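name: "Audit dependencies"

on:
  # Runs audit every monday
  schedule:
    - cron: '0 10 * * 1'
  # Enable manual run
  workflow_dispatch:

jobs:
  audit:
    # Do not run scheduled audit on tier repositories
    if: github.repository == 'glpi-project/glpi' || github.event_name != 'schedule'
    # Least privilege for GITHUB_TOKEN. Declaring any permission sets every
    # undeclared scope to "none", so the read scope the checkout relies on is
    # listed explicitly instead of depending on the repository being public.
    permissions:
      contents: "read"
      issues: "write"
    name: "Audit dependencies (${{ matrix.branch }})"
    runs-on: "ubuntu-latest"
    strategy:
      fail-fast: false
      matrix:
        include:
          - {branch: "9.5/bugfixes", php-version: "7.2"}
          - {branch: "10.0/bugfixes", php-version: "7.4"}
    env:
      COMPOSE_FILE: ".github/actions/docker-compose-app.yml"
      APPLICATION_ROOT: "${{ github.workspace }}"
      PHP_IMAGE: "githubactions-php:${{ matrix.php-version }}"
      UPDATE_FILES_ACL: true
    steps:
      - name: "Clean workspace"
        # Values appended to $GITHUB_ENV only become visible to *later* steps,
        # so APP_CONTAINER_HOME is kept in a shell variable for use in this one.
        # The glob is left outside the quotes (a quoted "*" matches nothing and
        # made the cleanup a no-op) and ":?" aborts the step instead of letting
        # an empty variable turn the command into `rm -rf /*`.
        run: |
          APP_CONTAINER_HOME="${{ runner.temp }}/app_home"
          echo "APP_CONTAINER_HOME=${APP_CONTAINER_HOME}" >> "$GITHUB_ENV"
          rm -rf "${APPLICATION_ROOT:?}"/*
          rm -rf "${APP_CONTAINER_HOME:?}"/*
      - name: "Checkout"
        # NOTE(review): third-party actions are referenced by mutable tags here
        # and below; pinning to a full commit SHA protects against tag moves.
        # The SHAs are not reproduced in this file, so the tags are kept.
        uses: "actions/checkout@v3"
        with:
          # Matrix values are defined in this workflow, not by external input.
          ref: ${{ matrix.branch }}
          # No later step pushes, so do not leave the token in .git/config where
          # the containers started below could read it from the mounted tree.
          persist-credentials: false
      - name: "Restore dependencies cache"
        uses: actions/cache@v3
        with:
          path: |
            ${{ env.APP_CONTAINER_HOME }}/.composer/cache/
            ${{ env.APP_CONTAINER_HOME }}/.npm/_cacache/
          key: "app_home_deps-${{ matrix.php-version }}-${{ hashFiles('composer.lock', 'package-lock.json') }}"
          restore-keys: |
            app_home_deps-${{ matrix.php-version }}-
            app_home_deps-
      - name: "Initialize containers"
        run: |
          .github/actions/init_containers-start.sh
      - name: "Show versions"
        run: |
          .github/actions/init_show-versions.sh
      - name: "Audit npm dependencies"
        continue-on-error: true
        id: "npmaudit"
        # A non-zero exit code covers both "vulnerabilities found" and a tool or
        # network failure; in either case the log is captured and an issue is
        # opened by the next step.
        # The heredoc delimiter is random so that a line of audit output can
        # never terminate the block early and inject additional step outputs,
        # and the log is passed to printf as an argument, never as the format
        # string (a "%" in the output would otherwise be interpreted).
        # NOTE(review): npm documents this option as `--package-lock-only`;
        # confirm the bare word is intended before relying on it.
        run: |
          set -o pipefail
          CODE=0
          LOG=$( npm audit package-lock-only 2>&1 | tee /dev/stderr ) || CODE=$?
          DELIM="$(dd if=/dev/urandom bs=15 count=1 status=none | base64)"
          echo "CODE=$CODE" >> "$GITHUB_OUTPUT"
          printf 'LOG<<%s\n%s\n%s\n' "$DELIM" "$LOG" "$DELIM" >> "$GITHUB_OUTPUT"
      - name: "Create issue if npm audit fails"
        # Also fires when CODE is unset (step aborted before writing it), which
        # still deserves a ticket.
        if: "${{ steps.npmaudit.outputs.CODE != '0' }}"
        uses: "actions/github-script@v6"
        with:
          # toJSON() yields a quoted JS string literal, so the audit output is
          # embedded as data and cannot break out into the script.
          script: |
            const result = await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: 'npm audit failed (${{ matrix.branch }})',
              body: '```\n' + ${{ toJSON(steps.npmaudit.outputs.LOG) }} + '\n```',
            });
      - name: "Audit composer dependencies"
        continue-on-error: true
        id: "composeraudit"
        # Same capture scheme as the npm step: random heredoc delimiter and the
        # log passed to printf as an argument rather than as the format string.
        run: |
          set -o pipefail
          CODE=0
          LOG=$( composer audit --locked 2>&1 | tee /dev/stderr ) || CODE=$?
          DELIM="$(dd if=/dev/urandom bs=15 count=1 status=none | base64)"
          echo "CODE=$CODE" >> "$GITHUB_OUTPUT"
          printf 'LOG<<%s\n%s\n%s\n' "$DELIM" "$LOG" "$DELIM" >> "$GITHUB_OUTPUT"
      - name: "Create issue if composer audit fails"
        if: "${{ steps.composeraudit.outputs.CODE != '0' }}"
        uses: "actions/github-script@v6"
        with:
          # toJSON() yields a quoted JS string literal, so the audit output is
          # embedded as data and cannot break out into the script.
          script: |
            const result = await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: 'composer audit failed (${{ matrix.branch }})',
              body: '```\n# composer audit report\n\n' + ${{ toJSON(steps.composeraudit.outputs.LOG) }} + '\n```',
            });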