feat: add support for yarn #490
@Ninerian Please provide an appropriate PR title and the description you want (e.g., background, motivation, etc.).
@Ninerian Thank you. I'll review it later.
The 2 features look nice. If you are busy, I can do it for you.
@Ninerian Sorry for the late reply. I'm not familiar with Yarn, so I'm concerned about the yarn-audit-fix logic implemented in this PR. It seems there are some problems with yarn-audit-fix, as below:
Therefore, I'm not confident about maintaining this feature in the future. What do you think?
@ybiquitous I know about the issue and also the package. I don't understand the reason for the missing fix feature and the explanation by the authors. But as the npm audit fix workaround does the job, I'm fine with that solution. The current change is, in my opinion, small enough to be manageable. It could be reworked to set the package manager with a variable, but that won't change too much on the maintaining side, I guess. Also, the documentation needs to be updated to make the flaws with yarn and npm clearer (mono-repo support). As it is your project, I leave it up to you. I can also use the fork to have this feature.
@Ninerian OK, I understand your idea and background. Let's try adding this new feature! First, can you please rebase the And, can you write a description on
The has-yarn package just checks if yarn.lock exists, so let's replace it with our custom logic, instead of adding a new dependency!
You mean by adding another input variable?
No. I think it is possible to replace:

import fs from "fs";

async function run() {
  // The has-yarn package only checks for this file, so do it inline.
  const hasYarn = fs.existsSync("yarn.lock");
  // ...
}
Please remove dist/.DS_Store, which is ignored from Git (npm-audit-fix-action/.gitignore, line 126 in 0571656: .DS_Store).
[question] Is it possible to write a test for the Yarn feature?
I need a smoke test case for the new Yarn mode. Could you please add it to the CI like this? (npm-audit-fix-action/.github/workflows/test.yml, lines 23 to 29 in e4d34f7)

smoke-yarn:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
    - uses: ./
      with:
        package_manager: yarn

It's also necessary to add fixture files (e.g. I'm concerned about potential problems caused by introducing the new feature. Is it more reliable to use the
Closing due to stale. |
What have I done
Added support for yarn managed projects
Why was this done
The action itself is capable enough to handle both package managers, and creating a different one only for yarn would just be a duplication. The existing yarn-audit-fix actions aren't as good as this one.
Unsolved problems
The problem is rooted in a misconfiguration of the checkout action.
The custom user is currently only used when creating the PR. When the action runs again and updates the existing PR with git push --force, the GitHub Actions user is used again. This again leads to the checks not running.
First push:
Force push: