99 check :
1010 runs-on : ubuntu-latest
1111 steps :
12- - uses : actions/github-script@v6
12+ - uses : actions/checkout@v3
13+ - uses : actions/setup-node@v3
14+ with :
15+ node-version : latest
16+ - uses : actions/github-script@v7
1317 with :
1418 github-token : ${{ secrets.ACTIVE_TOKEN }}
1519 script : |
16- if (!'${{secrets.SECURITY_ISSUE_REPO}}')
17- return;
20+ const {default: SecurityChecker} = await import('${{ github.workspace }}/.github/scripts/security-checker.mjs')
1821
19- const { owner, repo } = context.repo;
20- const state = 'open';
21- const dependabotLabel = 'dependabot';
22- const codeqlLabel = 'codeql';
23- const securityLabel = 'security notification';
22+ const securityChecker = new SecurityChecker(github, context, '${{secrets.SECURITY_ISSUE_REPO}}');
2423
25- async function getDependabotAlerts () {
26- const dependabotListAlertsUrl = `https://api.github.com/repos/${ owner }/${ repo }/dependabot/alerts?state=${ state }`;
27- const dependabotRequestOptions = {
28- headers: { 'Authorization': 'Bearer ${{ secrets.ACTIVE_TOKEN }}' }
29- }
30-
31- const response = await fetch(dependabotListAlertsUrl, dependabotRequestOptions);
32- const data = await response.json();
33-
34- // If data isn't arry somethig goes wrong
35- if (Array.isArray(data))
36- return data;
37-
38- return [];
39- }
40-
41- async function getCodeqlAlerts () {
42- // When CodeQL is turned of it throws error
43- try {
44- const { data } = await github.rest.codeScanning.listAlertsForRepo({ owner, repo, state });
45-
46- return data;
47- } catch (_) {
48- return [];
49- }
50- }
51-
52- async function createIssue ({owner, repo, labels, originRepo, summary, description, link, package = ''}) {
53- const title = `[${originRepo}] ${summary}`;
54- const body = ''
55- + `#### Repository: \`${ originRepo }\`\n`
56- + (!!package ? `#### Package: \`${ package }\`\n` : '')
57- + `#### Description:\n`
58- + `${ description }\n`
59- + `#### Link: ${ link }`
60-
61- return github.rest.issues.create({ owner, repo, title, body, labels });
62- }
63-
64- function needCreateIssue (alert) {
65- return !issueDictionary[alert.html_url]
66- && Date.now() - new Date(alert.created_at) <= 1000 * 60 * 60 * 24;
67- }
68-
69- const dependabotAlerts = await getDependabotAlerts();
70- const codeqlAlerts = await getCodeqlAlerts();
71- const {data: existedIssues} = await github.rest.issues.listForRepo({ owner, repo, labels: [securityLabel], state });
72-
73- const issueDictionary = existedIssues.reduce((res, issue) => {
74- const alertUrl = issue.body.match(/Link:\s*(https.*\d*)/)?.[1];
75-
76- if (alertUrl)
77- res[alertUrl] = issue;
78-
79- return res;
80- }, {})
81-
82- dependabotAlerts.forEach(alert => {
83- if (!needCreateIssue(alert))
84- return;
85-
86- createIssue({ owner,
87- repo: '${{ secrets.SECURITY_ISSUE_REPO }}',
88- labels: [dependabotLabel, securityLabel],
89- originRepo: repo,
90- summary: alert.security_advisory.summary,
91- description: alert.security_advisory.description,
92- link: alert.html_url,
93- package: alert.dependency.package.name
94- })
95- });
96-
97- codeqlAlerts.forEach(alert => {
98- if (!needCreateIssue(alert))
99- return;
100-
101- createIssue({ owner,
102- repo: '${{ secrets.SECURITY_ISSUE_REPO }}',
103- labels: [codeqlLabel, securityLabel],
104- originRepo: repo,
105- summary: alert.rule.description,
106- description: alert.most_recent_instance.message.text,
107- link: alert.html_url,
108- })
109- });
24+ await securityChecker.check();