changed the pipeline to only run on specific branches and also made sure that any vulnerability issues created carried the vulnerability label #14
@@ -2,9 +2,15 @@ name: Security
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request:
|
pull_request:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- testing
|
||||||
|
- "v*"
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- "**"
|
- main
|
||||||
|
- testing
|
||||||
|
- "v*"
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
@@ -181,6 +187,8 @@ jobs:
|
|||||||
"Authorization": f"token {token}",
|
"Authorization": f"token {token}",
|
||||||
"Content-Type": "application/json",
|
"Content-Type": "application/json",
|
||||||
}
|
}
|
||||||
|
vulnerability_label_name = "vulnerability"
|
||||||
|
vulnerability_label_id = None
|
||||||
|
|
||||||
def load_json(path, fallback):
|
def load_json(path, fallback):
|
||||||
try:
|
try:
|
||||||
@@ -203,11 +211,47 @@ jobs:
|
|||||||
issues = json.load(response)
|
issues = json.load(response)
|
||||||
return any(issue.get("title") == title for issue in issues)
|
return any(issue.get("title") == title for issue in issues)
|
||||||
|
|
||||||
|
def ensure_vulnerability_label():
|
||||||
|
global vulnerability_label_id
|
||||||
|
|
||||||
|
if vulnerability_label_id is not None:
|
||||||
|
return vulnerability_label_id
|
||||||
|
|
||||||
|
labels_url = f"{api_url}/repos/{urllib.parse.quote(owner)}/{urllib.parse.quote(name)}/labels"
|
||||||
|
|
||||||
|
request = urllib.request.Request(labels_url, headers=headers)
|
||||||
|
with urllib.request.urlopen(request, timeout=30) as response:
|
||||||
|
labels = json.load(response)
|
||||||
|
|
||||||
|
for label in labels:
|
||||||
|
if label.get("name") == vulnerability_label_name:
|
||||||
|
vulnerability_label_id = label.get("id")
|
||||||
|
return vulnerability_label_id
|
||||||
|
|
||||||
|
payload = json.dumps({
|
||||||
|
"name": vulnerability_label_name,
|
||||||
|
"color": "d73a4a",
|
||||||
|
"description": "Security vulnerability found by automated scans",
|
||||||
|
"exclusive": False,
|
||||||
|
"is_archived": False,
|
||||||
|
}).encode("utf-8")
|
||||||
|
request = urllib.request.Request(labels_url, data=payload, headers=headers, method="POST")
|
||||||
|
with urllib.request.urlopen(request, timeout=30) as response:
|
||||||
|
created = json.load(response)
|
||||||
|
|
||||||
|
vulnerability_label_id = created.get("id")
|
||||||
|
return vulnerability_label_id
|
||||||
|
|
||||||
def create_issue(title, body):
|
def create_issue(title, body):
|
||||||
if find_existing(title):
|
if find_existing(title):
|
||||||
print(f"Open issue already exists: {title}")
|
print(f"Open issue already exists: {title}")
|
||||||
return
|
return
|
||||||
payload = json.dumps({"title": title, "body": body}).encode("utf-8")
|
label_id = ensure_vulnerability_label()
|
||||||
|
payload = json.dumps({
|
||||||
|
"title": title,
|
||||||
|
"body": body,
|
||||||
|
"labels": [label_id] if label_id is not None else [],
|
||||||
|
}).encode("utf-8")
|
||||||
request = urllib.request.Request(issues_url, data=payload, headers=headers, method="POST")
|
request = urllib.request.Request(issues_url, data=payload, headers=headers, method="POST")
|
||||||
with urllib.request.urlopen(request, timeout=30) as response:
|
with urllib.request.urlopen(request, timeout=30) as response:
|
||||||
created = json.load(response)
|
created = json.load(response)
|
||||||
|
|||||||
Reference in New Issue
Block a user