Dependabot Check for Vulnerabilities #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Dependabot Check for Vulnerabilities' | ||
| on: | ||
| schedule: | ||
| - cron: '0 15 * * 1-5' #UTC todo: change once it's proven to work | ||
| workflow_dispatch: | ||
| jobs: | ||
| dependabot: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: check out current repositories | ||
| # to read maintainers.json | ||
| uses: actions/checkout@v4 | ||
| - name: check out cove-workflows | ||
| # this is necessary because this workflow gets synced to other repos | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: livelyhood/cove-workflows | ||
| ref: ${{ (github.repository == 'livelyhood/cove-workflows' && github.ref) || 'main' }} # IF the this workflow was called from this repo THEN checkout the current github.ref ELSE use main | ||
| path: ./cove-workflows | ||
| token: ${{ secrets.ADMIN_TOKEN_FOR_GITHUB_ACTIONS }} | ||
| - name: read maintainers.json | ||
| id: read-maintainers | ||
| # reads maintainers array and map them to their slack userIds "mentions" (see slack api https://api.slack.com/reference/surfaces/formatting#mentioning-users) | ||
| run: | | ||
| echo "maintainers=$(cat maintainers.json | jq '.[] | to_entries | .[].value' | jq --slurp -r '. | join(" ")')" >> "$GITHUB_OUTPUT" | ||
| - name: query open vulnerability alerts | ||
| id: list-vulnerabilities | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| github-token: ${{ secrets.ADMIN_TOKEN_FOR_GITHUB_ACTIONS }} | ||
| script: | | ||
| const script = require('./cove-workflows/src/scripts/dependabot-open-vulnerabilities.js'); | ||
| return await script({github, context, core}); | ||
| - name: count open vulnerability alerts | ||
| id: count-vulnerabilities | ||
| env: | ||
| VULNERABILITIES: ${{ steps.list-vulnerabilities.outputs.result }} | ||
| run: | | ||
| COUNT=$(echo "${VULNERABILITIES}" | jq '. | length') | ||
| echo "count=${COUNT}" >> "${GITHUB_OUTPUT}" | ||
| - name: 'Post PR to #alerts-vulnerabilities' | ||
| if: ${{ steps.count-vulnerabilities.outputs.count > 0 }} | ||
| uses: slackapi/slack-github-action@v1.25.0 | ||
| env: | ||
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | ||
| TITLE: ${{ format('Open vulnerabilities in {0}{1} {2}', github.event.repository.name, ':', steps.read-maintainers.outputs.maintainers) }} | ||
| TITLE_LINK: ${{ format('{0}/security/dependabot', github.event.repository.html_url) }} | ||
| VULNERABILITIES: ${{ steps.list-vulnerabilities.outputs.result }} | ||
| with: | ||
| channel-id: C06U7QP8VTN # alerts-vulnerabilities | ||
| payload: | | ||
| { | ||
| "attachments": [ | ||
| { | ||
| "mrkdwn_in": ["fields"], | ||
| "color": "#3679a6", | ||
| "author_name": "Dependabot 🤖", | ||
| "author_link": " ", | ||
| "author_icon": "https://manage.cove.is/imgs/favicon.png", | ||
| "title": "${{ env.TITLE }}", | ||
| "title_link": "${{ env.TITLE_LINK }}", | ||
| "fields": ${{ env.VULNERABILITIES }}, | ||
| "thumb_url": "https://manage.cove.is/imgs/favicon.png", | ||
| "footer": " ", | ||
| "footer_icon": "https://manage.cove.is/imgs/favicon.png", | ||
| "ts": 123456789 | ||
| } | ||
| ] | ||
| } | ||
| ############################################# | ||
| notify-all: | ||
| ############################################# | ||
| uses: livelyhood/cove-workflows/.github/workflows/notify.yml@main | ||
|
Check failure on line 74 in .github/workflows/dependabot-open-vulnerabilities.yml
|
||
| needs: | ||
| - dependabot | ||
| if: ${{ always() && contains(needs.*.result, 'failure') }} | ||
| secrets: inherit | ||
| with: | ||
| failure: true | ||
