{"id":31333382,"url":"https://github.com/temporalio/pack-dependency-actions","last_synced_at":"2026-03-12T00:03:54.715Z","repository":{"id":314926934,"uuid":"1052179749","full_name":"temporalio/pack-dependency-actions","owner":"temporalio","description":null,"archived":false,"fork":false,"pushed_at":"2025-09-15T16:32:41.000Z","size":116,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-15T18:22:40.120Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/temporalio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-07T15:14:24.000Z","updated_at":"2025-09-15T16:32:44.000Z","dependencies_parsed_at":"2025-09-15T18:22:44.801Z","dependency_job_id":"e9e499de-e337-45ba-91d7-acb254f00130","html_url":"https://github.com/temporalio/pack-dependency-actions","commit_stats":null,"previous_names":["temporalio/pack-dependency-actions"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/temporalio/pack-dependency-actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fpack-dependency-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fpack-dependency-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fpack-dependency-a
ctions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fpack-dependency-actions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/temporalio","download_url":"https://codeload.github.com/temporalio/pack-dependency-actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/temporalio%2Fpack-dependency-actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":277009877,"owners_count":25744543,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-25T02:00:09.612Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-26T01:57:08.188Z","updated_at":"2025-09-26T01:57:12.667Z","avatar_url":"https://github.com/temporalio.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Pack Dependency Actions\n\nA collection of modular GitHub Actions for managing packed dependencies from upstream repositories. These actions automate the process of building, packing, and updating dependencies from source, particularly useful for monorepos and projects that need to consume pre-release versions of dependencies.\n\n## Philosophy\n\nThis repository provides individual, focused actions rather than composite workflows. 
This design allows consuming repositories to:\n- Compose actions in ways specific to their needs\n- Add custom steps between actions\n- Use only the actions they need\n- Maintain full control over their workflow logic\n\n## Current Actions\n\nThis repository provides 11 specialized actions that can be composed together to create complete dependency management workflows:\n\n### Core Actions\n\n#### validate-sha\nValidates and resolves target SHA for a repository, preventing accidental rollbacks.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/validate-sha@v1\n  with:\n    repository: 'owner/repo'\n    target-sha: ${{ github.event.inputs.target-sha }}\n    file-path: '.registry-sha'\n    allow-rollback: false\n```\n\n#### download-source\nDownloads source code from a repository at a specific SHA.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/download-source@v1\n  with:\n    repository: 'owner/repo'\n    sha: ${{ steps.validate.outputs.resolved-sha }}\n    token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n#### build-and-pack\nBuilds and packs a project from source.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/build-and-pack@v1\n  with:\n    source-path: 'source'\n    build-command: 'pnpm build'\n    pack-command: 'pnpm pack'\n```\n\n#### move-pack\nMoves and renames packed tarballs with SHA for traceability.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/move-pack@v1\n  with:\n    source-path: 'source'\n    pack-destination: './packs'\n    package-name: 'my-package'\n    sha: ${{ steps.validate.outputs.resolved-sha }}\n    source-pattern: '*.tgz'\n```\n\n#### update-dependencies\nUpdates package.json dependencies to use packed tarballs.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/update-dependencies@v1\n  with:\n    package-names: '@org/package1,@org/package2'\n    pack-files: './packs/package1.tgz,./packs/package2.tgz'\n    package-manager: 'pnpm'\n```\n\n#### 
generate-changelog\nGenerates a changelog between two commits. [Full documentation →](./generate-changelog/README.md)\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/generate-changelog@v1\n  with:\n    repository: 'owner/repo'\n    from-sha: ${{ steps.validate.outputs.last-sha }}\n    to-sha: ${{ steps.validate.outputs.resolved-sha }}\n    format: 'markdown'\n```\n\n### Version Management Actions\n\n#### analyze-commits-for-bump\nAnalyzes commits to determine semantic version bump type (major/minor/patch) based on conventional commit patterns. [Full documentation →](./analyze-commits-for-bump/README.md)\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/analyze-commits-for-bump@v1\n  with:\n    from-ref: 'v1.0.0'\n    to-ref: 'HEAD'\n    major-patterns: 'BREAKING CHANGE,BREAKING'\n    minor-patterns: 'feat,feature,add'\n```\n\n#### calculate-semantic-version\nCalculates new semantic version based on current version and bump type or specific version override. [Full documentation →](./calculate-semantic-version/README.md)\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/calculate-semantic-version@v1\n  with:\n    current-version: '1.2.3'\n    bump-type: 'minor'\n    # or specific-version: '2.0.0'\n```\n\n### PR Management Actions\n\n#### check-version\nChecks and compares dependency versions between main branch and PRs. Creates non-blocking review comments when versions differ, with smart deduplication and support for new files. 
