Add Discord notifications for security update failures

StasonJatham · StasonJatham · commit cc3161069cb1 · 2025-11-11T10:34:59.000+01:00
Enhanced both security workflows with Discord webhook integration:

Security Updates Workflow:
- Sends Discord notification when tests fail after dependency upgrade
- Sends Discord notification when dependency upgrade fails
- Includes security report, test output, and workflow links
- Color-coded embeds (red for critical, yellow for warnings)

Dependabot Auto-Merge Workflow:
- Sends Discord notification when Dependabot PR tests fail
- Includes PR link, test output, and failure details
- Allows manual intervention when automation fails

Notification Format:
- Rich embeds with structured information
- Direct links to PRs and workflow runs
- Last 50 lines of test output for debugging
- Security report details
- Timestamps for tracking

Configuration:
- Requires DISCORD_WEBHOOK secret in GitHub repo settings
- Webhook URL should be full Discord webhook URL with https://

This ensures you're immediately notified when security updates need manual attention.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -29,15 +29,21 @@ jobs:
 
     - name: Run unit tests
       id: unit_tests
+      continue-on-error: true
       run: |
-        pytest tests/test_validator.py -v --tb=short
-        echo "unit_tests_passed=true" >> $GITHUB_OUTPUT
+        pytest tests/test_validator.py -v --tb=short > test-output.txt 2>&1
+        if [ $? -eq 0 ]; then
+          echo "unit_tests_passed=true" >> $GITHUB_OUTPUT
+        fi
 
     - name: Run CLI tests
       id: cli_tests
+      continue-on-error: true
       run: |
-        pytest tests/test_cli.py -v --tb=short
-        echo "cli_tests_passed=true" >> $GITHUB_OUTPUT
+        pytest tests/test_cli.py -v --tb=short >> test-output.txt 2>&1
+        if [ $? -eq 0 ]; then
+          echo "cli_tests_passed=true" >> $GITHUB_OUTPUT
+        fi
 
     - name: Check if security update
       id: check_security
@@ -119,3 +125,64 @@ This release was automatically created after Dependabot's security updates passe
 See PR #${{ github.event.pull_request.number }} for details."
 
         echo "✅ Created release v$NEW_VERSION"
+
+    - name: Send Discord notification on test failure
+      if: |
+        steps.unit_tests.outputs.unit_tests_passed != 'true' ||
+        steps.cli_tests.outputs.cli_tests_passed != 'true'
+      env:
+        DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      run: |
+        TEST_OUTPUT=$(cat test-output.txt 2>/dev/null | tail -50 || echo "No test output available")
+        TEST_OUTPUT=$(echo "$TEST_OUTPUT" | jq -Rs .)
+
+        PR_TITLE=$(gh pr view ${{ github.event.pull_request.number }} --json title --jq .title)
+        PR_URL="https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}"
+
+        curl -H "Content-Type: application/json" \
+          -d "{
+            \"embeds\": [{
+              \"title\": \"🚨 Dependabot PR Tests Failed - Manual Review Required\",
+              \"description\": \"A Dependabot security update PR has failing tests.\",
+              \"color\": 15158332,
+              \"fields\": [
+                {
+                  \"name\": \"Repository\",
+                  \"value\": \"${{ github.repository }}\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"PR\",
+                  \"value\": \"[#${{ github.event.pull_request.number }}]($PR_URL)\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"Run ID\",
+                  \"value\": \"[${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"⚠️ Issue\",
+                  \"value\": \"Dependabot created a security update PR but tests failed.\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"📋 PR Title\",
+                  \"value\": \"$PR_TITLE\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"🧪 Test Output (last 50 lines)\",
+                  \"value\": \"\`\`\`\n\" + $TEST_OUTPUT + \"\n\`\`\`\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"🔗 Actions\",
+                  \"value\": \"Please review the [PR]($PR_URL) and [workflow run](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) to fix the failing tests.\",
+                  \"inline\": false
+                }
+              ],
+              \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
+            }]
+          }" \
+          "$DISCORD_WEBHOOK"
diff --git a/.github/workflows/security-updates.yml b/.github/workflows/security-updates.yml
@@ -73,9 +73,10 @@ jobs:
     - name: Run all tests
       if: steps.fix_vulnerabilities.outputs.updated == 'true'
       id: run_tests
+      continue-on-error: true
       run: |
-        pytest tests/test_validator.py -v --tb=short
-        pytest tests/test_cli.py -v --tb=short
+        pytest tests/test_validator.py -v --tb=short > test-output.txt 2>&1
+        pytest tests/test_cli.py -v --tb=short >> test-output.txt 2>&1
         echo "tests_passed=true" >> $GITHUB_OUTPUT
 
