actions/*: streamline workflows into reusable actions

.github/workflows/add-maintainer-custom-property.yml

@@ -9,36 +9,9 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: brave/security-action/actions/add-maintainer-custom-property@main
         with:
-          node-version: '20.x'
-      - id: npm
-        run: cd ${{ github.workspace }}; npm ci
-        shell: bash
-      - name: run
-        id: run
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          IGNORE_MAINTAINERS: brave-builds,brave-browser-releases,brave-support-admin
-          DEBUG: false
-        with:
-          github-token: ${{ secrets.CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN }}
-          script: |
-            console.log('${{ github.workspace }}/src/addMaintainerCustomProperty.js');
-            const { default: addMaintainerCustomProperty } = await import('${{ github.workspace }}/src/addMaintainerCustomProperty.js');
-            return await addMaintainerCustomProperty({
-                org: process.env.GITHUB_REPOSITORY_OWNER,
-                github: github,
-                ignoreMaintainers: process.env.IGNORE_MAINTAINERS,
-                debug: process.env.DEBUG
-            });
-      - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1.1.0
-        if: ${{ fromJson(steps.run.outputs.result) != '' }}
-        with:
-          slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
-          message: |
-            [add-maintainer-custom-property] ${{ fromJson(steps.run.outputs.result) }}
-          channel: secops-hotspots
-          color: yellow
-          verbose: false
+          ignore_maintainers: brave-builds,brave-browser-releases,brave-support-admin
+          debug: false
+          github_token: ${{ secrets.CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN }}
+          slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}

.github/workflows/check-new-repos.yml

@@ -8,54 +8,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Check New Repos
-        id: check-new-repos
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ secrets.GH_PAT }}
-          script: |
-            var query = `query ($owner: String!) {
-              repositoryOwner(login: $owner) {
-                repositories(last: 100) {
-                  totalCount
-                  nodes {
-                    name
-                    createdAt
-                  }
-                }
-              }
-            }`;
-            const variables = {
-              owner: context.repo.owner
-            }
-            const result = await github.graphql(query, variables);
-            const totalCount = result.repositoryOwner.repositories.totalCount;
-
-            // DEBUG: console.log("totalCount: %s", totalCount);
-            const repositories = result.repositoryOwner.repositories;
-            const yesterday = ((d) => d.setDate(d.getDate() - 1))(new Date());
-            var newerThanADay = repositories.nodes.filter(
-              repo => new Date(repo.createdAt) > yesterday
-            );
-            // DEBUG: console.log("NewerThanADay: %o", newerThanADay);
-            var message = "";
-            if (newerThanADay.length > 0) {
-              message += `${newerThanADay.length} new repos in ${variables.owner}:\n\n`;
-              for (let i = 0; i < newerThanADay.length; i++) {
-                message += `- ${newerThanADay[i].name}\n`;
-              }
-              message += `\nTotal repositories in ${variables.owner}: ${totalCount}`;
-
-              core.setSecret(message);
-            }
-
-            return message;
-      - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1.1.0
-        if: ${{ fromJson(steps.check-new-repos.outputs.result) != '' }}
+      - name: check new repos
+        uses: brave/security-action/actions/check-new-repos@main
         with:
+          github_token: ${{ secrets.ORG_READ_GITHUB_TOKEN }}
           slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
-          message: |
-            [check-new-repos] ${{ fromJson(steps.check-new-repos.outputs.result) }}
-          channel: secops-hotspots
-          color: yellow
-          verbose: false
+          debug: false

.github/workflows/dependabot-auto-dismiss.yml

@@ -8,24 +8,9 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - name: dependabot auto dismiss
+        uses: brave/security-action/actions/dependabot-auto-dismiss@main
         with:
-          node-version: '20.x'
-      - id: npm
-        run: cd ${{ github.workspace }}; npm ci
-        shell: bash
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          SLACK_TOKEN: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
-          SLACK_CHANNEL: '#secops-hotspots'
-          DEBUG: false
-        with:
-          github-token: ${{ secrets.DEPENDABOT_AUTO_DISMISS_GITHUB_TOKEN }}
-          script: |
-            const debug = process.env.DEBUG === 'true';
-            const { default: sendSlackMessage } = await import('${{ github.workspace }}/src/sendSlackMessage.js');
-            const { default: dependabotDismiss } = await import('${{ github.workspace }}/src/dependabotDismiss.js');
-            const message = await dependabotDismiss({debug, org: process.env.GITHUB_REPOSITORY_OWNER, github: github, dependabotDismissConfig: '${{ github.workspace }}/.github/dependabot-dismiss.txt'});
-            if (message.length > 0)
-              await sendSlackMessage({debug, username: 'dependabot-auto-dismiss', message: message, channel: process.env.SLACK_CHANNEL, token: process.env.SLACK_TOKEN});
+          github_token: ${{ secrets.DEPENDABOT_AUTO_DISMISS_GITHUB_TOKEN }}
+          slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
+          debug: false

