From 9d610d88b95544254a89e264f45235a1f64b68ff Mon Sep 17 00:00:00 2001
From: Dave Lockhart <dlockhart@users.noreply.github.com>
Date: Fri, 14 Nov 2025 16:15:35 -0500
Subject: [PATCH 1/2] GAUD-9029: assume that a lock file is used

---
 .../templates/configured/_gitignore           |  1 -
 .../templates/static/.github/dependabot.yml   |  4 +++
 .../.github/workflows/update-package-lock.yml | 28 +++++++++++++++++++
 .../.github/workflows/ci-test-reporting.yml   |  3 +-
 .../templates/static/.github/workflows/ci.yml |  3 +-
 .../workflows/vdiff-test-reporting.yml        |  3 +-
 .../static/.github/workflows/vdiff.yml        |  3 +-
 7 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml

diff --git a/src/generators/default-content/templates/configured/_gitignore b/src/generators/default-content/templates/configured/_gitignore
index 504afef..c2658d7 100644
--- a/src/generators/default-content/templates/configured/_gitignore
+++ b/src/generators/default-content/templates/configured/_gitignore
@@ -1,2 +1 @@
 node_modules/
-package-lock.json
diff --git a/src/generators/default-content/templates/static/.github/dependabot.yml b/src/generators/default-content/templates/static/.github/dependabot.yml
index aff82a1..5f609d1 100644
--- a/src/generators/default-content/templates/static/.github/dependabot.yml
+++ b/src/generators/default-content/templates/static/.github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      # update-package-lock workflow handles minor/patch updates - delay for a few weeks to give time to handle breaking change in those PRs
+      default-days: 25
+      semver-major-days: 5
\ No newline at end of file
diff --git a/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml b/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml
new file mode 100644
index 0000000..62572c8
--- /dev/null
+++ b/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml
@@ -0,0 +1,28 @@
+name: Update package-lock.json
+on:
+  schedule:
+    - cron: "30 12 * * 1-5" # Mon-Fri 8:30AM EDT. 7:30AM EST.
+  workflow_dispatch: # manual trigger
+jobs:
+  update:
+    name: Update
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+    steps:
+      - uses: Brightspace/third-party-actions@actions/checkout
+        with:
+          token: ${{ secrets.PR_GITHUB_TOKEN }}
+      - uses: Brightspace/third-party-actions@actions/setup-node
+        with:
+          node-version-file: .nvmrc
+          cache: 'npm'
+      - name: Update package-lock.json
+        uses: BrightspaceUI/actions/update-package-lock@main
+        with:
+          AUTO_MERGE_METHOD: squash
+          AUTO_MERGE_TOKEN: ${{ secrets.PR_GITHUB_TOKEN }}        
+          APPROVAL_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.PR_GITHUB_TOKEN }}
+          SLACK_CHANNEL_FAILURE: '#your-team-dev-alerts'
+          SLACK_CHANNEL_STALE_PR: '#your-team-dev-alerts'
+          SLACK_TOKEN: ${{ secrets.D2L_SLACK_TOKEN }}
diff --git a/src/generators/test-unit-axe/templates/static/.github/workflows/ci-test-reporting.yml b/src/generators/test-unit-axe/templates/static/.github/workflows/ci-test-reporting.yml
index b6d6337..fcb9b0f 100644
--- a/src/generators/test-unit-axe/templates/static/.github/workflows/ci-test-reporting.yml
+++ b/src/generators/test-unit-axe/templates/static/.github/workflows/ci-test-reporting.yml
@@ -12,8 +12,9 @@ jobs:
         uses: Brightspace/third-party-actions@actions/setup-node
         with:
           node-version-file: .nvmrc
+          cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Lint (JavaScript)
         run: npm run lint:eslint
       - name: Lint (CSS)
diff --git a/src/generators/test-unit-axe/templates/static/.github/workflows/ci.yml b/src/generators/test-unit-axe/templates/static/.github/workflows/ci.yml
index 52559fd..2bd3661 100644
--- a/src/generators/test-unit-axe/templates/static/.github/workflows/ci.yml
+++ b/src/generators/test-unit-axe/templates/static/.github/workflows/ci.yml
@@ -10,8 +10,9 @@ jobs:
       - uses: Brightspace/third-party-actions@actions/setup-node
         with:
           node-version-file: .nvmrc
+          cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Lint (JavaScript)
         run: npm run lint:eslint
       - name: Lint (CSS)
diff --git a/src/generators/test-vdiff/templates/static/.github/workflows/vdiff-test-reporting.yml b/src/generators/test-vdiff/templates/static/.github/workflows/vdiff-test-reporting.yml
index 91a9a76..50fb135 100644
--- a/src/generators/test-vdiff/templates/static/.github/workflows/vdiff-test-reporting.yml
+++ b/src/generators/test-vdiff/templates/static/.github/workflows/vdiff-test-reporting.yml
@@ -9,8 +9,9 @@ jobs:
       - uses: Brightspace/third-party-actions@actions/setup-node
         with:
           node-version-file: .nvmrc
+          cache: 'npm'
       - name: Install Dependencies
-        run: npm install
+        run: npm ci
       - name: vdiff Tests
         uses: BrightspaceUI/actions/vdiff@main
         with:
diff --git a/src/generators/test-vdiff/templates/static/.github/workflows/vdiff.yml b/src/generators/test-vdiff/templates/static/.github/workflows/vdiff.yml
index 9d2836c..20e1648 100644
--- a/src/generators/test-vdiff/templates/static/.github/workflows/vdiff.yml
+++ b/src/generators/test-vdiff/templates/static/.github/workflows/vdiff.yml
@@ -9,8 +9,9 @@ jobs:
       - uses: Brightspace/third-party-actions@actions/setup-node
         with:
           node-version-file: .nvmrc
+          cache: 'npm'
       - name: Install Dependencies
-        run: npm install
+        run: npm ci
       - name: vdiff Tests
         uses: BrightspaceUI/actions/vdiff@main
         with:

From 64001f3c01fd6a53de039ac2628dc71e7d82bd07 Mon Sep 17 00:00:00 2001
From: Dave Lockhart <dlockhart@users.noreply.github.com>
Date: Fri, 14 Nov 2025 16:43:10 -0500
Subject: [PATCH 2/2] add link to docs

---
 .../templates/static/.github/workflows/update-package-lock.yml   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml b/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml
index 62572c8..fea766b 100644
--- a/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml
+++ b/src/generators/default-content/templates/static/.github/workflows/update-package-lock.yml
@@ -20,6 +20,7 @@ jobs:
         uses: BrightspaceUI/actions/update-package-lock@main
         with:
           AUTO_MERGE_METHOD: squash
+          # update-package-lock set up instructions: https://github.com/BrightspaceUI/create/tree/main?tab=readme-ov-file#additional-setup
           AUTO_MERGE_TOKEN: ${{ secrets.PR_GITHUB_TOKEN }}        
           APPROVAL_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.PR_GITHUB_TOKEN }}