Skip to content

package lock check #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Bojan131 wants to merge 1 commit into from
Closed

package lock check #147

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions .github/workflows/check-package-lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Check Package Lock File

concurrency:
group: check-package-lock-${{ github.ref }}
cancel-in-progress: true

on:
push:
branches:
- "**" # Run on push to any branch
pull_request:
branches:
- "**" # Run on PR to any branch

jobs:
verify-package-lock:
name: Verify package-lock.json exists
runs-on: ubuntu-latest
timeout-minutes: 5

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Check if package-lock.json exists
run: |
if [ ! -f "package-lock.json" ]; then
echo "ERROR: package-lock.json file is missing from the repository"
echo "This file is required to ensure consistent dependency versions across all environments"
echo "Please ensure package-lock.json is committed with your changes"
exit 1
fi
echo "SUCCESS: package-lock.json file is present"

- name: Verify package-lock.json is not empty
run: |
if [ ! -s "package-lock.json" ]; then
echo "ERROR: package-lock.json file exists but is empty"
echo "Please run 'npm install' to regenerate the lock file"
exit 1
fi
echo "SUCCESS: package-lock.json file is valid and not empty"
Comment on lines +17 to +42

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 1 month ago

To fix the problem, explicitly set the GITHUB_TOKEN permissions to the minimum required for this workflow. Since it only checks out the repository and reads package-lock.json, it only needs read access to repository contents.

The best fix without changing functionality is to add a permissions block with contents: read. You can add this at the workflow root (so it applies to all jobs) or under the specific job. Following the CodeQL recommendation and keeping the change minimal, add a top-level permissions block after the on: section. Concretely, in .github/workflows/check-package-lock.yml, insert:

permissions:
  contents: read

between the on: block (ending at line 13) and the jobs: key at line 15. No imports or other definitions are needed.

Suggested changeset 1
.github/workflows/check-package-lock.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-package-lock.yml b/.github/workflows/check-package-lock.yml
--- a/.github/workflows/check-package-lock.yml
+++ b/.github/workflows/check-package-lock.yml
@@ -12,6 +12,9 @@
     branches:
       - "**" # Run on PR to any branch
 
+permissions:
+  contents: read
+
 jobs:
   verify-package-lock:
     name: Verify package-lock.json exists
EOF
@@ -12,6 +12,9 @@
branches:
- "**" # Run on PR to any branch

permissions:
contents: read

jobs:
verify-package-lock:
name: Verify package-lock.json exists
Copilot is powered by AI and may make mistakes. Always verify output.
Loading