diff --git a/.github/workflows/renovate-sanity-check.yml b/.github/workflows/renovate-sanity-check.yml
index e46f5df1..1bb30762 100644
--- a/.github/workflows/renovate-sanity-check.yml
+++ b/.github/workflows/renovate-sanity-check.yml
@@ -9,34 +9,9 @@ jobs:
 run:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: '20.x'
- - id: npm
- run: cd ${{ github.workspace }}; npm ci
- shell: bash
- - name: run
- id: run
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- env:
- DEBUG: false
- with:
- github-token: ${{ secrets.CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN }}
- script: |
- console.log('${{ github.workspace }}/src/renovateSanityCheck.js');
- const { default: renovateSanityCheck } = await import('${{ github.workspace }}/src/renovateSanityCheck.js');
- return await renovateSanityCheck({
- org: process.env.GITHUB_REPOSITORY_OWNER,
- github: github,
- debug: process.env.DEBUG
- });
- - uses: actions-ecosystem/action-slack-notifier@fc778468d09c43a6f4d1b8cccaca59766656996a # v1.1.0
- if: ${{ fromJson(steps.run.outputs.result) != '' }}
+ - name: Renovate Sanity Check
+ uses: brave/security-action/actions/renovate-sanity-check@main
 with:
+ github_token: ${{ secrets.CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN }}
 slack_token: ${{ secrets.HOTSPOTS_SLACK_TOKEN }}
- message: |
- [renovate-sanity-check] ${{ fromJson(steps.run.outputs.result) }}
- channel: secops-hotspots
- color: yellow
- verbose: false
+ debug: false
\ No newline at end of file
diff --git a/actions/renovate-sanity-check/action.cjs b/actions/renovate-sanity-check/action.cjs
new file mode 100644
index 00000000..438f81b3
--- /dev/null
+++ b/actions/renovate-sanity-check/action.cjs
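Review bot: The new `uses: brave/security-action/actions/renovate-sanity-check@main` floats on a branch, while every action the hunk removes was pinned to a commit SHA with a version comment, so this workflow now runs whatever `main` holds at trigger time rather than a reviewed revision. The action appears to live in this same repository (the composite action is added alongside this workflow in the same commit), which also means a pull request that edits `actions/renovate-sanity-check/` is exercised against `main`'s copy rather than its own. Either keep a checkout step and reference the in-tree action, `- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6` followed by `uses: ./actions/renovate-sanity-check`, or pin the remote ref to a SHA the way the other actions were. The trailing `\ No newline at end of file` is worth fixing while here, since some YAML linters flag it.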
@@ -0,0 +1,13 @@
+module.exports = async ({ github, context, inputs, actionPath, core, debug = false }) => {
+ console.log(`${actionPath}/src/renovateSanityCheck.js`)
+ const { default: renovateSanityCheck } = await import(`${actionPath}/src/renovateSanityCheck.js`)
+ const { default: sendSlackMessage } = await import(`${actionPath}/src/sendSlackMessage.js`)
+
+ const message = await renovateSanityCheck({
+ org: context.repo.owner,
+ github,
+ debug
+ })
+
+ if (message.length > 0) { await sendSlackMessage({ debug, username: 'renovate-sanity-check', message: `[renovate-sanity-check] ${message}`, color: 'yellow', channel: '#security-action', token: inputs.slack_token }) }
+}
diff --git a/actions/renovate-sanity-check/action.yml b/actions/renovate-sanity-check/action.yml
new file mode 100644
index 00000000..4b0d8c06
--- /dev/null
+++ b/actions/renovate-sanity-check/action.yml
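Review bot: `channel: '#security-action'` is hard-coded in the `sendSlackMessage` call, whereas the workflow this replaces posted to `secops-hotspots`, so the notification target changes silently and callers cannot redirect it; following the `slack_token` pattern it should come from the inputs, e.g. `channel: inputs.channel || '#security-action'`, with a matching optional `channel` input declared in `action.yml`. The guard `if (message.length > 0)` also throws a TypeError if `renovateSanityCheck` ever resolves to `undefined` or `null` (its implementation under `src/` is not in this diff, so I cannot confirm what it returns when nothing is wrong); `if (message && message.length > 0)` keeps the no-op path the old `!= ''` check had. A short header comment would make the contract explicit, e.g. `// renovateSanityCheck is expected to resolve to '' when every repo passes and to the report text otherwise — confirm against src/renovateSanityCheck.js`.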
@@ -0,0 +1,37 @@
+# action that runs monthly and check if all repositories in the organization are following the renovate central configuration
+# to all repositories in this organization
+name: renovate-sanity-check
+description: Renovate Sanity Check
+inputs:
+ github_token:
+ description: 'GitHub token'
+ required: true
+ slack_token:
+ description: 'Slack token'
+ required: true
+ debug:
+ description: 'Debug mode'
+ default: "false"
+runs:
+ using: 'composite'
+ steps:
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: '20.x'
+ - id: npm
+ run: cd ${{ github.action_path }}/../..; npm ci
+ shell: bash
+ - name: run
+ id: run
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ env:
+ DEBUG: ${{ (inputs.debug == 'true' || runner.debug) && 'true' || 'false'}}
+ with:
+ github-token: ${{ inputs.github_token }}
+ script: |
+ const actionPath = '${{ github.action_path }}/../../'
+ const inputs = ${{ toJson(inputs) }}
+
+ const script = require('${{ github.action_path }}/action.cjs')
+ await script({github, context, inputs, actionPath, core,
+ debug: process.env.DEBUG === 'true'})
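Review bot: `const inputs = ${{ toJson(inputs) }}` expands both secrets, `github_token` and `slack_token`, into the literal text of the `script` input, so they become part of a step input value (which the runner echoes under the step's `with:` block, relying on log masking alone) instead of staying in the environment. `toJson` does keep the expansion syntactically safe — JSON is valid JS, so the caller-controlled `debug` input cannot break out of the literal — but there is no need to put the tokens in code at all: add `SLACK_TOKEN: ${{ inputs.slack_token }}` beside the existing `DEBUG` entry under `env:` and build the object as `const inputs = { slack_token: process.env.SLACK_TOKEN, debug: process.env.DEBUG }`; `github_token` is already consumed through `github-token` and need not be re-exposed. The two header comments read as one sentence cut in half ("... the renovate central configuration / to all repositories in this organization"); `# Runs monthly and checks that every repository in the organization follows the central Renovate configuration` states the purpose once. A `channel` input is also missing, so the Slack destination cannot be set by the caller even though the old workflow set it.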