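name: "nuget package reference check"

on:
  push:
  pull_request:
  schedule:
    - cron: '0 8 * * *'

# Least privilege for GITHUB_TOKEN: the job reads the checkout and writes
# issues/comments, nothing else. Declaring this also makes the issue step
# independent of the repository's default token permissions (which may be
# read-only, in which case issue creation would fail with 403).
# NOTE(review): on pull requests from forks the token is read-only regardless
# of this block, so the issue step cannot succeed for those events.
permissions:
  contents: read
  issues: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6.0.2
        with:
          # Shallow clone; the package checks only need the working tree,
          # so two commits of history is enough.
          fetch-depth: 2

      - name: Setup .NET Environment
        uses: actions/setup-dotnet@v5.1.0
        with:
          dotnet-version: '10.0.x'

      - name: Check for outdated packages
        id: outdated
        # Writes outdated.log (full report) and outdated-issue.log (report
        # without *.Tests project sections); sets output `outdated`.
        run: |
          set -eu
          # Packages to ignore (SDK/runtime-managed); extended regex for grep -E
          IGNORE_PACKAGES="Microsoft\.NETCore\.Platforms|Microsoft\.NETCore\.Targets"
          dotnet list SysML2.NET.sln package --outdated --include-transitive > outdated-raw.log
          # Filter out ignored core packages; grep exits 1 when nothing is
          # left, which is not an error here.
          grep -v -E "$IGNORE_PACKAGES" outdated-raw.log > outdated.log || true
          # Print full outdated report (including test projects) to action log
          echo "=== Full outdated packages report ==="
          cat outdated.log
          # Build issue log: exclude test project sections.
          # dotnet list output groups packages under project headers like:
          #   Project `ProjectName` has the following updates available:
          # Sections for *.Tests projects are dropped until the next header.
          awk '
            /^Project .*\.Tests/ { skip=1; next }
            /^Project / { skip=0 }
            !skip { print }
          ' outdated.log > outdated-issue.log
          # Package rows are the lines starting with ">"; headers and source
          # listings never contain one, so this distinguishes "has packages"
          # from "only boilerplate output".
          if grep -q ">" outdated-issue.log; then
            echo "Outdated packages found (non-test)"
            echo "outdated=true" >> "$GITHUB_OUTPUT"
          else
            echo "No outdated packages found in non-test projects"
            echo "outdated=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Check for deprecated packages
        id: deprecated
        # Writes deprecated.log; sets output `deprecated`.
        run: |
          set -eu
          dotnet list SysML2.NET.sln package --deprecated --include-transitive > deprecated.log
          # `dotnet list package` always prints project headers and the list of
          # sources used, so a non-empty file ([ -s ]) does not mean anything
          # is deprecated. Package rows start with ">", same as the outdated
          # check above.
          if grep -q ">" deprecated.log; then
            echo "Deprecated packages found"
            echo "deprecated=true" >> "$GITHUB_OUTPUT"
          else
            echo "No deprecated packages found"
            echo "deprecated=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Check for vulnerable packages
        id: vulnerable
        # Writes vulnerabilities.log; sets output `vulnerable`.
        run: |
          set -eu
          dotnet list SysML2.NET.sln package --vulnerable --include-transitive > vulnerabilities.log
          # Match a severity word anywhere in the report (-w: whole word only,
          # so e.g. "allow" does not match "low").
          if grep -q -i -E -w "critical|high|moderate|low" vulnerabilities.log; then
            echo "Security Vulnerabilities found"
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "No Security Vulnerabilities found"
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Create GitHub Issue if issues found
        if: steps.outdated.outputs.outdated == 'true' || steps.deprecated.outputs.deprecated == 'true' || steps.vulnerable.outputs.vulnerable == 'true'
        # v7 runs on a current Node runtime; v6 targets the retired Node 16.
        uses: actions/github-script@v7
        # Step outputs are passed through env rather than interpolated into
        # the script with ${{ }}: the values here are workflow-controlled, but
        # keeping expression substitution out of script bodies is the safe
        # habit and avoids quoting surprises.
        env:
          OUTDATED: ${{ steps.outdated.outputs.outdated }}
          DEPRECATED: ${{ steps.deprecated.outputs.deprecated }}
          VULNERABLE: ${{ steps.vulnerable.outputs.vulnerable }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');

            // GitHub rejects issue/comment bodies longer than 65536 characters.
            // Each of the three sections is capped so the combined body stays
            // well under that limit; the full report is always in the job log.
            const MAX_SECTION_CHARS = 20000;
            const clip = (text) =>
              text.length > MAX_SECTION_CHARS
                ? `${text.slice(0, MAX_SECTION_CHARS)}\n… (truncated, see workflow log for the full report)`
                : text;
            const section = (heading, file) =>
              `#### ${heading}\n\`\`\`\n${clip(fs.readFileSync(file, 'utf8'))}\n\`\`\`\n\n`;

            let issueBody = `### NuGet Package Issues Detected in [SysML2.NET](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY})\n\n`;
            if (process.env.OUTDATED === 'true') {
              issueBody += section('Outdated Packages', 'outdated-issue.log');
            }
            if (process.env.DEPRECATED === 'true') {
              issueBody += section('Deprecated Packages', 'deprecated.log');
            }
            if (process.env.VULNERABLE === 'true') {
              issueBody += section('Vulnerable Packages', 'vulnerabilities.log');
            }
            issueBody += '**Action Required:** Please review and update the affected packages.';

            const issueTitle = 'NuGet Package Issues Detected';
            // Paginate: a single listForRepo call returns at most one page, so
            // the tracking issue could be missed (and duplicated) on busy
            // repositories. listForRepo also returns pull requests; skip those.
            const openIssues = await github.paginate(github.rest.issues.listForRepo, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              per_page: 100,
            });
            const existingIssue = openIssues.find(
              (issue) => !issue.pull_request && issue.title === issueTitle,
            );

            if (existingIssue) {
              // Append the new results to the open tracking issue instead of
              // opening another one.
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: existingIssue.number,
                body: `New check results:\n${issueBody}`,
              });
            } else {
              await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title: issueTitle,
                body: issueBody,
                labels: ['dependencies', 'maintenance'],
              });
            }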