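# Opens one tracking issue per open Dependabot alert, weekly or on demand.
# Re-runs are idempotent: an issue is skipped when one already carries the
# "Dependabot Alert #<n>" marker that this workflow writes into the body.
name: Dependabot Alerts to Issues

on:
  schedule:
    - cron: "0 9 * * 1" # Weekly on Monday at 9am UTC
  workflow_dispatch:

# Least privilege: listing Dependabot alerts with GITHUB_TOKEN is gated by
# security-events (read), issue search/creation by issues (write). Declaring
# a top-level block drops every other scope to "none".
permissions:
  issues: write
  security-events: read

jobs:
  create-issues:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          # Every gh call below (REST and GraphQL) goes to this one host.
          allowed-endpoints: >
            api.github.com:443

      - name: Create issues from Dependabot alerts
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # The repository name is read from the runner environment rather than
        # interpolated with ${{ }} so the script contains no template
        # expansion at all.
        run: |
          set -euo pipefail

          # --paginate: a single page holds at most 30 alerts by default, so
          # repositories with more open alerts would silently lose the rest.
          # state=open filters server-side; each page is a JSON array and
          # jq streams every element as one compact line, one alert per
          # loop iteration.
          gh api --paginate \
            "repos/${GITHUB_REPOSITORY}/dependabot/alerts?state=open&per_page=100" \
          | jq -c '.[]' \
          | while read -r alert; do
            number=$(jq -r '.number' <<<"$alert")
            pkg=$(jq -r '.dependency.package.name' <<<"$alert")
            ecosystem=$(jq -r '.dependency.package.ecosystem' <<<"$alert")
            severity=$(jq -r '.security_advisory.severity' <<<"$alert")
            summary=$(jq -r '.security_advisory.summary' <<<"$alert")
            url=$(jq -r '.html_url' <<<"$alert")

            # Skip if an issue (open or closed) already carries this alert's
            # marker. The phrase is quoted so "#1" cannot match "#10", and
            # closed issues count so a deliberately closed one is not
            # re-opened every week.
            existing=$(gh issue list \
              --repo "$GITHUB_REPOSITORY" \
              --state all \
              --limit 1 \
              --search "\"Dependabot Alert #${number}\" in:body" \
              --json number --jq 'length')

            if [ "$existing" = "0" ]; then
              # The "dependencies" label must already exist in the
              # repository; gh issue create fails otherwise.
              # The body is fed via stdin (--body-file -) so the heredoc is
              # passed verbatim instead of through a command substitution.
              gh issue create \
                --repo "$GITHUB_REPOSITORY" \
                --title "dep: update ${pkg} (${severity})" \
                --label "dependencies" \
                --body-file - <<EOF
          ## Dependabot Alert #${number}

          **Package:** \`${pkg}\`
          **Ecosystem:** ${ecosystem}
          **Severity:** ${severity}

          ${summary}

          [View Alert](${url})
          EOF
            fi
          done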