From a9ac3f55fcb2bc735db0d251eda89897a5dbaaaa Mon Sep 17 00:00:00 2001
From: Will Hickey
Date: Tue, 3 Sep 2024 14:00:12 -0500
Subject: [PATCH] Add workflow and script to add security-incident-response to GHSAs (#2764)

* Add workflow and script to add security-incident-response to GHSAs that don't already have it
* Remove echos to minimize the risk of leaking sensitive information
* Remove whitespace
* Switch ref to master and remove fetch-depth: 0
* Redirect gh api output to /dev/null
* shellcheck
* Disable SC2086 in gh call
* Update workflow with runs-on: ubuntu-24.04 in order to get jq 1.7
---
 .github/scripts/add-team-to-ghsa.sh | 36 ++++++++++++++++++++++++++
 .github/workflows/add-team-to-ghsa.yml | 21 +++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100755 .github/scripts/add-team-to-ghsa.sh
 create mode 100644 .github/workflows/add-team-to-ghsa.yml

diff --git a/.github/scripts/add-team-to-ghsa.sh b/.github/scripts/add-team-to-ghsa.sh
new file mode 100755
index 00000000000000..41c1a787e85044
--- /dev/null
+++ b/.github/scripts/add-team-to-ghsa.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euof pipefail
+
+team_to_add_slug="security-incident-response"
+github_org="anza-xyz"
+github_repo="agave"
+
+# Note: This will get all the GHSAs even if there are more than the per_page value
+# from gh api --help
+# --paginate Make additional HTTP requests to fetch all pages of results
+ghsa_json=$(gh api \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  /repos/$github_org/$github_repo/security-advisories?per_page=100 --paginate )
+
+# Get a list of GHSAs that don't have the $team_to_add_slug in collaborating_teams
+ghsa_without_team=$( jq -r '[ .[] | select(all(.collaborating_teams.[]; .slug != "'"$team_to_add_slug"'")) | .ghsa_id ] | sort | .[] ' <<< "$ghsa_json" )
+
+# Iterate through the teams
+while IFS= read -r ghsa_id; do
+  # PATCH updates the value. If we just set -f "collaborating_teams[]=$team_to_add_slug" it
+  # will overwrite any existing collaborating_teams. So we get the list of teams that are already
+  # added to this GHSA and format them as parameters for gh api like:
+  # -f collaborating_teams[]=ghsa-testing-1
+  original_collaborating_team_slugs=$( jq -r '[ .[] | select(.ghsa_id == "'"$ghsa_id"'") | .collaborating_teams ] | "-f collaborating_teams[]=" + .[][].slug ' <<< "$ghsa_json" )
+
+  # Update the team list
+  # shellcheck disable=SC2086
+  gh api \
+    --method PATCH \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/$github_org/$github_repo/security-advisories/$ghsa_id" \
+    -f "collaborating_teams[]=$team_to_add_slug" $original_collaborating_team_slugs \
+    > /dev/null 2>&1
+done <<< "$ghsa_without_team"
diff --git a/.github/workflows/add-team-to-ghsa.yml b/.github/workflows/add-team-to-ghsa.yml
new file mode 100644
index 00000000000000..ea70d5870bf582
--- /dev/null
+++ b/.github/workflows/add-team-to-ghsa.yml
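Review bot: When every advisory already has the team, `ghsa_without_team` is empty, but `<<<` still feeds one empty line to the loop, so `read -r ghsa_id` succeeds once with an empty id and a PATCH is issued against `/repos/.../security-advisories/` with no id; if that request fails, `set -e` aborts the hourly run and the `> /dev/null 2>&1` leaves nothing on stderr to say why. Add `[[ -n "$ghsa_id" ]] || continue` as the first statement of the loop body. Separately, `$team_to_add_slug` and `$ghsa_id` are spliced into the jq program text with `'"$var"'`; passing them as `jq --arg team "$team_to_add_slug"` and `jq --arg id "$ghsa_id"` and comparing against `$team` / `$id` keeps API-returned data out of the filter source and removes the quote juggling. The unquoted `$original_collaborating_team_slugs` relies on word splitting (and on `set -f` to keep `[]` out of glob expansion); reading the jq output with `mapfile -t slugs < <(jq ...)` and passing `"${slugs[@]}"` would make the SC2086 suppression unnecessary.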
@@ -0,0 +1,21 @@
+name: Add Security Team to GHSAs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+jobs:
+  add-team-to-ghsa:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: master
+      - name: Run script
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GHSA_ADD_SECURITY_INCIDENT_RESPONSE }}
+        run: |
+          .github/scripts/add-team-to-ghsa.sh
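Review bot: The workflow declares no `permissions:` block, so the job's ambient `GITHUB_TOKEN` keeps the repository's default grant even though the script only uses the `GH_TOKEN` PAT from secrets; a top-level `permissions:` with `contents: read` limits the ambient token to what `actions/checkout` needs. `actions/checkout@v4` on the Checkout step is a mutable tag; for a job that carries a token able to edit security advisories, pin to a full commit SHA (`uses: actions/checkout@<full-commit-sha-placeholder> # v4`) so a moved tag cannot change what runs with that token. The `ref: master` line means both scheduled and manual runs execute the script as it exists on master rather than on the dispatching branch, which appears intended per the commit message but is worth a one-line comment above it.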