New action request: github/ghas-jira-integration #223
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Get Dependabot alerts | |
on: | |
issues: | |
types: [labeled, unlabeled] | |
workflow_dispatch: | |
inputs: | |
issue: | |
description: 'Issue number to work with' | |
required: true | |
default: '11' | |
env: | |
fork-owner: rajbos-actions-test # where the forks are place | |
jobs: | |
find-action-name: | |
if: github.event.label.name == 'load-dependabot-alerts' | |
runs-on: ubuntu-latest | |
outputs: | |
action: ${{ steps.get-action.outputs.action }} | |
owner: ${{ steps.get-action.outputs.owner }} | |
name: ${{ steps.get-action.outputs.name }} | |
request_owner: ${{ steps.get-action.outputs.request_owner }} | |
request_repo: ${{ steps.get-action.outputs.request_repo }} | |
request_issue: ${{ steps.get-action.outputs.request_issue }} | |
steps: | |
- uses: actions/checkout@v2 | |
- id: dispatch_issue_find | |
name: Find action from issue | |
run: | | |
echo "Testing for dispatch event with issue number: ${{ github.event.inputs.issue }}" | |
issue_number=${{ github.event.inputs.issue }} | |
if [ "${{ github.event.inputs.issue }}" == "" ]; then | |
echo "issue number not found in workflow dispatch event" | |
echo 'Found the issue that triggered this event with number [${{ github.event.issue.number }}]' | |
echo 'Found the issue title [${{ github.event.issue.title }}]' | |
else | |
echo "issue number found: [$issue_number]" | |
# output a fixed variable | |
echo "::set-output name=issue_number::${issue_number}" | |
fi | |
- uses: actions/github-script@v5 | |
name: Find action from issue | |
id: get-action | |
with: | |
result-encoding: string | |
script: | | |
const script = require('./src/find-action-from-issue.js') | |
// note: owner is now the organization the FORK lives in: | |
const owner = context.repo.owner | |
const repo = context.repo.repo | |
let issue_number = context.issue.number | |
if (issue_number == null) { | |
// try to load issue number from other step: | |
console.log(`issue number not found in context, searching for it in workflow dispatch step`) | |
console.log(`issue number: [${{ steps.dispatch_issue_find.outputs.issue_number }}]`) | |
issue_number = `${{ steps.dispatch_issue_find.outputs.issue_number }}` | |
} | |
await script({github, owner, repo, issue_number}) | |
# find the results from security vulnerabilities in Dependabot | |
dependabot-results: | |
runs-on: ubuntu-latest | |
needs: find-action-name | |
steps: | |
- uses: actions/checkout@v2 | |
- uses: actions/github-script@v5 | |
name: Get resuls from Dependabot scan | |
id: get-codeql-results | |
with: | |
github-token: ${{ secrets.GH_TOKEN }} | |
# todo: wait for the actual scans to have been completed | |
script: | | |
const script = require('./src/dependabot.js') | |
// note: owner is now the organization the FORK lives in: | |
let owner = "${{ env.fork-owner }}" | |
let repo = "${{ needs.find-action-name.outputs.name }}" | |
// check if dependabot security updates are enabled for the repo | |
const enabledResult = await github.request('GET /repos/{owner}/{repo}/vulnerability-alerts', { | |
owner, | |
repo | |
}) | |
let results | |
if (enabledResult && enabledResult.status === 204) { | |
console.log(`Dependabot security alerts has been enabled for the repo ${owner}/${repo}, loading the alerts`) | |
results = await script({github, owner, repo}) | |
console.log(`result: ${JSON.stringify(results)}`) | |
console.log(`::set-output name=dependabot_high::${results.high}`) | |
console.log(`::set-output name=dependabot_moderate::${results.moderate}`) | |
} | |
else { | |
console.log(`Dependabot security alerts have not been enabled for the repo ${owner}/${repo}, skipping the scan`) | |
console.log(`::set-output name=dependabot_high::999`) | |
console.log(`::set-output name=dependabot_moderate::999`) | |
results = {high: 999, moderate: 999} | |
} | |
const totalVulnerabilities = results.high + results.moderate | |
let status | |
if (totalVulnerabilities > 1) { | |
status = '⚠️' | |
} | |
else { | |
status = '✅' | |
} | |
let body = [ | |
`:robot: Check completed with result: ${status}`, | |
``, | |
`Found ${totalVulnerabilities} Dependabot security vulnerabilities: `, | |
`${results.high} where high and ${results.moderate} where moderate.`, | |
``, | |
`Use this [link](https://github.com/${owner}/${repo}/security/dependabot) to verify the alerts.` | |
] | |
issue_number = `${{ needs.find-action-name.outputs.request_issue }}` | |
console.log(`Commenting the information on issue with number: ${issue_number}`) | |
console.log(`Body: [${body}]`) | |
// comment in the right repository | |
owner = "${{ needs.find-action-name.outputs.request_owner }}" | |
repo = "${{ needs.find-action-name.outputs.request_repo }}" | |
console.log(`Posting the findings back into this repo: ${owner}/${repo} on issue ${issue_number}`) | |
github.rest.issues.createComment({ | |
owner, | |
repo, | |
issue_number, | |
body: body.join('\n') | |
}); | |