Skip to content

DataHub Security Advisory Alert #171

DataHub Security Advisory Alert

DataHub Security Advisory Alert #171

name: DataHub Security Advisory Alert
on:
schedule:
- cron: '0 0 * * *' # Runs every day at midnight
workflow_dispatch:
jobs:
check-security-advisories:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Fetch security advisories
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api -H "Accept: application/vnd.github+json" /repos/datahub-project/datahub/security-advisories > advisories.json
- name: Get last run date for this Action
id: get_last_run_date
env:
GH_TOKEN: ${{ github.token }}
run: |
LAST_RUN_DATE=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/ministryofjustice/data-catalogue/actions/runs \
--jq '.workflow_runs[]
| select(.conclusion=="success" and .status=="completed" and (.path|endswith("security-alerts.yml")))
| .run_started_at' \
| head -n 1)
echo "last_run_date=${LAST_RUN_DATE}" >> "${GITHUB_OUTPUT}"
echo "${LAST_RUN_DATE}"
- name: Read current version from values.yaml
id: read_current_version
run: |
CURRENT_VERSION=$(python -c "import yaml; print(yaml.safe_load(open('helm_deploy/values-base.yaml'))['global']['datahub']['version'])")
echo "current_version=${CURRENT_VERSION}" >> "${GITHUB_OUTPUT}"
echo "${CURRENT_VERSION}"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Load cached Poetry installation
id: cached-poetry
uses: actions/cache@v4
with:
path: ~/.local
key: poetry-1.7.1-0
- name: Install Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.7.1
virtualenvs-create: true
virtualenvs-in-project: true
- name: Load cached venv
id: cached-poetry-dependencies
uses: actions/cache@v4
with:
path: .venv
key: pydeps-${{ hashFiles('**/poetry.lock') }}
- name: Install dependencies
if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
run: poetry install --no-interaction --no-root
- name: Install project
run: poetry install --no-interaction
- name: Filter advisories
id: filter_advisories
env:
REPO: datahub
REPO_OWNER: datahub-project
run: |
source .venv/bin/activate
python scripts/filter_advisories.py \
"${{ steps.read_current_version.outputs.current_version }}" \
"${{ steps.get_last_run_date.outputs.last_run_date }}"
- name: Send advisories to Slack
id: send_to_slack
if: ${{ steps.filter_advisories.outputs.num_filtered_advisories != '0' }}
uses: slackapi/[email protected]
with:
channel-id: 'C071VNHPUHZ'
payload-file-path: "./filtered_advisories.json"
env:
SLACK_BOT_TOKEN: ${{ secrets.VULN_CHECK_SLACK_BOT_TOKEN }}
- name: Slack failure notification
if: ${{ failure() && github.ref == 'refs/heads/main' }}
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_ALERT_WEBHOOK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK