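--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,69 @@
+name: Dependabot Alert Management
+
+on:
+  schedule:
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  get-alerts:
+    name: List High/Critical Alerts
+    runs-on: self-hosted
+    outputs:
+      matrix: ${{ steps.alerts.outputs.matrix }}
+      has_alerts: ${{ steps.alerts.outputs.has_alerts }}
+    steps:
+      - name: Fetch open high/critical Dependabot alerts
+        id: alerts
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+        run: |
+          ALERTS=$(gh api "/repos/${REPO}/dependabot/alerts" \
+            --jq '[.[] | select(.state == "open") | select(.security_vulnerability.severity | test("^(high|critical)$"))]')
+
+          COUNT=$(echo "$ALERTS" | jq 'length')
+          echo "Found ${COUNT} high/critical open alert(s)"
+
+          if [ "$COUNT" -eq 0 ]; then
+            echo "has_alerts=false" >> "$GITHUB_OUTPUT"
+            echo "matrix={\"include\":[]}" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_alerts=true" >> "$GITHUB_OUTPUT"
+            MATRIX=$(echo "$ALERTS" | jq -c '{include: [.[] | {
+              alert_number: (.number | tostring),
+              package_name: .dependency.package.name,
+              package_ecosystem: .dependency.package.ecosystem,
+              severity: .security_vulnerability.severity,
+              summary: .security_advisory.summary,
+              cve_id: (.security_advisory.cve_id // ""),
+              ghsa_id: .security_advisory.ghsa_id,
+              vulnerable_version_range: .security_vulnerability.vulnerable_version_range,
+              first_patched_version: (.security_vulnerability.first_patched_version.identifier // "")
+            }]}')
+            echo "matrix=${MATRIX}" >> "$GITHUB_OUTPUT"
+          fi
+
+  manage:
+    name: Process Alert
+    needs: get-alerts
+    if: needs.get-alerts.outputs.has_alerts == 'true'
+    strategy:
+      matrix: ${{ fromJSON(needs.get-alerts.outputs.matrix) }}
+      fail-fast: false
+    uses: pgmac-net/pg-actions/.github/workflows/dependabot-management.yml@main
+    with:
+      alert_number: ${{ matrix.alert_number }}
+      package_name: ${{ matrix.package_name }}
+      package_ecosystem: ${{ matrix.package_ecosystem }}
+      severity: ${{ matrix.severity }}
+      summary: ${{ matrix.summary }}
+      cve_id: ${{ matrix.cve_id }}
+      ghsa_id: ${{ matrix.ghsa_id }}
+      vulnerable_version_range: ${{ matrix.vulnerable_version_range }}
+      first_patched_version: ${{ matrix.first_patched_version }}
+    secrets: inherit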
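Review bot: The `manage` job hands `secrets: inherit` plus this workflow's `contents: write` and `pull-requests: write` permissions to a reusable workflow referenced by a mutable branch, `uses: pgmac-net/pg-actions/.github/workflows/dependabot-management.yml@main`; whoever can push to that branch controls what runs here on every 6-hour schedule, so pin it to a full commit SHA (branch or tag kept in a trailing comment) and bump it deliberately. In the `alerts` step, `gh api "/repos/${REPO}/dependabot/alerts"` reads only the first page of results, so repositories with more alerts than one page holds silently drop the rest; add `--paginate` (and `?per_page=100`), remembering that `--jq` is then applied per page and the pages must be combined, via `--slurp` or a `jq -s add` depending on the gh version. The `state`/`severity` filtering can also be pushed to the API with `?state=open&severity=high,critical`, keeping the `--jq` filter as a guard, which shrinks the response and the number of pages. Nothing in the `permissions` block grants read access to Dependabot alerts, so confirm that `github.token` is accepted by this endpoint at all; the default `bash -e` shell should at least fail the step on a rejected call, but the later `echo "$ALERTS" | jq` pipelines run without `pipefail`, and an empty `COUNT` makes `[ "$COUNT" -eq 0 ]` error into the `else` branch, publishing `has_alerts=true` with an empty `matrix` that `fromJSON` then rejects downstream.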