ci: auto-rebuild dist on dependabot PRs

Adds a workflow that, on Dependabot PRs, rebuilds the ncc-bundled dist/ and pushes it back onto the PR branch, so a dependency bump and its matching dist/ land in a single PR and the validate workflow stays green. Pushing the dist commit uses GH_PAT (the default GITHUB_TOKEN is read-only on Dependabot runs and its pushes do not re-trigger checks). The job is a no-op until GH_PAT is available as a Dependabot secret. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
2026-06-29 09:40:47 +00:00 · 2026-06-24 11:33:04 -03:00 · 2026-06-24 11:33:04 -03:00 · 37e172e007
commit 37e172e007
parent d13def3a6e
1 changed files with 70 additions and 0 deletions
--- a/.github/workflows/rebuild-dist.yml
+++ b/.github/workflows/rebuild-dist.yml
@ -0,0 +1,70 @@
+name: rebuild-dist
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+on:
+  pull_request:
+
+jobs:
+  # Rebuilds the bundled dist/ on Dependabot PRs and pushes it back to the PR
+  # branch, so a dependency bump and its matching dist/ land in a single PR and
+  # the validate workflow stays green.
+  #
+  # Dependabot runs get a read-only GITHUB_TOKEN, and commits pushed with it do
+  # not re-trigger checks. Pushing the dist commit therefore uses GH_PAT, which
+  # can re-run workflows. Note: Dependabot runs only expose Dependabot secrets,
+  # so GH_PAT must exist as a Dependabot secret (org or repo) with contents:write
+  # on this repo. Until it does this job is a no-op.
+  rebuild-dist:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check token
+        id: token
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+        run: |
+          if [ -n "$GH_PAT" ]; then
+            echo "available=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "available=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::GH_PAT Dependabot secret is not set; skipping automatic dist rebuild."
+          fi
+      - name: Checkout
+        if: steps.token.outputs.available == 'true'
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GH_PAT }}
+      - name: Setup Node.js
+        if: steps.token.outputs.available == 'true'
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version-file: '.node-version'
+          cache: npm
+      - name: Install dependencies
+        if: steps.token.outputs.available == 'true'
+        run: npm ci --ignore-scripts
+      - name: Rebuild dist
+        if: steps.token.outputs.available == 'true'
+        run: npm run build
+      - name: Commit and push dist if changed
+        if: steps.token.outputs.available == 'true'
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          if [ -z "$(git status --porcelain -- dist)" ]; then
+            echo "dist is already up to date."
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add dist
+          git commit -m "build: rebuild dist"
+          git push origin "HEAD:${HEAD_REF}"