From f32b76f21343ef415a6389351d6189f8d7d395e6 Mon Sep 17 00:00:00 2001
From: Dotta
Date: Mon, 9 Mar 2026 07:26:31 -0500
Subject: [PATCH] fix: replace third-party action with gh CLI for lockfile PR creation

Replace peter-evans/create-pull-request with plain gh CLI commands to avoid third-party supply chain risk. Uses only GitHub's own tooling (GITHUB_TOKEN + gh CLI) to create the lockfile refresh PR.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/refresh-lockfile.yml | 38 ++++++++++++++++++--------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/refresh-lockfile.yml b/.github/workflows/refresh-lockfile.yml
index b0cfb78a..604f394f 100644
--- a/.github/workflows/refresh-lockfile.yml
+++ b/.github/workflows/refresh-lockfile.yml
@@ -50,15 +50,31 @@ jobs:
             exit 1
           fi
 
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          commit-message: "chore(lockfile): refresh pnpm-lock.yaml"
-          branch: chore/refresh-lockfile
-          delete-branch: true
-          title: "chore(lockfile): refresh pnpm-lock.yaml"
-          body: |
-            Auto-generated lockfile refresh after dependencies changed on `master`.
+      - name: Create or update pull request
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if git diff --quiet -- pnpm-lock.yaml; then
+            echo "Lockfile unchanged, nothing to do."
+            exit 0
+          fi
 
-            This PR only updates `pnpm-lock.yaml` — no source changes.
-          labels: lockfile-bot
+          BRANCH="chore/refresh-lockfile"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -B "$BRANCH"
+          git add pnpm-lock.yaml
+          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
+          git push -f origin "$BRANCH"
+
+          # Create PR if one doesn't already exist for this branch
+          existing=$(gh pr list --head "$BRANCH" --json number --jq '.[0].number')
+          if [ -n "$existing" ]; then
+            echo "PR #$existing already exists for $BRANCH, updated branch."
+          else
+            gh pr create \
+              --head "$BRANCH" \
+              --title "chore(lockfile): refresh pnpm-lock.yaml" \
+              --body "Auto-generated lockfile refresh after dependencies changed on \`master\`.\n\nThis PR only updates \`pnpm-lock.yaml\` — no source changes."
+            echo "Created new PR."
+          fi
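Review bot: The `--body` argument handed to `gh pr create` at the end of the hunk is a bash double-quoted string, so the `\n\n` in it reaches GitHub as a literal backslash-n pair rather than a paragraph break, and the PR description loses the blank line the removed `body: |` block had. Reading the body from stdin with `--body-file -` and a quoted heredoc keeps the original two-paragraph text without any escape handling, as sketched below. The removed `labels: lockfile-bot` has no counterpart in the new step; if that label is still used for triage or filtering, add `--label lockfile-bot` to the `gh pr create` call (the label must already exist in the repository). Note also that a PR opened with `github.token` does not trigger other workflows on that PR, so CI will not run on the lockfile branch unless something else is arranged, and the job's `permissions` block is outside the hunk, so I cannot confirm it grants `pull-requests: write` for this step.
```yaml
          else
            gh pr create \
              --head "$BRANCH" \
              --title "chore(lockfile): refresh pnpm-lock.yaml" \
              --body-file - <<'EOF'
          Auto-generated lockfile refresh after dependencies changed on `master`.

          This PR only updates `pnpm-lock.yaml` — no source changes.
          EOF
            echo "Created new PR."
```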