[Full documentation →](./check-version/README.md)\n\n**Key Features:**\n- Non-blocking COMMENT reviews (not REQUEST_CHANGES)\n- Comment deduplication - updates existing comments instead of creating duplicates\n- Smart detection of version mismatches with detailed reasoning\n- Support for new version files that don't exist on main\n- Configurable branch patterns allowed to modify versions\n- Checks if PR actually modified the file vs just being outdated\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/check-version@v1\n  with:\n    file-path: '.ui-sha'\n    pr-number: ${{ github.event.pull_request.number }}\n    comment-title: 'UI Pack Version Mismatch'\n    allow-pattern: '^(update|generate|release)-ui-.*'\n    comment-body-template: |\n      ## {comment_title} 🔄\n      \n      The pack version in `{file_path}` differs from the main branch.\n      \n      **Main branch:** `{main_version}`\n      **This PR:** `{pr_version}`\n      \n      To update this PR with the latest version from main, run:\n      ```bash\n      {update_command}\n      ```\n      \n      **Reason:** {reason}\n    update-command: 'git fetch origin main \u0026\u0026 git merge origin/main'\n```\n\n**Outputs:**\n- `should-block`: Boolean indicating if PR should be blocked\n- `main-version`: Version from main branch\n- `pr-version`: Version from PR branch\n- `base-version`: Version from merge base\n- `pr-modified`: Boolean indicating if PR modified the file\n- `reason`: Human-readable reason for the decision\n\n#### version-sweep\nSweeps all open PRs to check version consistency across the repository.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/version-sweep@v1\n  with:\n    file-path: '.ui-sha'\n    base-branch: 'main'\n    labels-filter: 'needs-update'\n```\n\n### Automation Actions\n\n#### dispatch-workflow\nTriggers workflows in remote repositories with optional logging and commit notifications.\n\n**Usage:**\n```yaml\n- uses: 
temporalio/pack-dependency-actions/dispatch-workflow@v1\n  with:\n    token: ${{ secrets.GITHUB_TOKEN }}\n    repository: 'owner/repo'\n    workflow: 'update-dependencies.yml'\n    inputs: '{\"target-sha\": \"${{ github.sha }}\"}'\n```\n\n**Key Features:**\n- Triggers workflows in other repositories\n- Pass custom inputs to the target workflow\n- Optional commit comments with customizable templates\n- Configurable logging with success/failure indicators\n- Simple and reliable - doesn't try to track the workflow run\n\n**Enhanced Usage with Notifications:**\n```yaml\n- uses: temporalio/pack-dependency-actions/dispatch-workflow@v1\n  with:\n    token: ${{ secrets.TOKEN }}\n    repository: 'org/downstream'\n    workflow: 'process.yml'\n    inputs: '{\"sha\": \"${{ github.sha }}\"}'\n    add-commit-comment: true\n    commit-comment-template: '🚀 Triggered `{workflow}` in {repository} on {ref}'\n    log-title: 'Downstream Process Triggered'\n```\n\n**Common Use Case:**\nTrigger dependency update workflows in downstream repositories when upstream changes are merged:\n```yaml\n# In frontend-workflow-runner repo, on push to main:\n- uses: temporalio/pack-dependency-actions/dispatch-workflow@v1\n  with:\n    token: ${{ secrets.TOKEN }}\n    repository: 'temporalio/frontend-shared-workflows'\n    workflow: 'update-temporal-workers.yml'\n    inputs: '{\"target-sha\": \"${{ github.sha }}\", \"mode\": \"release\"}'\n    add-commit-comment: true\n    log-title: 'Downstream Update Triggered'\n```\n\n**Note:** PR reuse is handled automatically by `peter-evans/create-pull-request` in the target workflow when using the same branch name. 
