Update insecure dependencies #780
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Update insecure dependencies" | |
| on: | |
| workflow_dispatch: {} | |
| schedule: | |
| - cron: 0 3 * * * | |
| permissions: read-all | |
| jobs: | |
| build-matrix: | |
| timeout-minutes: 10 | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| branches: ${{ steps.generate-matrix.outputs.branches }} | |
| steps: | |
| - id: generate-matrix | |
| run: | | |
| # The head -1 is because GITHUB_OUTPUT is easier to work with single line output and this file is created with automation in `lifecycle.yaml` | |
| ACTIVE_BRANCHES=`gh api /repos/${{ github.repository }}/contents/active-branches.json --jq '.content | @base64d' | head -1` | |
| echo "branches=${ACTIVE_BRANCHES}" >> $GITHUB_OUTPUT | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| update-insecure-dependencies: | |
| env: | |
| OSV_SCANNER_ADDITIONAL_OPTS: "" | |
| timeout-minutes: 20 | |
| needs: | |
| - build-matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| branch: ${{ fromJSON(needs.build-matrix.outputs.branches) }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Set Swap Space | |
| uses: pierotofy/set-swap-space@0404882bc4666c0ff2f6fd8b3d32af69a730183c | |
| with: | |
| swap-size-gb: 10 | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ matrix.branch }} | |
| - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: "Install tools" | |
| run: | | |
| go install github.com/google/osv-scanner/cmd/osv-scanner@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1 | |
| - name: "Prepare commit body - before" | |
| id: prepare_commit_body_before | |
| run: | | |
| SCAN_OUTPUT_BEFORE=$(osv-scanner $OSV_SCANNER_ADDITIONAL_OPTS --lockfile=go.mod | tr "+" "|" | awk 'NR>3 {print last} {last=$0}' || true) | |
| echo "SCAN_OUTPUT_BEFORE<<EOF" >> $GITHUB_ENV | |
| echo "$SCAN_OUTPUT_BEFORE" >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| - name: "Update dependencies" | |
| id: update | |
| run: | | |
| make update-vulnerable-dependencies | |
| - name: "Prepare commit body - after" | |
| id: prepare_commit_body_after | |
| run: | | |
| SCAN_OUTPUT_AFTER=$(osv-scanner $OSV_SCANNER_ADDITIONAL_OPTS --lockfile=go.mod | tr "+" "|" | awk 'NR>3 {print last} {last=$0}' || true) | |
| echo "SCAN_OUTPUT_AFTER<<EOF" >> $GITHUB_ENV | |
| echo "$SCAN_OUTPUT_AFTER" >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| - name: Generate GitHub app token | |
| id: github-app-token | |
| uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| - name: "Create Pull Request" | |
| uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6 | |
| with: | |
| commit-message: "chore(deps): security update" | |
| signoff: true | |
| branch: chore/security-updates-${{ matrix.branch }} | |
| body: | | |
| Scan output: | |
| Before update: | |
| ${{ env.SCAN_OUTPUT_BEFORE }} | |
| After update: | |
| ${{ env.SCAN_OUTPUT_AFTER }} | |
| If a package is showing up in the scan but the script is not trying to update it then it might be because there is no fixed version yet. | |
| delete-branch: true | |
| title: "chore(deps): security update" | |
| draft: false | |
| labels: dependencies,${{ matrix.branch }} | |
| token: ${{ steps.github-app-token.outputs.token }} | |
| committer: kumahq[bot] <110050114+kumahq[bot]@users.noreply.github.com> | |
| author: kumahq[bot] <110050114+kumahq[bot]@users.noreply.github.com> |