-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
MNT Retime JS deps issue and spin off separate dependabot issue (#254)
- Loading branch information
1 parent
715b81d
commit cde9e9b
Showing
2 changed files
with
117 additions
and
75 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
name: Dependabot PRs issue | ||
|
||
on: | ||
# At 12:00 on day-of-month 1 in March, June, September, and December. | ||
schedule: | ||
- cron: '0 12 1 3,6,9,12 *' | ||
workflow_dispatch: | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
js-prs-issue: | ||
name: Dependabot PRs issue | ||
# Only run cron on the silverstripe account | ||
if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule') | ||
runs-on: ubuntu-latest | ||
permissions: | ||
issues: write | ||
steps: | ||
- name: Get Alerts List | ||
id: get-alerts-list | ||
run: | | ||
ALERTS_LIST='' | ||
# Get list of supported modules | ||
curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json | ||
# If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file. | ||
MODULES=$(jq -e '.' __modules.json) || true | ||
if [[ $MODULES == "" ]]; then | ||
# If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format. | ||
echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:" | ||
cat __modules.json | ||
# Instead of exiting, output an error instead of the dependabot alert list. | ||
# We don't have any reporting indicating if this workflow fails, so this is a good way to track that. | ||
ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.' | ||
else | ||
# Create a list of markdown links for supported module dependabot stuff | ||
ALERTS_LIST=$(php -r ' | ||
$json = json_decode(file_get_contents("__modules.json"), true); | ||
foreach ($json["supportedModules"] as $module) { | ||
# Assumes CMS 5 is the most recent stable version | ||
if (!isset($module["majorVersionMapping"]["5"])) { | ||
continue; | ||
} | ||
$githubRef = $module["github"]; | ||
$branch = end($module["majorVersionMapping"]["5"]); | ||
$packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json"; | ||
$headers = get_headers($packageJsonURL); | ||
# $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found" | ||
$response = $headers[0]; | ||
# Skip modules which do not have a package.json file | ||
if (strpos($response, "404") !== false) { | ||
continue; | ||
} | ||
# If we have something other than 404 (above) or 200, output an error string for the list | ||
# and move on. | ||
if (strpos($response, "200") === false) { | ||
echo "- $githubRef: Unable to check package.json, response was $response.\\n"; | ||
continue; | ||
} | ||
# If we get here, we have a package.json file so we should add a dependabot alerts URL to the list | ||
echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n"; | ||
} | ||
') | ||
fi | ||
echo 'ALERTS_LIST is:' | ||
echo $ALERTS_LIST | ||
echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT | ||
- name: Dependabot PRs issue | ||
uses: silverstripe/gha-issue@v1 | ||
env: | ||
ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }} | ||
with: | ||
title: Dependabot pull-requests | ||
description: | | ||
This is an automatically created issue used to list dependabot pull requests every 3 months.\n | ||
\n | ||
It was created by the `.github/workflows/dependabot-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n | ||
\n | ||
### Triage instructions (Silverstripe Ltd CMS Squad)\n | ||
1. Put on the following labels:\n | ||
- `type/bug`\n | ||
- `impact/low`\n | ||
2. Move this issue to the "Ready" column on our internal zenhub board\n | ||
3. If there is an open issue for JS PRs, block this issue on it - those PRs may resolve some dependabot alerts\n | ||
\n | ||
### Dependabot pull-requests:\n | ||
See the [list of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22}) in Rhino.\n | ||
- Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process\n | ||
- Merge these PRs if there are no merge-conflicts and CI is green\n | ||
- If there are conflicts or CI isn't green, get dependabot to recreate the PR\n | ||
- If there are still problems, manually resolve them and open your own PR\n | ||
- Backport anything that seems like it needs to be patched immediately\n | ||
\n | ||
### Dependabot alerts:\n | ||
After all of the above have been completed and resolved, check for any outstanding dependabot alerts in the list below.\n | ||
- Make a quick determination as to whether any alerts warrant using our security process\n | ||
- Ignore or dismiss any alerts that aren't relevant\n | ||
- Try to resolve any relevant alerts which dependabot is unable to resolve automatically\n | ||
\n | ||
Respositories with alerts:\n | ||
${{ env.ALERTS_LIST }} | ||
- name: Delete temporary files | ||
shell: bash | ||
if: always() | ||
run: | | ||
if [[ -f __modules.json ]]; then | ||
rm __modules.json | ||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters