mirror of
https://github.com/actions/runner.git
synced 2025-12-10 04:06:57 +00:00
da083a287e
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
212 lines
10 KiB
YAML
212 lines
10 KiB
YAML
name: Dependency Status Check
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
check_type:
|
|
description: "Type of dependency check"
|
|
required: false
|
|
default: "all"
|
|
type: choice
|
|
options:
|
|
- all
|
|
- node
|
|
- dotnet
|
|
- docker
|
|
- npm
|
|
schedule:
|
|
- cron: "0 11 * * 1" # Weekly on Monday at 11 AM
|
|
|
|
jobs:
|
|
dependency-status:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
node20-status: ${{ steps.check-versions.outputs.node20-status }}
|
|
node24-status: ${{ steps.check-versions.outputs.node24-status }}
|
|
dotnet-status: ${{ steps.check-versions.outputs.dotnet-status }}
|
|
docker-status: ${{ steps.check-versions.outputs.docker-status }}
|
|
buildx-status: ${{ steps.check-versions.outputs.buildx-status }}
|
|
npm-vulnerabilities: ${{ steps.check-versions.outputs.npm-vulnerabilities }}
|
|
open-dependency-prs: ${{ steps.check-prs.outputs.open-dependency-prs }}
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v6
|
|
with:
|
|
node-version: "20"
|
|
|
|
- name: Check dependency versions
|
|
id: check-versions
|
|
run: |
|
|
echo "## Dependency Status Report" >> $GITHUB_STEP_SUMMARY
|
|
echo "Generated on: $(date)" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
|
|
# Check Node versions
|
|
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "node" ]]; then
|
|
echo "### Node.js Versions" >> $GITHUB_STEP_SUMMARY
|
|
|
|
VERSIONS_JSON=$(curl -s https://raw.githubusercontent.com/actions/node-versions/main/versions-manifest.json)
|
|
LATEST_NODE20=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("20.")) | .version' | head -1)
|
|
LATEST_NODE24=$(echo "$VERSIONS_JSON" | jq -r '.[] | select(.version | startswith("24.")) | .version' | head -1)
|
|
|
|
CURRENT_NODE20=$(grep "NODE20_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
|
|
CURRENT_NODE24=$(grep "NODE24_VERSION=" src/Misc/externals.sh | cut -d'"' -f2)
|
|
|
|
NODE20_STATUS="✅ up-to-date"
|
|
NODE24_STATUS="✅ up-to-date"
|
|
|
|
if [ "$CURRENT_NODE20" != "$LATEST_NODE20" ]; then
|
|
NODE20_STATUS="⚠️ outdated"
|
|
fi
|
|
|
|
if [ "$CURRENT_NODE24" != "$LATEST_NODE24" ]; then
|
|
NODE24_STATUS="⚠️ outdated"
|
|
fi
|
|
|
|
echo "| Version | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|---------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Node 20 | $CURRENT_NODE20 | $LATEST_NODE20 | $NODE20_STATUS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Node 24 | $CURRENT_NODE24 | $LATEST_NODE24 | $NODE24_STATUS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
|
|
echo "node20-status=$NODE20_STATUS" >> $GITHUB_OUTPUT
|
|
echo "node24-status=$NODE24_STATUS" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
# Check .NET version
|
|
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "dotnet" ]]; then
|
|
echo "### .NET SDK Version" >> $GITHUB_STEP_SUMMARY
|
|
|
|
current_dotnet_version=$(jq -r .sdk.version ./src/global.json)
|
|
current_major_minor=$(echo "$current_dotnet_version" | cut -d '.' -f 1,2)
|
|
latest_dotnet_version=$(curl -sb -H "Accept: application/json" "https://dotnetcli.blob.core.windows.net/dotnet/Sdk/$current_major_minor/latest.version")
|
|
|
|
DOTNET_STATUS="✅ up-to-date"
|
|
if [ "$current_dotnet_version" != "$latest_dotnet_version" ]; then
|
|
DOTNET_STATUS="⚠️ outdated"
|
|
fi
|
|
|
|
echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| .NET SDK | $current_dotnet_version | $latest_dotnet_version | $DOTNET_STATUS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
|
|
echo "dotnet-status=$DOTNET_STATUS" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
# Check Docker versions
|
|
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "docker" ]]; then
|
|
echo "### Docker Versions" >> $GITHUB_STEP_SUMMARY
|
|
|
|
current_docker=$(grep "ARG DOCKER_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
|
|
current_buildx=$(grep "ARG BUILDX_VERSION=" ./images/Dockerfile | cut -d'=' -f2)
|
|
|
|
latest_docker=$(curl -s https://download.docker.com/linux/static/stable/x86_64/ | grep -o 'docker-[0-9]*\.[0-9]*\.[0-9]*\.tgz' | sort -V | tail -n 1 | sed 's/docker-\(.*\)\.tgz/\1/')
