diff --git a/.github/workflows/dependabot-nudge.yml b/.github/workflows/dependabot-nudge.yml
index dc05200b..23469a68 100644
--- a/.github/workflows/dependabot-nudge.yml
+++ b/.github/workflows/dependabot-nudge.yml
@@ -8,49 +8,10 @@ jobs:
 run:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ - name: dependabot nudge
+ uses: brave/security-action/actions/dependabot-nudge@main
 with:
- node-version: '20.x'
- - id: npm
- run: cd ${{ github.workspace }}; npm ci
- shell: bash
- - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- env:
- SLACK_TOKEN: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
- SLACK_CHANNEL: '#secops-hotspots'
- GH_TO_SLACK_USER_MAP: ${{ secrets.GH_TO_SLACK_USER_MAP }}
- DEBUG: false
- with:
- github-token: ${{ secrets.DEPENDABOT_NUDGE_GITHUB_TOKEN }}
- script: |
- const debug = process.env.DEBUG === 'true';
- const { default: sendSlackMessage } = await import('${{ github.workspace }}/src/sendSlackMessage.js');
- const { default: dependabotNudge } = await import('${{ github.workspace }}/src/dependabotNudge.js');
-
- let githubToSlack = {};
- try {
- githubToSlack = JSON.parse(process.env.GH_TO_SLACK_USER_MAP);
- } catch (e) {
- if (debug) console.log('GH_TO_SLACK_USER_MAP is not valid JSON');
- }
-
- // set minlevel to 'medium' if it's the first Monday of the month, otherwise stick to high or critical issues
- let minlevel = 'medium';
- const today = new Date();
- if (today.getDate() > 7) {
- if (debug)
- console.log('Not the first Monday of the month!');
- minlevel = 'high';
- }
-
- const messages = await dependabotNudge({debug, org: process.env.GITHUB_REPOSITORY_OWNER, github: github, minlevel: minlevel, githubToSlack: githubToSlack});
-
- for (const message of messages) {
- try {
- await sendSlackMessage({debug, username: 'dependabot', message: message, channel: process.env.SLACK_CHANNEL, token: process.env.SLACK_TOKEN});
- } catch (error) {
- if (debug)
- console.log(error);
- }
- }
+ github_token: ${{ secrets.DEPENDABOT_NUDGE_GITHUB_TOKEN }}
+ slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
+ gh_to_slack_user_map: ${{ secrets.GH_TO_SLACK_USER_MAP }}
+ debug: false
\ No newline at end of file
diff --git a/actions/dependabot-nudge/action.cjs b/actions/dependabot-nudge/action.cjs
new file mode 100644
index 00000000..979180c9
--- /dev/null
+++ b/actions/dependabot-nudge/action.cjs
@@ -0,0 +1,29 @@
+module.exports = async ({ github, context, inputs, actionPath, core, debug = false }) => {
+ const { default: sendSlackMessage } = await import(`${actionPath}/src/sendSlackMessage.js`)
+ const { default: dependabotNudge } = await import(`${actionPath}/src/dependabotNudge.js`)
+
+ let githubToSlack = {}
+ try {
+ githubToSlack = JSON.parse(inputs.gh_to_slack_user_map)
+ } catch (e) {
+ if (debug) console.log('GH_TO_SLACK_USER_MAP is not valid JSON')
+ }
+
+ // set minlevel to 'medium' if it's the first Monday of the month, otherwise stick to high or critical issues
+ let minlevel = 'medium'
+ const today = new Date()
+ if (today.getDate() > 7) {
+ if (debug) { console.log('Not the first Monday of the month!') }
+ minlevel = 'high'
+ }
+
+ const messages = await dependabotNudge({ debug, org: context.repo.owner, github, minlevel, githubToSlack })
+
+ for (const message of messages) {
+ try {
+ await sendSlackMessage({ debug, username: 'dependabot', message, channel: '#secops-hotspots', token: inputs.slack_token })
+ } catch (error) {
+ if (debug) { console.log(error) }
+ }
+ }
+}
diff --git a/actions/dependabot-nudge/action.yml b/actions/dependabot-nudge/action.yml
new file mode 100644
index 00000000..d1e1b7d2
--- /dev/null
+++ b/actions/dependabot-nudge/action.yml
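Review bot: The new step references `brave/security-action/actions/dependabot-nudge@main`, a mutable branch ref, whereas every action it replaces was pinned to a commit SHA with a version comment. If this workflow lives in the same repository as the `actions/dependabot-nudge/` directory this commit adds (the path suggests so), the stricter form is a pinned `actions/checkout` followed by `uses: ./actions/dependabot-nudge`, so a scheduled run exercises the commit the workflow belongs to instead of whatever `main` holds at run time. The secrets are now passed as action inputs rather than `env:` entries; see the note on `action.yml` for how the composite action forwards them into the script body.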
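Review bot: `core` is destructured from the argument object but never used, while both `catch` blocks only report when `debug` is set, so a failed Slack delivery or an unparsable user map is silently dropped in a normal run. Since `core` is already in scope, the catch blocks can report without echoing the input value: `core.warning('gh_to_slack_user_map is not valid JSON; continuing without a user map')` and `core.warning(\`sendSlackMessage failed: ${error.message}\`)`. Note also that `JSON.parse('')` throws when the optional `gh_to_slack_user_map` input is omitted, so the "not valid JSON" message would also fire for a simply absent input; guarding with `if (inputs.gh_to_slack_user_map)` before parsing keeps the warning accurate. The channel `'#secops-hotspots'` is now hard-coded where the replaced workflow read it from `SLACK_CHANNEL`; an `inputs.slack_channel` with that default would keep the action reusable, and the `// set minlevel ...` comment should say that the day-of-month test (`getDate() > 7`) only means "first Monday" when the calling workflow is scheduled on Mondays.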
@@ -0,0 +1,36 @@
+name: weekly-dependabot-nudge
+description: Weekly Dependabot Nudge
+inputs:
+ github_token:
+ description: 'GitHub Token'
+ required: true
+ slack_token:
+ description: 'Slack Token'
+ required: true
+ gh_to_slack_user_map:
+ description: 'JSON map of github usernames to slack usernames'
+ required: false
+ debug:
+ description: 'Debug mode'
+ required: false
+runs:
+ using: 'composite'
+ steps:
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: '20.x'
+ - id: npm
+ run: cd ${{ github.action_path }}/../..; npm ci
+ shell: bash
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ env:
+ DEBUG: ${{ (inputs.debug == 'true' || runner.debug) && 'true' || 'false'}}
+ with:
+ github-token: ${{ inputs.github_token }}
+ script: |-
+ const actionPath = '${{ github.action_path }}/../../'
+ const inputs = ${{ toJson(inputs) }}
+
+ const script = require('${{ github.action_path }}/action.cjs')
+ await script({github, context, inputs, actionPath, core,
+ debug: process.env.DEBUG === 'true'})
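Review bot: `const inputs = ${{ toJson(inputs) }}` is expanded by the expression engine before the step runs, so every input — including `github_token` and `slack_token` — is written verbatim into the JavaScript source handed to `github-script`. GitHub masks registered secrets in the log, but a value that only needs to reach `process.env` should not be materialised in code; the step already does this for `DEBUG`, so `SLACK_TOKEN: ${{ inputs.slack_token }}` under `env:` with `action.cjs` reading `process.env.SLACK_TOKEN` keeps the token out of the script text, and `github_token` is already supplied to the `github` client via `github-token`, so it need not be forwarded through `inputs` at all. The two optional inputs declare no `default:`, so `gh_to_slack_user_map` arrives as an empty string that `action.cjs` cannot parse; `default: '{}'` (and `default: 'false'` for `debug`) removes that edge case. A comment on the `run:` step — `# the action lives two levels below the repo root; npm ci installs the src/ dependencies there` — would explain the `/../..` path that is repeated in `actionPath`.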