CI/CD Integration
Integrate PCU into your continuous integration and deployment pipelines. PCU fits into existing CI/CD workflows and supports platforms such as GitHub Actions, GitLab CI, Jenkins and Azure DevOps.
GitHub Actions Integration
Basic dependency check workflow
name: PCU Dependency Check
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
jobs:
  check-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v2
        with:
          version: latest
      - uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'pnpm'
      - name: 安装依赖
        run: pnpm install
      - name: 安装 PCU
        run: pnpm add -g pnpm-catalog-updates
      - name: 检查更新
        run: pcu -c --format table
      - name: 安全扫描
        run: pcu security --severity high
GitLab CI Integration
GitLab CI pipeline for PCU dependency management:
stages:
  - check
  - security
  - update
variables:
  PNPM_CACHE_FOLDER: .pnpm-store
cache:
  key: ${CI_COMMIT_REF_SLUG}
  paths:
    - .pnpm-store
before_script:
  - corepack enable
  - pnpm config set store-dir $PNPM_CACHE_FOLDER
  - pnpm install
  - pnpm add -g pnpm-catalog-updates
dependency-check:
  stage: check
  script:
    - pcu -c --format table
    - pcu workspace --validate
  artifacts:
    reports:
      junit: dependency-report.xml
  only:
    - merge_requests
    - main
security-scan:
  stage: security
  script:
    - pcu security --format json --severity moderate > security.json
    - |
      if [ -s security.json ] && [ "$(jq length security.json)" -gt 0 ]; then
        echo "发现安全漏洞:"
        jq '.' security.json
        exit 1
      fi
  artifacts:
    reports:
      security: security.json
  only:
    - merge_requests
    - main
weekly-update:
  stage: update
  script:
    - git config user.name "PCU Bot"
    - git config user.email "pcu@gitlab.com"
    - pcu -c --format json > updates.json
    - |
      # An empty JSON array is still a non-empty file, so check the element count too
      if [ -s updates.json ] && [ "$(jq length updates.json)" -gt 0 ]; then
        pcu -u --target minor --create-backup
        git add .
        git commit -m "chore: 每周依赖更新"
        git push origin HEAD:pcu/weekly-updates
      fi
  only:
    - schedules
  variables:
    GIT_STRATEGY: clone
Jenkins Pipeline Integration
Jenkins pipeline for enterprise dependency management:
pipeline {
    agent any
    tools {
        nodejs '18'
    }
    environment {
        PNPM_HOME = "${env.WORKSPACE}/.pnpm"
        PATH = "${env.PNPM_HOME}:${env.PATH}"
    }
    stages {
        stage('设置环境') {
            steps {
                sh 'corepack enable'
                sh 'pnpm install'
                sh 'pnpm add -g pnpm-catalog-updates'
            }
        }
        stage('依赖检查') {
            steps {
                sh 'pcu -c --format json > dependency-check.json'
                script {
                    def updates = readJSON file: 'dependency-check.json'
                    if (updates.size() > 0) {
                        env.HAS_UPDATES = 'true'
                        echo "发现 ${updates.size()} 个包需要更新"
                    } else {
                        env.HAS_UPDATES = 'false'
                        echo "没有可用更新"
                    }
                }
            }
            post {
                always {
                    archiveArtifacts artifacts: 'dependency-check.json'
                }
            }
        }
        stage('安全扫描') {
            when {
                environment name: 'HAS_UPDATES', value: 'true'
            }
            steps {
                sh 'pcu security --format json --severity high > security-report.json'
                script {
                    def securityReport = readJSON file: 'security-report.json'
                    if (securityReport.vulnerabilities && securityReport.vulnerabilities.size() > 0) {
                        error "发现严重安全漏洞:${securityReport.vulnerabilities.size()}"
                    }
                }
            }
            post {
                always {
                    publishHTML([
                        allowMissing: false,
                        alwaysLinkToLastBuild: true,
                        keepAll: true,
                        reportDir: '.',
                        reportFiles: 'security-report.json',
                        reportName: 'Security Report'
                    ])
                }
            }
        }
        stage('更新依赖') {
            when {
                allOf {
                    environment name: 'HAS_UPDATES', value: 'true'
                    branch 'main'
                }
            }
            steps {
                sh 'pcu -u --target minor --create-backup'
                sh 'pnpm test'
                script {
                    sh '''
                        git config user.name "Jenkins PCU"
                        git config user.email "jenkins@company.com"
                        git add .
