PI-1473 add enhancement ability for domain events #358
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Suppress Trivy alert | |
| on: | |
| issue_comment: | |
| types: | |
| - created | |
| workflow_dispatch: | |
| inputs: | |
| cve_id: | |
| description: CVE ID | |
| type: string | |
| required: true | |
| project: | |
| description: Project | |
| type: choice | |
| required: true | |
| options: | |
| - approved-premises-and-delius | |
| - approved-premises-and-oasys | |
| - court-case-and-delius | |
| - create-and-vary-a-licence-and-delius | |
| - custody-key-dates-and-delius | |
| - domain-events-and-delius | |
| - effective-proposal-framework-and-delius | |
| - external-api-and-delius | |
| - make-recall-decisions-and-delius | |
| - manage-pom-cases-and-delius | |
| - offender-events-and-delius | |
| - pathfinder-and-delius | |
| - person-search-index-from-delius | |
| - pre-sentence-reports-to-delius | |
| - prison-case-notes-to-probation | |
| - prison-custody-status-to-delius | |
| - refer-and-monitor-and-delius | |
| - risk-assessment-scores-to-delius | |
| - sentence-plan-and-delius | |
| - sentence-plan-and-oasys | |
| - soc-and-delius | |
| - tier-to-delius | |
| - unpaid-work-and-delius | |
| - workforce-allocations-to-delius | |
| - manage-offences-and-delius | |
| - resettlement-passport-and-delius | |
| - prison-education-and-delius | |
| - opd-and-delius | |
| # ^ add new projects here | |
| # GitHub Actions doesn't support dynamic choices, we must add each project here to enable manual deployments | |
| # See https://github.com/community/community/discussions/11795 | |
| reason: | |
| description: Reason | |
| type: string | |
| required: true | |
| jobs: | |
| build: | |
| if: github.event_name=='workflow_dispatch' || (startsWith(github.event.comment.body, 'Suppress') && startsWith(github.event.issue.title, 'CVE-')) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| - name: Set CVE from Issue Title automatically | |
| if: github.event_name=='issue_comment' | |
| run: | | |
| echo "cve_id=$(echo "$TITLE" | sed -E 's/(.*) .*/\1/')" | tee -a "$GITHUB_ENV" # CVE-123 | |
| echo "project=$(echo "$TITLE" | sed -E 's/.* \((.*)\)/\1/')" | tee -a "$GITHUB_ENV" # project-name | |
| echo "reason=$COMMENT" | tee -a "$GITHUB_ENV" | |
| env: | |
| TITLE: ${{ github.event.issue.title }} | |
| COMMENT: ${{ github.event.comment.body }} | |
| REASON: ${{ inputs.reason }} | |
| - name: Set CVE from manual input | |
| if: github.event_name=='workflow_dispatch' | |
| run: | | |
| echo "cve_id=$CVE_ID" | tee -a "$GITHUB_ENV" | |
| echo "project=$PROJECT" | tee -a "$GITHUB_ENV" | |
| echo "reason=$REASON" | tee -a "$GITHUB_ENV" | |
| env: | |
| CVE_ID: ${{ inputs.cve_id }} | |
| PROJECT: ${{ inputs.project }} | |
| REASON: ${{ inputs.reason }} | |
| - name: Update trivyignore file and create pull request | |
| run: | | |
| git switch -c "suppress/${CVE_ID}_${PROJECT}" | |
| git push origin "suppress/${CVE_ID}_${PROJECT}" | |
| git pull origin "suppress/${CVE_ID}_${PROJECT}" | |
| git push origin "suppress/${CVE_ID}_${PROJECT}" | |
| echo -e "\n# ${REASON} by ${ACTOR}\n${CVE_ID} exp:$(date -d '+2 weeks' '+%Y-%m-%d')" >> "projects/${PROJECT}/.trivyignore" | |
| gh api --method PUT "/repos/ministryofjustice/hmpps-probation-integration-services/contents/projects/${PROJECT}/.trivyignore" \ | |
| --field message="Suppress ${CVE_ID} in ${PROJECT}" \ | |
| --field content=@<( base64 -i "projects/${PROJECT}/.trivyignore" ) \ | |
| --field branch="suppress/${CVE_ID}_${PROJECT}" \ | |
| --field sha="$( git rev-parse "suppress/${CVE_ID}_${PROJECT}:projects/${PROJECT}/.trivyignore" )" | |
| gh pr create \ | |
| --title "Suppress ${CVE_ID} in ${PROJECT}" \ | |
| --body "Suppressed by ${ACTOR} with reason: ${REASON}" \ | |
| --label 'dependencies,security' | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| CVE_ID: ${{ env.cve_id }} | |
| PROJECT: ${{ env.project }} | |
| REASON: ${{ env.reason }} | |
| ACTOR: ${{ github.actor }} |