Reusable flow to check for vulns in dependencies of a Nsolid branch #12
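---
# Reusable workflow: run dep_checker against one branch ("stream") of
# nodesource/nsolid and open a GitHub issue per vulnerability it reports.
#
# Entry points:
#   - workflow_call: callers pass the stream to scan and an NVD API key.
#   - workflow_dispatch: manual runs read NVD_API_KEY from this repository.
#
# Security notes for maintainers:
#   - Secrets and caller-controlled strings are handed to shell steps through
#     `env:` and expanded by the shell ("$VAR"), never spliced into the script
#     with ${{ }}. A ${{ }} expansion is substituted into the script *source*
#     before bash runs it, so a crafted nsolidStream value or vulnerability
#     record could inject commands.
#   - Permissions are granted per job: the token dep_checker receives is
#     read-only; only create-issues can write issues.
#   - Actions are pinned to major tags. Pinning third-party actions (at least
#     dblock/create-a-github-issue) to a full commit SHA, with the tag noted
#     in a trailing comment, protects against a moved or compromised tag.
name: Reusable flow to check for vulns in dependencies of a Nsolid branch

on:
  workflow_call:
    inputs:
      nsolidStream:
        type: string
        default: 'main'
    secrets:
      NVD_API_KEY:
        required: true
  workflow_dispatch:
    inputs:
      nsolidStream:
        type: string
        default: 'main'

# Workflow-wide default is read-only; jobs raise what they need below.
permissions:
  contents: read

jobs:
  check-vulns:
    runs-on: ubuntu-latest
    # dep_checker only reads from the GitHub API, so GITHUB_TOKEN is kept
    # read-only here (the original granted issues: write to every job).
    permissions:
      contents: read
    outputs:
      # JSON document emitted by dep_checker (see the "build matrix" step);
      # empty when the check passed or produced no JSON.
      matrix: ${{ steps.set_matrix.outputs.matrix }}
    steps:
      - name: Setup Python 3.11
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
      - name: Verify Node.js and npm installation
        run: |
          echo "Node.js version:"
          node --version
          echo "npm version:"
          npm --version
          echo "Python version:"
          python3 --version
      - name: Checkout current repository
        uses: actions/checkout@v4
      - name: Debug directory structure
        run: |
          echo "Current directory:"
          pwd
          echo "Directory contents:"
          ls -la
          echo "dep_checker directory exists:"
          ls -la dep_checker/ || echo "dep_checker directory not found"
      - name: Installing pre-reqs
        working-directory: ./dep_checker
        run: pip install -r requirements.txt
      - name: Checkout Nsolid repo
        uses: actions/checkout@v4
        with:
          repository: nodesource/nsolid
          path: nsolid
          # Caller-controlled; safe here because `with:` values are not
          # evaluated by a shell.
          ref: ${{ inputs.nsolidStream }}
      - name: Run the check
        working-directory: ./dep_checker
        # Tokens and the stream name reach the command via the environment.
        # (The tool still takes them as CLI flags, so they are visible in the
        # runner's process list for the duration of the run; that is the
        # tool's interface, not something this workflow can change.)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
          NSOLID_STREAM: ${{ inputs.nsolidStream }}
        run: |
          (
            # pipefail so a non-zero exit from main.py is not hidden by tee;
            # the run script itself executes under bash -e, so a failure here
            # fails the step (which is how "vulnerabilities found" surfaces).
            set -o pipefail
            python3 main.py --json-output --include-npm --npm-timeout 600 \
              --gh-token "$GH_TOKEN" --nvd-key="$NVD_API_KEY" \
              ../nsolid "$NSOLID_STREAM" 2>&1 | tee result.log
          )
          cat result.log
      - name: build matrix
        id: set_matrix
        # Only reached when a previous step failed, i.e. when dep_checker
        # reported findings (or crashed). If the log holds no JSON object,
        # grep matches nothing and `matrix` is written empty rather than
        # failing the step; create-issues checks for that.
        if: ${{ failure() }}
        working-directory: ./dep_checker
        run: |
          matrix=$(grep -o '{.*}' result.log | jq -c .)
          echo "matrix=$matrix"
          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"

  create-issues:
    needs: check-vulns
    # check-vulns fails on purpose when vulnerabilities are found, so this
    # job must run after a failed dependency; `!cancelled()` (rather than
    # `always()`) keeps it from running on a cancelled workflow, and the
    # non-empty check prevents fromJson() below from being fed an empty
    # string on a clean run or a checker crash that emitted no JSON.
    if: ${{ !cancelled() && needs.check-vulns.outputs.matrix != '' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    strategy:
      # Expected shape (inferred from the keys used below; confirm against
      # dep_checker's --json-output): { "vulnerabilities": [ {id, url,
      # dependency, version, source, main_dep_name, main_dep_path}, ... ] }
      matrix: ${{ fromJson(needs.check-vulns.outputs.matrix) }}
      max-parallel: 1
    steps:
      - uses: actions/checkout@v4
      - name: Set labels for issue
        id: set_labels
        # Matrix values originate from vulnerability-database output and the
        # stream name from the caller; both are passed via env so they are
        # data to the shell rather than part of the script.
        env:
          VULN_SOURCE: ${{ matrix.vulnerabilities.source }}
          NSOLID_STREAM: ${{ inputs.nsolidStream }}
        run: |
          if [ "$VULN_SOURCE" = "npm" ]; then
            echo "ISSUE_LABELS=${NSOLID_STREAM}, NPM" >> "$GITHUB_ENV"
          else
            echo "ISSUE_LABELS=${NSOLID_STREAM}" >> "$GITHUB_ENV"
          fi
      # NOTE(review): third-party action; prefer pinning to a commit SHA.
      # The VULN_* / NODEJS_STREAM / ACTION_URL variables are presumably read
      # by the action's issue template — verify against the template file.
      - uses: dblock/create-a-github-issue@v3
        with:
          update_existing: false
          search_existing: open
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VULN_ID: ${{ matrix.vulnerabilities.id }}
          VULN_URL: ${{ matrix.vulnerabilities.url }}
          VULN_DEP_NAME: ${{ matrix.vulnerabilities.dependency }}
          VULN_DEP_VERSION: ${{ matrix.vulnerabilities.version }}
          VULN_SOURCE: ${{ matrix.vulnerabilities.source }}
          VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
          VULN_MAIN_DEP_PATH: ${{ matrix.vulnerabilities.main_dep_path }}
          NODEJS_STREAM: ${{ inputs.nsolidStream }}
          ACTION_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"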