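---
# Weekly dependency / security review workflow.
# The schedule only runs the security-summary job; the two update-* jobs are
# gated on workflow_dispatch below, so a manual run executes all three.
name: Dependency Updates

on:
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday
  workflow_dispatch:  # Manual trigger

# Least privilege for GITHUB_TOKEN: no step in this file pushes commits or
# opens a pull request with the token, so read access to contents suffices.
permissions:
  contents: read

jobs:
  # Python dependency updates (manual trigger only)
  update-python:
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install pip-tools
        run: pip install pip-tools

      # `pip list --outdated` only reports packages installed in the runner's
      # environment; without this step it would inspect nothing from the
      # backend. Kept best-effort so the outdated check still runs on failure.
      - name: Install backend requirements
        run: pip install -r backend/requirements.txt
        continue-on-error: true

      - name: Check outdated packages
        run: |
          pip list --outdated --format=freeze | head -20

      # NOTE(review): python-semantic-release/pypi-publish is a publish action,
      # not a pip-compile runner, and `command: pip-compile` is not one of its
      # documented inputs. Replace with a `run: pip-compile --upgrade <input>`
      # step once the backend's input requirements file is confirmed.
      - name: Create pull request for updates
        uses: python-semantic-release/pypi-publish@v1
        with:
          command: pip-compile
        continue-on-error: true

      # NOTE(review): dependabot/fetch-metadata reads metadata from an existing
      # Dependabot PR; it does not open one and does not take
      # package-ecosystem/directory inputs (those belong in
      # .github/dependabot.yml). This step is a no-op for its stated purpose.
      - name: Create Dependabot PR
        uses: dependabot/fetch-metadata@v2
        with:
          package-ecosystem: "pip"
          directory: "/backend"
        continue-on-error: true

  # Node.js dependency updates (manual trigger only)
  update-node:
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    defaults:
      run:
        working-directory: frontend
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json

      - name: Install dependencies
        run: npm ci

      # `npm outdated` exits non-zero whenever anything is outdated, which is
      # the informational result we want, not a job failure.
      - name: Check outdated
        run: npm outdated --depth=0
        continue-on-error: true

      # NOTE(review): this step only logs a hint; it does not create a PR.
      - name: Create PR for npm updates
        uses: actions/github-script@v7
        with:
          script: |
            // This would create a PR with npm updates
            console.log("Run 'npm update' to update packages")
        continue-on-error: true

  # Security alerts summary (weekly schedule and manual trigger)
  security-summary:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # snyk/actions publishes its actions in per-language subdirectories; the
      # repository root is not itself an action. `master` is a mutable ref —
      # pin to a release tag or a full commit SHA for supply-chain hygiene.
      - name: Run security audit on Python
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # Folded scalar: the value contains `: `, which a plain scalar cannot
          # hold. jq path fixed to `.severity` (`..severity` is invalid jq).
          # NOTE(review): `args` is appended to the snyk CLI invocation; whether
          # the `|`/`||` are shell-interpreted depends on the action's
          # entrypoint — TODO confirm, else move the jq summary to a run step.
          args: >-
            --file=backend/requirements.txt --json
            | jq -r '.vulnerabilities[] | "- \(.title): \(.severity)"'
            || echo "No vulnerabilities found"

      - name: Run security audit on Node
        working-directory: frontend
        run: |
          npm audit --json > audit.json 2>/dev/null || true
        continue-on-error: true

      # audit.json was previously written and never read; print the
      # per-severity counts so the job log actually carries the summary.
      - name: Summarize npm audit
        working-directory: frontend
        run: |
          jq '.metadata.vulnerabilities' audit.json \
            || echo "npm audit produced no readable report"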