1 | 1 | name: Security Audit |
2 | 2 |
|
3 | 3 | on: |
4 | | - dependabot_alert: |
5 | | - types: [created, reintroduced] |
| 4 | + schedule: |
| 5 | + - cron: '0 9 * * 1-5' # Mon-Fri 9am UTC |
| 6 | + workflow_dispatch: |
6 | 7 |
|
7 | 8 | permissions: |
8 | 9 | contents: read |
9 | 10 |
|
10 | 11 | jobs: |
11 | | - notify-slack: |
| 12 | + dependabot-alerts: |
12 | 13 | runs-on: ubuntu-latest |
13 | | - timeout-minutes: 2 |
| 14 | + timeout-minutes: 5 |
14 | 15 | steps: |
15 | | - - name: Notify Slack |
| 16 | + - name: Generate scoped token |
| 17 | + id: app-token |
| 18 | + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 |
| 19 | + with: |
| 20 | + app-id: ${{ vars.SDK_SECURITY_AUDIT_APP_ID }} |
| 21 | + private-key: ${{ secrets.SDK_SECURITY_AUDIT_APP_PRIVATE_KEY }} |
| 22 | + repositories: braintrust-sdk-ruby |
| 23 | + |
| 24 | + - name: Check Dependabot alerts and notify Slack |
16 | 25 | env: |
| 26 | + GH_TOKEN: ${{ steps.app-token.outputs.token }} |
17 | 27 | SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |
18 | 28 | SLACK_CHANNEL: ${{ vars.SLACK_SDK_SECURITY_CHANNEL }} |
19 | | - ALERT_URL: ${{ github.event.alert.html_url }} |
20 | | - PACKAGE: ${{ github.event.alert.dependency.package.name }} |
21 | | - SEVERITY: ${{ github.event.alert.security_advisory.severity }} |
22 | | - SUMMARY: ${{ github.event.alert.security_advisory.summary }} |
23 | 29 | run: | |
24 | | - curl -s -X POST "https://slack.com/api/chat.postMessage" \ |
25 | | - -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ |
26 | | - -H "Content-Type: application/json" \ |
27 | | - -d "{ |
28 | | - \"channel\": \"$SLACK_CHANNEL\", |
29 | | - \"text\": \":warning: *braintrust-sdk-ruby* Dependabot alert ($SEVERITY): $PACKAGE — $SUMMARY <$ALERT_URL|View alert>\" |
30 | | - }" |
| 30 | + ALERTS=$(gh api "repos/$GITHUB_REPOSITORY/dependabot/alerts?state=open" --jq 'length') |
| 31 | +
|
| 32 | + if [ "$ALERTS" -gt 0 ]; then |
| 33 | + SECURITY_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/security/dependabot" |
| 34 | + curl -s -X POST "https://slack.com/api/chat.postMessage" \ |
| 35 | + -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ |
| 36 | + -H "Content-Type: application/json" \ |
| 37 | + -d "{ |
| 38 | + \"channel\": \"$SLACK_CHANNEL\", |
| 39 | + \"text\": \":warning: *braintrust-sdk-ruby* has $ALERTS open Dependabot alert(s). <$SECURITY_URL|View alerts>\" |
| 40 | + }" |
| 41 | + fi |
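Review bot: The count on line 30 is capped at one page of results — `gh api ... --jq 'length'` without `--paginate` or `per_page` reports at most the API's default page size (30), so a repository with more open alerts is under-reported in Slack; use `ALERTS=$(gh api --paginate "repos/$GITHUB_REPOSITORY/dependabot/alerts?state=open&per_page=100" --jq 'length' | awk '{s+=$1} END {print s+0}')` to sum across pages. On the token step, `repositories:` narrows the installation to one repo but not its permission set; if the app carries more than it needs, adding `permission-vulnerability-alerts: read` under `with:` limits the minted token to Dependabot-alert reads, which is all this job uses. The Slack call on lines 34–40 stays `curl -s` with no check of the response, and Slack signals most errors (wrong channel, revoked bot token) with HTTP 200 and `"ok":false`, so a broken notification path would pass silently; piping the response through `jq -e '.ok' > /dev/null` makes the step fail instead. Minor: the message hardcodes `*braintrust-sdk-ruby*` while the API call uses `$GITHUB_REPOSITORY`; using the variable in both keeps them from drifting if the workflow is copied.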