Merge pull request 'changed the pipeline to only run on specific branches and also made sure that any vulnerability issues created carried the vulnerability label' (#14 ) from pipeline-improvements into main

Reviewed-on: #14
changed the pipeline to only run on specific branches and also made sure that any vulnerability issues created carried the vulnerability label
2026-06-04 22:37:16 -05:00 · 2026-06-04 22:31:06 -05:00
1 changed files with 46 additions and 2 deletions
@@ -2,9 +2,15 @@ name: Security

 on:
  pull_request:
+    branches:
+      - main
+      - testing
+      - "v*"
  push:
    branches:
-      - "**"
+      - main
+      - testing
+      - "v*"
  workflow_dispatch:

 permissions:
@@ -181,6 +187,8 @@ jobs:
              "Authorization": f"token {token}",
              "Content-Type": "application/json",
          }
+          vulnerability_label_name = "vulnerability"
+          vulnerability_label_id = None

          def load_json(path, fallback):
              try:
@@ -203,11 +211,47 @@ jobs:
                  issues = json.load(response)
              return any(issue.get("title") == title for issue in issues)

+          def ensure_vulnerability_label():
+              global vulnerability_label_id
+
+              if vulnerability_label_id is not None:
+                  return vulnerability_label_id
+
+              labels_url = f"{api_url}/repos/{urllib.parse.quote(owner)}/{urllib.parse.quote(name)}/labels"
+
+              request = urllib.request.Request(labels_url, headers=headers)
+              with urllib.request.urlopen(request, timeout=30) as response:
+                  labels = json.load(response)
+
+              for label in labels:
+                  if label.get("name") == vulnerability_label_name:
+                      vulnerability_label_id = label.get("id")
+                      return vulnerability_label_id
+
+              payload = json.dumps({
+                  "name": vulnerability_label_name,
+                  "color": "d73a4a",
+                  "description": "Security vulnerability found by automated scans",
+                  "exclusive": False,
+                  "is_archived": False,
+              }).encode("utf-8")
+              request = urllib.request.Request(labels_url, data=payload, headers=headers, method="POST")
+              with urllib.request.urlopen(request, timeout=30) as response:
+                  created = json.load(response)
+
+              vulnerability_label_id = created.get("id")
+              return vulnerability_label_id
+
          def create_issue(title, body):
              if find_existing(title):
                  print(f"Open issue already exists: {title}")
                  return
-              payload = json.dumps({"title": title, "body": body}).encode("utf-8")
+              label_id = ensure_vulnerability_label()
+              payload = json.dumps({
+                  "title": title,
+                  "body": body,
+                  "labels": [label_id] if label_id is not None else [],
+              }).encode("utf-8")
              request = urllib.request.Request(issues_url, data=payload, headers=headers, method="POST")
              with urllib.request.urlopen(request, timeout=30) as response:
                  created = json.load(response)
Author	SHA1	Message	Date
kelly	67814d960f	Merge pull request 'changed the pipeline to only run on specific branches and also made sure that any vulnerability issues created carried the vulnerability label' (#14 ) from pipeline-improvements into main Security / security (push) Successful in 56s Details Reviewed-on: #14	2026-06-04 22:37:16 -05:00
kelly	03eb431beb	changed the pipeline to only run on specific branches and also made sure that any vulnerability issues created carried the vulnerability label Security / security (pull_request) Successful in 53s Details	2026-06-04 22:31:06 -05:00