Update changed files action #955
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Audit Dependencies 🕵️♀️ | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| workflow_call: | |
| inputs: | |
| package-subdirectory: | |
| description: Subdirectory in the repository, where the R package is located. | |
| required: false | |
| type: string | |
| default: "." | |
| allow-failure: | |
| description: Allow workflow to fail if one or more vulnerabilities are found. | |
| required: false | |
| type: boolean | |
| default: false | |
| jobs: | |
| audit: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/insightsengineering/rstudio_4.3.1_bioc_3.17:latest | |
| name: oysteR scan 🦪 | |
| if: > | |
| !contains(github.event.commits[0].message, '[skip audit]') | |
| && github.event.pull_request.draft == false | |
| steps: | |
| - name: Checkout repo 🛎 | |
| uses: actions/checkout@v3 | |
| - name: Normalize inputs 🛠️ | |
| id: normalizer | |
| run: | | |
| ALLOW_FAILURE="${{ inputs.allow-failure }}" | |
| if [ "$ALLOW_FAILURE" == "" ] | |
| then { | |
| ALLOW_FAILURE=false | |
| } | |
| fi | |
| echo "allow-failure=$ALLOW_FAILURE" >> "$GITHUB_ENV" | |
| shell: bash | |
| - name: Run oysteR scan on dependencies 🔍 | |
| run: | | |
| tryCatch( | |
| expr = { | |
| dependencies_scan = oysteR::audit_description( | |
| dir = ".", | |
| fields = c("Depends", "Imports", "Suggests"), | |
| verbose = TRUE | |
| ) | |
| print(as.data.frame( | |
| dependencies_scan[c( | |
| "package", | |
| "version", | |
| "vulnerabilities", | |
| "no_of_vulnerabilities" | |
| )] | |
| )) | |
| Sys.sleep(1) | |
| deps_with_vulnerabilities = subset(dependencies_scan, no_of_vulnerabilities > 0) | |
| if(nrow(deps_with_vulnerabilities) > 0) { | |
| message("❗ Vulnerabilities found in the following dependencies:") | |
| message(deps_with_vulnerabilities["package"]) | |
| if ("${{ env.allow-failure }}" == "true") quit(status=1) | |
| } | |
| }, | |
| error = function(e) { | |
| message('🚨 Caught an error!') | |
| print(e) | |
| } | |
| ) | |
| shell: Rscript {0} | |
| working-directory: ${{ inputs.package-subdirectory }} | |
| - name: Run oysteR scan on renv.lock 🔒 | |
| run: | | |
| tryCatch( | |
| expr = { | |
| if (file.exists("renv.lock")) { | |
| renv_lock_scan = oysteR::audit_renv_lock(dir = ".", verbose = TRUE) | |
| print(as.data.frame( | |
| renv_lock_scan[c( | |
| "package", | |
| "version", | |
| "vulnerabilities", | |
| "no_of_vulnerabilities" | |
| )] | |
| )) | |
| Sys.sleep(1) | |
| deps_with_vulnerabilities = subset(renv_lock_scan, no_of_vulnerabilities > 0) | |
| if(nrow(deps_with_vulnerabilities) > 0) { | |
| message("❗ Vulnerabilities found in the following dependencies:") | |
| message(deps_with_vulnerabilities["package"]) | |
| if ("${{ env.allow-failure }}" == "true") quit(status=1) | |
| } | |
| } else { | |
| print("No renv.lock file, not scanning.") | |
| } | |
| }, | |
| error = function(e) { | |
| message('🚨 Caught an error!') | |
| print(e) | |
| } | |
| ) | |
| shell: Rscript {0} |