Skip to content

Dependabot PRs issue #3

Dependabot PRs issue

Dependabot PRs issue #3

name: Dependabot PRs issue
on:
# At 12:00 on day-of-month 1 in March, June, September, and December.
schedule:
- cron: '0 12 1 3,6,9,12 *'
workflow_dispatch:
permissions: {}
jobs:
js-prs-issue:
name: Dependabot PRs issue
# Only run cron on the silverstripe account
if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Get Alerts List
id: get-alerts-list
run: |
ALERTS_LIST=''
# Get list of supported modules
curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json
# If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file.
MODULES=$(jq -e '.' __modules.json) || true
if [[ $MODULES == "" ]]; then
# If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format.
echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:"
cat __modules.json
# Instead of exiting, output an error instead of the dependabot alert list.
# We don't have any reporting indicating if this workflow fails, so this is a good way to track that.
ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.'
else
# Create a list of markdown links for supported module dependabot stuff
ALERTS_LIST=$(php -r '
$json = json_decode(file_get_contents("__modules.json"), true);
foreach ($json["supportedModules"] as $module) {
# Assumes CMS 5 is the most recent stable version
if (!isset($module["majorVersionMapping"]["5"])) {
continue;
}
$githubRef = $module["github"];
$branch = end($module["majorVersionMapping"]["5"]);
$packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json";
$headers = get_headers($packageJsonURL);
# $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found"
$response = $headers[0];
# Skip modules which do not have a package.json file
if (strpos($response, "404") !== false) {
continue;
}
# If we have something other than 404 (above) or 200, output an error string for the list
# and move on.
if (strpos($response, "200") === false) {
echo "- $githubRef: Unable to check package.json, response was $response.\\n";
continue;
}
# If we get here, we have a package.json file so we should add a dependabot alerts URL to the list
echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n";
}
')
fi
echo 'ALERTS_LIST is:'
echo $ALERTS_LIST
echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT
- name: Dependabot PRs issue
uses: silverstripe/gha-issue@v1
env:
ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }}
with:
title: Dependabot pull-requests
description: |
This is an automatically created issue used to list dependabot pull requests every 3 months.\n
\n
It was created by the `.github/workflows/dependabot-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n
\n
### Triage instructions (Silverstripe Ltd CMS Squad)\n
1. Put on the following labels:\n
- `type/bug`\n
- `impact/low`\n
2. Move this issue to the "Ready" column on our internal zenhub board\n
3. If there is an open issue for JS PRs, block this issue on it - those PRs may resolve some dependabot alerts\n
\n
### Dependabot pull-requests:\n
See the [list of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22}) in Rhino.\n
- Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process\n
- You can check to see if the dependabot alert affects non-dev dependencies by running `yarn audit --groups dependencies` locally on default branch of the module.\n
- Use `yarn audit --groups devDependencies` to see dev-only dependencies.\n
- Merge these PRs if there are no merge-conflicts and CI is green\n
- If there are conflicts or CI isn't green, get dependabot to recreate the PR\n
- If there are still problems, manually resolve them and open your own PR\n
- Backport anything that seems like it needs to be patched immediately\n
\n
### Dependabot alerts:\n
After all of the above have been completed and resolved, check for any outstanding dependabot alerts in the list below.\n
- Make a quick determination as to whether any alerts warrant using our security process\n
- Ignore or dismiss any alerts that aren't relevant\n
- Try to resolve any relevant alerts which dependabot is unable to resolve automatically\n
\n
Respositories with alerts:\n
${{ env.ALERTS_LIST }}
- name: Delete temporary files
shell: bash
if: always()
run: |
if [[ -f __modules.json ]]; then
rm __modules.json
fi