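# Fails the job when the repository has an open Dependabot alert of
# CRITICAL severity, so a branch cannot advance with a known critical
# vulnerability in its dependency graph.
name: dependabot

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - "develop"
      - "hotfix/**"
      - "release/**"
      - "main"
      - "feat/**"
      - "preprod/**"
  push:
    branches:
      - "develop"
      - "hotfix/**"
      - "release/**"
      - "main"
      - "feat/**"
      - "preprod/**"
  workflow_dispatch:

# Least privilege: the job only reads the repository and its Dependabot
# alerts. The GraphQL `vulnerabilityAlerts` field needs Dependabot-alert
# read access, which `security-events: read` grants to GITHUB_TOKEN.
permissions:
  contents: read
  security-events: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    env:
      # gh reads its credentials from GH_TOKEN, so no `gh auth login`
      # step (and no piping of the token through a shell command) is needed.
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install GitHub CLI
        # gh is preinstalled on current GitHub-hosted ubuntu images; this
        # step keeps the job working where it is absent. `-y` is required
        # because there is no TTY to answer apt's confirmation prompt.
        run: |
          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y gh

      - name: Check for critical Dependabot alerts
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the shell never sees a raw `${{ }}` expansion.
          REPO_NAME: ${{ github.event.repository.name }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          set -euo pipefail
          # Page through every open alert: a fixed `first: 10` would miss a
          # CRITICAL alert listed after the tenth one. `--paginate` requires
          # the `$endCursor` variable and the `pageInfo` selection below.
          alerts=$(gh api graphql --paginate \
            -f query='
              query($repository: String!, $owner: String!, $endCursor: String) {
                repository(name: $repository, owner: $owner) {
                  vulnerabilityAlerts(first: 100, states: OPEN, after: $endCursor) {
                    nodes {
                      securityVulnerability {
                        severity
                      }
                    }
                    pageInfo {
                      hasNextPage
                      endCursor
                    }
                  }
                }
              }' \
            -f repository="$REPO_NAME" -f owner="$REPO_OWNER" \
            --jq '.data.repository.vulnerabilityAlerts.nodes[].securityVulnerability.severity')
          echo "Alerts: $alerts"
          # Severity values are enum names, so a substring match is sufficient.
          if [[ "$alerts" == *"CRITICAL"* ]]; then
            echo "Critical vulnerabilities found"
            exit 1
          else
            echo "No critical vulnerabilities"
          fi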