Consider implementing a \"mode\" parameter in your target workflow to control whether to create test PRs (with SHA in branch name) or release PRs (with fixed branch name for automatic updates).\n\n#### auto-delete\nAutomatically closes and deletes stale generated PRs to keep the repository clean.\n\n**Usage:**\n```yaml\n- uses: temporalio/pack-dependency-actions/auto-delete@v1\n  with:\n    days-old: 7\n    labels-filter: 'test-ui,automated'\n    dry-run: false\n```\n\n## Composing Actions in Your Workflow\n\nThese actions are designed to be composed together in your repository's workflows. Here's a complete example showing how to combine them:\n\n### Example: Complete Update Workflow\n\nThis real-world example from `frontend-shared-workflows` demonstrates composing multiple actions to update packed dependencies:\n\n```yaml\nname: Update Temporal Workers Packages\n\non:\n  workflow_dispatch:\n    inputs:\n      target-sha:\n        description: 'Target commit SHA or branch (leave blank for latest)'\n        required: false\n\njobs:\n  update-packs:\n    runs-on: ubuntu-latest\n    steps:\n      # 1. Validate the target SHA\n      - name: Validate SHA\n        id: validate\n        uses: temporalio/pack-dependency-actions/validate-sha@v1\n        with:\n          repository: temporalio/frontend-workflow-runner\n          target-sha: ${{ github.event.inputs.target-sha }}\n          file-path: .registry-sha\n          allow-rollback: true\n\n      # 2. Download the source code\n      - name: Download source\n        uses: temporalio/pack-dependency-actions/download-source@v1\n        with:\n          repository: temporalio/frontend-workflow-runner\n          sha: ${{ steps.validate.outputs.resolved-sha }}\n\n      # 3. 
Build and pack multiple packages\n      - name: Build and pack registry\n        uses: temporalio/pack-dependency-actions/build-and-pack@v1\n        with:\n          source-path: source\n          build-command: 'pnpm -r build'\n          pack-command: 'pnpm pack:registry'\n\n      # 4. Move packed files with SHA naming\n      - name: Move registry pack\n        uses: temporalio/pack-dependency-actions/move-pack@v1\n        with:\n          source-path: source\n          pack-destination: ./packs\n          package-name: 'temporal-workers-registry'\n          sha: ${{ steps.validate.outputs.resolved-sha }}\n\n      # 5. Update package.json dependencies\n      - name: Update dependencies\n        uses: temporalio/pack-dependency-actions/update-dependencies@v1\n        with:\n          package-names: '@temporal-workers/registry,@temporal-workers/ui'\n          pack-files: './packs/temporal-workers-registry-${{ steps.validate.outputs.short-sha }}.tgz,./packs/temporal-workers-ui-${{ steps.validate.outputs.short-sha }}.tgz'\n\n      # 6. Generate changelog (the step id is what step 7 reads the output through)\n      - name: Generate changelog\n        id: changelog\n        uses: temporalio/pack-dependency-actions/generate-changelog@v1\n        with:\n          repository: temporalio/frontend-workflow-runner\n          from-sha: ${{ steps.validate.outputs.last-sha }}\n          to-sha: ${{ steps.validate.outputs.resolved-sha }}\n\n      # 7. Create PR with all changes\n      - uses: peter-evans/create-pull-request@v7\n        with:\n          title: 'Update to ${{ steps.validate.outputs.short-sha }}'\n          body: ${{ steps.changelog.outputs.changelog }}\n```\n\n## Common Patterns\n\n### Building and Packing from Source\n\nA typical workflow for building and packing dependencies from source follows this pattern:\n\n1. **Validate** the target SHA to prevent rollbacks\n2. **Download** the source code\n3. **Build and pack** the project\n4. **Move** packed files with SHA naming\n5. **Update** package.json dependencies\n6. 
