codeql-action/.github/workflows/update-dependencies.yml
Andrew Eisenberg 43d3eddc73 Change the update-dependencies workflow
Add more security: don't run the workflow if the actor is incorrect or a fork is involved, and run the update-dependencies job only after a manual approval.
2021-10-21 15:41:25 -07:00


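# Refreshes the checked-in node_modules on dependency-update PRs.
#
# The trigger is pull_request_target, so the run carries the base repository's
# write-capable token and secrets even though a PR starts it. Every condition
# in the `check` job exists to keep that token away from code this repository
# does not control: only labelled PRs, only the two bot actors, and only head
# and base branches that live in github/codeql-action itself (no forks). The
# `update` job additionally runs in the 'Update dependencies' environment,
# which per the commit message is where the manual approval gate is configured.
name: Update dependencies
on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, labeled]

jobs:
  check:
    name: Check for relevance
    runs-on: ubuntu-latest
    # This job only echoes, so it needs no token scopes at all.
    permissions: {}
    # The head/base repository names live under github.event.pull_request; the
    # github context has no `head`/`base` properties, so a bare
    # github.head.repo.full_name resolves to nothing and never matches, which
    # would silently prevent both jobs from ever running.
    if: |
      contains(github.event.pull_request.labels.*.name, 'Update dependencies') &&
      (github.actor == 'dependabot[bot]' || github.actor == 'github-actions[bot]') &&
      github.repository == 'github/codeql-action' &&
      github.event.pull_request.head.repo.full_name == 'github/codeql-action' &&
      github.event.pull_request.base.repo.full_name == 'github/codeql-action'
    env:
      ACTOR: '${{ github.actor }}'
    steps:
      - name: Check Actor
        run: echo "This PR should run the Update Dependencies workflow because the actor is $ACTOR, there is no fork involved, and the 'Update dependencies' label exists."

  update:
    needs: check
    environment: Update dependencies
    name: Update dependencies
    runs-on: macos-latest
    # Least privilege for the pull_request_target token: pushing the commit
    # needs contents, removing the PR label needs the issues / pull-requests
    # scope. Everything else stays at none.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Remove PR label
        env:
          REPOSITORY: '${{ github.repository }}'
          PR_NUMBER: '${{ github.event.pull_request.number }}'
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        run: |
          gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
      - name: Push updated dependencies
        env:
          BRANCH: '${{ github.head_ref }}'
        run: |
          # actions/checkout leaves us on the base ref; switch to the PR branch,
          # which the check job guarantees belongs to this repository.
          git fetch
          git checkout "$BRANCH"
          # NOTE(review): npm@latest is unpinned, so an upstream npm release changes what runs here.
          sudo npm install --force -g npm@latest
          npm install
          npm ci
          npm run removeNPMAbsolutePaths
          # Only commit when the refreshed node_modules actually differs.
          if [ -n "$(git status --porcelain)" ]; then
            git config --global user.email "github-actions@github.com"
            git config --global user.name "github-actions[bot]"
            git add node_modules
            git commit -am "Update checked-in dependencies"
            git push origin "$BRANCH"
          fi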