.github/workflows/dependabot-nudge.yml

@@ -8,49 +8,10 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - name: dependabot nudge
+        uses: brave/security-action/actions/dependabot-nudge@main
         with:
-          node-version: '20.x'
-      - id: npm
-        run: cd ${{ github.workspace }}; npm ci
-        shell: bash
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          SLACK_TOKEN: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
-          SLACK_CHANNEL: '#secops-hotspots'
-          GH_TO_SLACK_USER_MAP: ${{ secrets.GH_TO_SLACK_USER_MAP }}
-          DEBUG: false
-        with:
-          github-token: ${{ secrets.DEPENDABOT_NUDGE_GITHUB_TOKEN }}
-          script: |
-            const debug = process.env.DEBUG === 'true';
-            const { default: sendSlackMessage } = await import('${{ github.workspace }}/src/sendSlackMessage.js');
-            const { default: dependabotNudge } = await import('${{ github.workspace }}/src/dependabotNudge.js');
-
-            let githubToSlack = {};
-            try {
-              githubToSlack = JSON.parse(process.env.GH_TO_SLACK_USER_MAP);
-            } catch (e) {
-              if (debug) console.log('GH_TO_SLACK_USER_MAP is not valid JSON');
-            }
-
-            // set minlevel to 'medium' if it's the first Monday of the month, otherwise stick to high or critical issues
-            let minlevel = 'medium';
-            const today = new Date();
-            if (today.getDate() > 7) {
-              if (debug)
-                console.log('Not the first Monday of the month!');
-              minlevel = 'high';
-            }
-
-            const messages = await dependabotNudge({debug, org: process.env.GITHUB_REPOSITORY_OWNER, github: github, minlevel: minlevel, githubToSlack: githubToSlack});
-
-            for (const message of messages) {
-              try {
-                await sendSlackMessage({debug, username: 'dependabot', message: message, channel: process.env.SLACK_CHANNEL, token: process.env.SLACK_TOKEN});
-              } catch (error) {
-                if (debug)
-                  console.log(error);
-              }
-            }
+          github_token: ${{ secrets.DEPENDABOT_NUDGE_GITHUB_TOKEN }}
+          slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
+          gh_to_slack_user_map: ${{ secrets.GH_TO_SLACK_USER_MAP }}
+          debug: false

.github/workflows/older-than-2y.yml

@@ -8,56 +8,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Older Than 2 Years Informer
-        id: older-than-2y
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ secrets.GH_PAT }}
-          script: |
-            const org = process.env.GITHUB_REPOSITORY_OWNER;
-
-            function formatInMessage(r) {
-              var pushedAt = new Date(r.pushed_at);
-              return `- ${r.private ? '😎 ' : ''} ${r.full_name} ${r.html_url}\t🌟 ${r.stargazers_count}🍴${r.forks} - Last pushed ${pushedAt.getFullYear()}/${pushedAt.getMonth()}/${pushedAt.getDay()+1}\n`
-            }
-
-            const v = await github.paginate('GET /orgs/{org}/repos', {
-              org: org,
-              headers: {
-                'X-GitHub-Api-Version': '2022-11-28'
-              }
-            })
-            const maxOlderDate = ((d) => d.setDate(d.getDate() - 2*365))(new Date()); // 2 years
-            const reposOlderThanDate = v.filter(r => r.archived === false).filter(r => r.disabled === false).filter(r => new Date(r.pushed_at) < maxOlderDate)
-            const forks = reposOlderThanDate.filter(r => r.fork === true)
-            const nonForks = reposOlderThanDate.filter(r => r.fork === false)
-            // console.log(reposOlderThanDate[0]) // DEBUG
-
-            if (reposOlderThanDate.length == 0) return "";
-
-            var message = `${org} has ${reposOlderThanDate.length} outdated repositories.\nConsider archiving them.`
-
-            if (nonForks.length !== 0) message += "\n\nRepositories:\n"
-            for (var i = 0; i < nonForks.length; i++) {
-              var r = nonForks[i]
-              message += formatInMessage(r)
-            }
-
-            if (forks.length !== 0) message += "\n\nForks:\n"
-            for (var i = 0; i < forks.length; i++) {
-              var r = forks[i]
-              message += formatInMessage(r)
-            }
-
-            core.setSecret(message);
-
-            return message;
-      - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1.1.0
-        if: ${{ fromJson(steps.older-than-2y.outputs.result) != '' }}
+      - name: older than 2 years informer
+        uses: brave/security-action/actions/older-than-2y@main
         with:
+          github_token: ${{ secrets.ORG_READ_GITHUB_TOKEN }}
           slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
-          message: |
-            [older-than-2y] ${{ fromJson(steps.older-than-2y.outputs.result) }}
-          channel: secops-hotspots
-          color: blue
-          verbose: false
+          debug: false