     - name: Get current version
@@ -188,6 +189,121 @@ EOF
           echo "PR will merge automatically once all checks pass"
         fi
 
+    - name: Send Discord notification on test failure
+      if: |
+        steps.fix_vulnerabilities.outputs.updated == 'true' &&
+        steps.run_tests.outputs.tests_passed != 'true'
+      env:
+        DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      run: |
+        SECURITY_REPORT=$(cat security-report.txt 2>/dev/null | head -30 || echo "No security report available")
+        TEST_OUTPUT=$(cat test-output.txt 2>/dev/null | tail -50 || echo "No test output available")
+
+        # Escape JSON special characters
+        SECURITY_REPORT=$(echo "$SECURITY_REPORT" | jq -Rs .)
+        TEST_OUTPUT=$(echo "$TEST_OUTPUT" | jq -Rs .)
+
+        curl -H "Content-Type: application/json" \
+          -d "{
+            \"embeds\": [{
+              \"title\": \"🚨 Security Update Failed - Manual Review Required\",
+              \"description\": \"A security update was attempted but tests failed. Manual intervention is needed.\",
+              \"color\": 15158332,
+              \"fields\": [
+                {
+                  \"name\": \"Repository\",
+                  \"value\": \"${{ github.repository }}\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"Workflow\",
+                  \"value\": \"Security Updates\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"Run ID\",
+                  \"value\": \"[${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"⚠️ Issue\",
+                  \"value\": \"Security vulnerabilities were found and dependencies were updated, but tests failed after the update.\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"📋 Security Report (truncated)\",
+                  \"value\": \"\`\`\`\n\" + $SECURITY_REPORT + \"\n\`\`\`\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"🧪 Test Output (last 50 lines)\",
+                  \"value\": \"\`\`\`\n\" + $TEST_OUTPUT + \"\n\`\`\`\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"🔗 Actions\",
+                  \"value\": \"Please review the [workflow run](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) and fix the failing tests manually.\",
+                  \"inline\": false
+                }
+              ],
+              \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
+            }]
+          }" \
+          "$DISCORD_WEBHOOK"
+
+    - name: Send Discord notification on upgrade failure
+      if: |
+        (steps.pip_audit.outputs.vulnerabilities_found == 'true' || steps.safety_check.outputs.safety_issues == 'true') &&
+        steps.fix_vulnerabilities.outputs.updated != 'true'
+      env:
+        DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      run: |
+        SECURITY_REPORT=$(cat security-report.txt 2>/dev/null || echo "No security report available")
+        SECURITY_REPORT=$(echo "$SECURITY_REPORT" | jq -Rs .)
+
+        curl -H "Content-Type: application/json" \
+          -d "{
+            \"embeds\": [{
+              \"title\": \"⚠️ Security Vulnerabilities Found - Upgrade Failed\",
+              \"description\": \"Security vulnerabilities detected but automatic upgrade failed.\",
+              \"color\": 16776960,
+              \"fields\": [
+                {
+                  \"name\": \"Repository\",
+                  \"value\": \"${{ github.repository }}\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"Workflow\",
+                  \"value\": \"Security Updates\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"Run ID\",
+                  \"value\": \"[${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})\",
+                  \"inline\": true
+                },
+                {
+                  \"name\": \"⚠️ Issue\",
+                  \"value\": \"Could not automatically upgrade dependencies. Manual upgrade required.\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"📋 Security Report\",
+                  \"value\": \"\`\`\`\n\" + $SECURITY_REPORT + \"\n\`\`\`\",
+                  \"inline\": false
+                },
+                {
+                  \"name\": \"🔗 Actions\",
+                  \"value\": \"Please review the [workflow run](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) and upgrade dependencies manually.\",
+                  \"inline\": false
+                }
+              ],
+              \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
+            }]
+          }" \
+          "$DISCORD_WEBHOOK"
+
     - name: No vulnerabilities found
       if: steps.pip_audit.outputs.vulnerabilities_found != 'true' && steps.safety_check.outputs.safety_issues != 'true'
       run: |
diff --git a/pyresolvers/lib/core/__version__.py b/pyresolvers/lib/core/__version__.py
@@ -1,2 +1,2 @@
-__version__ = '2.1.0'
+__version__ = '2.1.1'
 

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-__version__ = '2.1.0'`
	`1`	`+__version__ = '2.1.1'`
`2`	`2`