feat!: postinstall for dependabot template-oss PR

BREAKING CHANGE: `validate-npm-package-name` is now compatible with the following semver range for node: `^14.17.0 || ^16.13.0 || >=18.0.0`

Author: lukekarrys

.github/dependabot.yml

@@ -4,7 +4,7 @@ version: 2
 
 updates:
   - package-ecosystem: npm
-    directory: "/"
+    directory: /
     schedule:
       interval: daily
     allow:

.github/workflows/audit.yml

@@ -5,23 +5,33 @@ name: Audit
 on:
   workflow_dispatch:
   schedule:
-    # "At 01:00 on Monday" https://crontab.guru/#0_1_*_*_1
-    - cron: "0 1 * * 1"
+    # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
+    - cron: "0 8 * * 1"
 
 jobs:
   audit:
+    name: Audit Dependencies
+    if: github.repository_owner == 'npm'
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 18.x
+      - name: Install npm@latest
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
-      - run: npm audit
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+      - name: Run Audit
+        run: npm audit

.github/workflows/ci.yml

@@ -5,66 +5,83 @@ name: CI
 on:
   workflow_dispatch:
   pull_request:
-    branches:
-      - '*'
   push:
     branches:
       - main
       - latest
   schedule:
-    # "At 02:00 on Monday" https://crontab.guru/#0_2_*_*_1
-    - cron: "0 2 * * 1"
+    # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
+    - cron: "0 9 * * 1"
 
 jobs:
   lint:
+    name: Lint
+    if: github.repository_owner == 'npm'
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 18.x
+      - name: Install npm@latest
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - run: npm i --ignore-scripts --no-audit --no-fund
-      - run: npm run lint
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Lint
+        run: npm run lint --ignore-scripts
+      - name: Post Lint
+        run: npm run postlint --ignore-scripts
 
   test:
+    name: Test - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
+    if: github.repository_owner == 'npm'
     strategy:
       fail-fast: false
       matrix:
-        node-version:
-          - 12.13.0
-          - 12.x
-          - 14.15.0
-          - 14.x
-          - 16.0.0
-          - 16.x
         platform:
-          - os: ubuntu-latest
+          - name: Linux
+            os: ubuntu-latest
             shell: bash
-          - os: macos-latest
+          - name: macOS
+            os: macos-latest
             shell: bash
-          - os: windows-latest
+          - name: Windows
+            os: windows-latest
             shell: cmd
+        node-version:
+          - 14.17.0
+          - 14.x
+          - 16.13.0
+          - 16.x
+          - 18.0.0
+          - 18.x
     runs-on: ${{ matrix.platform.os }}
     defaults:
       run:
         shell: ${{ matrix.platform.shell }}
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Update to workable npm (windows)
+      - name: Update Windows npm
         # node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows
         if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.'))
         run: |
@@ -74,13 +91,17 @@ jobs:
           node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
           cd ..
           rmdir /s /q package
-      - name: Update npm to 7
-        # If we do test on npm 10 it needs npm7
+      - name: Install npm@7
         if: startsWith(matrix.node-version, '10.')
         run: npm i --prefer-online --no-fund --no-audit -g npm@7
-      - name: Update npm to latest
+      - name: Install npm@latest
         if: ${{ !startsWith(matrix.node-version, '10.') }}
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - run: npm i --ignore-scripts --no-audit --no-fund
-      - run: npm test --ignore-scripts
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Add Problem Matcher
+        run: echo "::add-matcher::.github/matchers/tap.json"
+      - name: Test
+        run: npm test --ignore-scripts -iwr

.github/workflows/codeql-analysis.yml

@@ -1,20 +1,19 @@
 # This file is automatically added by @npmcli/template-oss. Do not edit.
 
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
     branches:
       - main
       - latest
   pull_request:
-    # The branches below must be a subset of the branches above
     branches:
       - main
       - latest
   schedule:
-    # "At 03:00 on Monday" https://crontab.guru/#0_3_*_*_1
-    - cron: "0 3 * * 1"
+    # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
+    - cron: "0 10 * * 1"
 
 jobs:
   analyze:
@@ -24,21 +23,16 @@ jobs:
       actions: read
       contents: read
       security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ javascript ]
-
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
-          languages: ${{ matrix.language }}
+          languages: javascript
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2

.github/workflows/post-dependabot.yml

@@ -1,43 +1,91 @@
 # This file is automatically added by @npmcli/template-oss. Do not edit.
 
-name: Post Dependabot Actions
+name: Post Dependabot
 
 on: pull_request
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: write
 
 jobs:
-  template-oss-apply:
+  template-oss:
+    name: template-oss
+    if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head_ref }}
+      - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 18.x
+      - name: Install npm@latest
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - name: Dependabot metadata
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Fetch Dependabot Metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.1.1
+        uses: dependabot/fetch-metadata@v1
         with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: npm install and commit
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Dependabot can update multiple directories so we output which directory
+      # it is acting on so we can run the command for the correct root or workspace
+      - name: Get Dependabot Directory
         if: contains(steps.metadata.outputs.dependency-names, '@npmcli/template-oss')
+        id: flags
+        run: |
+          if [[ "${{ steps.metadata.outputs.directory }}" == "/" ]]; then
+            echo "::set-output name=workspace::-iwr"
+          else
+            echo "::set-output name=workspace::-w ${{ steps.metadata.outputs.directory }}"
+          fi
+
+      - name: Apply Changes
+        if: steps.flags.outputs.workspace
+        id: apply
+        run: |
+          npm run template-oss-apply ${{ steps.flags.outputs.workspace }}
+          if [[ `git status --porcelain` ]]; then
+            echo "::set-output name=changes::true"
+          fi
+
+      # This step will fail if template-oss has made any workflow updates. It is impossible
+      # for a workflow to update other workflows. In the case it does fail, we continue
+      # and then try to apply only a portion of the changes in the next step
+      - name: Push All Changes
+        if: steps.apply.outputs.changes
+        id: push
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git commit -am "chore: postinstall for dependabot template-oss PR"
+          git push
+
+      - name: Push All Changes Except Workflows
+        if: steps.push.outcome == 'failure'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh pr checkout ${{ github.event.pull_request.number }}
-          npm install --ignore-scripts --no-audit --no-fund
-          npm run template-oss-apply
-          git add .
+          git reset HEAD~
+          git checkout HEAD -- .github/workflows/
+          git clean -fd .github/workflows/
           git commit -am "chore: postinstall for dependabot template-oss PR"
           git push
-          npm run lint
+
+      - name: Check Changes
+        if: steps.apply.outputs.changes
+        run: |
+          npm exec --offline ${{ steps.flags.outputs.workspace }} -- template-oss-check