Auto-suppress CVEs #6970
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto-suppress CVEs | |
| on: | |
| schedule: | |
| # At 12 midnight and every 3rd hour from 10am through 11pm | |
| - cron: "0 0,10-23/3 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: tibdex/github-app-token@v1 | |
| id: generate-token | |
| with: | |
| app_id: ${{ secrets.HMCTS_GITHUB_CCD_APP_ID }} | |
| private_key: ${{ secrets.HMCTS_GITHUB_CCD_PRIVATE_KEY }} | |
| - uses: actions/checkout@v6 | |
| with: | |
| token: ${{ steps.generate-token.outputs.token }} | |
| ref: master | |
| - name: Run yarn audit | |
| run: yarn npm audit --recursive --environment production --json > yarn-audit-known-issues || true | |
| # continue-on-error: true | |
| - name: Check if working directory has changes | |
| id: check_git_changes | |
| run: | | |
| if [[ -n "$(git status --porcelain)" ]]; then | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_changes=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Check if added lines contain Yarn errors | |
| id: check_yarn_errors | |
| run: | | |
| added="$(git diff | grep '^+' | sed 's/^\+//')" | |
| clean_added="$(echo "$added" | sed 's/\x1b\[[0-9;]*m//g')" | |
| if echo "$clean_added" | grep -q 'YYN0035: Bad Request'; then | |
| echo "has_yarn_errors=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_yarn_errors=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Commit suppressed CVEs if there are changes | |
| if: steps.check_git_changes.outputs.has_changes == 'true' && steps.check_yarn_errors.outputs.has_yarn_errors == 'false' | |
| uses: stefanzweifel/git-auto-commit-action@v4 | |
| with: | |
| commit_message: Auto-suppress CVEs | |
| branch: master | |
| skip_dirty_check: true |