From 6b4bb6763c6ec52811958791d2a12bfa118c44c1 Mon Sep 17 00:00:00 2001 From: bford002 Date: Tue, 7 Nov 2023 08:41:03 -0600 Subject: [PATCH 1/5] monthly maintenance and project automations added --- .github/workflows/monthly_maintenance.yml | 183 ++++++++++++++++++++++ .github/workflows/project_automation.yml | 64 ++++++++ 2 files changed, 247 insertions(+) create mode 100644 .github/workflows/monthly_maintenance.yml create mode 100644 .github/workflows/project_automation.yml diff --git a/.github/workflows/monthly_maintenance.yml b/.github/workflows/monthly_maintenance.yml new file mode 100644 index 0000000..9caa07d --- /dev/null +++ b/.github/workflows/monthly_maintenance.yml 
@@ -0,0 +1,183 @@ +name: Monthly Maintenence +on: + schedule: + - cron: '0 0 1 * *' +jobs: + create_issue: + name: create_issue + runs-on: ubuntu-latest + permissions: + issues: write + steps: + - name: Get current month and year + id: date + run: echo "::set-output name=date::$(date +'%B %Y')" + - name: Get previous month + id: prevdate + run: echo "::set-output name=prevdate::$(date -d 'last month' +'%Y-%m-%dT%H:%M:%SZ')" + - name: Get open alerts + id: open_alerts + uses: octokit/request-action@v2.1.9 + env: + GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} + with: + route: GET /repos/{owner}/{repo}/dependabot/alerts + owner: revelrylabs + repo: slax + state: "open" + sort: "updated" + per_page: 100 + - name: Set open input + id: open_input + run: | + if [ steps.open_alerts.outputs.data.length > 0 ]; then + echo 'alerts<> $GITHUB_OUTPUT + echo '[${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.updated_at) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.security_advisory.*.severity) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.html_url) }}]' >> $GITHUB_OUTPUT + echo 'EOF' >> $GITHUB_OUTPUT + else + echo "alerts=[]" >> $GITHUB_OUTPUT + fi + - name: Build objects for open alerts + id: open_objects + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.open_input.outputs.alerts }} + script: '[.[0] as $times | .[1] as $severities | .[2] as $urls | foreach range(0; $times|length) as $i ( {}; . 
= { "time": $times[$i], "severity": $severities[$i], "url": $urls[$i] } )]' + - name: Get new open alerts + id: new_open_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.open_objects.outputs.output }} + script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' + - name: Get urls + id: urls + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: '.[].url' + raw-output: "true" + - name: Get number of new alerts + id: total_open_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'length' + - name: Get number of critical alerts + id: open_critical_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "critical")) | length' + - name: Get number of high alerts + id: open_high_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "high")) | length' + - name: Get number of moderate alerts + id: open_moderate_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "medium")) | length' + - name: Get number of low alerts + id: open_low_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "low")) | length' + - name: Get fixed alerts + id: fixed_alerts + uses: octokit/request-action@v2.1.9 + env: + GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} + with: + route: GET /repos/{owner}/{repo}/dependabot/alerts + owner: revelrylabs + repo: slax + state: "fixed" + sort: "updated" + per_page: 100 + - name: Set fixed input + id: fixed_input + run: | + if [ steps.fixed_alerts.outputs.data.length > 0 ]; then + echo 'alerts<> $GITHUB_OUTPUT + echo '[${{ 
toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.fixed_at) }}, ${{ toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.security_advisory.*.severity) }}]' >> $GITHUB_OUTPUT + echo 'EOF' >> $GITHUB_OUTPUT + else + echo "alerts=[]" >> $GITHUB_OUTPUT + fi + - name: Build objects for fixed alerts + id: fixed_objects + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.fixed_input.outputs.alerts }} + script: '[.[0] as $times | .[1] as $severities | foreach range(0; $times|length) as $i ( {}; . = { "time": $times[$i], "severity": $severities[$i] } )]' + - name: Get new fixed alerts + id: new_fixed_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.fixed_objects.outputs.output }} + script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' + - name: Get number of new fixed alerts + id: total_fixed_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'length' + - name: Get number of critical alerts + id: fixed_critical_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "critical")) | length' + - name: Get number of high alerts + id: fixed_high_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "high")) | length' + - name: Get number of moderate alerts + id: fixed_moderate_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "medium")) | length' + - name: Get number of low alerts + id: fixed_low_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "low")) | length' + - name: Create monthly maintenence issue + uses: imjohnbo/issue-bot@v3 + with: + labels: "dependencies, maintenance" + title: 'Ambrosia - Maintenance - ${{ 
steps.date.outputs.date }}' + token: ${{ secrets.MONTHLY_AUTOMATION }} + body: |- + _requires [Slax dependabot alerts](https://github.com/revelrylabs/slax/security/dependabot)_ + + ## Background + Slax currently has ${{steps.total_open_alerts.outputs.output}} new security vulnerabilities (${{steps.open_critical_alerts.outputs.output}} critical, ${{steps.open_high_alerts.outputs.output}} high, ${{steps.open_moderate_alerts.outputs.output}} moderate, and ${{steps.open_low_alerts.outputs.output}} low). The purpose of this ticket is to address Slax's security vulnerabilities. + + ${{steps.urls.outputs.output}} + + Closed last month: ${{steps.total_fixed_alerts.outputs.output}} + Critical: ${{steps.fixed_critical_alerts.outputs.output}} + High: ${{steps.fixed_high_alerts.outputs.output}} + Moderate: ${{steps.fixed_moderate_alerts.outputs.output}} + Low: ${{steps.fixed_low_alerts.outputs.output}} + + ### Scenario: Update security vulnerabilities + Given I am an Engineer + - [ ] When I manually address dependency conflicts listed [here](https://github.com/revelrylabs/slax/security/dependabot) + - [ ] Then I test by running locally + - [ ] And I merge to develop and test in staging + - [ ] And I merge to main and test in production + + ### QA / UAT Note + Remember to add a comment when passing this forward with links to: + - [ ] the review app + - [ ] the pull request itself diff --git a/.github/workflows/project_automation.yml b/.github/workflows/project_automation.yml new file mode 100644 index 0000000..7263da1 --- /dev/null +++ b/.github/workflows/project_automation.yml 
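Review bot: The guard `if [ steps.open_alerts.outputs.data.length > 0 ]; then` in the "Set open input" step (and its twin in "Set fixed input") is a plain shell test on a literal word, not a workflow expression, and inside `[ ]` the `>` is a redirection: the test is always true and a file named `0` is written into the workspace. Splicing the API response into the script body with `${{ toJSON(fromJSON(...)) }}` also means the response is evaluated as shell text; passing it through `env` and doing the field selection in jq avoids both problems and hands the same `[times, severities, urls]` shape to the "Build objects" step (an empty response gives `[[], [], []]`, which that step reduces to `[]` exactly as `alerts=[]` does). Two smaller points in the same hunk: `echo "::set-output name=date::..."` uses the deprecated command while the rest of the file already writes to `$GITHUB_OUTPUT`, and every `uses: edwardgeorge/jq-action@main` tracks a mutable branch, so the steps that build the issue body run whatever that branch holds on the day — pin it to a tag or commit SHA as the other actions here are. `per_page: 100` with no pagination caps both counts at the first page, which deserves a comment on the request steps. This hunk is re-added unchanged (apart from the title) in PATCH 3, commit ddd5053, where all of the above applies too.
```yaml
      - name: Set open input
        id: open_input
        env:
          # Pass the API response through the environment instead of
          # interpolating it into the script body
          ALERTS: ${{ steps.open_alerts.outputs.data }}
        run: |
          # Same [times, severities, urls] shape the next step expects;
          # an empty response yields [[], [], []]
          selected=$(printf '%s' "$ALERTS" | jq -c '[map(.updated_at), map(.security_advisory.severity), map(.html_url)]')
          {
            echo 'alerts<<EOF'
            echo "$selected"
            echo 'EOF'
          } >> "$GITHUB_OUTPUT"
      # … unchanged: "Build objects for open alerts" and the following steps …
```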
@@ -0,0 +1,64 @@ +name: Project automations +on: + issues: + types: + - opened + - labeled + pull_request_target: + types: + - labeled +jobs: + issue_opened: + name: issue_opened + runs-on: ubuntu-latest + if: github.event_name == 'issues' && github.event.action == 'opened' + steps: + - name: Move new issues to Backlog + uses: leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.issue.node_id }} + status_value: Backlog # Target status + needs_investigation: + name: needs_investigation + runs-on: ubuntu-latest + if: github.event.action == 'labeled' && github.event.label.name == 'needs investigation' + steps: + - name: Move needs investigation labeled issues to Needs Investigation status + uses: leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.issue.node_id }} + status_value: Needs Investigation # Target status + ready_to_work: + name: ready_to_work + runs-on: ubuntu-latest + if: (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies')) || + (github.event.action == 'labeled' && github.event.label.name == 'approved') + steps: + - name: Move Dependabot PR or approved issues to Ready to work + uses: leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.pull_request.node_id }}${{ github.event.issue.node_id }} + status_value: Ready to Work # Target status + monthly_maintenance: + name: monthly_maintenance + runs-on: ubuntu-latest + needs: issue_opened + if: github.event.action == 'labeled' && contains(github.event.issue.title, 'Slax - Maintenance') + steps: + - name: Move monthly maintenance issues to Maintenance + uses: 
leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.issue.node_id }} + status_value: Maintenance # Target status From 5b9d073a8e11dfab6c3145f49e547148975c3692 Mon Sep 17 00:00:00 2001 From: bford002 Date: Tue, 7 Nov 2023 08:42:38 -0600 Subject: [PATCH 2/5] Revert "monthly maintenance and project automations added" This reverts commit 6b4bb6763c6ec52811958791d2a12bfa118c44c1. --- .github/workflows/monthly_maintenance.yml | 183 ---------------------- .github/workflows/project_automation.yml | 64 -------- 2 files changed, 247 deletions(-) delete mode 100644 .github/workflows/monthly_maintenance.yml delete mode 100644 .github/workflows/project_automation.yml diff --git a/.github/workflows/monthly_maintenance.yml b/.github/workflows/monthly_maintenance.yml deleted file mode 100644 index 9caa07d..0000000 --- a/.github/workflows/monthly_maintenance.yml +++ /dev/null 
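Review bot: The `ready_to_work` job can never take its Dependabot branch: the workflow subscribes to `pull_request_target`, so `github.event_name` is `'pull_request_target'`, never `'pull_request'`, and the first half of its `if` is always false; it should read `if: (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'dependencies')) ||`. In the same hunk `needs_investigation` matches any `labeled` event, including PR labels, and then passes an empty `${{ github.event.issue.node_id }}` to the action; prefixing its condition with `github.event_name == 'issues' &&` keeps it to issues. Using `pull_request_target` together with `secrets.GH_TOKEN` is acceptable here only because no PR code is checked out or executed — a comment on the `on:` block saying so would stop a later `actions/checkout` of the PR head being added without thought. This hunk is re-added unchanged in PATCH 3, commit ddd5053, where the first two points still apply.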
@@ -1,183 +0,0 @@ -name: Monthly Maintenence -on: - schedule: - - cron: '0 0 1 * *' -jobs: - create_issue: - name: create_issue - runs-on: ubuntu-latest - permissions: - issues: write - steps: - - name: Get current month and year - id: date - run: echo "::set-output name=date::$(date +'%B %Y')" - - name: Get previous month - id: prevdate - run: echo "::set-output name=prevdate::$(date -d 'last month' +'%Y-%m-%dT%H:%M:%SZ')" - - name: Get open alerts - id: open_alerts - uses: octokit/request-action@v2.1.9 - env: - GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} - with: - route: GET /repos/{owner}/{repo}/dependabot/alerts - owner: revelrylabs - repo: slax - state: "open" - sort: "updated" - per_page: 100 - - name: Set open input - id: open_input - run: | - if [ steps.open_alerts.outputs.data.length > 0 ]; then - echo 'alerts<> $GITHUB_OUTPUT - echo '[${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.updated_at) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.security_advisory.*.severity) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.html_url) }}]' >> $GITHUB_OUTPUT - echo 'EOF' >> $GITHUB_OUTPUT - else - echo "alerts=[]" >> $GITHUB_OUTPUT - fi - - name: Build objects for open alerts - id: open_objects - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.open_input.outputs.alerts }} - script: '[.[0] as $times | .[1] as $severities | .[2] as $urls | foreach range(0; $times|length) as $i ( {}; . 
= { "time": $times[$i], "severity": $severities[$i], "url": $urls[$i] } )]' - - name: Get new open alerts - id: new_open_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.open_objects.outputs.output }} - script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' - - name: Get urls - id: urls - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_open_alerts.outputs.output }} - script: '.[].url' - raw-output: "true" - - name: Get number of new alerts - id: total_open_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_open_alerts.outputs.output }} - script: 'length' - - name: Get number of critical alerts - id: open_critical_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_open_alerts.outputs.output }} - script: 'map(select(.severity == "critical")) | length' - - name: Get number of high alerts - id: open_high_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_open_alerts.outputs.output }} - script: 'map(select(.severity == "high")) | length' - - name: Get number of moderate alerts - id: open_moderate_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_open_alerts.outputs.output }} - script: 'map(select(.severity == "medium")) | length' - - name: Get number of low alerts - id: open_low_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_open_alerts.outputs.output }} - script: 'map(select(.severity == "low")) | length' - - name: Get fixed alerts - id: fixed_alerts - uses: octokit/request-action@v2.1.9 - env: - GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} - with: - route: GET /repos/{owner}/{repo}/dependabot/alerts - owner: revelrylabs - repo: slax - state: "fixed" - sort: "updated" - per_page: 100 - - name: Set fixed input - id: fixed_input - run: | - if [ steps.fixed_alerts.outputs.data.length > 0 ]; then - echo 'alerts<> $GITHUB_OUTPUT - echo '[${{ 
toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.fixed_at) }}, ${{ toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.security_advisory.*.severity) }}]' >> $GITHUB_OUTPUT - echo 'EOF' >> $GITHUB_OUTPUT - else - echo "alerts=[]" >> $GITHUB_OUTPUT - fi - - name: Build objects for fixed alerts - id: fixed_objects - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.fixed_input.outputs.alerts }} - script: '[.[0] as $times | .[1] as $severities | foreach range(0; $times|length) as $i ( {}; . = { "time": $times[$i], "severity": $severities[$i] } )]' - - name: Get new fixed alerts - id: new_fixed_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.fixed_objects.outputs.output }} - script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' - - name: Get number of new fixed alerts - id: total_fixed_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_fixed_alerts.outputs.output }} - script: 'length' - - name: Get number of critical alerts - id: fixed_critical_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_fixed_alerts.outputs.output }} - script: 'map(select(.severity == "critical")) | length' - - name: Get number of high alerts - id: fixed_high_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_fixed_alerts.outputs.output }} - script: 'map(select(.severity == "high")) | length' - - name: Get number of moderate alerts - id: fixed_moderate_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_fixed_alerts.outputs.output }} - script: 'map(select(.severity == "medium")) | length' - - name: Get number of low alerts - id: fixed_low_alerts - uses: edwardgeorge/jq-action@main - with: - input: ${{ steps.new_fixed_alerts.outputs.output }} - script: 'map(select(.severity == "low")) | length' - - name: Create monthly maintenence issue - uses: imjohnbo/issue-bot@v3 - with: - labels: "dependencies, maintenance" - title: 'Ambrosia - Maintenance - ${{ 
steps.date.outputs.date }}' - token: ${{ secrets.MONTHLY_AUTOMATION }} - body: |- - _requires [Slax dependabot alerts](https://github.com/revelrylabs/slax/security/dependabot)_ - - ## Background - Slax currently has ${{steps.total_open_alerts.outputs.output}} new security vulnerabilities (${{steps.open_critical_alerts.outputs.output}} critical, ${{steps.open_high_alerts.outputs.output}} high, ${{steps.open_moderate_alerts.outputs.output}} moderate, and ${{steps.open_low_alerts.outputs.output}} low). The purpose of this ticket is to address Slax's security vulnerabilities. - - ${{steps.urls.outputs.output}} - - Closed last month: ${{steps.total_fixed_alerts.outputs.output}} - Critical: ${{steps.fixed_critical_alerts.outputs.output}} - High: ${{steps.fixed_high_alerts.outputs.output}} - Moderate: ${{steps.fixed_moderate_alerts.outputs.output}} - Low: ${{steps.fixed_low_alerts.outputs.output}} - - ### Scenario: Update security vulnerabilities - Given I am an Engineer - - [ ] When I manually address dependency conflicts listed [here](https://github.com/revelrylabs/slax/security/dependabot) - - [ ] Then I test by running locally - - [ ] And I merge to develop and test in staging - - [ ] And I merge to main and test in production - - ### QA / UAT Note - Remember to add a comment when passing this forward with links to: - - [ ] the review app - - [ ] the pull request itself diff --git a/.github/workflows/project_automation.yml b/.github/workflows/project_automation.yml deleted file mode 100644 index 7263da1..0000000 --- a/.github/workflows/project_automation.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -name: Project automations -on: - issues: - types: - - opened - - labeled - pull_request_target: - types: - - labeled -jobs: - issue_opened: - name: issue_opened - runs-on: ubuntu-latest - if: github.event_name == 'issues' && github.event.action == 'opened' - steps: - - name: Move new issues to Backlog - uses: leonsteinhaeuser/project-beta-automations@v2.1.0 - with: - gh_token: ${{ secrets.GH_TOKEN }} - organization: revelrylabs - project_id: 13 - resource_node_id: ${{ github.event.issue.node_id }} - status_value: Backlog # Target status - needs_investigation: - name: needs_investigation - runs-on: ubuntu-latest - if: github.event.action == 'labeled' && github.event.label.name == 'needs investigation' - steps: - - name: Move needs investigation labeled issues to Needs Investigation status - uses: leonsteinhaeuser/project-beta-automations@v2.1.0 - with: - gh_token: ${{ secrets.GH_TOKEN }} - organization: revelrylabs - project_id: 13 - resource_node_id: ${{ github.event.issue.node_id }} - status_value: Needs Investigation # Target status - ready_to_work: - name: ready_to_work - runs-on: ubuntu-latest - if: (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies')) || - (github.event.action == 'labeled' && github.event.label.name == 'approved') - steps: - - name: Move Dependabot PR or approved issues to Ready to work - uses: leonsteinhaeuser/project-beta-automations@v2.1.0 - with: - gh_token: ${{ secrets.GH_TOKEN }} - organization: revelrylabs - project_id: 13 - resource_node_id: ${{ github.event.pull_request.node_id }}${{ github.event.issue.node_id }} - status_value: Ready to Work # Target status - monthly_maintenance: - name: monthly_maintenance - runs-on: ubuntu-latest - needs: issue_opened - if: github.event.action == 'labeled' && contains(github.event.issue.title, 'Slax - Maintenance') - steps: - - name: Move monthly maintenance issues to Maintenance - uses: 
leonsteinhaeuser/project-beta-automations@v2.1.0 - with: - gh_token: ${{ secrets.GH_TOKEN }} - organization: revelrylabs - project_id: 13 - resource_node_id: ${{ github.event.issue.node_id }} - status_value: Maintenance # Target status From ddd5053b5272cc8afb3e9b23fc2c5925fe357243 Mon Sep 17 00:00:00 2001 From: bford002 Date: Tue, 7 Nov 2023 08:46:58 -0600 Subject: [PATCH 3/5] monthly maintenance and project automations --- .github/workflows/monthly_maintenance.yml | 183 ++++++++++++++++++++++ .github/workflows/project_automation.yml | 64 ++++++++ 2 files changed, 247 insertions(+) create mode 100644 .github/workflows/monthly_maintenance.yml create mode 100644 .github/workflows/project_automation.yml diff --git a/.github/workflows/monthly_maintenance.yml b/.github/workflows/monthly_maintenance.yml new file mode 100644 index 0000000..c350a82 --- /dev/null +++ b/.github/workflows/monthly_maintenance.yml 
@@ -0,0 +1,183 @@ +name: Monthly Maintenence +on: + schedule: + - cron: '0 0 1 * *' +jobs: + create_issue: + name: create_issue + runs-on: ubuntu-latest + permissions: + issues: write + steps: + - name: Get current month and year + id: date + run: echo "::set-output name=date::$(date +'%B %Y')" + - name: Get previous month + id: prevdate + run: echo "::set-output name=prevdate::$(date -d 'last month' +'%Y-%m-%dT%H:%M:%SZ')" + - name: Get open alerts + id: open_alerts + uses: octokit/request-action@v2.1.9 + env: + GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} + with: + route: GET /repos/{owner}/{repo}/dependabot/alerts + owner: revelrylabs + repo: slax + state: "open" + sort: "updated" + per_page: 100 + - name: Set open input + id: open_input + run: | + if [ steps.open_alerts.outputs.data.length > 0 ]; then + echo 'alerts<> $GITHUB_OUTPUT + echo '[${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.updated_at) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.security_advisory.*.severity) }}, ${{ toJSON(fromJSON(steps.open_alerts.outputs.data).*.html_url) }}]' >> $GITHUB_OUTPUT + echo 'EOF' >> $GITHUB_OUTPUT + else + echo "alerts=[]" >> $GITHUB_OUTPUT + fi + - name: Build objects for open alerts + id: open_objects + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.open_input.outputs.alerts }} + script: '[.[0] as $times | .[1] as $severities | .[2] as $urls | foreach range(0; $times|length) as $i ( {}; . 
= { "time": $times[$i], "severity": $severities[$i], "url": $urls[$i] } )]' + - name: Get new open alerts + id: new_open_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.open_objects.outputs.output }} + script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' + - name: Get urls + id: urls + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: '.[].url' + raw-output: "true" + - name: Get number of new alerts + id: total_open_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'length' + - name: Get number of critical alerts + id: open_critical_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "critical")) | length' + - name: Get number of high alerts + id: open_high_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "high")) | length' + - name: Get number of moderate alerts + id: open_moderate_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "medium")) | length' + - name: Get number of low alerts + id: open_low_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_open_alerts.outputs.output }} + script: 'map(select(.severity == "low")) | length' + - name: Get fixed alerts + id: fixed_alerts + uses: octokit/request-action@v2.1.9 + env: + GITHUB_TOKEN: ${{ secrets.MONTHLY_AUTOMATION }} + with: + route: GET /repos/{owner}/{repo}/dependabot/alerts + owner: revelrylabs + repo: slax + state: "fixed" + sort: "updated" + per_page: 100 + - name: Set fixed input + id: fixed_input + run: | + if [ steps.fixed_alerts.outputs.data.length > 0 ]; then + echo 'alerts<> $GITHUB_OUTPUT + echo '[${{ 
toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.fixed_at) }}, ${{ toJSON(fromJSON(steps.fixed_alerts.outputs.data).*.security_advisory.*.severity) }}]' >> $GITHUB_OUTPUT + echo 'EOF' >> $GITHUB_OUTPUT + else + echo "alerts=[]" >> $GITHUB_OUTPUT + fi + - name: Build objects for fixed alerts + id: fixed_objects + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.fixed_input.outputs.alerts }} + script: '[.[0] as $times | .[1] as $severities | foreach range(0; $times|length) as $i ( {}; . = { "time": $times[$i], "severity": $severities[$i] } )]' + - name: Get new fixed alerts + id: new_fixed_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.fixed_objects.outputs.output }} + script: 'map(select(.time >= "${{ steps.prevdate.outputs.prevdate }}"))' + - name: Get number of new fixed alerts + id: total_fixed_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'length' + - name: Get number of critical alerts + id: fixed_critical_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "critical")) | length' + - name: Get number of high alerts + id: fixed_high_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "high")) | length' + - name: Get number of moderate alerts + id: fixed_moderate_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "medium")) | length' + - name: Get number of low alerts + id: fixed_low_alerts + uses: edwardgeorge/jq-action@main + with: + input: ${{ steps.new_fixed_alerts.outputs.output }} + script: 'map(select(.severity == "low")) | length' + - name: Create monthly maintenence issue + uses: imjohnbo/issue-bot@v3 + with: + labels: "dependencies, maintenance" + title: 'Rev Time - Maintenance - ${{ 
steps.date.outputs.date }}' + token: ${{ secrets.MONTHLY_AUTOMATION }} + body: |- + _requires [Slax dependabot alerts](https://github.com/revelrylabs/slax/security/dependabot)_ + + ## Background + Slax currently has ${{steps.total_open_alerts.outputs.output}} new security vulnerabilities (${{steps.open_critical_alerts.outputs.output}} critical, ${{steps.open_high_alerts.outputs.output}} high, ${{steps.open_moderate_alerts.outputs.output}} moderate, and ${{steps.open_low_alerts.outputs.output}} low). The purpose of this ticket is to address Slax's security vulnerabilities. + + ${{steps.urls.outputs.output}} + + Closed last month: ${{steps.total_fixed_alerts.outputs.output}} + Critical: ${{steps.fixed_critical_alerts.outputs.output}} + High: ${{steps.fixed_high_alerts.outputs.output}} + Moderate: ${{steps.fixed_moderate_alerts.outputs.output}} + Low: ${{steps.fixed_low_alerts.outputs.output}} + + ### Scenario: Update security vulnerabilities + Given I am an Engineer + - [ ] When I manually address dependency conflicts listed [here](https://github.com/revelrylabs/slax/security/dependabot) + - [ ] Then I test by running locally + - [ ] And I merge to develop and test in staging + - [ ] And I merge to main and test in production + + ### QA / UAT Note + Remember to add a comment when passing this forward with links to: + - [ ] the review app + - [ ] the pull request itself diff --git a/.github/workflows/project_automation.yml b/.github/workflows/project_automation.yml new file mode 100644 index 0000000..7263da1 --- /dev/null +++ b/.github/workflows/project_automation.yml 
@@ -0,0 +1,64 @@ +name: Project automations +on: + issues: + types: + - opened + - labeled + pull_request_target: + types: + - labeled +jobs: + issue_opened: + name: issue_opened + runs-on: ubuntu-latest + if: github.event_name == 'issues' && github.event.action == 'opened' + steps: + - name: Move new issues to Backlog + uses: leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.issue.node_id }} + status_value: Backlog # Target status + needs_investigation: + name: needs_investigation + runs-on: ubuntu-latest + if: github.event.action == 'labeled' && github.event.label.name == 'needs investigation' + steps: + - name: Move needs investigation labeled issues to Needs Investigation status + uses: leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.issue.node_id }} + status_value: Needs Investigation # Target status + ready_to_work: + name: ready_to_work + runs-on: ubuntu-latest + if: (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies')) || + (github.event.action == 'labeled' && github.event.label.name == 'approved') + steps: + - name: Move Dependabot PR or approved issues to Ready to work + uses: leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.pull_request.node_id }}${{ github.event.issue.node_id }} + status_value: Ready to Work # Target status + monthly_maintenance: + name: monthly_maintenance + runs-on: ubuntu-latest + needs: issue_opened + if: github.event.action == 'labeled' && contains(github.event.issue.title, 'Slax - Maintenance') + steps: + - name: Move monthly maintenance issues to Maintenance + uses: 
leonsteinhaeuser/project-beta-automations@v2.1.0 + with: + gh_token: ${{ secrets.GH_TOKEN }} + organization: revelrylabs + project_id: 13 + resource_node_id: ${{ github.event.issue.node_id }} + status_value: Maintenance # Target status From 0a5cd09a48f81be9f6f3b325901cd6eaf081f26b Mon Sep 17 00:00:00 2001 From: bford002 Date: Tue, 7 Nov 2023 08:53:27 -0600 Subject: [PATCH 4/5] title --- .github/workflows/monthly_maintenance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/monthly_maintenance.yml b/.github/workflows/monthly_maintenance.yml index c350a82..6091fca 100644 --- a/.github/workflows/monthly_maintenance.yml +++ b/.github/workflows/monthly_maintenance.yml @@ -154,7 +154,7 @@ jobs: uses: imjohnbo/issue-bot@v3 with: labels: "dependencies, maintenance" - title: 'Rev Time - Maintenance - ${{ steps.date.outputs.date }}' + title: 'Slax - Maintenance - ${{ steps.date.outputs.date }}' token: ${{ secrets.MONTHLY_AUTOMATION }} body: |- _requires [Slax dependabot alerts](https://github.com/revelrylabs/slax/security/dependabot)_ From 9985dc68eeda085e6bc48e73def88f5dd6184388 Mon Sep 17 00:00:00 2001 From: bford002 Date: Tue, 7 Nov 2023 14:20:29 -0600 Subject: [PATCH 5/5] updated project automation --- .github/workflows/project_automation.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/project_automation.yml b/.github/workflows/project_automation.yml index 7263da1..d69d27a 100644 --- a/.github/workflows/project_automation.yml +++ b/.github/workflows/project_automation.yml @@ -11,7 +11,7 @@ jobs: issue_opened: name: issue_opened runs-on: ubuntu-latest - if: github.event_name == 'issues' && github.event.action == 'opened' + if: github.event_name == 'issues' && github.event.action == 'opened' && join(github.event.issue.labels) == '' steps: - name: Move new issues to Backlog uses: leonsteinhaeuser/project-beta-automations@v2.1.0 
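Review bot: The new `join(github.event.issue.labels) == ''` in `issue_opened`'s `if` relies on how `join` casts an array of label objects rather than strings, which I would not depend on without checking; the intent ("opened with no labels") reads more directly and avoids the cast as `github.event.issue.labels[0] == null`. Whichever form stays, a short comment on the line saying why label-less issues alone go to Backlog would help the next reader, since the `maintenance` job in the same commit now handles the labelled ones. The enclosing `jobs:` mapping continues outside the hunk.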
@@ -48,13 +48,12 @@ jobs: project_id: 13 resource_node_id: ${{ github.event.pull_request.node_id }}${{ github.event.issue.node_id }} status_value: Ready to Work # Target status - monthly_maintenance: - name: monthly_maintenance + maintenance: + name: maintenance runs-on: ubuntu-latest - needs: issue_opened - if: github.event.action == 'labeled' && contains(github.event.issue.title, 'Slax - Maintenance') + if: github.event.action == 'labeled' && github.event.label.name == 'maintenance' steps: - - name: Move monthly maintenance issues to Maintenance + - name: Move maintenance labeled issues to Maintenance status uses: leonsteinhaeuser/project-beta-automations@v2.1.0 with: gh_token: ${{ secrets.GH_TOKEN }}
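Review bot: The new `maintenance` job's condition `github.event.action == 'labeled' && github.event.label.name == 'maintenance'` also matches the `pull_request_target: labeled` trigger this file declares (see the `on:` block created in PATCH 3), and on that event `${{ github.event.issue.node_id }}` expands to an empty `resource_node_id`; guard it with `if: github.event_name == 'issues' && github.event.action == 'labeled' && github.event.label.name == 'maintenance'`. Dropping `needs: issue_opened` is right, since that job is skipped on `labeled` events and would have skipped this one with it. The label name `maintenance` must stay in step with the `labels: "dependencies, maintenance"` that issue-bot sets in monthly_maintenance.yml; a comment on the `if` line naming that coupling would save a future hunt. The job's `with:` block continues outside the hunk.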