fix: replace third-party action with gh CLI for lockfile PR creation

Replace peter-evans/create-pull-request with plain gh CLI commands to avoid third-party supply chain risk. Uses only GitHub's own tooling (GITHUB_TOKEN + gh CLI) to create the lockfile refresh PR. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:26:31 -05:00
parent ee7fddf8d5
commit f32b76f213
1 changed files with 27 additions and 11 deletions
--- a/.github/workflows/refresh-lockfile.yml
+++ b/.github/workflows/refresh-lockfile.yml
@@ -50,15 +50,31 @@ jobs:
            exit 1
          fi

-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          commit-message: "chore(lockfile): refresh pnpm-lock.yaml"
-          branch: chore/refresh-lockfile
-          delete-branch: true
-          title: "chore(lockfile): refresh pnpm-lock.yaml"
-          body: |
-            Auto-generated lockfile refresh after dependencies changed on `master`.
+      - name: Create or update pull request
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if git diff --quiet -- pnpm-lock.yaml; then
+            echo "Lockfile unchanged, nothing to do."
+            exit 0
+          fi

-            This PR only updates `pnpm-lock.yaml` — no source changes.
-          labels: lockfile-bot
+          BRANCH="chore/refresh-lockfile"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -B "$BRANCH"
+          git add pnpm-lock.yaml
+          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
+          git push -f origin "$BRANCH"
+
+          # Create PR if one doesn't already exist for this branch
+          existing=$(gh pr list --head "$BRANCH" --json number --jq '.[0].number')
+          if [ -n "$existing" ]; then
+            echo "PR #$existing already exists for $BRANCH, updated branch."
+          else
+            gh pr create \
+              --head "$BRANCH" \
+              --title "chore(lockfile): refresh pnpm-lock.yaml" \
+              --body "Auto-generated lockfile refresh after dependencies changed on \`master\`.\n\nThis PR only updates \`pnpm-lock.yaml\` — no source changes."
+            echo "Created new PR."
+          fi