.github/workflows/renovate-sanity-check.yml

@@ -9,34 +9,9 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
-        with:
-          node-version: '20.x'
-      - id: npm
-        run: cd ${{ github.workspace }}; npm ci
-        shell: bash
-      - name: run
-        id: run
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          DEBUG: false
-        with:
-          github-token: ${{ secrets.CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN }}
-          script: |
-            console.log('${{ github.workspace }}/src/renovateSanityCheck.js');
-            const { default: renovateSanityCheck } = await import('${{ github.workspace }}/src/renovateSanityCheck.js');
-            return await renovateSanityCheck({
-                org: process.env.GITHUB_REPOSITORY_OWNER,
-                github: github,
-                debug: process.env.DEBUG
-            });
-      - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1.1.0
-        if: ${{ fromJson(steps.run.outputs.result) != '' }}
+      - name: Renovate Sanity Check
+        uses: brave/security-action/actions/renovate-sanity-check@main
         with:
+          github_token: ${{ secrets.CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN }}
           slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
-          message: |
-            [renovate-sanity-check] ${{ fromJson(steps.run.outputs.result) }}
-          channel: secops-hotspots
-          color: yellow
-          verbose: false
+          debug: false

actions/add-mantainer-custom-property/action.cjs

@@ -0,0 +1,21 @@
+module.exports = async ({ github, context, inputs, actionPath, core, debug = false }) => {
+  const { default: addMaintainerCustomProperty } = await import(`${actionPath}/src/addMaintainerCustomProperty.js`)
+  const { default: sendSlackMessage } = await import(`${actionPath}/src/sendSlackMessage.js`)
+
+  const reposWithoutMaintainer = await addMaintainerCustomProperty({
+    org: context.repo.owner,
+    github,
+    ignoreMaintainers: inputs.ignore_maintainers,
+    debug
+  })
+
+  if (reposWithoutMaintainer.trim().length > 0) {
+    await sendSlackMessage({
+      token: inputs.slack_token,
+      message: `[add-maintainer-custom-property] ${reposWithoutMaintainer}`,
+      channel: '#secops-hotspots',
+      color: 'yellow',
+      username: 'add-maintainer-custom-property'
+    })
+  }
+}

actions/add-mantainer-custom-property/action.yml

@@ -0,0 +1,40 @@
+# action that add maintainer as a custom property
+# to all repositories in this organization
+name: add-maintainer-custom-property
+description: Add Maintainer as Custom Property to Repositories
+inputs:
+  github_token:
+    description: 'GitHub Token'
+    required: true
+  slack_token:
+    description: 'Slack Token'
+    required: true
+  ignore_maintainers:
+    description: 'Comma separated list of maintainers to ignore'
+    default: brave-builds,brave-browser-releases,brave-support-admin
+  debug:
+    description: 'Debug mode'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      with:
+        node-version: '20.x'
+    - id: npm
+      run: cd ${{ github.action_path }}/../..; npm ci
+      shell: bash
+    - name: run
+      id: run
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      env:
+        DEBUG: ${{ (inputs.debug == 'true' || runner.debug) && 'true' || 'false'}}
+      with:
+        github-token: ${{ inputs.github_token }}
+        script: |
+          const actionPath = '${{ github.action_path }}/../../'
+          const inputs = ${{ toJson(inputs) }}
+
+          const script = require('${{ github.action_path }}/action.cjs')
+          await script({github, context, inputs, actionPath, core,
+            debug: process.env.DEBUG === 'true'})