
Update GitHub Actions to use deterministic npm installs and local-only npx execution#8522

Open
Copilot wants to merge 3 commits into
masterfrom
copilot/fix-deterministic-package-installation-issues

Conversation


Copilot AI commented May 11, 2026

This updates the workflows flagged in the deterministic-install audit to avoid non-reproducible package installation patterns and implicit npx downloads. The changes are limited to workflow command lines and keep the existing job flow intact.

  • Deterministic dependency installation

    • Replaced safe workflow uses of npm i / npm install with npm ci
    • Applied this in artifact build, publish, license-check, and shared functional/server test workflows
  • Local-only npx execution

    • Replaced workflow npx gulp ... invocations with npx --no-install gulp ...
    • Updated all affected caller workflows so CI uses the checked-in dependency graph rather than downloading packages implicitly
  • Edge-case command handling

    • test-dependencies.yml: replaced lockfile mutation flow with direct lockfile audit via npm audit --package-lock-only --production
    • license-check.yml: preserved the local packed-tarball install flow by generating a lockfile for the packed artifact first, then installing via npm ci
  • Representative command changes

    ```yaml
    - run: npm ci
    - run: npx --no-install gulp build

    - run: npm audit --package-lock-only --production

    - run: mkdir temp && cd temp && npm init -y && npm install --package-lock-only ../*.tgz && npm ci && npx --no-install gulp check-licenses
    ```

This addresses the workflow command patterns called out for this repository in the deterministic package installation cleanup.

Original prompt

Fix the deterministic package installation command issues described in DevExpress/dxvcs#32108 for the repository DevExpress/testcafe.

Goal:

  • Update invalid package installation and npx invocation commands to comply with policy.
  • Prefer deterministic installs and prevent implicit package downloads from the registry.

Required changes:

  • Replace npm i and npm install with npm ci where appropriate and safe.
  • Replace npx <cmd> with npx --no-install <cmd> where appropriate.
  • Carefully review any flagged commands that may not be safely transformed mechanically, such as:
    • npm i --package-lock-only
    • npm i <package> ../local-path --save
    • npm init -y && npm install ../*.tgz
  • For these edge cases, make the minimal safe change that satisfies the deterministic-install policy without breaking the workflow; if direct substitution with npm ci is not valid, adjust the workflow/command sequence appropriately.

Flagged files from the issue for DevExpress/testcafe:

  • .github/workflows/deploy-to-artifacts.yml
  • .github/workflows/license-check.yml
  • .github/workflows/publish.yml
  • .github/workflows/test-client-desktop.yml
  • .github/workflows/test-client-mobile.yml
  • .github/workflows/test-dependencies.yml
  • .github/workflows/test-functional-docker.yml
  • .github/workflows/test-functional-local-chrome.yml
  • .github/workflows/test-functional-local-edge.yml
  • .github/workflows/test-functional-local-esm.yml
  • .github/workflows/test-functional-local-firefox.yml
  • .github/workflows/test-functional-local-headed-browsers.yml
  • .github/workflows/test-functional-local-legacy.yml
  • .github/workflows/test-functional-local-multiple-windows-na.yml
  • .github/workflows/test-functional-local-multiple-windows.yml
  • .github/workflows/test-functional-local-native-automation.yml
  • .github/workflows/test-functional-local-safari.yml
  • .github/workflows/test-functional-remote-mobile.yml
  • .github/workflows/test-functional.yml
  • .github/workflows/test-server-docker.yml
  • .github/workflows/test-server-latest.yml
  • .github/workflows/test-server-minimal.yml
  • .github/workflows/test-server.yml

Acceptance criteria:

  • All issue-listed invalid commands in this repository are fixed.
  • Changes are minimal and scoped only to the commands required by the issue.
  • CI/workflows/scripts remain functionally equivalent.
  • Open a pull request with a concise summary of the changes and mention that it addresses DevExpress/dxvcs#32108 for this repository.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Help fix the following issue: @DevExpress/dxvcs/issues/32108

Assistant: I can help, but I can’t directly “fix” this issue across repos unless you want me to create PRs, and PR creation requires an explicit target repository.

Issue DevExpress/dxvcs#32108 spans many repositories, including:

  • DevExpress/testcafe
  • DevExpress/testcafe-studio
  • DevExpress/testcafe-hammerhead
  • DevExpress/testcafe.io
  • DevExpress/generator-testcafe-reporter
  • DevExpress/testcafe-examples
  • DevExpress/testcafe-browser-tools
  • DevExpress/angular-testcafe
  • DevExpress/log-update-async-hook
  • DevExpress/testcafe-selector-generator
  • DevExpress/testcafe-browser-provider-electron
  • DevExpress/testcafe-legacy-api
  • DevExpress/testcafe-browser-provider-browserstack

Recommended fixes from the issue are:

  • replace npm i / npm install with npm ci where appropriate
  • replace npx ... with npx --no-install ...

Important caveat:

  • some flagged cases may need manual handling rather than blind replacement, especially commands like:
    • npm i --package-lock-only
    • npm i <package> ../local-path --save
    • npm init -y && npm install ../*.tgz
  • those are not always safely convertible to npm ci

If you want, I can do one of these next:

  1. Create a PR for a specific repository, for example DevExpress/testcafe
  2. Investigate and summarize the exact safe changes needed for one repository
  3. Draft issue comments/checklists grouped by repository

If you want a PR, send:

  • the repository name in owner/repo format
  • optionally the base branch if not default

Example:

  • “Create a PR for DevExpress/testcafe”
  • “Create a PR for DevExpress/testcafe-hammerhead targeting master”

User: Create a PR for each of the following repositories:

  • DevExpress/testcafe
  • DevExpress/testcafe-studio
  • DevExpress/testcafe-hammerhead
  • DevExpress/testcafe.io
  • DevExpress/generator-testcafe-reporter
  • DevExpress/testcafe-examples
  • DevExpress/testcafe-browser-tools
  • DevExpress/angular-testcafe
  • DevExpress/log-update-async-hook
  • DevExpress/testcafe-selector-generator
  • DevExpress/testcafe-browser-provider-electron
  • DevExpress/testcafe-legacy-api
  • DevExpress/testcafe-browser-provider-browserstack targeting master

Assistant: I’m waiting for your response to the approval prompt before I can continue creating the PRs for those repositories.

This pull request was created from Copilot chat.
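The audit this pull request responds to looks for two patterns in workflow `run:` lines: `npm i` / `npm install`, whose resolved versions can drift from `package-lock.json`, and `npx <cmd>` without `--no-install`, which silently fetches `<cmd>` from the registry when it is absent from `node_modules`. The following POSIX shell script is an added example of such a check; it is not part of this pull request or of the testcafe repository. The function names `audit_workflow` and `audit_count` and the sample workflow text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not project code): flag the workflow command patterns the
# deterministic-install policy targets. Names and sample input are constructed.

# Constructed sample workflow fragment mixing compliant and flagged commands.
SAMPLE_WORKFLOW=$(cat <<'EOF'
jobs:
  build:
    steps:
      - run: npm install
      - run: npx gulp build
      - run: npm ci
      - run: npx --no-install gulp test
      - run: npm i --package-lock-only
      - run: mkdir temp && cd temp && npm init -y && npm install ../*.tgz
EOF
)

# audit_workflow [FILE...]: read workflow YAML from files or stdin and print one
# finding per offending command, prefixed with the line number it was found on.
audit_workflow() {
  awk '
    /^[ \t]*-[ \t]*run:/ {
      line = $0
      sub(/^[ \t]*-[ \t]*run:[ \t]*/, "", line)
      # Split a compound shell line so each npm/npx call is judged on its own
      # (this is how "npm init -y && npm install ../*.tgz" gets the install flagged
      # while "npm init" itself is left alone).
      n = split(line, cmds, /&&|\|\||;|\|/)
      for (i = 1; i <= n; i++) {
        cmd = cmds[i]
        sub(/^[ \t]+/, "", cmd)
        sub(/[ \t]+$/, "", cmd)
        # "npm i" / "npm install" resolve versions at run time; "npm ci" installs
        # exactly what package-lock.json records and fails if the two disagree.
        if (cmd ~ /^npm[ \t]+(i|install)([ \t]|$)/) {
          printf "%d: non-deterministic install (use npm ci): %s\n", NR, cmd
        }
        # "npx <cmd>" falls back to downloading <cmd> from the registry when it is
        # not in node_modules; "--no-install" turns that into a hard failure.
        else if (cmd ~ /^npx[ \t]+/ && cmd !~ /^npx[ \t]+--no-install([ \t]|$)/) {
          printf "%d: implicit npx download (add --no-install): %s\n", NR, cmd
        }
      }
    }
  ' "$@"
}

# audit_count [FILE...]: number of findings; non-zero is what a CI gate fails on.
audit_count() {
  audit_workflow "$@" | wc -l | tr -d ' '
}

# With no file arguments, audit the constructed sample.
if [ $# -eq 0 ]; then
  printf '%s\n' "$SAMPLE_WORKFLOW" | audit_workflow
fi
```

Run it against real workflow files with `sh audit.sh .github/workflows/*.yml` (the script name is hypothetical); on the constructed sample it reports four findings and leaves `npm ci`, `npx --no-install gulp test` and the `npm init -y` step unflagged. One limitation to keep in mind: the check only inspects single-line `- run:` entries, so commands inside a multi-line `run: |` block are not seen and would need a YAML-aware pass.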

Copilot AI and others added 2 commits May 11, 2026 17:10
Copilot AI changed the title [WIP] Fix deterministic package installation command issues for DevExpress/testcafe Update GitHub Actions to use deterministic npm installs and local-only npx execution May 11, 2026
Copilot AI requested a review from aleks-pro May 11, 2026 17:14
@aleks-pro aleks-pro marked this pull request as ready for review May 11, 2026 17:27