generated from giantswarm/template-app
-
Notifications
You must be signed in to change notification settings - Fork 1
130 lines (122 loc) · 4.59 KB
/
zz_generated.remediate_vulnerabilities.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# DO NOT EDIT. Generated with:
#
# devctl
#
# https://github.com/giantswarm/devctl/blob/00856517283b245af5fa81ca6a551f9411b12f71/pkg/gen/input/workflows/internal/file/fix_vulnerabilities.yaml.template
#
name: Remediate Nancy findings
on:
schedule:
- cron: '0 9 * * 3'
workflow_dispatch:
inputs:
branch:
description: "Branch on which to remediate Nancy findings"
required: true
type: string
workflow_call:
inputs:
branch:
required: true
type: string
jobs:
gather_facts:
name: Gather facts
runs-on: ubuntu-22.04
outputs:
branch: ${{ steps.gather_facts.outputs.branch }}
skip : ${{ steps.gather_facts.outputs.skip }}
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch || github.ref }}
- name: Gather facts
id: gather_facts
run: |
head="${{ inputs.branch || github.ref }}"
branch="${{ github.ref_name }}"
echo "branch=${branch}" >> $GITHUB_OUTPUT
head="${head#refs/heads/}" # Strip "refs/heads/" prefix.
echo "head=${head}" >> $GITHUB_OUTPUT
# Skip if there are no go mod files
if [[ ! -e go.mod ]] && [[ ! -e go.sum ]]; then
skip=true
echo "There are no go mod files in the repo, skipping"
else
skip=false
fi
echo "skip=${skip}" >> $GITHUB_OUTPUT
echo "head=\"$head\" branch=\"$branch\" skip=\"$skip\""
run_nancy_fixer:
name: Remediate vulnerabilities with nancy-fixer
runs-on: ubuntu-22.04
needs:
- gather_facts
if: ${{ needs.gather_facts.outputs.skip != 'true' }}
steps:
- name: Generate a token
id: generate_token
uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
with:
app-id: ${{ secrets.HERALD_APP_ID }}
private-key: ${{ secrets.HERALD_APP_KEY }}
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
ref: ${{ needs.gather_facts.outputs.branch }}
fetch-depth: 0
- name: Create new branch
id: create_branch
run: |
branch="remediate-vulnerabilities-${{ needs.gather_facts.outputs.branch }}"
echo "branch=${branch}" >> $GITHUB_OUTPUT
git fetch origin ${branch} || true
# Check if branch exists
if [ -z $(git rev-parse --verify origin/$branch 2>/dev/null) ]
then
# Branch doesn't exist, create it
git checkout -b $branch
else
# Branch exists, use existing
git checkout $branch
fi
- name: Run nancy-fixer fix
uses: giantswarm/nancy-fixer@ab1048c622259dafade05bbde1d20d831a9592aa
- name: Set up git identity
run: |
git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
git config --local user.name "HeraldBot[bot]"
- name: Commit new files
id: commit_changes
run: |
git add -A
if git diff-index --quiet HEAD; then
echo "No changes found"
skip=true
else
git commit -m "Remediate Nancy findings on branch ${{ needs.gather_facts.outputs.branch }}"
skip=false
fi
echo "skip=${skip}" >> $GITHUB_OUTPUT
- name: Push changes
if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
env:
remote_repo: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
run: |
git push "${remote_repo}" HEAD:"${{ steps.create_branch.outputs.branch }}"
- name: Create PR
env:
GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
run: |
body="## Description
* Remediate Nancy findings on branch ${{ needs.gather_facts.outputs.branch }}
---
> [!NOTE]
> This PR was created by the **Remediate Vulnerabilities** workflow. Make sure all tests pass before approving.
"
gh pr create --title "Remediate Nancy findings on ${{ needs.gather_facts.outputs.branch }}" --body "${body}" --head "${{ steps.create_branch.outputs.branch }}" --base "${{ needs.gather_facts.outputs.branch }}"
gh pr merge --auto --squash