feat: Setup Dependabot workflow #15
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create Issues from High Severity Dependabot Alerts | |
on: | |
push: | |
branches: | |
- 30-setup-dependabot-workflow | |
jobs: | |
create_issues_from_alerts: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Fetch Dependabot alerts | |
id: fetch_alerts | |
uses: actions/github-script@v5 | |
with: | |
github-token: ${{ secrets.DEPENDABOT_PAT }} | |
script: | | |
const alerts = await github.request('GET /repos/' + context.repo.owner + '/' + context.repo.repo + '/dependabot/alerts', { | |
per_page: 100 | |
}); | |
if (!alerts.data || alerts.data.length === 0) { | |
core.notice('No Dependabot alerts found.'); | |
return; | |
} | |
core.setOutput('alerts', JSON.stringify(alerts.data.map(alert => ({ | |
number: alert.number, | |
package_name: alert.security_advisory?.identifiers[0]?.value || 'dependabot issues', | |
severity: alert.security_advisory.severity, | |
summary: alert.security_advisory.summary, | |
url: alert.html_url | |
})))); | |
- name: Check for existing issues and create new ones | |
uses: actions/github-script@v5 | |
with: | |
github-token: ${{ secrets.DEPENDABOT_PAT }} | |
script: | | |
const alerts = JSON.parse(process.env.ALERTS); | |
if (!alerts || alerts.length === 0) { | |
console.log('No alerts to create issues for.'); | |
return; | |
} | |
const existingIssues = await github.rest.issues.listForRepo({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
state: 'open' | |
}); | |
for (const alert of alerts) { | |
if (alert.severity.toLowerCase() !== 'high') { | |
console.log(`Skipping non-high severity alert: ${alert.package_name} - ${alert.severity}`); | |
continue; | |
} | |
const alertNumber = alert.url.split('/').pop(); | |
const issueTitle = `Security Alert: Dependabot issue (${alertNumber}) - ${alert.severity}`; | |
const issueExists = existingIssues.data.some(issue => issue.title === issueTitle); | |
if (issueExists) { | |
console.log(`Issue already exists for alert ${alertNumber}. Skipping creation.`); | |
continue; | |
} | |
const issueBody = ` | |
A security vulnerability has been detected in the **${alert.package_name}** package. | |
**Severity**: ${alert.severity} | |
**Summary**: ${alert.summary} | |
**Details**: [View alert](${alert.url}) | |
Please review and address this issue accordingly. | |
`; | |
console.log('Creating issue with title:', issueTitle); | |
console.log('Creating issue with body:', issueBody); | |
await github.rest.issues.create({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
title: issueTitle, | |
body: issueBody | |
}); | |
// Add a delay to avoid rate limit issues | |
await new Promise(resolve => setTimeout(resolve, 2000)); | |
} | |
env: | |
ALERTS: ${{ steps.fetch_alerts.outputs.alerts }} |