diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml new file mode 100644 index 0000000..53d76ca --- /dev/null +++ b/.github/workflows/dependabot.yaml @@ -0,0 +1,66 @@ +name: dependabot +on: + pull_request: + branches: + - "develop" + - "hotfix/**" + - "release/**" + - "main" + - "feat/**" + - "preprod/**" + push: + branches: + - "develop" + - "hotfix/**" + - "release/**" + - "main" + - "feat/**" + - "preprod/**" + + workflow_dispatch: + +jobs: + dependabot: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: "14" + + - name: Install GitHub CLI + run: | + curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null + sudo apt update + sudo apt install gh + + - name: Log in to GitHub CLI + run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token + + - name: Check for critical Dependabot alerts + run: | + alerts=$(gh api graphql -f query=' + query($repository: String!, $owner: String!) { + repository(name: $repository, owner: $owner) { + vulnerabilityAlerts(first: 10, states: OPEN) { + nodes { + securityVulnerability { + severity + } + } + } + } + }' -f repository="${{ github.event.repository.name }}" -f owner="${{ github.repository_owner }}" --jq '.data.repository.vulnerabilityAlerts.nodes[].securityVulnerability.severity') + echo "Alerts: $alerts" + if [[ "$alerts" == *"CRITICAL"* ]]; then + echo "Critical vulnerabilities found" + exit 1 + else + echo "No critical vulnerabilities" + fi + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}