Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MNT Retime JS deps issue and spin off separate dependabot issue #254

Merged
merged 1 commit into from
May 29, 2024
Merged

MNT Retime JS deps issue and spin off separate dependabot issue #254

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions .github/workflows/dependabot-prs-issue.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
name: Dependabot PRs issue

on:
# At 12:00 on day-of-month 1 in March, June, September, and December.
schedule:
- cron: '0 12 1 3,6,9,12 *'
workflow_dispatch:

permissions: {}

jobs:
js-prs-issue:
name: Dependabot PRs issue
# Only run cron on the silverstripe account
if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule')
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Get Alerts List
id: get-alerts-list
run: |
ALERTS_LIST=''

# Get list of supported modules
curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json
# If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file.
MODULES=$(jq -e '.' __modules.json) || true
if [[ $MODULES == "" ]]; then
# If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format.
echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:"
cat __modules.json
# Instead of exiting, output an error instead of the dependabot alert list.
# We don't have any reporting indicating if this workflow fails, so this is a good way to track that.
ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.'
else
# Create a list of markdown links for supported module dependabot stuff
ALERTS_LIST=$(php -r '
$json = json_decode(file_get_contents("__modules.json"), true);
foreach ($json["supportedModules"] as $module) {
# Assumes CMS 5 is the most recent stable version
if (!isset($module["majorVersionMapping"]["5"])) {
continue;
}
$githubRef = $module["github"];
$branch = end($module["majorVersionMapping"]["5"]);
$packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json";
$headers = get_headers($packageJsonURL);
# $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found"
$response = $headers[0];
# Skip modules which do not have a package.json file
if (strpos($response, "404") !== false) {
continue;
}
# If we have something other than 404 (above) or 200, output an error string for the list
# and move on.
if (strpos($response, "200") === false) {
echo "- $githubRef: Unable to check package.json, response was $response.\\n";
continue;
}

# If we get here, we have a package.json file so we should add a dependabot alerts URL to the list
echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n";
}
')
fi

echo 'ALERTS_LIST is:'
echo $ALERTS_LIST
echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT


- name: Dependabot PRs issue
uses: silverstripe/gha-issue@v1
env:
ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }}
with:
title: Dependabot pull-requests
description: |
This is an automatically created issue used to list dependabot pull requests every 3 months.\n
\n
It was created by the `.github/workflows/dependabot-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n
\n
### Triage instructions (Silverstripe Ltd CMS Squad)\n
1. Put on the following labels:\n
- `type/bug`\n
- `impact/low`\n
2. Move this issue to the "Ready" column on our internal zenhub board\n
3. If there is an open issue for JS PRs, block this issue on it - those PRs may resolve some dependabot alerts\n
\n
### Dependabot pull-requests:\n
See the [list of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22}) in Rhino.\n
- Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process\n
- Merge these PRs if there are no merge-conflicts and CI is green\n
- If there are conflicts or CI isn't green, get dependabot to recreate the PR\n
- If there are still problems, manually resolve them and open your own PR\n
- Backport anything that seems like it needs to be patched immediately\n
\n
### Dependabot alerts:\n
After all of the above have been completed and resolved, check for any outstanding dependabot alerts in the list below.\n
- Make a quick determination as to whether any alerts warrant using our security process\n
- Ignore or dismiss any alerts that aren't relevant\n
- Try to resolve any relevant alerts which dependabot is unable to resolve automatically\n
\n
Respositories with alerts:\n
${{ env.ALERTS_LIST }}

- name: Delete temporary files
shell: bash
if: always()
run: |
if [[ -f __modules.json ]]; then
rm __modules.json
fi
78 changes: 3 additions & 75 deletions .github/workflows/js-prs-issue.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
name: JS PRs issue

on:
# At 12:00 on day-of-month 1 in every 3rd month.
# At 12:00 on day-of-month 1 in March and September.
# This is 12 hours after update-js workflows run on repos such as silverstripe/asset-admin
schedule:
- cron: '0 12 1 */3 *'
- cron: '0 12 1 3,9 *'
workflow_dispatch:

permissions: {}
Expand All @@ -18,68 +18,13 @@ jobs:
permissions:
issues: write
steps:
- name: Get Alerts List
id: get-alerts-list
run: |
ALERTS_LIST=''

# Get list of supported modules
curl -s -o __modules.json https://raw.githubusercontent.com/silverstripe/supported-modules/main/repositories.json
# If we can't parse the JSON at all, $MODULES will be an empty string and that means we couldn't fetch the file.
MODULES=$(jq -e '.' __modules.json) || true
if [[ $MODULES == "" ]]; then
# If there is some error getting the file, the error will be in the __modules.json file - importantly, not in JSON format.
echo "Cannot parse supported-modules JSON. Aborting. The content we tried to parse was:"
cat __modules.json
# Instead of exiting, output an error instead of the dependabot alert list.
# We don't have any reporting indicating if this workflow fails, so this is a good way to track that.
ALERTS_LIST='Failed to parse supported-modules JSON. Please check the GitHub action log.'
else
# Create a list of markdown links for supported module dependabot stuff
ALERTS_LIST=$(php -r '
$json = json_decode(file_get_contents("__modules.json"), true);
foreach ($json["supportedModules"] as $module) {
# Assumes CMS 5 is the most recent stable version
if (!isset($module["majorVersionMapping"]["5"])) {
continue;
}
$githubRef = $module["github"];
$branch = end($module["majorVersionMapping"]["5"]);
$packageJsonURL = "https://raw.githubusercontent.com/$githubRef/$branch/package.json";
$headers = get_headers($packageJsonURL);
# $headers[0] includes the response code in a format like: "HTTP/1.1 404 Not Found"
$response = $headers[0];
# Skip modules which do not have a package.json file
if (strpos($response, "404") !== false) {
continue;
}
# If we have something other than 404 (above) or 200, output an error string for the list
# and move on.
if (strpos($response, "200") === false) {
echo "- $githubRef: Unable to check package.json, response was $response.\\n";
continue;
}

# If we get here, we have a package.json file so we should add a dependabot alerts URL to the list
echo "- [$githubRef](https://github.com/$githubRef/security/dependabot)\\n";
}
')
fi

echo 'ALERTS_LIST is:'
echo $ALERTS_LIST
echo "alerts_list=$ALERTS_LIST" >> $GITHUB_OUTPUT


- name: JS PRs issue
uses: silverstripe/gha-issue@v1
env:
ALERTS_LIST: ${{ steps.get-alerts-list.outputs.alerts_list }}
with:
title: JS pull-requests
description: |
This is an automatically created issue used to list automatically created
javascript pull requests every 3 months.\n
javascript pull requests every 6 months.\n
\n
It was created by the `.github/workflows/js-prs-issue.yml` workflow in the [silverstripe/.github](https://github.com/silverstripe/.github/) repository.\n
\n
Expand Down Expand Up @@ -108,20 +53,3 @@ jobs:
7. Git commit, push the changes and create a pull-request\n
8. List the pull-request(s) on this issue\n
9. Move this issue to the peer review column on the CMS Squad internal zenhub board\n
\n
### Dependabot pull-requests:\n
- [List of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22})\n
- Most of these should be automatically closed if the "Update JS pull-requests" above are merged\n
- You can make a judgement call as to whether to merge any easy ones that are left\n
\n
### Dependabot alerts:\n
After all of the above have been completed and resolved, check for any outstanding dependabot alerts:\n
${{ env.ALERTS_LIST }}

- name: Delete temporary files
shell: bash
if: always()
run: |
if [[ -f __modules.json ]]; then
rm __modules.json
fi