build(deps): bump marocchino/sticky-pull-request-comment from 2.9.4 to 3.0.3 #216
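# dependency-checks: PR gate on JavaScript dependency hygiene.
#   1. Manifest compliance — every lockfile found next to a package.json is
#      checked: yarn.lock / package-lock.json are reported, pnpm-lock.yaml must
#      carry a lockfileVersion above the minimum, and only one lockfile is allowed.
#   2. Blocklist — every pnpm-lock.yaml is searched for the name@version pairs
#      listed in centreon/security-tools (blacklist/compromised-packages.txt).
# Findings are collected in error_log.txt and posted as a sticky PR comment.
# Manifest findings are warnings until OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE has
# passed and errors afterwards; a blocklist match is always an error.
# Configuration variables (vars.*) read:
#   OVERRIDE_DEPENDENCY_SCAN             - "true" skips the whole scan
#   OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE - date (GNU `date -d` syntax) after which
#                                          manifest findings break the build
name: dependency-checks

on:
  pull_request:
  workflow_call:

permissions:
  pull-requests: write
  contents: read

jobs:
  dependency-scan:
    name: Run dependencies analysis
    runs-on: ${{ (github.repository_visibility != 'public' && github.repository_owner == 'centreon') && 'centreon-security' || 'ubuntu-24.04' }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Check dependencies type and lockfiles version
        # Configuration variables are handed to the script through env instead of
        # being expanded with ${{ }} inside the script body, so their content is
        # never parsed as shell.
        env:
          OVERRIDE_DEPENDENCY_SCAN: ${{ vars.OVERRIDE_DEPENDENCY_SCAN }}
          OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE: ${{ vars.OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE }}
        run: |
          # Check override
          if [[ "${OVERRIDE_DEPENDENCY_SCAN:-}" == "true" ]]; then
            echo "[INFO] - Scan override enabled"
            echo "fail_the_build=false" >> "$GITHUB_ENV"
            cat "$GITHUB_ENV"
            exit 0 # original return does not seems to be working in a pure GHA run statement
          fi

          # Check date
          current_timestamp=$(date +%s)
          DUE_DATE="${OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE:-}"
          # NOTE(review): with GNU date an empty DUE_DATE resolves to today 00:00,
          # i.e. enforcement is ON when the variable is unset, and an unparsable
          # date aborts the step (shell: bash runs with -e) — confirm both are intended.
          input_timestamp=$(date -d "$DUE_DATE" +%s)

          # Setup vars
          ERROR_LOG="error_log.txt"   # posted as the sticky PR comment by the next step
          touch "$ERROR_LOG"
          FORCE_FAIL="false"          # raised by any finding that must break the build
          ENFORCEMENT="false"         # "true" once DUE_DATE has passed: manifest findings become errors
          FAIL_THE_BUILD="false"
          if [[ "$current_timestamp" -ge "$input_timestamp" ]]; then
            echo "[INFO]: Deadline passed."
            ENFORCEMENT="true"
          fi

          ##
          # Scan manifests compliance
          ##

          # Report a manifest finding: [ERROR] and fail the build once the deadline
          # has passed, [WARNING] before. The message is always appended to ERROR_LOG.
          #   $1 - message
          message_type() {
            local msg="$1"
            if [[ "$ENFORCEMENT" == "true" ]]; then
              echo "[ERROR] : $msg"
              FORCE_FAIL="true"
            else
              echo "[WARNING] : $msg"
            fi
            echo "$msg" >> "$ERROR_LOG"
          }

          # True when $1 >= $2 in version order (sort -V).
          version_ge() {
            [[ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" == "$2" ]]
          }

          # Compare pnpm version used in lockfile against the minimum we accept.
          # Called in the current shell, not via $(...): a subshell would lose the
          # FORCE_FAIL raised by message_type.
          #   $1 - path to a pnpm-lock.yaml
          compare_version() {
            local loc_file="$1"
            local min_lockfile_version="8.9.9"
            local lockfile_version
            # A lockfile without a lockfileVersion line used to abort the whole step
            # (failed pipeline under -e); it is now reported like any other finding.
            lockfile_version=$(grep -E '^lockfileVersion:' "$loc_file" \
              | awk '{print $2}' \
              | tr -d "'\"" || true)
            echo "[DEBUG] - MIN_LOCKFILE_VERSION = $min_lockfile_version and LOCKFILE_VERSION = $lockfile_version"
            if [[ -z "$lockfile_version" ]]; then
              message_type "PNPM lockfile update is required : no lockfileVersion found in **$loc_file**"
            elif ! version_ge "$lockfile_version" "$min_lockfile_version"; then
              # strict "<": a lockfileVersion equal to the minimum is accepted
              message_type "PNPM lockfile update is required : lockfileVersion $lockfile_version < $min_lockfile_version found in **$loc_file**"
            fi
          }

          # Scan manifests compliance
          echo "[INFO] - Scan manifests compliance"
          # find -print0 + read -d '': paths containing spaces stay intact
          DEP_FILES=()
          while IFS= read -r -d '' f; do DEP_FILES+=("$f"); done < <(find ./ -type f -name "package.json" -print0)
          for DEP_FILE in "${DEP_FILES[@]}"; do
            DEP_DIR=$(dirname "$DEP_FILE")
            echo "[INFO] - Scanning $DEP_FILE"
            # parentheses: -type f applies to all three names, not only the first
            LOC_FILES=()
            while IFS= read -r -d '' f; do LOC_FILES+=("$f"); done < <(find "$DEP_DIR" -maxdepth 1 -type f \
              \( -name "package-lock.json" -o -name "pnpm-lock.yaml" -o -name "yarn.lock" \) -print0)
            # TODO(review): "A lockfile is required. No lockfile found in ..." was an
            # unreachable case arm (the loop never runs on an empty list) and is still
            # not raised here; enabling it needs a decision on packages that share a
            # lockfile higher up the tree (workspaces).
            COUNT=0
            for LOC_FILE in "${LOC_FILES[@]}"; do
              COUNT=$((COUNT+1))
              LOC_TYPE=$(basename "$LOC_FILE")
              LOC_DIR=$(dirname "$LOC_FILE")
              echo "[DEBUG] - COUNT = $COUNT / LocFile = $LOC_FILE"
              case "$LOC_TYPE" in
                "yarn.lock")
                  message_type "YARN is no longer allowed. Kindly replace the lockfile using PNPM. Found in **$LOC_FILE**"
                  ;;
                "package-lock.json")
                  message_type "NPM is no longer allowed. Kindly replace the lockfile using PNPM. Found in **$LOC_FILE**"
                  ;;
                "pnpm-lock.yaml")
                  compare_version "$LOC_FILE"
                  ;;
              esac
            done
            if [[ "$COUNT" -gt 1 ]]; then
              message_type "$COUNT lockfiles were found. Kindly keep only the lockfile generated with PNPM. Found in **$LOC_DIR**"
            fi
          done

          ##
          # Scan manifests for blacklisted dependencies
          ##

          # Look for one compromised package@version in a pnpm lockfile. A match is
          # always an error and breaks the build, whatever the enforcement date.
          #   $1 - lockfile path, $2 - package name, $3 - version
          checkPnpmLockfile() {
            local lockfile="$1" name="$2" version="$3"
            # Find dependency formated as
            # "name@version:"
            # NOTE(review): fixed-string substring match — it also hits longer names
            # or pre-release suffixes that contain "$name@$version"; this errs on the
            # side of reporting.
            if grep -qF -- "$name@$version" "$lockfile"; then
              echo "$name:$version was found in $lockfile"
              echo "[ERROR] - $name:$version was found in $lockfile" >> "$ERROR_LOG"
              FORCE_FAIL="true"   # previously only logged: the quality gate let a match pass
            else
              echo -n "."
            fi
          }

          # Check every name:version pair of DEP_LIST against one lockfile.
          #   $1 - lockfile path
          checkManifest() {
            local lockfile="$1"
            local count=0
            local manifest_type name version
            echo "[INFO] - Testing manifest $lockfile"
            manifest_type=$(basename "$lockfile")
            case "$manifest_type" in
              "pnpm-lock.yaml") ;;
              *)
                # bare '*' — a quoted "*" only matched a literal asterisk
                message_type "Dependency manager not managed. Found in $lockfile"
                return 0
                ;;
            esac
            # '|| [[ -n ... ]]' keeps a last line without a trailing newline
            while IFS=':' read -r name version || [[ -n "$name" ]]; do
              # ignore empty and commented lines
              [[ -z "${name// }" ]] && continue
              [[ "$name" =~ ^# ]] && continue
              checkPnpmLockfile "$lockfile" "$name" "$version"
              count=$((count+1))
            done < "$DEP_LIST"
            echo "[INFO] - Scanned $count IOC"
          }

          # Check blacklist
          echo "[INFO] - Scan manifests for blacklisted dependencies"
          DEP_LIST="compromised-packages.txt"
          # The blocklist is pulled from the main branch of centreon/security-tools
          # with no integrity check and trusted as-is; a failed download aborts the
          # step under -e, so the gate fails closed. -O pins the output name even if
          # a file of that name already exists in the checkout (wget would otherwise
          # write a ".1" copy and the scan would read the wrong file).
          wget -O "$DEP_LIST" "https://raw.githubusercontent.com/centreon/security-tools/main/blacklist/$DEP_LIST"
          LOCKFILES=()
          while IFS= read -r -d '' f; do LOCKFILES+=("$f"); done < <(find ./ -type f -name "pnpm-lock.yaml" -print0)
          for LOCKFILE in "${LOCKFILES[@]}"; do
            checkManifest "$LOCKFILE"
          done

          # Quality gate
          if [[ -s "$ERROR_LOG" ]]; then
            if [[ "$FORCE_FAIL" == "true" ]]; then
              echo "[ERROR] - Breaking the run. Kindly, check the comment"
              FAIL_THE_BUILD="true"
            fi
          else
            echo "[OK] - Great, nothing found !"
          fi
          echo "fail_the_build=$FAIL_THE_BUILD" >> "$GITHUB_ENV"
          cat "$GITHUB_ENV"
        shell: bash

      - name: comment_PR
        continue-on-error: true
        uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # v3.0.3
        with:
          recreate: true
          ignore_empty: true
          path: "error_log.txt"

      - name: Fail job if previous step failed
        if: env.fail_the_build == 'true'
        run: |
          echo "[ERROR] - Breaking the run. Kindly, check the comment and the dependency analysis log above"
          exit 1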