diff --git a/.github/workflows/dependabot-prs-issue.yml b/.github/workflows/dependabot-prs-issue.yml
new file mode 100644
index 0000000..950e9ac
--- /dev/null
+++ b/.github/workflows/dependabot-prs-issue.yml
@@ -0,0 +1,114 @@
+name: Dependabot PRs issue
+on:
+ # At 12:00 on day-of-month 1 in March, June, September, and December.
+ schedule:
+ - cron: '0 12 1 3,6,9,12 *'
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ js-prs-issue:
+ name: Dependabot PRs issue
+ # Only run cron on the silverstripe account
+ if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ steps:
+ - name: Get Alerts List
+ id: get-alerts-list
+ run: |
+ ALERTS_LIST=''
+
+ # Get list of supported modules
+ curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json
+ # If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file.
+ MODULES=$(jq -e '.' __modules.json) || true
+ if [[ $MODULES == "" ]]; then
+ # If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format.
+ echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:"
+ cat __modules.json
+ # Instead of exiting, output an error instead of the dependabot alert list.
+ # We don't have any reporting indicating if this workflow fails, so this is a good way to track that.
+ ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.'
+ else
+ # Create a list of markdown links for supported module dependabot stuff
+ ALERTS_LIST=$(php -r '
+ $json = json_decode(file_get_contents("__modules.json"), true);
+ foreach ($json["supportedModules"] as $module) {
+ # Assumes CMS 5 is the most recent stable version
+ if (!isset($module["majorVersionMapping"]["5"])) {
+ continue;
+ }
+ $githubRef = $module["github"];
+ $branch = end($module["majorVersionMapping"]["5"]);
+ $packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json";
+ $headers = get_headers($packageJsonURL);
+ # $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found"
+ $response = $headers[0];
+ # Skip modules which do not have a package.json file
+ if (strpos($response, "404") !== false) {
+ continue;
+ }
+ # If we have something other than 404 (above) or 200, output an error string for the list
+ # and move on.
+ if (strpos($response, "200") === false) {
+ echo "- $githubRef: Unable to check package.json, response was $response.\\n";
+ continue;
+ }
+
+ # If we get here, we have a package.json file so we should add a dependabot alerts URL to the list
+ echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n";
+ }
+ ')
+ fi
+
+ echo 'ALERTS_LIST is:'
+ echo $ALERTS_LIST
+ echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT
+
+
+ - name: Dependabot PRs issue
+ uses: silverstripe/gha-issue@v1
+ env:
+ ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }}
+ with:
+ title: Dependabot pull-requests
+ description: |
+ This is an automatically created issue used to list dependabot pull requests every 3 months.\n
+ \n
+ It was created by the `.github/workflows/dependabot-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n
+ \n
+ ### Triage instructions (Silverstripe Ltd CMS Squad)\n
+ 1. Put on the following labels:\n
+ - `type/bug`\n
+ - `impact/low`\n
+ 2. 
Move this issue to the "Ready" column on our internal zenhub board\n
+ 3. If there is an open issue for JS PRs, block this issue on it - those PRs may resolve some dependabot alerts\n
+ \n
+ ### Dependabot pull-requests:\n
+ See the [list of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22}) in Rhino.\n
+ - Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process\n
+ - Merge these PRs if there are no merge-conflicts and CI is green\n
+ - If there are conflicts or CI isn't green, get dependabot to recreate the PR\n
+ - If there are still problems, manually resolve them and open your own PR\n
+ - Backport anything that seems like it needs to be patched immediately\n
+ \n
+ ### Dependabot alerts:\n
+ After all of the above have been completed and resolved, check for any outstanding dependabot alerts in the list below.\n
+ - Make a quick determination as to whether any alerts warrant using our security process\n
+ - Ignore or dismiss any alerts that aren't relevant\n
+ - Try to resolve any relevant alerts which dependabot is unable to resolve automatically\n
+ \n
+ Respositories with alerts:\n
+ ${{ env.ALERTS_LIST }}
+
+ - name: Delete temporary files
+ shell: bash
+ if: always()
+ run: |
+ if [[ -f __modules.json ]]; then
+ rm __modules.json
+ fi
diff --git a/.github/workflows/js-prs-issue.yml b/.github/workflows/js-prs-issue.yml
index 6639198..0e9bfbc 100644
--- a/.github/workflows/js-prs-issue.yml
+++ b/.github/workflows/js-prs-issue.yml
@@ -1,10 +1,10 @@ name: JS PRs issue on: - # At 12:00 on day-of-month 1 in every 3rd month. + # At 12:00 on day-of-month 1 in March and September. # This is 12 hours after update-js workflows run on repos such as silverstripe/asset-admin schedule: - - cron: '0 12 1 */3 *' + - cron: '0 12 1 3,9 *' workflow_dispatch: permissions: {}
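Review bot: A `__modules.json` that is valid JSON but carries no `supportedModules` array passes the `jq -e '.'` guard in the "Get Alerts List" step, the PHP `foreach` then iterates nothing, and the issue is created with an empty "Respositories with alerts:" list (plus whatever PHP prints for iterating a null) instead of the deliberate failure text the surrounding comments say this workflow relies on; tightening the guard to `MODULES=$(jq -e '.supportedModules | arrays' __modules.json) || true` routes that case to the existing error message. The `$(php -r ...)` capture also keeps interior newlines, so any PHP warning written to stdout would make `echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT` append extra lines to the outputs file; the `alerts_list<<EOF` delimiter form is the safe way to emit a value that may span lines, and `"$GITHUB_OUTPUT"` and `echo "$ALERTS_LIST"` should be double-quoted. If a `package.json` request is redirected, `$headers[0]` holds the first status line rather than the final one, so a redirect would land in the "Unable to check" branch; inspecting the last `HTTP/` entry in `$headers` would be more robust. "Respositories" in the description is a typo for "Repositories".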
@@ -18,68 +18,13 @@ jobs: permissions: issues: write steps: - - name: Get Alerts List - id: get-alerts-list - run: | - ALERTS_LIST='' - - # Get list of supported modules - curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json - # If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file. - MODULES=$(jq -e '.' __modules.json) || true - if [[ $MODULES == "" ]]; then - # If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format. - echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:" - cat __modules.json - # Instead of exiting, output an error instead of the dependabot alert list. - # We don't have any reporting indicating if this workflow fails, so this is a good way to track that. - ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.' - else - # Create a list of markdown links for supported module dependabot stuff - ALERTS_LIST=$(php -r ' - $json = json_decode(file_get_contents("__modules.json"), true); - foreach ($json["supportedModules"] as $module) { - # Assumes CMS 5 is the most recent stable version - if (!isset($module["majorVersionMapping"]["5"])) { - continue; - } - $githubRef = $module["github"]; - $branch = end($module["majorVersionMapping"]["5"]); - $packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json"; - $headers = get_headers($packageJsonURL); - # $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found" - $response = $headers[0]; - # Skip modules which do not have a package.json file - if (strpos($response, "404") !== false) { - continue; - } - # If we have something other than 404 (above) or 200, output an error string for the list - # and move on. 
- if (strpos($response, "200") === false) { - echo "- $githubRef: Unable to check package.json, response was $response.\\n"; - continue; - } - - # If we get here, we have a package.json file so we should add a dependabot alerts URL to the list - echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n"; - } - ') - fi - - echo 'ALERTS_LIST is:' - echo $ALERTS_LIST - echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT - - - name: JS PRs issue uses: silverstripe/gha-issue@v1 - env: - ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }} with: title: JS pull-requests description: | This is an automatically created issue used to list automatically created - javascript pull requests every 3 months.\n + javascript pull requests every 6 months.\n \n It was created by the `.github/workflows/js-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n \n @@ -108,20 +53,3 @@ jobs: 7. Git commit, push the changes and create a pull-request\n 8. List the pull-request(s) on this issue\n 9. Move this issue to the peer review column on the CMS Squad internal zenhub board\n - \n - ### Dependabot pull-requests:\n - - [List of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22})\n - - Most of these should be automatically closed if the "Update JS pull-requests" above are merged\n - - You can make a judgement call as to whether to merge any easy ones that are left\n - \n - ### Dependabot alerts:\n - After all of the above have been completed and resolved, check for any outstanding dependabot alerts:\n - ${{ env.ALERTS_LIST }} - - - name: Delete temporary files - shell: bash - if: always() - run: | - if [[ -f __modules.json ]]; then - rm __modules.json - fi