[pull] main from TryGhost:main

.github/scripts/dependency-inspector.js

@@ -12,7 +12,10 @@ const { execSync } = require('child_process');
  * [packageName, current, wanted, latest, dependencyType] tuples.
  *
  * pnpm's JSON output is an object keyed by package name:
- *   { "pkg": { "current": "1.0.0", "wanted": "1.0.1", "latest": "2.0.0", "dependencyType": "dependencies" } }
+ *   { "pkg": { "wanted": "1.0.1", "latest": "2.0.0", "dependencyType": "dependencies" } }
+ *
+ * pnpm's JSON output does not include a "current" field — "wanted"
+ * represents the lockfile-resolved version, so we use it as current.
  */
 function parsePnpmOutdatedOutput(stdout) {
   if (!stdout || !stdout.trim()) {
@@ -22,7 +25,7 @@ function parsePnpmOutdatedOutput(stdout) {
   const data = JSON.parse(stdout);
   return Object.entries(data).map(([name, info]) => [
     name,
-    info.current,
+    info.wanted,
     info.wanted,
     info.latest,
     info.dependencyType
@@ -632,48 +635,44 @@ With a severity flag, shows all packages with that update type.
   }
 
   /**
-   * Run yarn audit and display a vulnerability summary
+   * Run pnpm audit and display a vulnerability summary
    */
   displayAuditSummary() {
     console.log('🔒 SECURITY AUDIT:\n');
 
     try {
       let stdout = '';
       try {
-        stdout = execSync('yarn audit --json 2>/dev/null', {
+        stdout = execSync('pnpm audit --json', {
           encoding: 'utf8',
           maxBuffer: 10 * 1024 * 1024
         });
       } catch (error) {
-        // yarn audit exits with non-zero when vulnerabilities are found
+        // pnpm audit exits with non-zero when vulnerabilities are found
         stdout = error.stdout || '';
       }
 
-      // Find the auditSummary line
-      const lines = stdout.trim().split('\n');
-      for (const line of lines) {
-        try {
-          const data = JSON.parse(line);
-          if (data.type === 'auditSummary' && data.data && data.data.vulnerabilities) {
-            const v = data.data.vulnerabilities;
-            const total = v.info + v.low + v.moderate + v.high + v.critical;
-            console.log(`   Total vulnerabilities: ${total}`);
-            console.log(`   🔴 Critical: ${v.critical}`);
-            console.log(`   🟠 High:     ${v.high}`);
-            console.log(`   🟡 Moderate: ${v.moderate}`);
-            console.log(`   🟢 Low:      ${v.low}`);
-            if (v.info > 0) {
-              console.log(`   ℹ️  Info:     ${v.info}`);
-            }
-            console.log(`   Total dependencies scanned: ${data.data.totalDependencies}\n`);
-            return;
-          }
-        } catch (e) {
-          // Skip non-JSON lines
-        }
+      if (!stdout || !stdout.trim()) {
+        console.log('   ⚠️  Could not parse audit summary\n');
+        return;
       }
 
-      console.log('   ⚠️  Could not parse audit summary\n');
+      const data = JSON.parse(stdout);
+      if (data.metadata && data.metadata.vulnerabilities) {
+        const v = data.metadata.vulnerabilities;
+        const total = v.info + v.low + v.moderate + v.high + v.critical;
+        console.log(`   Total vulnerabilities: ${total}`);
+        console.log(`   🔴 Critical: ${v.critical}`);
+        console.log(`   🟠 High:     ${v.high}`);
+        console.log(`   🟡 Moderate: ${v.moderate}`);
+        console.log(`   🟢 Low:      ${v.low}`);
+        if (v.info > 0) {
+          console.log(`   ℹ️  Info:     ${v.info}`);
+        }
+        console.log(`   Total dependencies scanned: ${data.metadata.totalDependencies}\n`);
+      } else {
+        console.log('   ⚠️  Could not parse audit summary\n');
+      }
     } catch (error) {
       console.log(`   ⚠️  Audit failed: ${error.message}\n`);
     }

.github/workflows/ci.yml

@@ -452,9 +452,6 @@ jobs:
         env:
           DEPENDENCY_CACHE_KEY: ${{ needs.job_setup.outputs.dependency_cache_key }}
 
-      - name: Build TS packages
-        run: pnpm nx run-many -t build --exclude=ghost-admin
-
       - name: Set timezone (non-UTC)
         uses: szenius/set-timezone@1f9716b0f7120e344f0c62bb7b1ee98819aefd42 # v2.0
         with:
@@ -472,12 +469,10 @@ jobs:
           echo "database__connection__password=root" >> $GITHUB_ENV
 
       - name: E2E tests
-        working-directory: ghost/core
-        run: pnpm test:ci:e2e
+        run: pnpm nx run ghost:test:ci:e2e
 
       - name: Integration tests
-        working-directory: ghost/core
-        run: pnpm test:ci:integration
+        run: pnpm nx run ghost:test:ci:integration
 
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         if: matrix.node == env.NODE_VERSION && contains(matrix.env.DB, 'mysql')
@@ -543,9 +538,6 @@ jobs:
         env:
           DEPENDENCY_CACHE_KEY: ${{ needs.job_setup.outputs.dependency_cache_key }}
 
-      - name: Build TS packages
-        run: pnpm nx run-many -t build --exclude=ghost-admin
-
       - name: Set env vars (SQLite)
         if: contains(matrix.env.DB, 'sqlite')
         run: echo "database__connection__filename=/dev/shm/ghost-test.db" >> $GITHUB_ENV
@@ -558,8 +550,7 @@ jobs:
           echo "database__connection__password=root" >> $GITHUB_ENV
 
       - name: Legacy tests
-        working-directory: ghost/core
-        run: pnpm test:ci:legacy
+        run: pnpm nx run ghost:test:ci:legacy
 
       - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main
         if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -754,7 +745,7 @@ jobs:
       - name: Test project
         run: tb test run
       - name: Trigger and watch traffic analytics infra Tinybird workflow
-        if: github.repository == 'TryGhost/Ghost'
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         env:
           GH_TOKEN: ${{ secrets.TRAFFIC_ANALYTICS_GITHUB_TOKEN }}
         uses: ./.github/actions/dispatch-workflow