Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/simek/yarn-lock-changes

Creates a comment inside Pull Request with the human-readable summary of changes to the Yarn lock file. Works with every Yarn version (classic and berry).
https://github.com/simek/yarn-lock-changes

action lock pull-request yarn

Last synced: about 24 hours ago
JSON representation

Creates a comment inside Pull Request with the human-readable summary of changes to the Yarn lock file. Works with every Yarn version (classic and berry).

Host: GitHub
URL: https://github.com/simek/yarn-lock-changes
Owner: Simek
License: mit
Created: 2021-04-12T08:24:07.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2024-11-23T22:33:12.000Z (about 1 month ago)
Last Synced: 2024-12-28T00:38:08.173Z (10 days ago)
Topics: action, lock, pull-request, yarn
Language: JavaScript
Homepage: https://github.com/marketplace/actions/yarn-lock-changes
Size: 902 KB
Stars: 133
Watchers: 4
Forks: 21
Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Yarn Lock Changes

[](#) [](#) [](#) [](#)

Creates a comment inside Pull Request with the human-readable summary of the changes to the `yarn.lock` file. Works in public and private repositories, offers a degree of customization.

## Usage

### ⚡️ Workflow Example

Example below shows the minimal workflow setup, required action input (`token`) and all the optional inputs (set to theirs default values). If you are happy with the output generated by the action, it's safe to remove all optional inputs.

```yml
name: Yarn Lock Changes
on: [pull_request]

jobs:
yarn_lock_changes:
runs-on: ubuntu-latest
# Permission overwrite is required for Dependabot PRs, see "Common issues" section below.
permissions:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Yarn Lock Changes
# Please use `main` as version before the stable release will be published as `v1`.
uses: Simek/yarn-lock-changes@main
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Optional inputs, can be deleted safely if you are happy with default values.
collapsibleThreshold: 25
failOnDowngrade: false
path: yarn.lock
updateComment: true
groupByType: false
```

> [!note]
> For Node <18 support, you can change the action version tag in your workflow to `v0.11`, instead of using `main`:
> ```yml
> - name: Yarn Lock Changes
> uses: Simek/[email protected]
> ```

### 🔌 Inputs

| Input | Required | Default | Description |
|------------------------|:------------------:|:-----------:|-------------------------------------------------------------------------------------------------------------------|
| `token` | **Yes** | – | Repository `GITHUB_TOKEN` which allows action to make calls to the GitHub API (Octokit). |
| `collapsibleThreshold` | No | `25` | Number of lock changes, which will result in collapsed comment content, and an addition of changes summary table. |
| `failOnDowngrade` | No | `false` | WFail the action when a dependency downgrade is detected. __Comment will still be posted.__ |
| `path` | No | `yarn.lock` | Path to the `yarn.lock` file in the repository. Default value points to the file at project root. |
| `updateComment` | No | `true` | Update the comment on each new commit. If value is set to `false`, bot will post a new comment on each change. |
| `groupByType` | No | `false` | Group the dependencies in the comment table by the change type. |

## 📸 Preview

### Basic comment appearance

basic

### Comment appearance when `collapsibleThreshold` has been reached

summary

## 📋 Common issues

### The action fails on the Dependabot pull requests

Due to the security reasons from March 1st, 2021 workflow runs that are triggered by Dependabot have permissions reduced by default:

* [GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions](https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/)

To ensure that sufficient permissions for this action are always granted, you will need to add `permissions` entry to the job which runs `yarn-lock-changes`:

```yml
jobs:
...:
runs-on: ...
#####
permissions:
pull-requests: write
#####
steps:
...
```

### The action fails in a private repository

After one of the GitHub Actions security breaches GitHub decided to trim down the default permission set for actions running in private repositories.

If you are trying to run action with default setup in the private repository, you will see the following error during `checkout` step:

```sh
remote: Repository not found.
Error: fatal: repository 'https://github.com///' not found
Error: The process '/usr/bin/git' failed with exit code 128
```

This means that you will need to add the following `permissions` entry to the job which runs `checkout`:

```yml
jobs:
...:
runs-on: ...
#####
permissions:
contents: read
#####
steps:
...
```

If you would like to learn a little bit more about this problem, you can visit this issue in the GitHub Checkout Action repository:
* https://github.com/actions/checkout/issues/254

## 🔍️ Debugging

To run action in the debug mode you need to add the `ACTIONS_STEP_DEBUG` repository secret and set it to `true`, as stated in the [GitHub documentation](https://docs.github.com/en/actions/managing-workflow-runs/enabling-debug-logging#enabling-step-debug-logging).

Then additional information which might be useful for the users when debugging the issues will be available in the action output, prefixed by `##[debug]`.