Monthly Maintenence #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Monthly Maintenence | |
| on: | |
| schedule: | |
| - cron: '0 0 1 * *' | |
| jobs: | |
| create_issue: | |
| name: create_issue | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| pull-requests: read | |
| steps: | |
| - name: Get current month and year | |
| id: date | |
| run: echo "::set-output name=date::$(date +'%B %Y')" | |
| - name: Get previous month | |
| id: prevdate | |
| run: echo "::set-output name=prevdate::$(date -d 'last month' +'%Y-%m-%dT%H:%M:%SZ')" | |
| - name: Get Open Dependabot Pull Requests | |
| id: pull_requests | |
| run: | | |
| { | |
| echo 'pull_requests<<EOF' | |
| curl -X GET \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/revelrylabs/slax/pulls?state=open" \ | |
| | jq --raw-output 'map(select(.user.login == "dependabot[bot]")) | .[] | "[\(.title)](\(.html_url))"' | |
| echo EOF | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Get open alerts | |
| id: open_alerts | |
| uses: octokit/[email protected] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} | |
| with: | |
| route: GET /repos/{owner}/{repo}/dependabot/alerts | |
| owner: revelrylabs | |
| repo: slax | |
| state: "open" | |
| sort: "updated" | |
| per_page: 100 | |
| - name: Set open input | |
| id: open_input | |
| run: | | |
| if [ steps.open_alerts.outputs.data.length > 0 ]; then | |
| echo 'alerts<<EOF' >> $GITHUB_OUTPUT | |
| echo '[${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.updated_at) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.security_advisory.severity) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.html_url) }}]' >> $GITHUB_OUTPUT | |
| echo 'EOF' >> $GITHUB_OUTPUT | |
| else | |
| echo "alerts=[]" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Build objects for open alerts | |
| id: open_objects | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.open_input.outputs.alerts }} | |
| script: '[.[0] as $times | .[1] as $severities | .[2] as $urls | foreach range(0; $times|length) as $i ( {}; . = { "time": $times[$i], "severity": $severities[$i], "url": $urls[$i] } )]' | |
| - name: Get new open alerts | |
| id: new_open_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.open_objects.outputs.output }} | |
| script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' | |
| - name: Get urls | |
| id: urls | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_open_alerts.outputs.output }} | |
| script: '.[].url' | |
| raw-output: "true" | |
| - name: Get number of new alerts | |
| id: total_open_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_open_alerts.outputs.output }} | |
| script: 'length' | |
| - name: Get number of critical alerts | |
| id: open_critical_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_open_alerts.outputs.output }} | |
| script: 'map(select(.severity == "critical")) | length' | |
| - name: Get number of high alerts | |
| id: open_high_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_open_alerts.outputs.output }} | |
| script: 'map(select(.severity == "high")) | length' | |
| - name: Get number of moderate alerts | |
| id: open_moderate_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_open_alerts.outputs.output }} | |
| script: 'map(select(.severity == "medium")) | length' | |
| - name: Get number of low alerts | |
| id: open_low_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_open_alerts.outputs.output }} | |
| script: 'map(select(.severity == "low")) | length' | |
| - name: Get fixed alerts | |
| id: fixed_alerts | |
| uses: octokit/[email protected] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} | |
| with: | |
| route: GET /repos/{owner}/{repo}/dependabot/alerts | |
| owner: revelrylabs | |
| repo: slax | |
| state: "fixed" | |
| sort: "updated" | |
| per_page: 100 | |
| - name: Set fixed input | |
| id: fixed_input | |
| run: | | |
| if [ steps.fixed_alerts.outputs.data.length > 0 ]; then | |
| echo 'alerts<<EOF' >> $GITHUB_OUTPUT | |
| echo '[${{ toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.fixed_at) }}, ${{ toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.security_advisory.severity) }}]' >> $GITHUB_OUTPUT | |
| echo 'EOF' >> $GITHUB_OUTPUT | |
| else | |
| echo "alerts=[]" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Build objects for fixed alerts | |
| id: fixed_objects | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.fixed_input.outputs.alerts }} | |
| script: '[.[0] as $times | .[1] as $severities | foreach range(0; $times|length) as $i ( {}; . = { "time": $times[$i], "severity": $severities[$i] } )]' | |
| - name: Get new fixed alerts | |
| id: new_fixed_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.fixed_objects.outputs.output }} | |
| script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' | |
| - name: Get number of new fixed alerts | |
| id: total_fixed_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_fixed_alerts.outputs.output }} | |
| script: 'length' | |
| - name: Get number of critical alerts | |
| id: fixed_critical_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_fixed_alerts.outputs.output }} | |
| script: 'map(select(.severity == "critical")) | length' | |
| - name: Get number of high alerts | |
| id: fixed_high_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_fixed_alerts.outputs.output }} | |
| script: 'map(select(.severity == "high")) | length' | |
| - name: Get number of moderate alerts | |
| id: fixed_moderate_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_fixed_alerts.outputs.output }} | |
| script: 'map(select(.severity == "medium")) | length' | |
| - name: Get number of low alerts | |
| id: fixed_low_alerts | |
| uses: edwardgeorge/jq-action@main | |
| with: | |
| input: ${{ steps.new_fixed_alerts.outputs.output }} | |
| script: 'map(select(.severity == "low")) | length' | |
| - name: Create monthly maintenence issue | |
| uses: imjohnbo/issue-bot@v3 | |
| with: | |
| labels: "dependencies, maintenance" | |
| title: 'Slax - Maintenance - ${{ steps.date.outputs.date }}' | |
| token: ${{ secrets.MONTHLY_AUTOMATION }} | |
| body: |- | |
| _requires [Slax dependabot alerts](https://github.com/revelrylabs/slax/security/dependabot)_ <!-- Link to project's dependabot alerts --> | |
| ## Background | |
| Slax currently has ${{steps.total_open_alerts.outputs.output}} new security vulnerabilities (${{steps.open_critical_alerts.outputs.output}} critical, ${{steps.open_high_alerts.outputs.output}} high, ${{steps.open_moderate_alerts.outputs.output}} moderate, and ${{steps.open_low_alerts.outputs.output}} low). The purpose of this ticket is to address Slax's security vulnerabilities. | |
| ${{steps.urls.outputs.output}} | |
| Closed last month: ${{steps.total_fixed_alerts.outputs.output}} | |
| Critical: ${{steps.fixed_critical_alerts.outputs.output}} | |
| High: ${{steps.fixed_high_alerts.outputs.output}} | |
| Moderate: ${{steps.fixed_moderate_alerts.outputs.output}} | |
| Low: ${{steps.fixed_low_alerts.outputs.output}} | |
| Open Dependabot pull requests: | |
| ${{steps.pull_requests.outputs.pull_requests}} | |
| ### Scenario: Update security vulnerabilities | |
| Given I am an Engineer | |
| - [ ] When I manually address dependency conflicts listed [here](https://github.com/revelrylabs/slax/security/dependabot)<!-- Link to project's dependabot alerts --> | |
| - [ ] Then I test by running locally | |
| - [ ] And I merge to master and test in production | |
| ### QA / UAT Note | |
| Remember to add a comment when passing this forward with links to: | |
| - [ ] the review app | |
| - [ ] the pull request itself |