From c12090174474ac991f475552656db0251c2cf801 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 12:47:17 +0530 Subject: [PATCH 01/12] Added workflow file for validating pnpm-lock file --- .github/workflows/validate-lockfile.yml | 41 +++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/validate-lockfile.yml diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml new file mode 100644 index 000000000..19c7e10fa --- /dev/null +++ b/.github/workflows/validate-lockfile.yml @@ -0,0 +1,41 @@ +name: Validate pnpm-lock.yaml + +on: + pull_request: + paths: + - 'pnpm-lock.yaml' + - '**/package.json' + - '**/*.js' + - '.github/workflows/validate-lockfile.yml' + +jobs: + validate-lockfile: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + + - name: Check pnpm-lock.yaml for tarball fields and unexpected paths + run: | + if grep -q 'tarball:' pnpm-lock.yaml; then + echo "❌ tarball field found in pnpm-lock.yaml" + exit 1 + fi + if grep -q 'packages/mermaid/src/vitepress' pnpm-lock.yaml; then + echo "❌ Unexpected path found in pnpm-lock.yaml" + exit 1 + fi + + - name: Ensure pnpm-lock.yaml changes only with package.json + run: | + git fetch origin ${{ github.base_ref }} + git diff --name-only origin/${{ github.base_ref }}...HEAD > changed_files.txt + if grep -q '^pnpm-lock.yaml$' changed_files.txt && ! grep -q 'package.json' changed_files.txt; then + echo "❌ pnpm-lock.yaml was changed without any package.json" + exit 1 + fi From be13fb0391fc246a3c2cc5affb1984b35bb578a2 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 12:53:47 +0530 Subject: [PATCH 02/12] Updated origin to event.pull_request.base.ref --- .github/workflows/validate-lockfile.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
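Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN carries the repository's default scopes although nothing in these steps needs more than read access to the checkout; add `permissions:` with `contents: read` at the workflow or job level so the token is least-privilege from the start. Both actions are referenced by moving tags (`actions/checkout@v4`, `actions/setup-node@v4`); pinning each to a full commit SHA with the tag in a trailing comment keeps the supply chain reviewable. The `Set up Node.js` step is never used — the remaining steps only call `grep` and `git` — so it can be dropped, which also removes one third-party action from the job.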
diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index 19c7e10fa..b9661a75b 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -33,8 +33,8 @@ jobs: - name: Ensure pnpm-lock.yaml changes only with package.json run: | - git fetch origin ${{ github.base_ref }} - git diff --name-only origin/${{ github.base_ref }}...HEAD > changed_files.txt + git fetch origin ${{ github.event.pull_request.base.ref }} + git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD > changed_files.txt if grep -q '^pnpm-lock.yaml$' changed_files.txt && ! grep -q 'package.json' changed_files.txt; then echo "❌ pnpm-lock.yaml was changed without any package.json" exit 1 From bdaa3f693aa7619543a8c4fda72f08a0abb43232 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 13:11:33 +0530 Subject: [PATCH 03/12] Added PR based sha --- .github/workflows/validate-lockfile.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index b9661a75b..3ac5b5314 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -31,11 +31,11 @@ jobs: exit 1 fi - - name: Ensure pnpm-lock.yaml changes only with package.json + - name: Ensure pnpm-lock.yaml changes only when package.json changes run: | - git fetch origin ${{ github.event.pull_request.base.ref }} - git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD > changed_files.txt - if grep -q '^pnpm-lock.yaml$' changed_files.txt && ! grep -q 'package.json' changed_files.txt; then + git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed_files.txt + if grep -q '^pnpm-lock.yaml$' changed_files.txt && \ + ! grep -q 'package.json' changed_files.txt; then echo "❌ pnpm-lock.yaml was changed without any package.json" exit 1 fi 
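Review bot: The rewritten `if` matches `package.json` as an unanchored basic-regex substring of `changed_files.txt`, so any changed path merely containing that text (a `package.json.bak`, or the unescaped `.` matching any character) satisfies the coupling rule; `grep -qE '(^|/)package\.json$' changed_files.txt` ties it to an actual manifest path. The same unanchored grep is carried into the consolidated step in PATCH 09 (`changed.txt`) and should be tightened there too. Moving from a branch name to `github.event.pull_request.base.sha` and `github.sha` is the right direction for the `run:` block, since both are fixed-format hex values rather than contributor-influenced ref names.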
From 334c8c2962c26a6e95ad7c5bc6ea9b74f79f6008 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 13:12:56 +0530 Subject: [PATCH 04/12] use depth 0 --- .github/workflows/validate-lockfile.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index 3ac5b5314..3d978ef03 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -14,6 +14,9 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + # so we have both base and head SHAs to diff + fetch-depth: 0 - name: Set up Node.js uses: actions/setup-node@v4 From e1030b186e57e5b1b2ae5101fe3266bf2cc6d9cd Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 13:18:50 +0530 Subject: [PATCH 05/12] Added validation for packages/mermaid/src/vitepress path --- .github/workflows/validate-lockfile.yml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index 3d978ef03..90c76cfe2 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -15,7 +15,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - # so we have both base and head SHAs to diff fetch-depth: 0 - name: Set up Node.js 
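Review bot: Dropping the `# so we have both base and head SHAs to diff` comment above `fetch-depth: 0` removes the only explanation of why this job needs a full clone, and a later maintainer trimming CI time is likely to restore the shallow default and break the `git diff` against `base.sha`. Keep the rationale on the line, e.g. `# full history so the PR's base.sha is reachable for git diff`.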
@@ -23,18 +22,21 @@ jobs: with: node-version: 20 - - name: Check pnpm-lock.yaml for tarball fields and unexpected paths + - name: Validate pnpm-lock.yaml entries run: | - if grep -q 'tarball:' pnpm-lock.yaml; then - echo "❌ tarball field found in pnpm-lock.yaml" - exit 1 - fi - if grep -q 'packages/mermaid/src/vitepress' pnpm-lock.yaml; then - echo "❌ Unexpected path found in pnpm-lock.yaml" - exit 1 - fi + forbidden=( + 'tarball:' # no tarball fields + 'packages/mermaid/src/vitepress' # no vitepress paths + ) - - name: Ensure pnpm-lock.yaml changes only when package.json changes + for pat in "${forbidden[@]}"; do + if grep -qF "$pat" pnpm-lock.yaml; then + echo "❌ Forbidden pattern \"$pat\" found in pnpm-lock.yaml" + exit 1 + fi + done + + - name: Ensure pnpm-lock.yaml only when package.json changes run: | git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed_files.txt if grep -q '^pnpm-lock.yaml$' changed_files.txt && \ From b45b1d7795ee2f0226598ab2c62ce836d5f0b7fe Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 13:54:18 +0530 Subject: [PATCH 06/12] Trigger Build From 3137cff4a5f0449a41d8900de00b0befa567555a Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 14:07:37 +0530 Subject: [PATCH 07/12] Added auto-comment --- .github/workflows/validate-lockfile.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index 90c76cfe2..d1cf1eb13 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml 
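Review bot: In the new loop, `grep -qF "$pat" pnpm-lock.yaml` on a missing or unreadable lockfile exits non-zero just like "pattern not found", so a PR that deletes or renames `pnpm-lock.yaml` silently passes every check. Guard before the loop with `[ -f pnpm-lock.yaml ] || { echo "❌ pnpm-lock.yaml missing"; exit 1; }`. The renamed step `Ensure pnpm-lock.yaml only when package.json changes` has lost its verb; `Ensure pnpm-lock.yaml changes only when package.json changes` reads correctly.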
@@ -44,3 +44,21 @@ jobs: echo "❌ pnpm-lock.yaml was changed without any package.json" exit 1 fi + + - name: Comment on PR if validation failed + if: failure() + uses: peter-evans/create-or-update-comment@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ## 🔍 Lockfile Validation Failed + + One or more issues were found in `pnpm-lock.yaml`: + - Tarball references are not allowed. + - `packages/mermaid/src/vitepress` path must not appear in the lockfile. + - `pnpm-lock.yaml` should only change when `package.json` changes. + + Please fix these issues and push an update. + + _Posted automatically by GitHub Actions_ From 222d7170f76bac83cd7cb0d4f57dbb6ac12df2e7 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 14:11:26 +0530 Subject: [PATCH 08/12] Added changeset --- .changeset/plain-hats-sniff.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/plain-hats-sniff.md diff --git a/.changeset/plain-hats-sniff.md b/.changeset/plain-hats-sniff.md new file mode 100644 index 000000000..ddf4050fc --- /dev/null +++ b/.changeset/plain-hats-sniff.md @@ -0,0 +1,5 @@ +--- +'mermaid': minor +--- + +chore:Added workflow file for validating pnpm-lock file From 7dd8ddc3ebcbe2b5f7e7de5ff44350af45823224 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 18:55:45 +0530 Subject: [PATCH 09/12] Added generic message. --- .changeset/plain-hats-sniff.md | 5 --- .github/workflows/validate-lockfile.yml | 49 ++++++++++++++----------- 2 files changed, 28 insertions(+), 26 deletions(-) delete mode 100644 .changeset/plain-hats-sniff.md diff --git a/.changeset/plain-hats-sniff.md b/.changeset/plain-hats-sniff.md deleted file mode 100644 index ddf4050fc..000000000 --- a/.changeset/plain-hats-sniff.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'mermaid': minor ---- - -chore:Added workflow file for validating pnpm-lock file 
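Review bot: The added comment step runs on a bare `if: failure()`, which is true when any earlier step fails, so a checkout or setup-node outage would post a "Lockfile Validation Failed" comment unrelated to the lockfile; give the validation steps an `id` and condition on it, e.g. `if: failure() && steps.<validate-step-id>.outcome == 'failure'`. Posting a comment needs `pull-requests: write`, which the workflow does not declare — add a `permissions:` block with `contents: read` and `pull-requests: write`, and note that on `pull_request` runs from forks the GITHUB_TOKEN stays read-only, so this step will fail there rather than comment. Without a `comment-id`, `create-or-update-comment` creates a fresh comment on every failing push, so consider looking up and updating an existing one. `peter-evans/create-or-update-comment@v4` is a third-party action handed the repository token; pin it to a full commit SHA.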
diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index d1cf1eb13..1c88b3063 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -23,25 +23,34 @@ jobs: node-version: 20 - name: Validate pnpm-lock.yaml entries + id: validate # give this step an ID so we can reference its outputs run: | - forbidden=( - 'tarball:' # no tarball fields - 'packages/mermaid/src/vitepress' # no vitepress paths - ) + issues=() - for pat in "${forbidden[@]}"; do - if grep -qF "$pat" pnpm-lock.yaml; then - echo "❌ Forbidden pattern \"$pat\" found in pnpm-lock.yaml" - exit 1 - fi - done + # 1) No tarball references + if grep -qF 'tarball:' pnpm-lock.yaml; then + issues+=("• Tarball references found (forbidden)") + fi - - name: Ensure pnpm-lock.yaml only when package.json changes - run: | - git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed_files.txt - if grep -q '^pnpm-lock.yaml$' changed_files.txt && \ - ! grep -q 'package.json' changed_files.txt; then - echo "❌ pnpm-lock.yaml was changed without any package.json" + # 2) No unwanted vitepress paths + if grep -qF 'packages/mermaid/src/vitepress' pnpm-lock.yaml; then + issues+=("• Disallowed path 'packages/mermaid/src/vitepress' present") + fi + + # 3) Lockfile only changes when package.json changes + git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed.txt + if grep -q '^pnpm-lock.yaml$' changed.txt && ! grep -q 'package.json' changed.txt; then + issues+=("• pnpm-lock.yaml changed without any package.json modification") + fi + + # If any issues, output them and fail + if [ ${#issues[@]} -gt 0 ]; then + # Use the new GITHUB_OUTPUT approach to set a multiline output + { + echo "errors<> $GITHUB_OUTPUT exit 1 fi 
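Review bot: The multiline-output block at the end of the hunk is truncated in this rendering (`echo "errors<> $GITHUB_OUTPUT`), so the heredoc delimiter and the closing `}` cannot be checked; the `errors<<DELIM` / `DELIM` pair must bracket exactly the `issues` lines, and the redirect should be quoted as `>> "$GITHUB_OUTPUT"`. Because `steps.validate.outputs.errors` is later expanded into the PR comment body, every `issues+=` entry should stay a fixed literal — if a future check ever appends text taken from the diff or the lockfile, a delimiter the PR author can guess would let that text inject further outputs, which is why a randomised delimiter (for example one built from `$RANDOM`) is preferable. The numbered comments `# 1)`..`# 3)` are a good touch; the enclosing `run:` block continues past the hunk.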
@@ -54,11 +63,9 @@ jobs: body: | ## 🔍 Lockfile Validation Failed - One or more issues were found in `pnpm-lock.yaml`: - - Tarball references are not allowed. - - `packages/mermaid/src/vitepress` path must not appear in the lockfile. - - `pnpm-lock.yaml` should only change when `package.json` changes. + The following issue(s) were detected in `pnpm-lock.yaml`: + ${{ steps.validate.outputs.errors }} - Please fix these issues and push an update. + Please address these and push an update. _Posted automatically by GitHub Actions_ From 6f1e0e4d17edda7b45862672b9dbf051778493a1 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Fri, 20 Jun 2025 18:57:22 +0530 Subject: [PATCH 10/12] Updated message --- .github/workflows/validate-lockfile.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index 1c88b3063..c9370814a 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -61,9 +61,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} issue-number: ${{ github.event.pull_request.number }} body: | - ## 🔍 Lockfile Validation Failed - - The following issue(s) were detected in `pnpm-lock.yaml`: + The following issue(s) were detected: ${{ steps.validate.outputs.errors }} Please address these and push an update. From c5f89eaa9a08670ddd4eae8fc30600c197ce9422 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Mon, 23 Jun 2025 12:41:21 +0530 Subject: [PATCH 11/12] Update .github/workflows/validate-lockfile.yml Co-authored-by: Sidharth Vinod --- .github/workflows/validate-lockfile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index c9370814a..fd59b73b7 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml 
@@ -34,7 +34,7 @@ jobs: # 2) No unwanted vitepress paths if grep -qF 'packages/mermaid/src/vitepress' pnpm-lock.yaml; then - issues+=("• Disallowed path 'packages/mermaid/src/vitepress' present") + issues+=("• Disallowed path 'packages/mermaid/src/vitepress' present. Run `rm -rf packages/mermaid/src/vitepress && pnpm install` to regenerate.") fi # 3) Lockfile only changes when package.json changes From 0623a87d70eaeccc7ae24b7a3a6ad6621c0dc8a8 Mon Sep 17 00:00:00 2001 From: shubham-mermaid Date: Mon, 23 Jun 2025 12:43:13 +0530 Subject: [PATCH 12/12] Removed js file check in paths --- .github/workflows/validate-lockfile.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml index fd59b73b7..38c71adaa 100644 --- a/.github/workflows/validate-lockfile.yml +++ b/.github/workflows/validate-lockfile.yml @@ -5,7 +5,6 @@ on: paths: - 'pnpm-lock.yaml' - '**/package.json' - - '**/*.js' - '.github/workflows/validate-lockfile.yml' jobs:
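Review bot: The new message is a double-quoted bash string, and the backticks around `rm -rf packages/mermaid/src/vitepress && pnpm install` are command substitution inside double quotes, so whenever this check fires the runner actually deletes that directory and runs `pnpm install` against the PR's lockfile — the very file the step has just flagged — and pastes the command's output into the message instead of the hint. That means PR-supplied dependencies and their lifecycle scripts execute on the runner as a side effect of a failing check, and whether `pnpm` is even on PATH here is not visible (setup-node alone does not provide it), so under the default `-e` shell the substitution may abort the step before the issues are written. Escape both backticks with a backslash (`` \` ``) so the command is shown to the contributor rather than run, i.e. `Run \`rm -rf packages/mermaid/src/vitepress && pnpm install\` to regenerate.` inside the existing `issues+=(...)` line.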