|
| 1 | +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json |
| 2 | + |
| 3 | +name: Daily macOS Monitor |
| 4 | + |
| 5 | +on: |
| 6 | + schedule: |
| 7 | + - cron: "17 3 * * *" |
| 8 | + workflow_dispatch: |
| 9 | + |
| 10 | +permissions: |
| 11 | + contents: read |
| 12 | + |
| 13 | +jobs: |
| 14 | + monitor: |
| 15 | + runs-on: macos-latest |
| 16 | + |
| 17 | + env: |
| 18 | + TAP_NAME: DebaA17/tap |
| 19 | + FORMULA_NAME: cvecli |
| 20 | + CVE_ID: CVE-2025-55182 |
| 21 | + |
| 22 | + steps: |
| 23 | + - name: Initialize state |
| 24 | + shell: bash |
| 25 | + run: | |
| 26 | + set -euo pipefail |
| 27 | + echo "CVECLI_VERSION=unknown" >> "$GITHUB_ENV" |
| 28 | + echo "TEST_STATUS=failed" >> "$GITHUB_ENV" |
| 29 | + echo "CVE_OUTPUT_RETURNED=no" >> "$GITHUB_ENV" |
| 30 | + echo "CVE_COMMAND=cvecli --id ${CVE_ID}" >> "$GITHUB_ENV" |
| 31 | +
|
| 32 | + - name: Install or update cvecli (Homebrew) |
| 33 | + shell: bash |
| 34 | + run: | |
| 35 | + set -euo pipefail |
| 36 | +
|
| 37 | + brew --version |
| 38 | + brew tap "${TAP_NAME}" |
| 39 | +
|
| 40 | + if brew list --formula "${FORMULA_NAME}" >/dev/null 2>&1; then |
| 41 | + brew upgrade "${FORMULA_NAME}" || true |
| 42 | + else |
| 43 | + brew install "${FORMULA_NAME}" |
| 44 | + fi |
| 45 | +
|
| 46 | + command -v cvecli |
| 47 | +
|
| 48 | + - name: Get version |
| 49 | + shell: bash |
| 50 | + run: | |
| 51 | + set -euo pipefail |
| 52 | +
|
| 53 | + version="$(cvecli --version 2>/dev/null || true)" |
| 54 | + version="$(echo "$version" | head -n 1 | tr -d '\r')" |
| 55 | + if [ -z "$version" ]; then |
| 56 | + version="unknown" |
| 57 | + fi |
| 58 | + echo "CVECLI_VERSION=${version}" >> "$GITHUB_ENV" |
| 59 | +
|
| 60 | + - name: Run CVE functional test |
| 61 | + shell: bash |
| 62 | + run: | |
| 63 | + set -euo pipefail |
| 64 | +
|
| 65 | + set +e |
| 66 | + output="$(cvecli --id "${CVE_ID}" 2>&1)" |
| 67 | + rc=$? |
| 68 | + set -e |
| 69 | +
|
| 70 | + printf '%s\n' "$output" > cve_output.txt |
| 71 | +
|
| 72 | + stripped="$(printf '%s' "$output" | tr -d '\r' | tr -d '[:space:]')" |
| 73 | + lowered="$(printf '%s' "$output" | tr -d '\r' | tr '[:upper:]' '[:lower:]')" |
| 74 | +
|
| 75 | + if [ $rc -ne 0 ]; then |
| 76 | + echo "TEST_STATUS=failed" >> "$GITHUB_ENV" |
| 77 | + echo "CVE_OUTPUT_RETURNED=no" >> "$GITHUB_ENV" |
| 78 | + elif [ -z "$stripped" ]; then |
| 79 | + echo "TEST_STATUS=failed" >> "$GITHUB_ENV" |
| 80 | + echo "CVE_OUTPUT_RETURNED=no" >> "$GITHUB_ENV" |
| 81 | + elif printf '%s' "$lowered" | grep -q "^[[:space:]]*error:\|failed to fetch cve\|network error\|invalid json"; then |
| 82 | + echo "TEST_STATUS=failed" >> "$GITHUB_ENV" |
| 83 | + echo "CVE_OUTPUT_RETURNED=yes" >> "$GITHUB_ENV" |
| 84 | + else |
| 85 | + echo "TEST_STATUS=success" >> "$GITHUB_ENV" |
| 86 | + echo "CVE_OUTPUT_RETURNED=yes" >> "$GITHUB_ENV" |
| 87 | + fi |
| 88 | +
|
| 89 | + - name: Build Telegram message |
| 90 | + if: always() |
| 91 | + shell: bash |
| 92 | + run: | |
| 93 | + set -euo pipefail |
| 94 | +
|
| 95 | + if [ "${TEST_STATUS}" = "success" ]; then |
| 96 | + STATUS="✅ Healthy" |
| 97 | + else |
| 98 | + STATUS="❌ Failed" |
| 99 | + fi |
| 100 | +
|
| 101 | + MSG="$(printf '%s\n' \ |
| 102 | + "Monitor: macOS (Homebrew)" \ |
| 103 | + "Status: ${STATUS}" \ |
| 104 | + "Tap: ${TAP_NAME}" \ |
| 105 | + "Formula: ${FORMULA_NAME}" \ |
| 106 | + "Version: ${CVECLI_VERSION}" \ |
| 107 | + "CVE command: ${CVE_COMMAND}" \ |
| 108 | + "Output returned: ${CVE_OUTPUT_RETURNED}" \ |
| 109 | + "Repo: ${GITHUB_REPOSITORY}" \ |
| 110 | + "Run: #${GITHUB_RUN_NUMBER}" \ |
| 111 | + "SHA: ${GITHUB_SHA}" \ |
| 112 | + "Branch: ${GITHUB_REF_NAME}")" |
| 113 | +
|
| 114 | + echo "MESSAGE<<EOF" >> "$GITHUB_ENV" |
| 115 | + echo "$MSG" >> "$GITHUB_ENV" |
| 116 | + echo "EOF" >> "$GITHUB_ENV" |
| 117 | +
|
| 118 | + - name: Send Telegram notification |
| 119 | + if: always() |
| 120 | + shell: bash |
| 121 | + env: |
| 122 | + TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }} |
| 123 | + TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }} |
| 124 | + run: | |
| 125 | + set -euo pipefail |
| 126 | +
|
| 127 | + curl -fsS --retry 3 --retry-all-errors \ |
| 128 | + -X POST "https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage" \ |
| 129 | + -d "chat_id=${TELEGRAM_CHAT_ID}" \ |
| 130 | + --data-urlencode "text=${MESSAGE}" |
| 131 | +
|
| 132 | + - name: Fail workflow if unhealthy |
| 133 | + if: always() |
| 134 | + shell: bash |
| 135 | + run: | |
| 136 | + set -euo pipefail |
| 137 | + if [ "${TEST_STATUS}" != "success" ]; then |
| 138 | + exit 1 |
| 139 | + fi |
| 140 | +
|
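Review bot: The error-pattern check at file line 81 relies on `\|` alternation inside a basic regex, which BSD grep on the `macos-latest` runner may treat as a literal `|` rather than alternation; if so, only `^[[:space:]]*error:` is ever tested, and an output such as `failed to fetch cve` or `network error` would be recorded as `TEST_STATUS=success` and reported as "Healthy", the opposite of what this monitor exists to catch. Switch to extended syntax so the pattern is unambiguous on both GNU and BSD grep: `elif printf '%s' "$lowered" | grep -qE '^[[:space:]]*error:|failed to fetch cve|network error|invalid json'; then`. Separately, lines 114–116 write `MESSAGE` to `$GITHUB_ENV` with the fixed delimiter `EOF` while the body embeds `CVECLI_VERSION`, the first stdout line of the binary that was just installed from the tap; the `Version: ` prefix prevents a standalone `EOF` line today, but a per-run delimiter (for example `delim="msg_$RANDOM$RANDOM"` used for both the `MESSAGE<<` line and the terminator) removes that dependency on the prefix and matches the documented hardening for multi-line `GITHUB_ENV` values. The file header for this section is outside the visible page, so the workflow path is not confirmed here.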