ci: dependabot fixes, lockfile linting #20344
Codecov Report

All modified and coverable lines are covered by tests.

```
@@            Coverage Diff            @@
##             main   #20344     +/-   ##
=======================================
  Coverage   93.30%   93.30%
=======================================
  Files         981      981
  Lines       55155    55155
=======================================
+ Hits        51460    51461     +1
+ Misses       3695     3694     -1
```
authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your

```
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-51ea88b2dcd107917f2d283d27ade2cb1c00d070
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-51ea88b2dcd107917f2d283d27ade2cb1c00d070
```

Afterwards, run the upgrade commands from the latest release notes.
e47eeeb to 2bd54e9
| $(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml | ||
| $(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py | ||
| $(MAKE) gen-build gen-compose aws-cfn | ||
| $(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json | ||
| npm version --no-git-tag-version --allow-same-version $(version) | ||
| cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version) |
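Review bot: the `$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/"` line rewrites every quoted occurrence of the old version string in package.json and package-lock.json, so any dependency in package-lock.json that happens to be pinned at the same version as the project is rewritten too, not only the root `"version"` field. The two `npm version --no-git-tag-version --allow-same-version $(version)` calls that follow already update the root version in both files, so that sed is redundant and far less targeted than the `^version = ` and `^VERSION = ` anchors used for pyproject.toml and authentik/__init__.py; drop it, or at least anchor the pattern to the `"version":` key.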
Replacing the version string without npm version can break workspace packages which reference their parent or siblings.
| env: | ||
| NPM_VERSION: "11.10.0" |
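Review bot: `NPM_VERSION: "11.10.0"` is a hand-maintained pin that lives outside package.json, so nothing in the repository ties it to the npm version the lockfiles were generated with; a comment on this line stating what it must be kept in sync with (and a step that fails when `npm --version` disagrees) would make drift visible in review instead of surfacing as a lockfile diff.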
How do we plan on automating upgrading this when a new version is released?
| - name: build | ||
| working-directory: web/ | ||
| run: npm run build | ||
|
|
| - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1 | ||
| with: | ||
| jobs: ${{ toJSON(needs) }} | ||
|
|
| - name: Install NPM | ||
| run: npm install -g npm@${{ env.NPM_VERSION }} |
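Review bot: `npm install -g npm@${{ env.NPM_VERSION }}` pulls npm from the registry on every run pinned by version only, and if `NPM_VERSION` is not defined in the scope this job sees, the expression expands to an empty string and `npm@` resolves to whatever `latest` is at that moment, silently losing the pin. Follow the install with a guard such as `test "$(npm --version)" = "$NPM_VERSION"` so a missing env var or an unexpected registry result fails the job rather than changing the tool that rewrites the lockfiles.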
There are plenty of places where we rely on npm packages being installed, not only in ci-web.yml. How do we plan on handling those?
| #region Setup | ||
|
|
| - name: Detect changed lockfiles | ||
| id: detect | ||
| run: | | ||
| changed=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD) | ||
|
|
||
| npm_matches=$(echo "$changed" | grep -E 'package(-lock)?\.json$' || true) | ||
| npm_dirs=$(echo "$npm_matches" | xargs -I{} dirname {} | sort -u) | ||
|
|
||
| echo "npm_dirs=$(echo "$npm_dirs" | tr '\n' ' ')" >> "$GITHUB_OUTPUT" |
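Review bot: the `git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD` line interpolates an event field directly into the shell script; `base.ref` is a branch name of this repository, so the exposure is small, but the recommended pattern for any `github.event` value in `run:` is to pass it through `env:` and reference `"$BASE_REF"` instead. The three-dot diff also requires `origin/<base>` to exist locally, so the checkout step must fetch the base branch rather than only the PR head, or this step errors before any lockfile is detected. Finally, `dirname` of a top-level `package.json` yields `.`, so consumers of `npm_dirs` need to accept `.` as a directory entry, and the `tr '\n' ' '` join means a path containing a space would be split downstream.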
You can use tj-actions/changed-files like in packages-npm-publish.yml
| @@ -0,0 +1,289 @@ | |||
| #!/usr/bin/env node | |||
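Review bot: only the `#!/usr/bin/env node` shebang of this 289-line script is visible in the snippet, so its logic cannot be reviewed here; note that the shebang only takes effect if the file's executable bit is committed, otherwise every caller has to invoke it as `node <path>` and the line is inert. A short header comment stating the script's inputs, the exit codes it uses in strict versus permissive mode, and which files it rewrites would help the workflow that calls it stay reviewable.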
Should this still live in web/scripts maybe?
Leaving this in scripts allows the repo root, web, website, etc to invoke this without NPM workspace stuff causing trouble
This reverts commit 68d4d6d.
2bd54e9 to 5acb401
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
tl;dr Dependabot's NPM updates can corrupt lockfiles with inconsistent optional dependencies. This PR adds an automated linter + workflow to detect and fix these issues.
Details
Dependabot's NPM package updates sometimes result in a malformed `package-lock.json`. Optional dependencies get erroneously inserted as direct dependencies, which seems to result in a lockfile that doesn't match the actual `package.json` constraints. This causes unexpected behavior in `npm ci` and `npm install`. This seemingly appears fine but actually leaves the lockfile in a broken state, causing issues for downstream consumers and CI pipelines.

The issue begins with Dependabot's approach of always running `npm install` regardless of dependency constraints:

Despite the `optionalDependencies` constraint, and the `package-lock.json` correctly only including `chromedriver` as an optional dependency, Dependabot's `npm install` adds it as a direct dependency in the lockfile:

This bug actually originates in NPM itself, though a fix is in progress.
What this PR does
This PR includes two complementary fixes:
NPM lockfile linter
This script detects the inconsistency scenarios Dependabot creates, especially within NPM packages that make use of a Workspace. The script is also designed to work with our existing linters for web, docs, and other NPM packages.
Automated GitHub workflow
This workflow runs on every Dependabot PR to execute the linter in a permissive mode, automatically reconciling the lockfile if issues are detected. This is more or less what we've been doing manually, now automated and integrated into our CI pipeline.
All together, this keeps Dependabot PRs clean and consistent while we wait for NPM to resolve the underlying issue upstream.
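The inconsistency the description above refers to is visible in the lockfile itself: in a lockfileVersion 2/3 `package-lock.json`, `packages[""]` mirrors the root `package.json` (and `packages["<workspace dir>"]` mirrors each workspace), while `packages["node_modules/<name>"]` entries describe the installed tree and carry `"optional": true` for packages that are only reachable optionally. The following is an added example, not the linter this PR ships: it compares constructed manifests against a constructed lockfile in which an optional package has been promoted to `dependencies` and lost its tree marker, reports each mismatch, and produces a reconciled copy. It goes beyond the single `chromedriver` case in the description by also checking a workspace manifest. All package names, versions and the `web` workspace are invented for the example.

```javascript
// Added example (not the PR's lint script): detect optional dependencies that a
// package-lock.json mirrors as regular dependencies, then reconcile them.
// Sections a package.json may list a non-optional dependency under.
const SECTIONS = ["dependencies", "devDependencies", "peerDependencies"];

// Constructed manifests keyed by directory relative to the repo root
// ("" = root package.json, "web" = a workspace). Hypothetical names.
const manifests = {
  "": { name: "example-root", version: "1.0.0", workspaces: ["web"],
        dependencies: { lit: "^3.0.0" },
        optionalDependencies: { chromedriver: "^131.0.0" } },
  web: { name: "example-web", version: "1.0.0",
         devDependencies: { typescript: "^5.0.0" },
         optionalDependencies: { "@esbuild/linux-x64": "^0.24.0" } },
};

// Constructed lockfile reproducing the corruption: both optional packages were
// promoted to "dependencies" in the mirror entries and the installed tree
// entries lost their "optional": true marker.
const lock = {
  name: "example-root", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "example-root", version: "1.0.0", workspaces: ["web"],
          dependencies: { lit: "^3.0.0", chromedriver: "^131.0.0" } },
    web: { name: "example-web", version: "1.0.0",
           dependencies: { "@esbuild/linux-x64": "^0.24.0" },
           devDependencies: { typescript: "^5.0.0" } },
    "node_modules/lit": { version: "3.1.0" },
    "node_modules/chromedriver": { version: "131.0.1" },
    "node_modules/typescript": { version: "5.4.0", dev: true },
    "node_modules/@esbuild/linux-x64": { version: "0.24.0" },
  },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns one finding per mismatch:
//  { kind: "promoted",  path: <manifest dir>, name, section } when the mirror
//    entry lists an optional-only package under a non-optional section;
//  { kind: "unflagged", path: <tree key>, name } when the installed entry for
//    a package that is optional everywhere it is declared lacks optional: true.
function findOptionalLeaks(manifests, lock) {
  const findings = [];
  const optionalDirs = new Map(); // name -> dirs declaring it as optional
  const nonOptional = new Set();  // names some manifest needs non-optionally
  for (const [dir, manifest] of Object.entries(manifests)) {
    for (const section of SECTIONS) {
      for (const name of Object.keys(manifest[section] || {})) nonOptional.add(name);
    }
    const mirror = lock.packages[dir];
    for (const name of Object.keys(manifest.optionalDependencies || {})) {
      if (!optionalDirs.has(name)) optionalDirs.set(name, []);
      optionalDirs.get(name).push(dir);
      if (!mirror) continue;
      for (const section of SECTIONS) {
        if (mirror[section] && has(mirror[section], name)) {
          findings.push({ kind: "promoted", path: dir, name, section });
        }
      }
    }
  }
  for (const [name, dirs] of optionalDirs) {
    if (nonOptional.has(name)) continue; // required somewhere: not optional-only
    const keys = new Set([`node_modules/${name}`]); // hoisted to the root
    for (const dir of dirs) if (dir) keys.add(`${dir}/node_modules/${name}`);
    for (const key of keys) {
      const entry = lock.packages[key];
      if (entry && entry.optional !== true) findings.push({ kind: "unflagged", path: key, name });
    }
  }
  return findings;
}

// Returns a corrected deep copy; the input lockfile object is not mutated.
function reconcileLockfile(manifests, lock) {
  const fixed = JSON.parse(JSON.stringify(lock));
  for (const f of findOptionalLeaks(manifests, lock)) {
    const entry = fixed.packages[f.path];
    if (f.kind === "promoted") {
      delete entry[f.section][f.name];
      if (Object.keys(entry[f.section]).length === 0) delete entry[f.section];
      entry.optionalDependencies = entry.optionalDependencies || {};
      // Restore the range exactly as package.json declares it.
      entry.optionalDependencies[f.name] = manifests[f.path].optionalDependencies[f.name];
    } else {
      entry.optional = true;
    }
  }
  return fixed;
}

const report = findOptionalLeaks(manifests, lock);
for (const f of report) console.log(`${f.kind}: ${f.name} at ${JSON.stringify(f.path)}${f.section ? " in " + f.section : ""}`);
const repaired = reconcileLockfile(manifests, lock);
console.log(`after reconcile: ${findOptionalLeaks(manifests, repaired).length} findings`);
```

Wired into a workflow, the equivalent of the PR's strict mode is to exit non-zero when `findOptionalLeaks` returns anything, and permissive mode is to write `reconcileLockfile`'s result back out and commit it. Real lockfiles also carry `dev` and `devOptional` markers and nested `node_modules` trees beyond the two locations checked here, so a production linter needs the same walk applied to every tree location where npm may place the package.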