UHF-9380: Npm audit action

.github/workflows/npm-audit.yml

@@ -0,0 +1,82 @@
+name: Npm audit
+
+on:
+  schedule:
+    - cron: '0 12 * * 0'  # Run every fortnight on Sunday at 12
+
+jobs:
+  npm_audit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Use Node.js from .nvmrc in modules/custom
+        id: npm_audit_modules
+        run: |
+          find public/modules/custom -type f -name ".nvmrc" -exec sh -c '
+            dir=$(dirname "$1")
+            node_version=$(cat "$1")
+            echo "Using Node.js version $node_version in $dir"
+            cd "$dir"
+            curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+            export NVM_DIR="$HOME/.nvm"
+            [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+            nvm install $node_version
+            nvm use $node_version
+            npm install --silent
+            set +e
+            npm audit --package-lock-only --loglevel=error;
+            # The npm audit command will exit with a 0 exit code if no vulnerabilities were found.
+            if [ $? -gt 0 ]; then npm audit fix --package-lock-only --loglevel=error; echo "CREATE_PR=true" >> $GITHUB_OUTPUT; fi;
+            set -e
+          ' sh {} \;
+
+      - name: Use Node.js from .nvmrc in themes/custom
+        id: npm_audit_themes
+        run: |
+          find public/themes/custom -type f -name ".nvmrc" -exec sh -c '
+            dir=$(dirname "$1")
+            node_version=$(cat "$1")
+            echo "Using Node.js version $node_version in $dir"
+            cd "$dir"
+            curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+            export NVM_DIR="$HOME/.nvm"
+            [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+            nvm install $node_version
+            nvm use $node_version
+            npm install --silent
+            set +e
+            npm audit --package-lock-only --loglevel=error;
+            # The npm audit command will exit with a 0 exit code if no vulnerabilities were found.
+            if [ $? -gt 0 ]; then npm audit fix --package-lock-only --loglevel=error; echo "CREATE_PR=true" >> $GITHUB_OUTPUT; fi;
+            set -e
+          ' sh {} \;
+
+      - name: Create Pull Request
+        if: steps.npm_audit_modules.outputs.CREATE_PR == 'true' || steps.npm_audit_themes.outputs.CREATE_PR == 'true'
+        uses: peter-evans/create-pull-request@v4
+        with:
+          committer: GitHub <[email protected]>
+          author: actions-bot <[email protected]>
+          commit-message: Updated node modules based on npm audit fix
+          title: Automatic npm audit fix
+          labels: auto-update
+          body: |
+            # Npm audit
+            ## How to install
+
+            * Update the HDBT theme
+               * `git fetch --all`
+               * `git checkout automation/npm-audit`
+               * `git pull origin automation/npm-audit`
+            * In the custom module or custom theme folder, run `nvm use && npm i && npm run build`
+
+            ## How to test
+            Run `npm audit`
+
+            * [ ] Check that the `npm audit` prints `found 0 vulnerabilities`
+            * [ ] Check that the changes for distributed files are sensible
+
+          branch: automation/npm-audit