnerabilities - Updated package-lock.json with security patches + - Verified build compatibility with `npm run all` **Next steps:** - Review the dependency changes @@ -59,6 +102,7 @@ jobs: Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) EOF + fi # Create PR gh pr create -B main -H "$branch_name" \ From 1424843122b9b5ca8870428d32616d49286420d4 Mon Sep 17 00:00:00 2001 
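Review bot: Both new PR-body heredocs end with a footer linking to `.github/workflows/npm-audit.yml`, but the file this hunk edits is `.github/workflows/npm-audit-ts-fix.yml`, so a reviewer following the link to see what produced the PR lands on a different workflow or a 404. Point the footer at the generating file, `Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit-ts-fix.yml)`, or better, link the exact run so its audit log is one click away: supply `RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}` via `env:` and append `echo "Run: $RUN_URL" >> pr_body.txt` after the heredoc (the heredocs are `<< 'EOF'`, so nothing expands inside them).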
From: Salman Chishti Date: Wed, 10 Sep 2025 13:39:03 +0100 Subject: [PATCH 24/27] Update npm-audit-ts-fix.yml --- .github/workflows/npm-audit-ts-fix.yml | 94 +++++++++++++++++++------- 1 file changed, 68 insertions(+), 26 deletions(-) diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml index 3f075810d8c..8b3f12be3c6 100644 --- a/.github/workflows/npm-audit-ts-fix.yml +++ b/.github/workflows/npm-audit-ts-fix.yml 
@@ -23,23 +23,41 @@ jobs: # Save original state cp package-lock.json package-lock.json.backup + cp package.json package.json.backup - # Try audit fix + # Check what vulnerabilities exist + echo "=== Checking current vulnerabilities ===" + npm audit || true + + # Try audit fix --force first + echo "=== Attempting npm audit fix --force ===" npm audit fix --force # Test if build still works - if ! npm run all; then - echo "Build failed after audit fix, reverting to safer approach" - # Restore original package-lock.json + if npm run all; then + echo "✅ Build successful after --force audit fix" + rm package-lock.json.backup package.json.backup + echo "AUDIT_FIX_STATUS=success" >> $GITHUB_ENV + else + echo "❌ Build failed after --force audit fix, trying conservative approach" + # Restore original state mv package-lock.json.backup package-lock.json - # Try non-force audit fix + mv package.json.backup package.json + + # Try conservative audit fix (without --force) + echo "=== Attempting npm audit fix (conservative) ===" npm audit fix || true - # Set flag for different PR message - echo "AUDIT_FIX_PARTIAL=true" >> $GITHUB_ENV - else - echo "Build successful after audit fix" - rm package-lock.json.backup - echo "AUDIT_FIX_PARTIAL=false" >> $GITHUB_ENV + + # Test conservative fix + if npm run all; then + echo "✅ Build successful after conservative audit fix" + echo "AUDIT_FIX_STATUS=partial" >> $GITHUB_ENV + else + echo "❌ Even conservative audit fix breaks build, skipping audit" + # Restore to completely original state + git checkout -- package-lock.json package.json 2>/dev/null || true + echo "AUDIT_FIX_STATUS=skipped" >> $GITHUB_ENV + fi fi - name: Create PR if changes exist 
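Review bot: In the `skipped` branch the restore `git checkout -- package-lock.json package.json 2>/dev/null || true` swallows its own failure, so if the checkout does not succeed the manifests stay modified by the conservative `npm audit fix`, the next step's `git add .` commits them, and the PR is opened with the body for the no-changes case (in the next hunk) — the opposite of what happened. Let the restore fail loudly and assert the tree is clean before declaring the run skipped: `git checkout -- package-lock.json package.json` followed by `git diff --quiet -- package.json package-lock.json || { echo "restore failed"; exit 1; }`. Separately, restoring the two manifests leaves `node_modules` populated from the `--force` attempt; `npm audit fix` reinstalls from the restored lockfile so this is probably harmless, but an explicit `npm ci` between the restore and the conservative fix removes the doubt.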
@@ -56,50 +74,70 @@ jobs: branch_name="chore/npm-audit-fix-$(date +%Y%m%d)" git checkout -b "$branch_name" git add . - git commit -m "chore: npm audit fix for hashFiles dependencies" + git commit -m "chore: npm audit fix for hashFiles dependencies" --no-verify git push origin "$branch_name" - # Create PR body using here-doc for proper formatting - if [ "$AUDIT_FIX_PARTIAL" = "true" ]; then + # Create PR body based on what actually happened + if [ "$AUDIT_FIX_STATUS" = "success" ]; then cat > pr_body.txt << 'EOF' Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - **⚠️ Partial Fix Applied** - This update addresses some npm security advisories, but a full `--force` fix caused build failures. - Applied conservative fixes only to maintain compatibility. + **✅ Full Fix Applied Successfully** + This update addresses npm security advisories and ensures dependencies are secure and up-to-date. **Changes made:** - - Applied `npm audit fix` (without --force) to resolve compatible security vulnerabilities - - Updated package-lock.json with security patches that don't break TypeScript compatibility + - Applied `npm audit fix --force` to resolve security vulnerabilities + - Updated package-lock.json with security patches + - Verified build compatibility with `npm run all` **Next steps:** - Review the dependency changes - Verify the hashFiles functionality still works as expected - - Consider manual review of remaining vulnerabilities if any - Merge when ready --- Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) EOF - else + elif [ "$AUDIT_FIX_STATUS" = "partial" ]; then cat > pr_body.txt << 'EOF' Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - This update addresses npm security advisories and ensures dependencies are secure and up-to-date. 
+ **⚠️ Partial Fix Applied** + This update addresses some npm security advisories, but a full `--force` fix caused build failures. + Applied conservative fixes only to maintain compatibility. **Changes made:** - - Applied `npm audit fix --force` to resolve security vulnerabilities - - Updated package-lock.json with security patches - - Verified build compatibility with `npm run all` + - Applied `npm audit fix` (without --force) to resolve compatible security vulnerabilities + - Updated package-lock.json with security patches that don't break TypeScript compatibility **Next steps:** - Review the dependency changes - Verify the hashFiles functionality still works as expected + - Consider manual review of remaining vulnerabilities if any - Merge when ready --- + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) + EOF + else + # This shouldn't happen since we only create PR if there are changes + # but including for completeness + cat > pr_body.txt << 'EOF' + Automated npm audit attempted for security vulnerabilities in hashFiles dependencies. + + **⚠️ Manual Review Required** + Both force and conservative audit fixes caused build compatibility issues. + No changes were applied to maintain build stability. + + **Recommended actions:** + - Manual review of npm audit output + - Selective dependency updates + - Consider TypeScript compatibility when updating @types/node + + --- + Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) EOF fi @@ -110,5 +148,9 @@ jobs: --label "dependency" \ --body-file pr_body.txt else - echo "No changes to commit - npm audit fix did not modify any files" + if [ "$AUDIT_FIX_STATUS" = "skipped" ]; then + echo "⚠️ No changes created - audit fixes caused build failures, skipped to maintain stability" + else + echo "✅ No changes to commit - npm audit fix did not modify any files" + fi fi 
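Review bot: The `--no-verify` added to `git commit -m "chore: npm audit fix for hashFiles dependencies"` disables any pre-commit and commit-msg hooks in the checkout, which in an unattended workflow that commits whatever `npm audit fix --force` produced is the last local gate before the push; if a hook was rejecting the bot commit, the reason (formatting, a lint rule, a lockfile or secret check) is what should be fixed or the hook run explicitly. If the flag stays, say why beside it so it is not copied elsewhere: `# --no-verify: <hook> fails in CI because <reason>; its checks run in the build job instead`. The third body in this hunk says "No changes were applied" yet is only emitted inside the branch entered when changes exist (the step's condition lies above this hunk), as the comment above it concedes; a `skipped` status with a dirty tree means the restore failed and should abort rather than open a misleading PR.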
From a89271be8b801346cee098041dd3bea610a6941e Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Wed, 10 Sep 2025 13:42:17 +0100 Subject: [PATCH 25/27] Update npm-audit-ts-fix.yml --- .github/workflows/npm-audit-ts-fix.yml | 82 +++++++++----------------- 1 file changed, 29 insertions(+), 53 deletions(-) diff --git a/.github/workflows/npm-audit-ts-fix.yml b/.github/workflows/npm-audit-ts-fix.yml index 8b3f12be3c6..2372a07c6b3 100644 --- a/.github/workflows/npm-audit-ts-fix.yml +++ b/.github/workflows/npm-audit-ts-fix.yml 
@@ -21,43 +21,22 @@ jobs: run: | npm install - # Save original state - cp package-lock.json package-lock.json.backup - cp package.json package.json.backup - # Check what vulnerabilities exist echo "=== Checking current vulnerabilities ===" npm audit || true - # Try audit fix --force first - echo "=== Attempting npm audit fix --force ===" + # Apply audit fix --force to get security updates + echo "=== Applying npm audit fix --force ===" npm audit fix --force - # Test if build still works + # Test if build still works and set status + echo "=== Testing build compatibility ===" if npm run all; then - echo "✅ Build successful after --force audit fix" - rm package-lock.json.backup package.json.backup + echo "✅ Build successful after audit fix" echo "AUDIT_FIX_STATUS=success" >> $GITHUB_ENV else - echo "❌ Build failed after --force audit fix, trying conservative approach" - # Restore original state - mv package-lock.json.backup package-lock.json - mv package.json.backup package.json - - # Try conservative audit fix (without --force) - echo "=== Attempting npm audit fix (conservative) ===" - npm audit fix || true - - # Test conservative fix - if npm run all; then - echo "✅ Build successful after conservative audit fix" - echo "AUDIT_FIX_STATUS=partial" >> $GITHUB_ENV - else - echo "❌ Even conservative audit fix breaks build, skipping audit" - # Restore to completely original state - git checkout -- package-lock.json package.json 2>/dev/null || true - echo "AUDIT_FIX_STATUS=skipped" >> $GITHUB_ENV - fi + echo "❌ Build failed after audit fix - will create PR with fix instructions" + echo "AUDIT_FIX_STATUS=build_failed" >> $GITHUB_ENV fi - name: Create PR if changes exist 
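Review bot: With the backup/restore removed, the result of `npm audit fix --force` — semver-major upgrades and whatever transitive packages npm selects at run time — is now committed and pushed even when `npm run all` fails, and nothing in the step verifies the packages it just pulled in. Add `npm audit signatures` after the fix (it fails if any installed package lacks a valid registry signature or carries an invalid provenance attestation) and re-run `npm audit` so residual advisories appear in the log, e.g. `npm audit fix --force || true`, `npm audit signatures`, `npm audit || true`. Note too that `npm audit fix --force` has no `|| true` here, so under the step's default `bash -e` a non-zero exit (which npm returns when advisories remain that it cannot fix) aborts the step before the build check and before `AUDIT_FIX_STATUS` is written, leaving that variable unset for the next step.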
@@ -99,42 +78,43 @@ jobs: Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) EOF - elif [ "$AUDIT_FIX_STATUS" = "partial" ]; then + elif [ "$AUDIT_FIX_STATUS" = "build_failed" ]; then cat > pr_body.txt << 'EOF' Automated npm audit fix for security vulnerabilities in hashFiles dependencies. - **⚠️ Partial Fix Applied** - This update addresses some npm security advisories, but a full `--force` fix caused build failures. - Applied conservative fixes only to maintain compatibility. + **⚠️ Security Fixes Applied - Build Issues Need Manual Resolution** + This update applies important security patches but causes build failures that require manual fixes. **Changes made:** - - Applied `npm audit fix` (without --force) to resolve compatible security vulnerabilities - - Updated package-lock.json with security patches that don't break TypeScript compatibility + - Applied `npm audit fix --force` to resolve security vulnerabilities + - Updated package-lock.json with security patches + + **⚠️ Build Issues Detected:** + The build fails after applying security fixes, likely due to TypeScript compatibility issues with updated `@types/node`. + + **Required Manual Fixes:** + 1. Review TypeScript compilation errors in the build output + 2. Update TypeScript configuration if needed + 3. Consider pinning `@types/node` to a compatible version + 4. 
Run `npm run all` locally to verify fixes **Next steps:** - - Review the dependency changes - - Verify the hashFiles functionality still works as expected - - Consider manual review of remaining vulnerabilities if any - - Merge when ready + - **DO NOT merge until build issues are resolved** + - Apply manual fixes for TypeScript compatibility + - Test the hashFiles functionality still works as expected + - Merge when build passes --- Autogenerated by [NPM Audit Fix Workflow](https://github.com/actions/runner/blob/main/.github/workflows/npm-audit.yml) EOF else - # This shouldn't happen since we only create PR if there are changes - # but including for completeness + # Fallback case cat > pr_body.txt << 'EOF' Automated npm audit attempted for security vulnerabilities in hashFiles dependencies. - **⚠️ Manual Review Required** - Both force and conservative audit fixes caused build compatibility issues. - No changes were applied to maintain build stability. - - **Recommended actions:** - - Manual review of npm audit output - - Selective dependency updates - - Consider TypeScript compatibility when updating @types/node + **ℹ️ No Changes Applied** + No security vulnerabilities were found or no changes were needed. --- @@ -148,9 +128,5 @@ jobs: --label "dependency" \ --body-file pr_body.txt else - if [ "$AUDIT_FIX_STATUS" = "skipped" ]; then - echo "⚠️ No changes created - audit fixes caused build failures, skipped to maintain stability" - else - echo "✅ No changes to commit - npm audit fix did not modify any files" - fi + echo "✅ No changes to commit - npm audit fix did not modify any files" fi From 5d6ba2102ca8f26cd6eed1e510e996594f4190ec Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Mon, 22 Sep 2025 22:50:00 +0100 Subject: [PATCH 26/27] Change runner from ubuntu-latest to path-test --- .github/workflows/dependency-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
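Review bot: In the `build_failed` branch the only thing standing between a known-broken, force-upgraded dependency set and `main` is the "DO NOT merge" line in the PR text, while the `gh pr create` in the final hunk attaches the same `--label "dependency"` regardless of `AUDIT_FIX_STATUS` (the `needs-manual-review` label an earlier commit in this series removed is gone). Open that case as a draft with a distinguishing label so branch protection and reviewers can key on it: `pr_flags=""`, `if [ "$AUDIT_FIX_STATUS" = "build_failed" ]; then pr_flags="--draft --label needs-manual-review"; fi`, then `gh pr create -B main -H "$branch_name" $pr_flags --label "dependency" --body-file pr_body.txt` (the label must exist in the repo or `gh` errors). The "Fallback case" body asserting "No security vulnerabilities were found or no changes were needed" is only ever written inside the changes-exist branch, so if it fired the PR would contain changes its description denies; since `AUDIT_FIX_STATUS` can now only be `success` or `build_failed`, that branch is dead and would be clearer as an `echo "unexpected AUDIT_FIX_STATUS=$AUDIT_FIX_STATUS"; exit 1`.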
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index ae6e0d6a2b9..51de41f7f70 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -19,7 +19,7 @@ on: jobs: dependency-status: - runs-on: ubuntu-latest + runs-on: path-test outputs: node20-status: ${{ steps.check-versions.outputs.node20-status }} node24-status: ${{ steps.check-versions.outputs.node24-status }} From 6b3806aef3c258d1aaa0289dda9de4a6aa37866a Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Mon, 22 Sep 2025 23:03:43 +0100 Subject: [PATCH 27/27] Change runner from path-test to path-test-2 --- .github/workflows/dependency-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 51de41f7f70..5bdacc4584c 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -19,7 +19,7 @@ on: jobs: dependency-status: - runs-on: path-test + runs-on: path-test-2 outputs: node20-status: ${{ steps.check-versions.outputs.node20-status }} node24-status: ${{ steps.check-versions.outputs.node24-status }}
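Review bot: `runs-on: path-test-2` (and `path-test` in the preceding commit) moves the `dependency-status` job from a GitHub-hosted `ubuntu-latest` image to a self-hosted runner label, and the `on:` triggers of dependency-check.yml are outside this hunk, so it cannot be seen here whether the workflow can be started by a `pull_request` from a fork or only by `schedule`/`workflow_dispatch`. On a public repository a job that runs workflow-controlled steps on a self-hosted runner lets anyone who can trigger it execute code on that machine, which is why GitHub advises against self-hosted runners for public repos unless the runner is ephemeral and the triggers are restricted. The label names read like scratch labels; if this is an experiment, revert to `runs-on: ubuntu-latest` before merging, otherwise record the trust boundary above the line (`# self-hosted runner; job must only run on schedule/dispatch from this repo`) and confirm the triggers match.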