feat(build): automatically apply security updates for release branches #5758

Merged
75 changes: 75 additions & 0 deletions .github/workflows/update-insecure-dependencies.yaml
@@ -0,0 +1,75 @@
name: "Update insecure dependencies"

on:
workflow_dispatch: { }
schedule:
- cron: 0 8 * * *
jobs:
update-insecure-dependencies:
strategy:
matrix:
branch:
- "release-2.0"
- "release-1.8"
- "release-1.7"
- "release-1.6"
- "release-1.5"
- "master"
runs-on: ubuntu-latest
steps:
- name: Generate GitHub app token
id: github-app-token
uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # v1.7.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: "Clone Kuma"
uses: actions/checkout@v2
with:
ref: ${{ matrix.branch }}
- uses: actions/setup-go@v3
with:
go-version: "~1.18.9"
- name: "Install tools"
run: |
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
- name: "Prepare commit body - before"
id: prepare_commit_body_before
run: |
SCAN_OUTPUT_BEFORE=$(osv-scanner --lockfile=go.mod | tr "+" "|" | awk 'NR>3 {print last} {last=$0}' || true)
echo "SCAN_OUTPUT_BEFORE<<EOF" >> $GITHUB_ENV
echo "$SCAN_OUTPUT_BEFORE" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: "Update dependencies"
id: update
run: |
osv-scanner --lockfile=go.mod --json | jq '.results[].packages[].package.name' | xargs -I {} go get -u {}
go mod tidy
- name: "Prepare commit body - after"
id: prepare_commit_body_after
run: |
SCAN_OUTPUT_AFTER=$(osv-scanner --lockfile=go.mod | tr "+" "|" | awk 'NR>3 {print last} {last=$0}' || true)
echo "SCAN_OUTPUT_AFTER<<EOF" >> $GITHUB_ENV
echo "$SCAN_OUTPUT_AFTER" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: "Create Pull Request"
uses: peter-evans/create-pull-request@v4
with:
commit-message: "chore(deps): security update"
signoff: true
branch: chore/security-updates-${{ matrix.branch }}
body: |
Scan output:

Before update:
${{ env.SCAN_OUTPUT_BEFORE }}

After update:
${{ env.SCAN_OUTPUT_AFTER }}
delete-branch: true
title: "chore(deps): security update"
draft: false
labels: dependencies
token: ${{ steps.github-app-token.outputs.token }}
committer: kumahq[bot] <110050114+kumahq[bot]@users.noreply.github.com>
author: kumahq[bot] <110050114+kumahq[bot]@users.noreply.github.com>
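Review bot: `go get -u {}` in the "Update dependencies" step upgrades not only the module OSV flagged but also every module it depends on to newer minor or patch releases, which is a broader change than a security fix should make on a release branch (`release-1.5` through `release-2.0`); prefer `go get {}@latest` without `-u` (or the fixed version the scanner reports) so only the flagged module moves, and use `jq -r` so the module paths reach `xargs` as bare strings rather than JSON-quoted ones. Two further points in the same hunk: `actions/checkout@v2`, `actions/setup-go@v3` and `peter-evans/create-pull-request@v4` are pinned by mutable tag while `tibdex/github-app-token` is pinned by commit SHA, so the SHA pinning should be applied consistently to all third-party actions in a workflow that holds an app private key; and the matrix declares no `fail-fast: false`, so a failure on one branch cancels the security-update runs for the remaining branches.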