Non-reproducible builds in mono-repo setups

[0xmichalis]

The action as it is currently set up, is not suitable for a mono-repo where the dependency lock file exists at the top-level of the repo and the target directory where the contracts live is nested because of

slither-action/entrypoint.sh

Lines 113 to 126 in 68ad243

	pushd "$TARGET" >/dev/null
	# JS dependencies
	if [[ -f package-lock.json ]]; then
	echo "[-] Installing dependencies from package-lock.json"
	npm ci
	elif [[ -f yarn.lock ]]; then
	echo "[-] Installing dependencies from yarn.lock"
	npm install -g yarn
	yarn install --frozen-lockfile
	elif [[ -f package.json ]]; then
	echo "[-] Did not detect a package-lock.json or yarn.lock in $TARGET, consider locking your dependencies!"
	echo "[-] Proceeding with 'npm i' to install dependencies"
	npm i

.

[elopez]

Hi, thanks for the report! Do you have an example repository you can share to make the structure more clear?

Note that if you have a complex or unsupported build procedure, you can always roll your own build steps as part of the actions workflow and then run the slither action with ignore-compile. You can check the dapp example on the repo readme for general guidance.

[0xmichalis]

Hi @elopez thanks for the prompt response, appreciate it! Ignoring compilation is a helpful feature, thanks for pointing it out! I'll try to get a minimal repo setup to reproduce this issue.