Skip to content

Fix Vulnerabilities #132

Fix Vulnerabilities

Fix Vulnerabilities #132

# DO NOT EDIT. Generated with:
#
# devctl
#
# https://github.com/giantswarm/devctl/blob/00856517283b245af5fa81ca6a551f9411b12f71/pkg/gen/input/workflows/internal/file/fix_vulnerabilities.yaml.template
#
name: Remediate Nancy findings
on:
schedule:
- cron: '0 9 * * 3'
workflow_dispatch:
inputs:
branch:
description: "Branch on which to remediate Nancy findings"
required: true
type: string
workflow_call:
inputs:
branch:
required: true
type: string
jobs:
gather_facts:
name: Gather facts
runs-on: ubuntu-22.04
outputs:
branch: ${{ steps.gather_facts.outputs.branch }}
skip : ${{ steps.gather_facts.outputs.skip }}
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch || github.ref }}
- name: Gather facts
id: gather_facts
run: |
head="${{ inputs.branch || github.ref }}"
branch="${{ github.ref_name }}"
echo "branch=${branch}" >> $GITHUB_OUTPUT
head="${head#refs/heads/}" # Strip "refs/heads/" prefix.
echo "head=${head}" >> $GITHUB_OUTPUT
# Skip if there are no go mod files
if [[ ! -e go.mod ]] && [[ ! -e go.sum ]]; then
skip=true
echo "There are no go mod files in the repo, skipping"
else
skip=false
fi
echo "skip=${skip}" >> $GITHUB_OUTPUT
echo "head=\"$head\" branch=\"$branch\" skip=\"$skip\""
run_nancy_fixer:
name: Remediate vulnerabilities with nancy-fixer
runs-on: ubuntu-22.04
needs:
- gather_facts
if: ${{ needs.gather_facts.outputs.skip != 'true' }}
steps:
- name: Generate a token
id: generate_token
uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
with:
app-id: ${{ secrets.HERALD_APP_ID }}
private-key: ${{ secrets.HERALD_APP_KEY }}
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
ref: ${{ needs.gather_facts.outputs.branch }}
fetch-depth: 0
- name: Create new branch
id: create_branch
run: |
branch="remediate-vulnerabilities-${{ needs.gather_facts.outputs.branch }}"
echo "branch=${branch}" >> $GITHUB_OUTPUT
git fetch origin ${branch} || true
# Check if branch exists
if [ -z $(git rev-parse --verify origin/$branch 2>/dev/null) ]
then
# Branch doesn't exist, create it
git checkout -b $branch
else
# Branch exists, use existing
git checkout $branch
fi
- name: Run nancy-fixer fix
uses: docker://gsoci.azurecr.io/giantswarm/nancy-fixer@sha256:ee673c9bbdb6b4bba64ebd4e001b1033e7c6b7cb2907df92269a2ef0a87610f9 # v0.4.4
- name: Set up git identity
run: |
git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
git config --local user.name "HeraldBot[bot]"
- name: Commit new files
id: commit_changes
run: |
git add -A
if git diff-index --quiet HEAD; then
echo "No changes found"
skip=true
else
git commit -m "Remediate Nancy findings on branch ${{ needs.gather_facts.outputs.branch }}"
skip=false
fi
echo "skip=${skip}" >> $GITHUB_OUTPUT
- name: Push changes
if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
env:
remote_repo: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
run: |
git push "${remote_repo}" HEAD:"${{ steps.create_branch.outputs.branch }}"
- name: Create PR
env:
GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
run: |
body="## Description
* Remediate Nancy findings on branch ${{ needs.gather_facts.outputs.branch }}
---
> [!NOTE]
> This PR was created by the **Remediate Vulnerabilities** workflow. Make sure all tests pass before approving.
"
gh pr create --title "Remediate Nancy findings on ${{ needs.gather_facts.outputs.branch }}" --body "${body}" --head "${{ steps.create_branch.outputs.branch }}" --base "${{ needs.gather_facts.outputs.branch }}"
gh pr merge --auto --squash