|
|
latest_buildx=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.tag_name' | sed 's/^v//')
|
|
|
|
DOCKER_STATUS="✅ up-to-date"
|
|
BUILDX_STATUS="✅ up-to-date"
|
|
|
|
if [ "$current_docker" != "$latest_docker" ]; then
|
|
DOCKER_STATUS="⚠️ outdated"
|
|
fi
|
|
|
|
if [ "$current_buildx" != "$latest_buildx" ]; then
|
|
BUILDX_STATUS="⚠️ outdated"
|
|
fi
|
|
|
|
echo "| Component | Current | Latest | Status |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|-----------|---------|--------|--------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Docker | $current_docker | $latest_docker | $DOCKER_STATUS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Docker Buildx | $current_buildx | $latest_buildx | $BUILDX_STATUS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
|
|
echo "docker-status=$DOCKER_STATUS" >> $GITHUB_OUTPUT
|
|
echo "buildx-status=$BUILDX_STATUS" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
# Check npm vulnerabilities
|
|
if [[ "${{ github.event.inputs.check_type }}" == "all" || "${{ github.event.inputs.check_type }}" == "npm" ]]; then
|
|
echo "### NPM Security Audit" >> $GITHUB_STEP_SUMMARY
|
|
|
|
cd src/Misc/expressionFunc/hashFiles
|
|
npm install --silent
|
|
|
|
AUDIT_OUTPUT=""
|
|
AUDIT_EXIT_CODE=0
|
|
# Run npm audit and capture output and exit code
|
|
if ! AUDIT_OUTPUT=$(npm audit --json 2>&1); then
|
|
AUDIT_EXIT_CODE=$?
|
|
fi
|
|
|
|
# Check if output is valid JSON
|
|
if echo "$AUDIT_OUTPUT" | jq . >/dev/null 2>&1; then
|
|
VULN_COUNT=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.total // 0')
|
|
# Ensure VULN_COUNT is a number
|
|
VULN_COUNT=$(echo "$VULN_COUNT" | grep -o '[0-9]*' | head -1)
|
|
VULN_COUNT=${VULN_COUNT:-0}
|
|
|
|
NPM_STATUS="✅ no vulnerabilities"
|
|
if [ "$VULN_COUNT" -gt 0 ] 2>/dev/null; then
|
|
NPM_STATUS="⚠️ $VULN_COUNT vulnerabilities found"
|
|
|
|
# Get vulnerability details
|
|
HIGH_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.high // 0')
|
|
CRITICAL_VULNS=$(echo "$AUDIT_OUTPUT" | jq '.metadata.vulnerabilities.critical // 0')
|
|
|
|
echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo "No npm vulnerabilities found ✅" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
else
|
|
NPM_STATUS="❌ npm audit failed"
|
|
echo "npm audit failed to run or returned invalid JSON ❌" >> $GITHUB_STEP_SUMMARY
|
|
echo "Exit code: $AUDIT_EXIT_CODE" >> $GITHUB_STEP_SUMMARY
|
|
echo "Output: $AUDIT_OUTPUT" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
|
|
echo "npm-vulnerabilities=$NPM_STATUS" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Check for open dependency PRs
|
|
id: check-prs
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
echo "### Open Dependency PRs" >> $GITHUB_STEP_SUMMARY
|
|
|
|
# Get open PRs with dependency label
|
|
OPEN_PRS=$(gh pr list --label "dependencies" --state open --json number,title,url)
|
|
PR_COUNT=$(echo "$OPEN_PRS" | jq '. | length')
|
|
|
|
if [ "$PR_COUNT" -gt 0 ]; then
|
|
echo "Found $PR_COUNT open dependency PR(s):" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "$OPEN_PRS" | jq -r '.[] | "- [#\(.number)](\(.url)) \(.title)"' >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo "No open dependency PRs found ✅" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "open-dependency-prs=$PR_COUNT" >> $GITHUB_OUTPUT
|
|
|
|
- name: Summary
|
|
run: |
|
|
echo "### Summary" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Check for open PRs with the \`dependency\` label before releases" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Review and merge dependency updates regularly" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Critical vulnerabilities should be addressed immediately" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "**Automated workflows run weekly to check for updates:**" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Node.js versions (Mondays at 6 AM)" >> $GITHUB_STEP_SUMMARY
|
|
echo "- NPM audit fix (Mondays at 7 AM)" >> $GITHUB_STEP_SUMMARY
|
|
echo "- .NET SDK updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Docker/Buildx updates (Mondays at midnight)" >> $GITHUB_STEP_SUMMARY
|