Update the GitHub advisories CSV #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Update the GitHub advisories CSV | |
on: | |
workflow_dispatch: {} | |
schedule: | |
- cron: 0 11 * * MON | |
jobs: | |
update-advisories: | |
if: github.event_name != 'schedule' || github.repository_owner == 'openrewrite' | |
runs-on: ubuntu-latest | |
steps: | |
# Checkout and build parser | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-java@v4 | |
with: | |
cache: 'gradle' | |
distribution: 'temurin' | |
java-version: '17' | |
# Update advisories | |
- name: Checkout advisory-database | |
uses: actions/checkout@v4 | |
with: | |
repository: github/advisory-database | |
path: advisory-database | |
# Commit and push Maven advisories here | |
- name: configure-git-user | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "team-moderne[bot]" | |
- name: Create commit message | |
run: | | |
echo "MSG=[Auto] GitHub advisories as of $(date +'%Y-%m-%dT%H%M')" >> $GITHUB_ENV | |
- name: Commit and push Maven dependency vulnerabilities to rewrite-java-dependencies | |
run: | | |
./gradlew parseGithubAdvisoryDatabase --args="./advisory-database Maven src/main/resources/advisories-maven.csv" | |
sort --output=src/main/resources/advisories-maven.csv src/main/resources/advisories-maven.csv | |
git diff-index --quiet HEAD src/main/resources/advisories-maven.csv || (git commit --message "${{ env.MSG }} for Maven" src/main/resources/advisories-maven.csv && git push origin main) | |
- name: Commit and push Nuget dependency vulnerabilities to rewrite-java-dependencies | |
run: | | |
./gradlew parseGithubAdvisoryDatabase --args="./advisory-database Nuget src/main/resources/advisories-nuget.csv" | |
sort --output=src/main/resources/advisories-nuget.csv src/main/resources/advisories-nuget.csv | |
git diff-index --quiet HEAD src/main/resources/advisories-nuget.csv || (git commit --message "${{ env.MSG }} for NuGet" src/main/resources/advisories-nuget.csv && git push origin main) | |
# Load SSH deploy-key | |
- uses: webfactory/[email protected] | |
with: | |
ssh-private-key: ${{ secrets.REWRITE_NODEJS_DEPLOY_KEY }} | |
# Commit and push NPM advisories to rewrite-nodejs | |
- name: Commit and push Npm dependency vulnerabilities to rewrite-nodejs | |
run: | | |
git clone --depth 1 [email protected]:openrewrite/rewrite-nodejs.git | |
./gradlew parseGithubAdvisoryDatabase --args="./advisory-database NPM rewrite-nodejs/src/main/resources/advisories-npm.csv" | |
cd rewrite-nodejs/ | |
sort --output=src/main/resources/advisories-npm.csv src/main/resources/advisories-npm.csv | |
git diff-index --quiet HEAD src/main/resources/advisories-npm.csv || (git commit --message "${{ env.MSG }} for NPM" src/main/resources/advisories-npm.csv && git push origin main) | |