From 17e2399b912e265eead0ebdb0021f24b3f9e2d68 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Sun, 16 Feb 2025 19:07:03 -0800
Subject: [PATCH] Fix OWASP dependency check workflow
---
 .github/repository-settings.md | 3 ++
 .../owasp-dependency-check-daily.yml | 13 ++++++
 .../reusable-workflow-notification.yml | 44 +++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 .github/workflows/reusable-workflow-notification.yml
diff --git a/.github/repository-settings.md b/.github/repository-settings.md
index 79d583584b1..504642120fc 100644
--- a/.github/repository-settings.md
+++ b/.github/repository-settings.md
@@ -71,5 +71,8 @@ Same settings as above for `main`, except:
 * `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 * `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
+* `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
+ * Generated at https://nvd.nist.gov/developers/request-an-api-key
+ * Key is associated with [@trask](https://github.com/trask)'s gmail address
 * `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
 * `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
index eeff9cc0df2..95302cf1172 100644
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -26,9 +26,22 @@ jobs:
 - name: Check dependencies
 run: ./gradlew dependencyCheckAnalyze
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 - name: Upload report
 if: always()
 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 with:
 path: javaagent/build/reports
+
+ workflow-notification:
+ permissions:
+ contents: read
+ issues: write
+ needs:
+ - analyze
+ if: always()
+ uses: ./.github/workflows/reusable-workflow-notification.yml
+ with:
+ success: ${{ needs.analyze.result == 'success' }}
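Review bot: The new `NVD_API_KEY` entry under the `Check dependencies` step carries no comment saying what the key feeds or where it is documented; add `# NVD API key used by dependencyCheckAnalyze; see .github/repository-settings.md` above the `env:` line so the next maintainer does not have to trace the secret back by hand. Scoping the secret to the step's `env:` rather than the job or workflow level is the right choice, since only that Gradle invocation needs it. In the new `workflow-notification` job, `if: always()` together with `success: ${{ needs.analyze.result == 'success' }}` means a cancelled or skipped `analyze` is reported as a failure and will open a "Workflow failed" issue; if that is not intended, `if: ${{ !cancelled() }}` on the job narrows it to genuine pass/fail outcomes. The `jobs:` block this hunk patches begins outside the hunk.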
diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml
new file mode 100644
index 00000000000..701f90f5a08
--- /dev/null
+++ b/.github/workflows/reusable-workflow-notification.yml
@@ -0,0 +1,44 @@
+# this is useful because notifications for scheduled workflows are only sent to the user who
+# initially created the given workflow
+name: Reusable - Workflow notification
+
+on:
+ workflow_call:
+ inputs:
+ success:
+ type: boolean
+ required: true
+
+permissions:
+ contents: read
+
+jobs:
+ workflow-notification:
+ permissions:
+ contents: read
+ issues: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Open issue or add comment if issue already open
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ # TODO (trask) search doesn't support exact phrases, so it's possible that this could grab the wrong issue
+ number=$(gh issue list --search "in:title Workflow failed: $GITHUB_WORKFLOW" --limit 1 --json number -q .[].number)
+
+ echo $number
+ echo ${{ inputs.success }}
+
+ if [[ $number ]]; then
+ if [[ "${{ inputs.success }}" == "true" ]]; then
+ gh issue close $number
+ else
+ gh issue comment $number \
+ --body "See [$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER](https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)."
+ fi
+ elif [[ "${{ inputs.success }}" == "false" ]]; then
+ gh issue create --title "Workflow failed: $GITHUB_WORKFLOW (#$GITHUB_RUN_NUMBER)" \
+ --body "See [$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER](https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)."
+ fi
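Review bot: The `run:` script interpolates `${{ inputs.success }}` directly into shell text in three places (the `echo` and both `if` tests); because the input is declared `type: boolean` it can only expand to `true`/`false`, so this is not an injection today, but expression values should be passed through the step's `env:` and read as shell variables so that a later change to the input's type cannot silently turn the script into one. The rewrite below adds `SUCCESS: ${{ inputs.success }}` next to `GH_TOKEN` and replaces the three inline expansions with `"$SUCCESS"`. Separately, the `actions/checkout` step appears to be there only so `gh` can resolve the repository (nothing else in the job reads the tree); adding `persist-credentials: false` under a `with:` block keeps the token out of `.git/config` for a job that never pushes, or the checkout can be dropped entirely by setting `GH_REPO: ${{ github.repository }}` in the step's `env:`. Quoting `$number` in the `gh issue close` / `gh issue comment` calls would also make the failure explicit should the `gh issue list` query (already flagged by the TODO) ever return something other than a single number.
```yaml
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SUCCESS: ${{ inputs.success }}
        run: |
          # … unchanged: issue search into $number …
          echo $number
          echo "$SUCCESS"

          if [[ $number ]]; then
            if [[ "$SUCCESS" == "true" ]]; then
          # … unchanged: close / comment branches …
          elif [[ "$SUCCESS" == "false" ]]; then
          # … unchanged: gh issue create …
```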