1+ name : Daily Snap Monitor
2+
3+ on :
4+ schedule :
5+ - cron : " 17 3 * * *"
6+ workflow_dispatch :
7+
8+ permissions :
9+ contents : read
10+
11+ jobs :
12+ monitor :
13+ runs-on : ubuntu-latest
14+
15+ env :
16+ PACKAGE_NAME : cvecli
17+ CVE_ID : cve-2025-55182
18+
19+ steps :
20+ - name : Initialize state
21+ shell : bash
22+ run : |
23+ echo "CVECLI_VERSION=unknown" >> "$GITHUB_ENV"
24+ echo "TEST_STATUS=failed" >> "$GITHUB_ENV"
25+ echo "CVE_OUTPUT_RETURNED=no" >> "$GITHUB_ENV"
26+ echo "CVE_COMMAND=cvecli --id ${CVE_ID}" >> "$GITHUB_ENV"
27+
28+ - name : Setup snapd
29+ shell : bash
30+ run : |
31+ set -euo pipefail
32+
33+ sudo apt-get update
34+ sudo apt-get install -y snapd
35+
36+ sudo systemctl enable --now snapd.socket || true
37+ sudo systemctl restart snapd || true
38+
39+ sudo ln -sf /var/lib/snapd/snap /snap || true
40+ echo "/snap/bin" >> "$GITHUB_PATH"
41+
42+ snap version
43+
44+ - name : Install or update cvecli
45+ shell : bash
46+ run : |
47+ set -euo pipefail
48+
49+ if snap list "${PACKAGE_NAME}" >/dev/null 2>&1; then
50+ sudo snap refresh "${PACKAGE_NAME}" --channel=stable || \
51+ sudo snap refresh "${PACKAGE_NAME}" --channel=stable
52+ else
53+ sudo snap install "${PACKAGE_NAME}" --channel=stable || \
54+ sudo snap install "${PACKAGE_NAME}" --channel=stable
55+ fi
56+
57+ command -v cvecli
58+
59+ - name : Get version
60+ shell : bash
61+ run : |
62+ set -euo pipefail
63+
64+ version="$(cvecli --version 2>/dev/null || true)"
65+ version="$(echo "$version" | head -n 1 | tr -d '\r')"
66+
67+ if [ -z "$version" ]; then
68+ version="unknown"
69+ fi
70+
71+ echo "CVECLI_VERSION=${version}" >> "$GITHUB_ENV"
72+
73+ - name : Run CVE functional test
74+ shell : bash
75+ run : |
76+ set -euo pipefail
77+
78+ set +e
79+ output="$(cvecli --id "${CVE_ID}" 2>&1)"
80+ rc=$?
81+ set -e
82+
83+ printf '%s\n' "$output" > cve_output.txt
84+
85+ stripped="$(printf '%s' "$output" | tr -d '\r' | tr -d '[:space:]')"
86+
87+ if [ $rc -ne 0 ]; then
88+ echo "TEST_STATUS=failed" >> "$GITHUB_ENV"
89+ echo "CVE_OUTPUT_RETURNED=no" >> "$GITHUB_ENV"
90+ elif [ -z "$stripped" ]; then
91+ echo "TEST_STATUS=failed" >> "$GITHUB_ENV"
92+ echo "CVE_OUTPUT_RETURNED=no" >> "$GITHUB_ENV"
93+ else
94+ echo "TEST_STATUS=success" >> "$GITHUB_ENV"
95+ echo "CVE_OUTPUT_RETURNED=yes" >> "$GITHUB_ENV"
96+ fi
97+
98+ - name : Build Telegram message
99+ if : always()
100+ shell : bash
101+ run : |
102+ set -euo pipefail
103+
104+ if [ "${TEST_STATUS}" = "success" ]; then
105+ STATUS="✅ Healthy"
106+ else
107+ STATUS="❌ Failed"
108+ fi
109+
110+ MSG="$(printf '%s\n' \
111+ "Status: ${STATUS}" \
112+ "Package: ${PACKAGE_NAME}" \
113+ "Version: ${CVECLI_VERSION}" \
114+ "CVE command: ${CVE_COMMAND}" \
115+ "Output returned: ${CVE_OUTPUT_RETURNED}" \
116+ "Repo: ${GITHUB_REPOSITORY}" \
117+ "Run: #${GITHUB_RUN_NUMBER}" \
118+ "SHA: ${GITHUB_SHA}" \
119+ "Branch: ${GITHUB_REF_NAME}")"
120+
121+ echo "MESSAGE<<EOF" >> "$GITHUB_ENV"
122+ echo "$MSG" >> "$GITHUB_ENV"
123+ echo "EOF" >> "$GITHUB_ENV"
124+
125+ - name : Send Telegram notification
126+ if : always()
127+ shell : bash
128+ env :
129+ TELEGRAM_TOKEN : ${{ secrets.TELEGRAM_TOKEN }}
130+ TELEGRAM_CHAT_ID : ${{ secrets.TELEGRAM_CHAT_ID }}
131+ run : |
132+ set -euo pipefail
133+
134+ curl -fsS --retry 3 --retry-all-errors \
135+ -X POST "https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage" \
136+ -d "chat_id=${TELEGRAM_CHAT_ID}" \
137+ --data-urlencode "text=${MESSAGE}"
138+
139+ - name : Fail workflow if unhealthy
140+ if : always()
141+ shell : bash
142+ run : |
143+ set -euo pipefail
144+
145+ if [ "${TEST_STATUS}" != "success" ]; then
146+ exit 1
147+ fi
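Review bot: The `Run CVE functional test` step records `TEST_STATUS=success` for any non-empty output with exit code 0, so a usage banner, an error text printed with a zero status, or a record for a different ID would all be reported to Telegram as `✅ Healthy`. A branch ahead of the final `else` that checks the saved output for the requested ID would close that gap, for example `elif ! grep -qiF -- "${CVE_ID}" cve_output.txt; then` followed by the same two `failed`/`no` writes; this assumes cvecli echoes the ID in its result, which the page does not show. It would also give `cve_output.txt` a purpose, since no later step reads or uploads it. Separately, no visible step checks out the repository or uses the job token, so the top-level block could probably be `permissions: {}` instead of `contents: read`.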