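# Runs after the "CodeQL Advanced" workflow and, for every open code-scanning
# alert of the listed severities, asks Copilot Autofix for a fix and commits
# the generated fix to a dedicated `autofix/<severity>/alert-<number>`
# branch. Nothing in this file opens or merges a pull request: each branch
# still has to be reviewed by a person before the machine-generated change
# lands anywhere.
name: Auto Copilot Autofix (High & Medium Only)

# `on` is a YAML 1.1 truthy key; GitHub's loader reads it as the trigger
# table, so it stays unquoted (suppress yamllint `truthy` here if linting).
on:
  workflow_run:
    workflows: ["CodeQL Advanced"]
    types: [completed]

jobs:
  auto-fix:
    runs-on: ubuntu-latest
    # `completed` also fires for failed and cancelled scans. Only act on a
    # successful run so a broken scan does not drive fixes from stale alerts.
    if: github.event.workflow_run.conclusion == 'success'
    # This block bounds GITHUB_TOKEN only. The step below authenticates with
    # the AUTOFIX_TOKEN secret instead, so that token's own scopes are the
    # effective privilege; keep it fine-grained and limited to this
    # repository. `pull-requests: write` is not used by any step in this file.
    permissions:
      security-events: read
      contents: write
      pull-requests: write
    steps:
      - name: Trigger Autofix for High & Medium alerts
        # Context values are passed through env instead of being expanded
        # with ${{ }} inside `run`, so they are never parsed as shell syntax.
        env:
          GH_TOKEN: ${{ secrets.AUTOFIX_TOKEN }}
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
        run: |
          # NOTE(review): the workflow name says "High & Medium", but the
          # list below asks the API for critical/error/warning. The alerts
          # endpoint also accepts "high" and "medium" as severity values;
          # confirm which set is intended before relying on the name.
          for SEVERITY in "critical" "error" "warning"; do
            echo "====== Processing severity: $SEVERITY ======"
            # --paginate follows the Link header so repositories with more
            # than 100 open alerts of one severity are fully covered; the
            # filter emits one alert number per line. Quoted expansions
            # below avoid word splitting and glob expansion of the output.
            ALERTS=$(gh api --paginate \
              "/repos/$OWNER/$REPO/code-scanning/alerts?severity=$SEVERITY&state=open&per_page=100" \
              --jq '.[].number')
            if [ -z "$ALERTS" ]; then
              echo "Found 0 alerts with severity: $SEVERITY"
              continue
            fi
            COUNT=$(echo "$ALERTS" | wc -l)
            echo "Found $COUNT alerts with severity: $SEVERITY"
            for NUMBER in $ALERTS; do
              echo "--- Alert #$NUMBER ($SEVERITY) ---"
              # A missing autofix (or any API error) maps to the sentinel
              # "none" so the step keeps going instead of aborting under -e.
              EXISTING=$(gh api \
                "/repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix" \
                --jq '.status' 2>/dev/null || echo "none")
              if [ "$EXISTING" = "success" ]; then
                echo "✅ Fix already exists, committing directly..."
              else
                echo "⏳ Generating fix..."
                gh api -X POST \
                  "/repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix" || {
                  echo "⚠️ Failed to trigger autofix for #$NUMBER, skipping"
                  continue
                }
                # Generation is asynchronous; poll up to 3 times, 30 s apart
                # (90 s total) before giving up on this alert.
                for i in 1 2 3; do
                  sleep 30
                  EXISTING=$(gh api \
                    "/repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix" \
                    --jq '.status' 2>/dev/null || echo "none")
                  echo " Attempt $i: status = $EXISTING"
                  [ "$EXISTING" = "success" ] && break
                done
              fi
              if [ "$EXISTING" = "success" ]; then
                # One branch per alert keeps each machine-generated change
                # isolated and individually reviewable.
                # NOTE(review): confirm whether the commits endpoint creates
                # `target_ref` or requires it to exist already; if the
                # latter, the branch must be created first.
                BRANCH="autofix/${SEVERITY}/alert-${NUMBER}"
                gh api -X POST \
                  "/repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix/commits" \
                  -f target_ref="$BRANCH" && \
                  echo "✅ Committed fix to branch: $BRANCH" || \
                  echo "❌ Failed to commit fix for alert #$NUMBER"
              else
                echo "⚠️ Autofix not available for alert #$NUMBER (status: $EXISTING), skipping"
              fi
            done
          done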