-
Notifications
You must be signed in to change notification settings - Fork 29
268 lines (219 loc) Β· 11.3 KB
/
dependency-updates.yml
File metadata and controls
268 lines (219 loc) Β· 11.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
name: Daily Dependency Updates
on:
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
workflow_dispatch:
env:
NODE_VERSION: '18'
permissions:
contents: write
pull-requests: write
id-token: write
jobs:
dependency-updates:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: true
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Configure Git
run: |
git config --global user.name 'github-actions[bot]'
git config --global user.email 'github-actions[bot]@users.noreply.github.com'
- name: Create branch name with timestamp
id: branch
run: |
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
BRANCH_NAME="dependency-updates/${TIMESTAMP}"
echo "branch_name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
echo "timestamp=${TIMESTAMP}" >> $GITHUB_OUTPUT
- name: Install current dependencies
run: npm ci
- name: Run npm audit fix
run: |
echo "Running npm audit fix..."
npm audit --audit-level=moderate --json > audit_results.json || true
npm audit fix --audit-level=moderate || true
echo "npm audit fix completed"
- name: Reinstall with lockfile version 1
run: |
echo "Reinstalling dependencies with lockfile version 1..."
npm install --lockfile-version=1
echo "Dependencies reinstalled"
- name: Check for changes
id: changes
run: |
git add package-lock.json
git add package.json
if git diff --staged --quiet; then
echo "No changes detected"
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "Changes detected"
echo "has_changes=true" >> $GITHUB_OUTPUT
# Get summary of changes
echo "## Changes Summary" > changes_summary.md
echo "" >> changes_summary.md
# Check if package-lock.json changed
if git diff --staged --name-only | grep -q "package-lock.json"; then
echo "- π¦ package-lock.json updated" >> changes_summary.md
fi
# Check if package.json changed
if git diff --staged --name-only | grep -q "package.json"; then
echo "- π package.json updated" >> changes_summary.md
fi
# Get audit results
echo "" >> changes_summary.md
echo "### Audit Results" >> changes_summary.md
# Parse audit results for summary
if [ -f audit_results.json ]; then
# Check if there are any vulnerabilities
TOTAL_VULNS=$(jq -r '.metadata.vulnerabilities.total // 0' audit_results.json 2>/dev/null)
if [ "$TOTAL_VULNS" -gt 0 ]; then
echo "**Security Vulnerabilities Found ($TOTAL_VULNS total):**" >> changes_summary.md
echo "" >> changes_summary.md
# Get list of vulnerable packages
PACKAGES=$(jq -r '.vulnerabilities | keys[]' audit_results.json 2>/dev/null)
# Process each package
for PACKAGE in $PACKAGES; do
SEVERITY=$(jq -r ".vulnerabilities[\"$PACKAGE\"].severity" audit_results.json 2>/dev/null)
RANGE=$(jq -r ".vulnerabilities[\"$PACKAGE\"].range" audit_results.json 2>/dev/null)
IS_DIRECT=$(jq -r ".vulnerabilities[\"$PACKAGE\"].isDirect" audit_results.json 2>/dev/null)
FIX_AVAILABLE=$(jq -r ".vulnerabilities[\"$PACKAGE\"].fixAvailable" audit_results.json 2>/dev/null)
NODES=$(jq -r ".vulnerabilities[\"$PACKAGE\"].nodes | join(\", \")" audit_results.json 2>/dev/null)
echo "### π¨ $PACKAGE ($SEVERITY severity)" >> changes_summary.md
echo "- **Affected versions:** $RANGE" >> changes_summary.md
echo "- **Direct dependency:** $([ "$IS_DIRECT" = "true" ] && echo "Yes" || echo "No")" >> changes_summary.md
echo "- **Fix available:** $([ "$FIX_AVAILABLE" = "true" ] && echo "β
Yes" || echo "β No")" >> changes_summary.md
echo "- **Installed locations:** $NODES" >> changes_summary.md
echo "- **Advisories:**" >> changes_summary.md
# Get advisories for this package
ADVISORY_COUNT=$(jq -r ".vulnerabilities[\"$PACKAGE\"].via | length" audit_results.json 2>/dev/null)
for ((i=0; i<ADVISORY_COUNT; i++)); do
TITLE=$(jq -r ".vulnerabilities[\"$PACKAGE\"].via[$i].title" audit_results.json 2>/dev/null)
URL=$(jq -r ".vulnerabilities[\"$PACKAGE\"].via[$i].url" audit_results.json 2>/dev/null)
CVSS_SCORE=$(jq -r ".vulnerabilities[\"$PACKAGE\"].via[$i].cvss.score // 0" audit_results.json 2>/dev/null)
if [ "$CVSS_SCORE" != "0" ] && [ "$CVSS_SCORE" != "null" ]; then
echo " - [$TITLE]($URL) (CVSS: $CVSS_SCORE)" >> changes_summary.md
else
echo " - [$TITLE]($URL)" >> changes_summary.md
fi
done
echo "" >> changes_summary.md
done
echo "" >> changes_summary.md
