Dependabot PRs issue #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependabot PRs issue | |
| on: | |
| # At 12:00 on day-of-month 1 in March, June, September, and December. | |
| schedule: | |
| - cron: '0 12 1 3,6,9,12 *' | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| js-prs-issue: | |
| name: Dependabot PRs issue | |
| # Only run cron on the silverstripe account | |
| if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| steps: | |
| - name: Get Alerts List | |
| id: get-alerts-list | |
| run: | | |
| ALERTS_LIST='' | |
| # Get list of supported modules | |
| curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json | |
| # If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file. | |
| MODULES=$(jq -e '.' __modules.json) || true | |
| if [[ $MODULES == "" ]]; then | |
| # If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format. | |
| echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:" | |
| cat __modules.json | |
| # Instead of exiting, output an error instead of the dependabot alert list. | |
| # We don't have any reporting indicating if this workflow fails, so this is a good way to track that. | |
| ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.' | |
| else | |
| # Create a list of markdown links for supported module dependabot stuff | |
| ALERTS_LIST=$(php -r ' | |
| $json = json_decode(file_get_contents("__modules.json"), true); | |
| foreach ($json["supportedModules"] as $module) { | |
| # Assumes CMS 5 is the most recent stable version | |
| if (!isset($module["majorVersionMapping"]["5"])) { | |
| continue; | |
| } | |
| $githubRef = $module["github"]; | |
| $branch = end($module["majorVersionMapping"]["5"]); | |
| $packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json"; | |
| $headers = get_headers($packageJsonURL); | |
| # $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found" | |
| $response = $headers[0]; | |
| # Skip modules which do not have a package.json file | |
| if (strpos($response, "404") !== false) { | |
| continue; | |
| } | |
| # If we have something other than 404 (above) or 200, output an error string for the list | |
| # and move on. | |
| if (strpos($response, "200") === false) { | |
| echo "- $githubRef: Unable to check package.json, response was $response.\\n"; | |
| continue; | |
| } | |
| # If we get here, we have a package.json file so we should add a dependabot alerts URL to the list | |
| echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n"; | |
| } | |
| ') | |
| fi | |
| echo 'ALERTS_LIST is:' | |
| echo $ALERTS_LIST | |
| echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT | |
| - name: Dependabot PRs issue | |
| uses: silverstripe/gha-issue@v1 | |
| env: | |
| ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }} | |
| with: | |
| title: Dependabot pull-requests | |
| description: | | |
| This is an automatically created issue used to list dependabot pull requests every 3 months.\n | |
| \n | |
| It was created by the `.github/workflows/dependabot-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n | |
| \n | |
| ### Triage instructions (Silverstripe Ltd CMS Squad)\n | |
| 1. Put on the following labels:\n | |
| - `type/bug`\n | |
| - `impact/low`\n | |
| 2. Move this issue to the "Ready" column on our internal zenhub board\n | |
| 3. If there is an open issue for JS PRs, block this issue on it - those PRs may resolve some dependabot alerts\n | |
| \n | |
| ### Dependabot pull-requests:\n | |
| See the [list of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22}) in Rhino.\n | |
| - Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process\n | |
| - You can check to see if the dependabot alert affects non-dev dependencies by running `yarn audit --groups dependencies` locally on default branch of the module.\n | |
| - Use `yarn audit --groups devDependencies` to see dev-only dependencies.\n | |
| - Merge these PRs if there are no merge-conflicts and CI is green\n | |
| - If there are conflicts or CI isn't green, get dependabot to recreate the PR\n | |
| - If there are still problems, manually resolve them and open your own PR\n | |
| - Backport anything that seems like it needs to be patched immediately\n | |
| \n | |
| ### Dependabot alerts:\n | |
| After all of the above have been completed and resolved, check for any outstanding dependabot alerts in the list below.\n | |
| - Make a quick determination as to whether any alerts warrant using our security process\n | |
| - Ignore or dismiss any alerts that aren't relevant\n | |
| - Try to resolve any relevant alerts which dependabot is unable to resolve automatically\n | |
| \n | |
| Respositories with alerts:\n | |
| ${{ env.ALERTS_LIST }} | |
| - name: Delete temporary files | |
| shell: bash | |
| if: always() | |
| run: | | |
| if [[ -f __modules.json ]]; then | |
| rm __modules.json | |
| fi |