feat: add comprehensive NPM security management workflow by salmanmkc · Pull Request #4027 · actions/runner
NPM Audit Fix with TypeScript Auto-Repair
- Automated security vulnerability detection and fixes for hashFiles dependencies
- Intelligent TypeScript compatibility auto-repair after npm updates
- Graduated response strategy for different vulnerability severities
- Weekly schedule (Mondays at 7 AM) plus manual triggers
Key Features
- ✅ Security-focused: Only creates PRs when moderate+ vulnerabilities found
- ✅ TypeScript auto-repair: Fixes @types/node compatibility issues automatically
- ✅ Multi-step recovery: Clean reinstall, dependency resolution, build verification
- ✅ Graduated response: force-fix for critical/high vulnerabilities only
- ✅ Build validation: Ensures code compiles after automated fixes
- ✅ Enhanced PR details: Shows audit status, fixes applied, build status
Security Enhancements
- ✅ Proper error handling: No vulnerability masking with '|| true'
- ✅ Transparent reporting: Clear distinction between success/partial/failed states
- ✅ Audit level checking: moderate, high, critical severity handling
- ✅ Force-fix safety: Only for critical/high vulnerabilities
Dependencies
- Requires: Labels from actions#4024 (dependency, security, typescript, needs-manual-review)
- Integrates with: Monitoring from actions#4025
- Complements: Node version management from actions#4026
This workflow ensures npm dependencies stay secure while maintaining TypeScript compatibility and build stability.
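The graduated response the pull request body describes (act only on moderate or worse, plain `npm audit fix` for moderate, `--force` only for high/critical, no masking of a failed audit with `|| true`, and a success/partial/failed outcome) as an added Python example; this is not the workflow code from the PR. It assumes the npm 7+ `npm audit --json` report shape, where `metadata.vulnerabilities` holds per-severity counts; the sample report is constructed, and `run_audit` is a hypothetical wrapper that shows how to surface a broken audit instead of hiding it.

```python
"""Graduated response to `npm audit --json` output (added example, not the PR's workflow)."""
import json
import subprocess
from typing import Dict, List, Optional

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]
ACTIONABLE = ("moderate", "high", "critical")  # the PR only opens PRs for moderate+

# Constructed sample in the npm 7+ report shape; only `metadata` matters here.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 0,
                                     "high": 1, "critical": 0, "total": 3}},
})


def severity_counts(audit_json: str) -> Dict[str, int]:
    """Extract per-severity counts from an `npm audit --json` report."""
    data = json.loads(audit_json)
    counts = data.get("metadata", {}).get("vulnerabilities", {})
    return {s: int(counts.get(s, 0)) for s in SEVERITY_ORDER}


def highest_severity(counts: Dict[str, int]) -> Optional[str]:
    """Worst severity with a non-zero count, or None if the report is clean."""
    for s in reversed(SEVERITY_ORDER):
        if counts.get(s, 0) > 0:
            return s
    return None


def choose_action(counts: Dict[str, int]) -> Optional[List[str]]:
    """Map the worst severity to the npm command to run (None = nothing to do).

    moderate        -> npm audit fix
    high / critical -> npm audit fix --force   (force-fix only here, as the PR states)
    """
    top = highest_severity(counts)
    if top is None or top not in ACTIONABLE:
        return None
    cmd = ["npm", "audit", "fix"]
    if top in ("high", "critical"):
        cmd.append("--force")
    return cmd


def report_state(before: Dict[str, int], after: Dict[str, int]) -> str:
    """Classify the fix outcome for the PR body: success / partial / failed."""
    def actionable(c: Dict[str, int]) -> int:
        return sum(c.get(s, 0) for s in ACTIONABLE)
    b, a = actionable(before), actionable(after)
    if a == 0:
        return "success"
    if a < b:
        return "partial"
    return "failed"


def run_audit(cwd: str) -> Dict[str, int]:
    """Hypothetical wrapper: run the audit and refuse to mask failures.

    `npm audit` exits non-zero both when it finds vulnerabilities and when it
    cannot reach the registry, so the exit code alone cannot be trusted; a
    report without `metadata` (or with an `error` object) is a broken audit
    and must fail the job rather than be treated as "no findings".
    """
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd,
                          capture_output=True, text=True)
    try:
        data = json.loads(proc.stdout)
    except json.JSONDecodeError:
        raise RuntimeError(f"npm audit produced no report: {proc.stderr.strip()}")
    if "error" in data or "metadata" not in data:
        raise RuntimeError(f"npm audit failed: {json.dumps(data)[:200]}")
    return severity_counts(proc.stdout)


if __name__ == "__main__":
    counts = severity_counts(SAMPLE_AUDIT)
    print("worst:", highest_severity(counts), "action:", choose_action(counts))
```

In a workflow step the decision maps directly onto the PR's labels: `None` means no PR, a `--force` command means the `needs-manual-review` label belongs on the resulting PR because `--force` may take breaking semver jumps, and a `failed` state should be reported as such rather than swallowed.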
AI review requested due to automatic review settings
salmanmkc added a commit to salmanmkc/runner that referenced this pull request
.NET Core/SDK Automated Upgrade Management
- Weekly automated checking for new .NET Core/SDK releases
- Intelligent global.json and project file updates with compatibility validation
- Multi-version support with build verification across all .NET projects
Key Features
- ✅ Multi-source monitoring: Official releases API + package manager updates
- ✅ Smart compatibility: Preserves project compatibility while upgrading dependencies
- ✅ Build validation: Full solution build verification after .NET updates
- ✅ Version pinning: Updates global.json SDK version with compatibility checks
- ✅ Package updates: NuGet package upgrades with conflict resolution
Update Strategy
- Weekly schedule: Mondays at 8 AM for consistent .NET maintenance
- Manual triggers: On-demand updates for critical security releases
- Graduated response: Different handling for LTS vs current releases
- Rollback safety: Build failures prevent PR creation
Integration Benefits
- Release compatibility: Ensures runner builds with latest .NET versions
- Security updates: Automated security patch integration
- Build stability: Validates compatibility before suggesting changes
- Development workflow: Reduces manual .NET maintenance overhead
Dependencies
- Requires: Labels from actions#4024 (dependency, needs-manual-review)
- Integrates with: Overall monitoring from actions#4025
- Complements: NPM security management from actions#4027
This workflow ensures .NET dependencies stay current and secure while maintaining build compatibility for the monthly runner release cycle.
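The global.json version pinning step described in the commit message above, as an added Python example; it is not the commit's own workflow code. It assumes the real global.json layout (`sdk.version`, with other keys such as `rollForward` preserved), stays within the currently pinned major so an LTS pin is not silently moved to a newer major, and skips preview/rc builds; the version strings and the release list are constructed sample values, not a feed from the releases API.

```python
"""Pick a newer .NET SDK for global.json within the pinned major (added example)."""
import json
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample inputs; real runs would read global.json from the repo
# and the available versions from the .NET releases feed.
SAMPLE_GLOBAL_JSON = '{"sdk": {"version": "8.0.300", "rollForward": "latestPatch"}}'
SAMPLE_AVAILABLE = ["8.0.303", "8.0.404", "9.0.100", "9.0.200-preview.1", "not-a-version"]


def parse_version(v: str) -> Optional[Version]:
    """Parse 'major.minor.patch'; None for previews/rc (contain '-') or malformed input."""
    if "-" in v:
        return None
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def select_sdk_version(current: str, available: List[str]) -> str:
    """Newest stable version with the same major as `current`, else `current`.

    Staying inside the major is the compatibility check: a cross-major move
    (e.g. LTS 8.x -> 9.x) is left for a deliberate, manually reviewed change.
    """
    cur = parse_version(current)
    if cur is None:
        raise ValueError(f"pinned SDK version is not a stable release: {current}")
    candidates = []
    for v in available:
        t = parse_version(v)
        if t is not None and t[0] == cur[0] and t > cur:
            candidates.append((t, v))
    if not candidates:
        return current
    return max(candidates)[1]


def update_global_json(text: str, available: List[str]) -> Tuple[str, bool]:
    """Return (new_text, changed). Only `sdk.version` is touched; other keys survive."""
    data = json.loads(text)
    current = data["sdk"]["version"]
    chosen = select_sdk_version(current, available)
    if chosen == current:
        return text, False
    data["sdk"]["version"] = chosen
    return json.dumps(data, indent=2) + "\n", True


if __name__ == "__main__":
    new_text, changed = update_global_json(SAMPLE_GLOBAL_JSON, SAMPLE_AVAILABLE)
    print("changed:", changed)
    print(new_text)
```

`changed == False` is the signal to skip PR creation; when it is `True`, the workflow still has to run the full solution build before opening a PR, which is the rollback safety the commit message describes.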
This was referenced Sep 9, 2025
fmartinez255 pushed a commit to TiVo/actions-runner that referenced this pull request