fix: convert lockfile refresh to PR-based flow for protected master

The refresh-lockfile workflow was pushing directly to master, which fails with branch protection rules. Convert to use peter-evans/create-pull-request to create a PR instead. Exempt the bot's branch from the lockfile policy check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:22:34 -05:00
parent 77e04407b9
commit ee7fddf8d5
2 changed files with 16 additions and 27 deletions
--- a/.github/workflows/refresh-lockfile.yml
+++ b/.github/workflows/refresh-lockfile.yml
@@ -11,11 +11,12 @@ concurrency:
  cancel-in-progress: false

 jobs:
-  refresh_and_verify:
+  refresh:
    runs-on: ubuntu-latest
-    timeout-minutes: 25
+    timeout-minutes: 10
    permissions:
      contents: write
+      pull-requests: write

    steps:
      - name: Checkout repository
@@ -40,6 +41,7 @@ jobs:
        run: |
          changed="$(git status --porcelain)"
          if [ -z "$changed" ]; then
+            echo "Lockfile is already up to date."
            exit 0
          fi
          if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
@@ -48,29 +50,15 @@ jobs:
            exit 1
          fi

-      - name: Commit refreshed lockfile
-        run: |
-          if git diff --quiet -- pnpm-lock.yaml; then
-            exit 0
-          fi
-          git config user.name "lockfile-bot"
-          git config user.email "lockfile-bot@users.noreply.github.com"
-          git add pnpm-lock.yaml
-          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
-          git push || {
-            echo "Push failed because master moved during lockfile refresh."
-            echo "A later refresh run should recompute the lockfile from the newer master state."
-            exit 1
-          }
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "chore(lockfile): refresh pnpm-lock.yaml"
+          branch: chore/refresh-lockfile
+          delete-branch: true
+          title: "chore(lockfile): refresh pnpm-lock.yaml"
+          body: |
+            Auto-generated lockfile refresh after dependencies changed on `master`.

-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Typecheck
-        run: pnpm -r typecheck
-
-      - name: Run tests
-        run: pnpm test:run
-
-      - name: Build
-        run: pnpm build
+            This PR only updates `pnpm-lock.yaml` — no source changes.
+          labels: lockfile-bot