ci: dependabot fixes, lockfile linting

.github/workflows/ci-web.yml

@@ -12,6 +12,9 @@ on:
       - main
       - version-*
 
+env:
+  NPM_VERSION: "11.10.0"
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -37,9 +40,10 @@ jobs:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - name: Install NPM
+        run: npm install -g npm@${{ env.NPM_VERSION }}
       - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
+        run: npm ci
       - name: Generate API
         run: make gen-client-ts
       - name: Lint
@@ -54,13 +58,16 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
+      - name: Install npm
+        run: npm install -g npm@${{ env.NPM_VERSION }}
       - working-directory: web/
         run: npm ci
       - name: Generate API
         run: make gen-client-ts
       - name: build
         working-directory: web/
         run: npm run build
+
   ci-web-mark:
     if: always()
     needs:
@@ -71,6 +78,7 @@ jobs:
       - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
+
   test:
     needs:
       - ci-web-mark
@@ -82,6 +90,8 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
+      - name: Install NPM
+        run: npm install -g npm@${{ env.NPM_VERSION }}
       - working-directory: web/
         run: npm ci
       - name: Generate API

.github/workflows/dependabot-lockfile-reconciliation.yml

@@ -0,0 +1,72 @@
+---
+name: Dependabot - Lockfile Reconciliation
+
+on:
+  pull_request:
+    branches:
+      - main
+      - version-*
+
+permissions:
+  contents: write
+
+env:
+  NPM_VERSION: "11.10.0"
+
+jobs:
+  fix-lockfile:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Detect changed lockfiles
+        id: detect
+        run: |
+          changed=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD)
+
+          npm_matches=$(echo "$changed" | grep -E 'package(-lock)?\.json$' || true)
+          npm_dirs=$(echo "$npm_matches" | xargs -I{} dirname {} | sort -u)
+
+          echo "npm_dirs=$(echo "$npm_dirs" | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+        if: steps.detect.outputs.npm_dirs != ''
+        with:
+          node-version-file: package.json
+
+      - name: Install NPM
+        if: steps.detect.outputs.npm_dirs != ''
+        run: npm install -g npm@${{ env.NPM_VERSION }}
+
+      - name: Fix npm lockfiles
+        if: steps.detect.outputs.npm_dirs != ''
+        run: |
+          for dir in ${{ steps.detect.outputs.npm_dirs }}; do
+            echo "::group::npm - $dir"
+            node scripts/lint-lockfile.mjs --warn "$dir/" || true
+            echo "::endgroup::"
+          done
+      - name: Commit fixes
+        run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git add -A
+          git diff --staged --quiet || git commit -m "fix: regenerate lockfiles [dependabot skip]"
+          git push

Makefile

@@ -148,11 +148,11 @@ bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
-	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
-	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
+	npm version --no-git-tag-version --allow-same-version $(version)
+	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
 
 #########################