Skip to content

Fix OWASP dependency check workflow #7115

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 19, 2025
Merged

Fix OWASP dependency check workflow #7115

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
17e2399
Fix OWASP dependency check workflow
trask Feb 17, 2025
dc751da
Merge remote-tracking branch 'upstream/main' into owasp
trask Feb 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/repository-settings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,5 +98,8 @@ Repository settings in addition to what's documented already at

- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
- Generated at https://nvd.nist.gov/developers/request-an-api-key
- Key is associated with [@trask](https://github.com/trask)'s gmail address
Comment on lines +101 to +103
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the secret to this repo already

- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
13 changes: 13 additions & 0 deletions .github/workflows/owasp-dependency-check-daily.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,22 @@ jobs:

- name: Check dependencies
run: ./gradlew dependencyCheckAnalyze
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

- name: Upload report
if: always()
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
path: javaagent/build/reports

workflow-notification:
permissions:
contents: read
issues: write
needs:
- analyze
if: always()
uses: ./.github/workflows/reusable-workflow-notification.yml
with:
success: ${{ needs.analyze.result == 'success' }}
44 changes: 44 additions & 0 deletions .github/workflows/reusable-workflow-notification.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# this is useful because notifications for scheduled workflows are only sent to the user who
# initially created the given workflow
name: Reusable - Workflow notification

on:
workflow_call:
inputs:
success:
type: boolean
required: true

permissions:
contents: read

jobs:
workflow-notification:
permissions:
contents: read
issues: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Open issue or add comment if issue already open
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# TODO (trask) search doesn't support exact phrases, so it's possible that this could grab the wrong issue
number=$(gh issue list --search "in:title Workflow failed: $GITHUB_WORKFLOW" --limit 1 --json number -q .[].number)

echo $number
echo ${{ inputs.success }}

if [[ $number ]]; then
if [[ "${{ inputs.success }}" == "true" ]]; then
gh issue close $number
else
gh issue comment $number \
--body "See [$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER](https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)."
fi
elif [[ "${{ inputs.success }}" == "false" ]]; then
gh issue create --title "Workflow failed: $GITHUB_WORKFLOW (#$GITHUB_RUN_NUMBER)" \
--body "See [$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER](https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)."
fi
Loading