|
1 | | -name: Notify New Security Advisories |
| 1 | +name: Post Security Advisories to Slack |
2 | 2 |
|
3 | 3 | on: |
4 | 4 | schedule: |
5 | | - - cron: '0 * * * *' |
| 5 | + - cron: "*/15 * * * *" # every 15 minutes |
6 | 6 | workflow_dispatch: |
7 | 7 |
|
8 | 8 | jobs: |
9 | | - notify: |
| 9 | + notify-advisories: |
10 | 10 | runs-on: ubuntu-latest |
11 | 11 | steps: |
12 | | - - name: Fetch advisories and send to Slack |
| 12 | + - name: Checkout repo |
| 13 | + uses: actions/checkout@v4 |
| 14 | + |
| 15 | + - name: Prepare cache dir |
| 16 | + run: mkdir -p .github/advisories-cache |
| 17 | + |
| 18 | + - name: Download previous advisory list (if exists) |
| 19 | + id: load_previous |
| 20 | + run: | |
| 21 | + if [ -f .github/advisories-cache/advisories.json ]; then |
| 22 | + echo "Found previous cache" |
| 23 | + else |
| 24 | + echo "[]" > .github/advisories-cache/advisories.json |
| 25 | + fi |
| 26 | +
|
| 27 | + - name: Fetch current advisories from GitHub |
| 28 | + id: fetch |
13 | 29 | env: |
14 | 30 | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
15 | | - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_SECURITY_ADVISORIES }} |
16 | 31 | run: | |
17 | 32 | curl -s -H "Authorization: token $GH_TOKEN" \ |
18 | 33 | https://api.github.com/repos/calcom/cal.com/security-advisories \ |
19 | | - | jq -r '.[] | select(.state=="published") | "\(.summary)\n\(.url)"' \ |
20 | | - | while read -r msg; do |
21 | | - [ -n "$msg" ] && curl -X POST -H 'Content-type: application/json' \ |
22 | | - --data "{\"text\":\"$msg\"}" "$SLACK_WEBHOOK" |
23 | | - done |
| 34 | + > advisories.json |
| 35 | +
|
| 36 | + - name: Compare and notify Slack |
| 37 | + env: |
| 38 | + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_SECURITY_ADVISORIES }} |
| 39 | + run: | |
| 40 | + jq -r '.[].ghsa_id' advisories.json | sort > current_ids.txt |
| 41 | + jq -r '.[].ghsa_id' .github/advisories-cache/advisories.json | sort > previous_ids.txt |
| 42 | +
|
| 43 | + # Find new advisories |
| 44 | + comm -23 current_ids.txt previous_ids.txt > new_ids.txt |
| 45 | +
|
| 46 | + while read -r id; do |
| 47 | + if [ -n "$id" ]; then |
| 48 | + summary=$(jq -r --arg id "$id" '.[] | select(.ghsa_id == $id) | .summary' advisories.json) |
| 49 | + url=$(jq -r --arg id "$id" '.[] | select(.ghsa_id == $id) | .html_url' advisories.json) |
| 50 | + state=$(jq -r --arg id "$id" '.[] | select(.ghsa_id == $id) | .state' advisories.json) |
| 51 | +
|
| 52 | + curl -X POST -H 'Content-type: application/json' \ |
| 53 | + --data "{\"text\":\":rotating_light: *New GitHub Advisory Detected*\n>*Summary:* $summary\n>*State:* $state\n>$url\"}" \ |
| 54 | + "$SLACK_WEBHOOK" |
| 55 | + fi |
| 56 | + done < new_ids.txt |
| 57 | +
|
| 58 | + # Save current advisories as cache for next run |
| 59 | + cp advisories.json .github/advisories-cache/advisories.json |
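Review bot: The Slack payload at new line 53 is built by interpolating `$summary`, `$state` and `$url` straight into a JSON string literal, so an advisory summary containing a double quote, backslash or newline produces malformed JSON (the POST is rejected) or lets the summary text reshape the payload; build the body with jq as below, and give both curl calls `-f` so an API error response is not written to advisories.json and then parsed as an advisory list. The cache copied at new line 59 lives only in the runner's checkout and is neither committed back nor restored through actions/cache, so unless that file is maintained by something outside this workflow every 15-minute run starts from `[]` and re-posts every advisory. The previous `select(.state=="published")` filter no longer exists on the new side; if the token can see draft or triage advisories, their summaries would reach Slack before disclosure, so either restore the filter or confirm the endpoint returns only published entries. No `permissions:` block is declared; since the job only reads, a top-level `permissions: contents: read` would be the least-privilege setting.
```yaml
        run: |
          # … unchanged: id extraction and comm -23 …
          while read -r id; do
            [ -n "$id" ] || continue
            payload=$(jq -c --arg id "$id" \
              '.[] | select(.ghsa_id == $id)
               | {text: (":rotating_light: *New GitHub Advisory Detected*\n>*Summary:* \(.summary)\n>*State:* \(.state)\n>\(.html_url)")}' \
              advisories.json)
            curl -fsS -X POST -H 'Content-type: application/json' \
              --data "$payload" "$SLACK_WEBHOOK"
          done < new_ids.txt
          # … unchanged: cache copy …
```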