
Bump mikepenz/action-junit-report from 4.0.1 to 4.0.3 #367



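name: Suppress Trivy alert

# Two entry points:
#   - workflow_dispatch: cve_id / project / reason are typed in by hand
#   - issue_comment: a comment starting with "Suppress" on an issue whose title
#     starts with "CVE-"; cve_id and project are parsed out of the issue title
#     and the comment body becomes the reason (see jobs.build.if)
on:
  issue_comment:
    types:
      - created
  workflow_dispatch:
    inputs:
      cve_id:
        description: CVE ID
        type: string
        required: true
      project:
        description: Project
        type: choice
        required: true
        options:
          - approved-premises-and-delius
          - approved-premises-and-oasys
          - court-case-and-delius
          - create-and-vary-a-licence-and-delius
          - custody-key-dates-and-delius
          - domain-events-and-delius
          - effective-proposal-framework-and-delius
          - external-api-and-delius
          - make-recall-decisions-and-delius
          - manage-pom-cases-and-delius
          - offender-events-and-delius
          - pathfinder-and-delius
          - person-search-index-from-delius
          - pre-sentence-reports-to-delius
          - prison-case-notes-to-probation
          - prison-custody-status-to-delius
          - refer-and-monitor-and-delius
          - risk-assessment-scores-to-delius
          - sentence-plan-and-delius
          - sentence-plan-and-oasys
          - soc-and-delius
          - tier-to-delius
          - unpaid-work-and-delius
          - workforce-allocations-to-delius
          - manage-offences-and-delius
          - resettlement-passport-and-delius
          - prison-education-and-delius
          - opd-and-delius
          - hmpps-auth-and-delius
          - dps-and-delius
          - arns-and-delius
          - cas3-and-delius
          # ^ add new projects here
          # GitHub Actions doesn't support dynamic choices, we must add each project here to enable manual deployments
          # See https://github.com/community/community/discussions/11795
      reason:
        description: Reason
        type: string
        required: true

jobs:
  build:
    # The comment path is only honoured for repository owners, org members and
    # collaborators: the comment body and issue title are untrusted input that
    # end up in a branch name, a file path and the committed .trivyignore entry.
    # Widen the association list if another role legitimately needs to suppress.
    if: >-
      github.event_name == 'workflow_dispatch'
      || (startsWith(github.event.comment.body, 'Suppress')
          && startsWith(github.event.issue.title, 'CVE-')
          && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association))
    runs-on: ubuntu-latest
    # Least privilege for github.token: the job pushes a branch, writes one file
    # through the contents API and opens a labelled pull request - nothing else.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          ref: main

      - name: Set CVE from Issue Title automatically
        if: github.event_name == 'issue_comment'
        # Expected title shape: "<cve id> (<project name>)"; the two sed calls
        # split it at the last space / the parenthesised suffix.
        run: |
          echo "cve_id=$(echo "$TITLE" | sed -E 's/(.*) .*/\1/')" | tee -a "$GITHUB_ENV" # CVE-123
          echo "project=$(echo "$TITLE" | sed -E 's/.* \((.*)\)/\1/')" | tee -a "$GITHUB_ENV" # project-name
          # Only the first line of the comment is the reason. Writing the raw body
          # with "reason=$COMMENT" would turn every further line of a multi-line
          # comment into an extra GITHUB_ENV entry (e.g. overriding "project").
          echo "reason=$(printf '%s' "$COMMENT" | tr -d '\r' | head -n 1)" | tee -a "$GITHUB_ENV"
        env:
          TITLE: ${{ github.event.issue.title }}
          COMMENT: ${{ github.event.comment.body }}

      - name: Set CVE from manual input
        if: github.event_name == 'workflow_dispatch'
        run: |
          echo "cve_id=$CVE_ID" | tee -a "$GITHUB_ENV"
          echo "project=$PROJECT" | tee -a "$GITHUB_ENV"
          echo "reason=$REASON" | tee -a "$GITHUB_ENV"
        env:
          CVE_ID: ${{ inputs.cve_id }}
          PROJECT: ${{ inputs.project }}
          REASON: ${{ inputs.reason }}

      - name: Update trivyignore file and create pull request
        # cve_id and project are user-supplied (issue title or dispatch input) and
        # are spliced into a branch name and a repository path, so refuse anything
        # that is not a CVE identifier or an existing project directory.
        run: |
          if ! [[ "$CVE_ID" =~ ^CVE-[0-9]{4}-[0-9]{4,}$ ]]; then
            echo "::error::Unexpected CVE id: ${CVE_ID}"
            exit 1
          fi
          if [[ "$PROJECT" == */* || ! -d "projects/${PROJECT}" ]]; then
            echo "::error::Unknown project: ${PROJECT}"
            exit 1
          fi
          git switch -c "suppress/${CVE_ID}_${PROJECT}"
          git push origin "suppress/${CVE_ID}_${PROJECT}"
          git pull origin "suppress/${CVE_ID}_${PROJECT}"
          git push origin "suppress/${CVE_ID}_${PROJECT}"
          # printf rather than "echo -e" so backslash sequences in the reason are
          # written literally instead of being expanded into extra lines.
          printf '\n# %s by %s\n%s exp:%s\n' "$REASON" "$ACTOR" "$CVE_ID" "$(date -d '+2 weeks' '+%Y-%m-%d')" >> "projects/${PROJECT}/.trivyignore"
          # The file is committed through the contents API (rather than git commit)
          # on the branch pushed above; "sha" must be the blob currently on that branch.
          gh api --method PUT "/repos/ministryofjustice/hmpps-probation-integration-services/contents/projects/${PROJECT}/.trivyignore" \
            --field message="Suppress ${CVE_ID} in ${PROJECT}" \
            --field content=@<( base64 -i "projects/${PROJECT}/.trivyignore" ) \
            --field branch="suppress/${CVE_ID}_${PROJECT}" \
            --field sha="$( git rev-parse "suppress/${CVE_ID}_${PROJECT}:projects/${PROJECT}/.trivyignore" )"
          gh pr create \
            --title "Suppress ${CVE_ID} in ${PROJECT}" \
            --body "Suppressed by ${ACTOR} with reason: ${REASON}" \
            --label 'dependencies,security'
        env:
          GITHUB_TOKEN: ${{ github.token }}
          CVE_ID: ${{ env.cve_id }}
          PROJECT: ${{ env.project }}
          REASON: ${{ env.reason }}
          ACTOR: ${{ github.actor }}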