# Summary by severity
echo "**Vulnerability Summary by Severity:**" >> changes_summary.md
jq -r '.metadata.vulnerabilities | to_entries[] | select(.value > 0) |
if .key == "critical" then "π΄ Critical: " + (.value | tostring)
elif .key == "high" then "π High: " + (.value | tostring)
elif .key == "moderate" then "π‘ Moderate: " + (.value | tostring)
elif .key == "low" then "π’ Low: " + (.value | tostring)
elif .key == "info" then "βΉοΈ Info: " + (.value | tostring)
else .key + ": " + (.value | tostring)
end' audit_results.json 2>/dev/null | while read line; do
echo "- $line" >> changes_summary.md
done
echo "" >> changes_summary.md
# Recommendations
echo "**Recommended Actions:**" >> changes_summary.md
# Check for packages with fixes available
FIXABLE_COUNT=$(jq -r '[.vulnerabilities[] | select(.fixAvailable == true)] | length' audit_results.json 2>/dev/null)
if [ "$FIXABLE_COUNT" -gt 0 ]; then
echo "- π§ Run \`npm audit fix\` to automatically fix $FIXABLE_COUNT vulnerable package(s)" >> changes_summary.md
fi
# Check for direct dependencies
DIRECT_VULNS=$(jq -r '[.vulnerabilities[] | select(.isDirect == true)] | length' audit_results.json 2>/dev/null)
if [ "$DIRECT_VULNS" -gt 0 ]; then
echo "- β οΈ $DIRECT_VULNS direct dependencies have vulnerabilities - consider updating or replacing" >> changes_summary.md
fi
# Check for critical/high severity
CRITICAL_HIGH=$(jq -r '(.metadata.vulnerabilities.critical // 0) + (.metadata.vulnerabilities.high // 0)' audit_results.json 2>/dev/null)
if [ "$CRITICAL_HIGH" -gt 0 ]; then
echo "- π¨ $CRITICAL_HIGH critical/high severity vulnerabilities require immediate attention" >> changes_summary.md
fi
else
echo "β
**No security vulnerabilities found**" >> changes_summary.md
fi
# Add dependency summary
echo "" >> changes_summary.md
echo "**Dependency Summary:**" >> changes_summary.md
jq -r '.metadata.dependencies |
"- Total dependencies: " + (.total | tostring) + "\n" +
"- Production: " + (.prod | tostring) + "\n" +
"- Development: " + (.dev | tostring) + "\n" +
"- Optional: " + (.optional | tostring)' audit_results.json 2>/dev/null >> changes_summary.md
else
echo "β
No vulnerabilities found" >> changes_summary.md
fi
echo "" >> changes_summary.md
echo "### Files Changed" >> changes_summary.md
git diff --staged --name-only | sed 's/^/- /' >> changes_summary.md
fi
- name: Create branch and commit changes
if: steps.changes.outputs.has_changes == 'true'
run: |
git checkout -b ${{ steps.branch.outputs.branch_name }}
git commit -m "chore: automated dependency updates
- Run npm audit fix to address security vulnerabilities
- Reinstall dependencies with lockfile-version=1
- Automated update on ${{ steps.branch.outputs.timestamp }}
π€ Assisted by GenAI"
- name: Push branch
if: steps.changes.outputs.has_changes == 'true'
run: |
git push origin ${{ steps.branch.outputs.branch_name }}
- name: Create Pull Request
if: steps.changes.outputs.has_changes == 'true'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
// Read the changes summary
let body = '';
try {
body = fs.readFileSync('changes_summary.md', 'utf8');
} catch (error) {
body = 'Automated dependency updates performed.';
}
// Add additional context to PR body
const fullBody = `# π Automated Dependency Updates
This PR contains automated dependency updates performed by the daily maintenance workflow.
${body}
## What was done:
1. β
Ran \`npm audit fix\` to address security vulnerabilities
2. β
Ran \`npm install --lockfile-version=1\` to ensure lockfile compatibility
3. β
Committed any resulting changes
## Review Guidelines:
- π Review the changes in \`package-lock.json\` for any unexpected updates
- π§ͺ Ensure CI tests pass before merging
- π This PR can be safely merged if all checks pass
---
*This PR was automatically created by the dependency-updates workflow.*
`;
const { data: pr } = await github.rest.pulls.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `chore: automated dependency updates (${{ steps.branch.outputs.timestamp }})`,
head: '${{ steps.branch.outputs.branch_name }}',
base: 'main',
body: fullBody,
draft: false
});
console.log(`Created PR #${pr.number}: ${pr.html_url}`);
- name: Summary
run: |
if [ "${{ steps.changes.outputs.has_changes }}" == "true" ]; then
echo "β
Dependency updates completed and PR created"
echo "Branch: ${{ steps.branch.outputs.branch_name }}"
else
echo "βΉοΈ No dependency updates needed"
fi