Skip to content

meeting notes: 2024-10-02 #653

meeting notes: 2024-10-02

meeting notes: 2024-10-02 #653

Workflow file for this run

name: nix build and check advisories
on:
- push
- pull_request
jobs:
check-nix:
name: Check nix build
runs-on: ubuntu-22.04
steps:
- name: git checkout
uses: actions/checkout@v4
with:
# We need to retrieve full history to determine the correct
# `published` and `modified` timestamps
fetch-depth: 0
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
with:
extra-conf: system-features = nixos-test benchmark big-parallel kvm
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Check Nix flake inputs
uses: DeterminateSystems/flake-checker-action@v4
- name: Build executable (hsec-tools)
run: nix -L build
- name: Build docker image
run: nix build -L '.#packages.x86_64-linux.hsec-tools-image'
- run: mkdir -p ~/.local/dockerImages
- run: cp result ~/.local/dockerImages/hsec-tools
- name: upload executable
uses: actions/upload-artifact@v4
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
with:
name: hsec-tools-${{ github.sha }}
path: ~/.local/dockerImages
- run: docker load -i ~/.local/dockerImages/hsec-tools
- name: Run advisory syntax checks
run: |
RESULT=0
# Remove the begining of the README to extract the example.
(echo '```toml'; sed -e '1,/```toml/d' README.md) > EXAMPLE_README.md
while read FILE ; do
[ "$(dirname "$FILE")" != advisories/reserved ] || continue
echo -n "$FILE: "
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools check "$FILE" || RESULT=1
done < <(find advisories EXAMPLE_README.md EXAMPLE_ADVISORY.md -type f -name "*.md")
exit $RESULT
- name: Run advisory uniqueness checks
run: |
! find advisories -type f -name '*.md' -print0 \
| xargs -0n1 basename | sort | uniq -c | grep -E -v '[[:space:]]*1 '
- name: Generate OSV data
run: |
DATA_DIR=$PWD/osv
mkdir "$DATA_DIR"
while read FILE ; do
echo "$FILE"
ID=$(basename "$FILE" .md)
YEAR=$(echo "$ID" | cut -d - -f 2)
mkdir -p $DATA_DIR/$YEAR
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools osv "$FILE" > $DATA_DIR/$YEAR/$ID.json
done < <(find advisories -type f -name "*.md" | grep -v '^advisories/reserved/')
- name: Publish OSV data
if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
env:
GITHUB_SHA: ${{ github.sha }}
run: |
DATA_DIR=$PWD/osv
BRANCH=generated/osv-export
REF=refs/remotes/origin/$BRANCH
export GIT_WORK_TREE=$DATA_DIR
git read-tree "$REF"
git add --all --intent-to-add
git diff --quiet && exit
git add --all
TREE=$(git write-tree)
git config user.email [email protected]
git config user.name "Haskell Security Response Team"
COMMIT=$(git commit-tree "$TREE" -p "$REF" -m "$(date --utc --rfc-3339=seconds) ($GITHUB_SHA)")
git push origin $COMMIT:$BRANCH
- name: Generate snapshot data
run: |
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-snapshot . snapshot
diff -r advisories snapshot/advisories | grep -v gitkeep | grep -v 'Only in advisories: reserved' | grep Only && echo 'Some advisories have been created/deleted' && exit 1 || exit 0
- name: Publish snapshot data
if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
env:
GITHUB_SHA: ${{ github.sha }}
run: |
DATA_DIR=$PWD/snapshot
BRANCH=generated/snapshot-export
REF=refs/remotes/origin/$BRANCH
export GIT_WORK_TREE=$DATA_DIR
git read-tree "$REF"
git add --all --intent-to-add
git diff --quiet && exit
git add --all
TREE=$(git write-tree)
git config user.email [email protected]
git config user.name "Haskell Security Response Team"
COMMIT=$(git commit-tree "$TREE" -p "$REF" -m "$(date --utc --rfc-3339=seconds) ($GITHUB_SHA)")
git push origin $COMMIT:$BRANCH
- name: Generate the website
run: |
mkdir generatedWebsite
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-index . generatedWebsite
cp generatedWebsite/by-dates.html generatedWebsite/index.html
rm -Rf generatedWebsite/advisories || echo "Markdown links issue has been fixed"
- name: Deploy the website
uses: peaceiris/actions-gh-pages@v3
if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./generatedWebsite
publish_branch: generated/gh-pages
force_orphan: true