Caret Dependency Check
Blocks caret (^) dependency ranges across all package.json files for reproducible builds.
This workflow scans every package.json (excluding caches and build outputs) for dependencies using caret (^) ranges and fails if any are found.
Infrastructure
- Runner: Self-hosted (dokployrunner)
- Permissions: contents: read, pull-requests: write, issues: write, checks: write
What it scans
- dependencies
- devDependencies
- peerDependencies
- optionalDependencies
Enhanced reporting system
The workflow generates two types of reports:
- Preview report (PR comment): Shows the first 5 caret dependencies per file, followed by a truncation message for the rest
- Full report (artifact): Complete list of all caret dependencies
Output behavior
- PR comments: Automatically cleaned up (deletes previous comments before posting new ones)
- Artifacts: Both preview and full reports uploaded with 30-day retention: caret-dependency-report (preview) and caret-dependency-report-full (complete list)
- Logs: Full dependency list printed to workflow logs for immediate visibility
Why it fails the build
Caret ranges create non-reproducible builds and can unexpectedly pull breaking updates. Pin exact versions instead.
Example fix
```diff
 {
   "dependencies": {
-    "react": "^18.2.0",
+    "react": "18.2.0"
   }
 }
```
Implementation notes
- Improved JSON processing: Uses jq -c with proper JSON array handling for more reliable parsing
- Fallback handling: Gracefully handles jq failures with empty array fallbacks
- Noise reduction: PR comments limited to the first 5 per file, with "...and N more" indicators
- Comment cleanup: Automatically removes previous workflow comments to prevent spam
- Dual reporting: Full details available in logs and artifacts while keeping PR comments concise
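The scan, the per-field check, the empty-fallback behaviour on unparsable manifests and the capped preview described above, reimplemented as a standalone Python script so the same rule can be run locally before a push. This is an added example, not the workflow's own code (the workflow uses jq); the excluded directory set, the sample manifests built by `build_demo_tree` and the function names are constructed assumptions.

```python
"""Local equivalent of the Caret Dependency Check (added example, not the
project's workflow). Walks a tree for package.json files, skips cache and build
directories, collects every dependency whose range starts with '^' across the
four dependency fields, prints a preview capped at 5 entries per file and exits
non-zero when any caret range exists."""
import json
import os
import sys
import tempfile

# The four manifest fields the workflow scans.
DEP_FIELDS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")
# Directories treated as caches/build outputs (assumed set; the page does not list them).
EXCLUDED_DIRS = {"node_modules", "dist", "build", ".cache", ".next", "coverage"}
PREVIEW_LIMIT = 5


def find_caret_deps(manifest_text):
    """Return [(field, name, range)] for every caret range in one package.json.
    Malformed JSON or a non-object manifest yields [] (mirrors the workflow's
    empty-array fallback when jq fails)."""
    try:
        data = json.loads(manifest_text)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    found = []
    for field in DEP_FIELDS:
        deps = data.get(field)
        if not isinstance(deps, dict):
            continue
        for name, spec in sorted(deps.items()):
            if isinstance(spec, str) and spec.startswith("^"):
                found.append((field, name, spec))
    return found


def scan_tree(root):
    """Map relative package.json path -> caret list, pruning excluded directories."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                carets = find_caret_deps(fh.read())
            if carets:
                results[os.path.relpath(path, root)] = carets
    return results


def render_preview(results, limit=PREVIEW_LIMIT):
    """PR-comment style preview: first `limit` entries per file plus a truncation line."""
    lines = []
    for path in sorted(results):
        entries = results[path]
        lines.append(f"{path}:")
        for field, name, spec in entries[:limit]:
            lines.append(f"  - {field}: {name} {spec}")
        if len(entries) > limit:
            lines.append(f"  ...and {len(entries) - limit} more")
    return "\n".join(lines)


def build_demo_tree():
    """Create a constructed sample repository in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="caret-demo-")
    samples = {
        "package.json": {"dependencies": {"react": "^18.2.0", "lodash": "4.17.21"}},
        "packages/web/package.json": {
            "devDependencies": {f"tool-{i}": f"^{i}.0.0" for i in range(1, 7)}},
        "packages/api/package.json": {"dependencies": {"express": "4.18.2"}},
        # Lives under an excluded directory, so it must never be reported.
        "node_modules/leftover/package.json": {"dependencies": {"ignored": "^1.0.0"}},
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return root


def main():
    # Scan the directory given on the command line, or the constructed demo tree.
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    results = scan_tree(root)
    if not results:
        print("No caret dependency ranges found.")
        return 0
    print(render_preview(results))
    total = sum(len(v) for v in results.values())
    print(f"\n{total} caret range(s) in {len(results)} file(s); pin exact versions.")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python caret_check.py path/to/repo`; without an argument it scans the constructed demo tree, reports two files (the root manifest and packages/web, with the latter truncated to "...and 1 more") and exits with status 1, which is the same fail-the-build signal the workflow produces.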