                        git commit -m "chore: 自动依赖更新 [skip ci]"
                    '''
                    // Create a merge request (GitLab) or pull request (GitHub) from the pushed branch
                    sh '''
                        git push origin HEAD:pcu/automated-updates-${BUILD_NUMBER}
                    '''
                }
            }
        }
    }
    post {
        always {
            cleanWs()
        }
        success {
            echo 'PCU依赖检查成功完成'
        }
        failure {
            emailext (
                subject: "PCU依赖检查失败 - ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
                body: "依赖检查失败。请查看控制台输出。",
                to: "${env.CHANGE_AUTHOR_EMAIL}"
            )
        }
    }
}
Azure DevOps Pipeline
Azure DevOps pipeline for PCU integration:
trigger:
  branches:
    include:
      - main
      - develop
schedules:
  - cron: '0 8 * * 1'
    displayName: 每周依赖检查
    branches:
      include:
        - main
    always: true
pool:
  vmImage: 'ubuntu-latest'
variables:
  PNPM_CACHE_FOLDER: $(Pipeline.Workspace)/.pnpm-store
stages:
  - stage: DependencyCheck
    displayName: '依赖检查'
    jobs:
      - job: CheckUpdates
        displayName: '检查更新'
        steps:
          - task: Cache@2
            inputs:
              key: 'pnpm | "$(Agent.OS)" | pnpm-lock.yaml'
              restoreKeys: |
                pnpm | "$(Agent.OS)"
              path: $(PNPM_CACHE_FOLDER)
            displayName: 缓存pnpm
          - script: |
              corepack enable
              pnpm config set store-dir $(PNPM_CACHE_FOLDER)
              pnpm install
              pnpm add -g pnpm-catalog-updates
            displayName: '设置PNPM和PCU'
          - script: |
              pcu -c --format json > $(Agent.TempDirectory)/updates.json
              pcu workspace --validate
            displayName: '检查依赖'
          - script: |
              pcu security --format json --severity moderate > $(Agent.TempDirectory)/security.json
            displayName: '安全扫描'
          - task: PublishTestResults@2
            condition: always()
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: '**/*-results.xml'
              failTaskOnFailedTests: true
            displayName: '发布安全结果'
          - task: PublishBuildArtifacts@1
            inputs:
              pathToPublish: '$(Agent.TempDirectory)'
              artifactName: 'dependency-reports'
            displayName: '发布构件'
  - stage: UpdateDependencies
    displayName: '更新依赖'
    condition: and(succeeded(), or(eq(variables['Build.Reason'], 'Schedule'), eq(variables['Build.Reason'], 'Manual')))
    jobs:
      - job: UpdateCatalog
        displayName: '更新目录依赖'
        steps:
          - checkout: self
            persistCredentials: true
          - script: |
              corepack enable
              pnpm install
              pnpm add -g pnpm-catalog-updates
            displayName: '设置环境'
          - script: |
              pcu -u --target minor --create-backup
              pnpm test
            displayName: '更新并测试'
          - script: |
              git config user.name "Azure DevOps PCU"
              git config user.email "azuredevops@company.com"
              git add .
              git commit -m "chore: Azure DevOps自动依赖更新"
              git push origin HEAD:refs/heads/pcu/azure-updates-$(Build.BuildNumber)
            displayName: '提交更改'
General CI/CD Best Practices
Environment variable configuration
Set these environment variables on every CI/CD platform to tune PCU's behaviour:
# Core configuration
PCU_NO_COLOR=true            # Disable coloured output
PCU_CHECK_UPDATES=false      # Disable PCU's own update check in CI
PCU_VERBOSE=true             # Enable verbose logging
PCU_OUTPUT_FORMAT=json       # Use JSON output so results are easy to parse
# Cache configuration
PCU_CACHE_ENABLED=true       # Enable caching for better performance
PCU_CACHE_TTL=1800000        # 30-minute cache TTL
# Security configuration
PCU_SECURITY_SEVERITY=high   # Check for high-severity vulnerabilities
PCU_AUTO_FIX=false           # Keep fixes under manual control in CI
# Performance configuration
PCU_TIMEOUT=120000           # 2-minute timeout
PCU_RETRIES=3                # Number of retries for network requests
PCU_CONCURRENCY=5            # Concurrent request limit
Security Considerations
Access token management
Make sure access tokens are handled securely in the CI/CD environment:
# GitHub Actions
- name: 配置Git
  run: |
    git config user.name "PCU Bot"
    git config user.email "bot@company.com"
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GitLab CI
script:
  - git remote set-url origin https://oauth2:${CI_PUSH_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git
Branch protection policy
Configure branch protection to prevent direct pushes to the main branch:
- Require pull request reviews
- Require status checks to pass
- Restrict who can push to protected branches
- Require signed commits
Troubleshooting
Common CI/CD issues
Permission errors
# Fix npm permission problems
npm config set prefix ~/.npm-global
export PATH=~/.npm-global/bin:$PATH
# Or use pnpm (recommended)
pnpm add -g pnpm-catalog-updates
Cache problems
# Clear the CI cache
rm -rf node_modules pnpm-lock.yaml
pnpm install
# Bypass the PCU cache
PCU_CACHE_ENABLED=false pcu check
Network timeouts
# Increase the timeout
PCU_TIMEOUT=300000 pcu check
# Reduce the number of concurrent requests
PCU_CONCURRENCY=2 pcu update
Monitoring and Reporting
Creating dashboards
Use your CI/CD platform's native features to build a dependency management dashboard:
- GitHub Actions: use Action insights and the dependency graph
- GitLab CI: use the Security Dashboard and dependency scanning
- Jenkins: configure the HTML Publisher plugin
- Azure DevOps: use Dashboards and Analytics
Notification configuration
Set up appropriate notifications so the team stays informed:
# Slack notification example (GitHub Actions)
- name: Slack通知
  if: failure()
  uses: 8398a7/action-slack@v3
  with:
    status: failure
    text: PCU依赖检查失败
  env:
    SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
Docker Integration
Containerized PCU workflow
FROM node:18-alpine
# Install pnpm and PCU
RUN corepack enable
RUN pnpm add -g pnpm-catalog-updates
# Set the working directory
WORKDIR /workspace
# Copy the package files
COPY package.json pnpm-lock.yaml ./
COPY pnpm-workspace.yaml .pcurc.json ./
# Install dependencies
RUN pnpm install --frozen-lockfile
# Set environment variables
ENV PCU_NO_COLOR=true
ENV PCU_VERBOSE=true
# Default command
CMD ["pcu", "--help"]
These CI/CD integration examples provide a comprehensive approach to automated dependency management, keeping your project's dependencies current and secure.