**Generate** a changelog\n7. **Create** a PR with the changes\n\n### Automated Dependency Updates Pattern\n\nFor automated dependency updates triggered from upstream repositories:\n\n1. **Upstream repo** (e.g., frontend-workflow-runner) merges to main\n2. **Dispatch action** triggers workflow in downstream repo\n3. **Downstream workflow** supports two modes:\n   - **Test mode**: Creates new PR with SHA in branch/title (for testing specific versions)\n   - **Release mode**: Updates single reusable PR (for automated continuous updates)\n4. **peter-evans/create-pull-request** automatically handles PR reuse when branch name is consistent\n\nExample implementation in target workflow:\n```yaml\ninputs:\n  mode:\n    type: choice\n    options: [test, release]\n    default: test\n\n# In PR creation step:\n- if: inputs.mode == 'release'\n  run: echo \"branch=update-dependencies\" \u003e\u003e $GITHUB_OUTPUT\n- if: inputs.mode == 'test'  \n  run: echo \"branch=test-dependencies-${{ sha }}\" \u003e\u003e $GITHUB_OUTPUT\n```\n\n### Versioning Strategy\n\nThe actions use SHA-based versioning for packed dependencies:\n- Pack files are named with the commit SHA: `package-name-{short-sha}.tgz`\n- Version files (`.ui-sha`, `.registry-sha`) track the current SHA\n- This provides complete traceability back to the source commit\n\n## Action Parameters\n\n### Common Input Parameters\n\nMost actions share these common parameters:\n\n| Parameter | Description | Used By |\n|-----------|-------------|---------|\n| `repository` | Source repository (owner/name) | validate-sha, download-source, generate-changelog |\n| `sha` / `target-sha` | Commit SHA or branch | validate-sha, download-source, move-pack |\n| `file-path` | Version tracking file | validate-sha, check-version |\n| `source-path` | Path to source code | build-and-pack, move-pack |\n| `pack-destination` | Output directory for packs | move-pack |\n| `package-name` | Package name for naming | move-pack |\n| `build-command` | Build 
command to run | build-and-pack |\n| `pack-command` | Pack command to run | build-and-pack |\n| `package-manager` | npm, pnpm, or yarn | update-dependencies |\n\n\n## Installation\n\n1. Reference the actions directly from this repository:\n   ```yaml\n   uses: temporalio/pack-dependency-actions/action-name@v1\n   ```\n\n2. Or fork to your organization for customization:\n   ```yaml\n   uses: your-org/pack-dependency-actions/action-name@v1\n   ```\n\n3. Add necessary secrets:\n   - `GITHUB_TOKEN` (usually available by default)\n   - App tokens for cross-repository access (if needed)\n\n## Use Cases\n\n### 1. Consuming Pre-Release Dependencies\nWhen you need to use the latest changes from an upstream repository before they're published to npm:\n- Build and pack dependencies directly from source\n- Version with commit SHA for traceability\n- Automatically update when upstream changes\n\n### 2. Monorepo Package Distribution\nFor distributing packages within a monorepo or across organizations:\n- Pack workspace packages for consumption\n- Maintain version consistency across projects\n- Automate dependency updates with PRs\n\n### 3. 
Testing Integration Changes\nWhen testing integration between multiple repositories:\n- Create test PRs with specific dependency versions\n- Validate changes before official releases\n- Clean up stale test PRs automatically\n\n## Key Features\n\n- **Modular Design**: Each action performs a specific task and can be used independently\n- **SHA Tracking**: All packed dependencies are versioned with commit SHAs for complete traceability\n- **Rollback Prevention**: Built-in validation prevents accidental downgrades\n- **Automated Workflows**: Combine actions to create fully automated dependency update pipelines\n- **Cross-Repository Support**: Works with any GitHub repository using appropriate tokens\n- **Package Manager Agnostic**: Supports npm, pnpm, and yarn\n\n## Action Outputs\n\nEach action provides specific outputs for chaining:\n\n### validate-sha\n- `resolved-sha`: Full SHA that was validated\n- `short-sha`: Short version (8 chars) of the SHA\n- `last-sha`: Previous SHA from the version file\n- `is-rollback`: Whether this is a rollback\n\n### build-and-pack\n- `pack-files`: List of generated pack files\n\n### generate-changelog\n- `changelog`: Formatted changelog content\n\n### dispatch-workflow\n- `workflow-id`: ID of the dispatched workflow run\n- `workflow-url`: URL of the dispatched workflow run\n- `status`: Final status if wait-for-completion is true\n- `conclusion`: Final conclusion if wait-for-completion is true\n\n## Requirements\n\n- GitHub Actions enabled in your repository\n- Appropriate permissions for the GitHub token:\n  - `contents: read` (minimum)\n  - `contents: write` (for PR creation)\n  - `pull-requests: write` (for PR operations)\n- Node.js and package manager (npm/pnpm/yarn) in workflow\n- Dependencies on external actions:\n  - `actions/checkout@v4`\n  - `actions/setup-node@v4`\n  - `pnpm/action-setup@v2` (if using pnpm)\n  - `peter-evans/create-pull-request@v7` (for PR creation)\n  - `peter-evans/find-comment@v3` (for PR comments)\n  - 
`peter-evans/create-or-update-comment@v4` (for PR comments)\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n\n## License\n\nMIT","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftemporalio%2Fpack-dependency-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftemporalio%2Fpack-dependency-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftemporalio%2Fpack-dependency-actions/lists"}