dev-deps: update dependency renovate to v39.28.0 #1660
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is a Github Workflow that runs some security check for external users. | |
name: Security | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
YARN_ENABLE_HARDENED_MODE: true | |
jobs: | |
security: | |
name: Checking Yarn cache's integrity | |
runs-on: ubuntu-latest | |
steps: | |
- if: github.actor == 'snowball-tech-bot' || github.actor == 'renovate[bot]' | |
name: Checking if user is a trusted bot | |
run: | | |
echo "User is a trusted bot user." | |
echo "IS_BOT_USER=1" >> $GITHUB_ENV | |
- if: env.IS_BOT_USER != 1 | |
uses: tspascoal/get-user-teams-membership@v3 | |
id: checkIsSnowballEngineeringTeamMember | |
with: | |
username: ${{ github.actor }} | |
team: engineering | |
GITHUB_TOKEN: ${{ secrets.MACHINE_GITHUB_TOKEN }} | |
- if: env.IS_BOT_USER || steps.checkIsSnowballEngineeringTeamMember.outputs.isTeamMember == 'true' | |
name: No need to check Yarn cache's integrity | |
run: | | |
echo "The author is a member of the Snowball engineering team or a trusted bot user." | |
echo "SKIP_INTEGRITY_CHECK=1" >> $GITHUB_ENV | |
- if: env.SKIP_INTEGRITY_CHECK != 1 | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- if: env.SKIP_INTEGRITY_CHECK != 1 | |
name: Get updated dependencies or lockfile | |
id: changed-files-specific | |
uses: tj-actions/changed-files@v45 | |
with: | |
files: | | |
.yarn/** | |
yarn.lock | |
- if: env.SKIP_INTEGRITY_CHECK != 1 && steps.changed-files-specific.outputs.any_changed != 'true' | |
name: No need to check Yarn cache's integrity | |
run: | | |
echo "There are no updates of dependencies or lockfile." | |
echo "SKIP_INTEGRITY_CHECK=1" >> $GITHUB_ENV | |
- if: env.SKIP_INTEGRITY_CHECK != 1 | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20.x | |
cache: yarn | |
- if: env.SKIP_INTEGRITY_CHECK != 1 | |
name: Checking Yarn cache's integrity | |
run: yarn install --check-cache --immutable --immutable-cache |