Creates a comment inside Pull Request with the human-readable summary of the changes to the yarn.lock file. Works in public and private repositories, offers a degree of customization.

Example below shows the minimal workflow setup and all the optional inputs for the action (set to theirs default values). If you are happy with the output generated by the action, it's safe to remove all optional inputs.

name: Yarn Lock Changes
on: [pull_request]

jobs:
  yarn_lock_changes:
    runs-on: ubuntu-latest
    # Permission overwrite is required for Dependabot PRs, see "Common issues" below
    permissions:
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      # Please use `main` as version before the stable release will be published as `v1`
      - name: Yarn Lock Changes
        uses: Simek/yarn-lock-changes@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Optional inputs, can be deleted safely if you are happy with default values
          collapsibleThreshold: 25
          failOnDowngrade: false
          path: yarn.lock
          updateComment: true

Due to the security reasons from March 1st, 2021 workflow runs that are triggered by Dependabot have permissions reduced by default:

• GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions

To ensure that sufficient permissions for this action are always granted, you will need to add permissions entry to the job which runs yarn-lock-changes:

jobs:
  ...:
    runs-on: ...
    #####
    permissions:
      pull-requests: write
    #####
    steps:
      ...

To run action in the debug mode you need to add the ACTIONS_STEP_DEBUG repository secret and set it to true, as stated in the GitHub documentation.

Then additional information which might be useful for the users when debugging the issues will be available in the action output, prefixed by ##[debug].