react-tools/.github/workflows/autofix-publish.yml at master · nDriaDev/react-tools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
name: Dependency Audit & Publish

on:
  # schedule:
  #   - cron: '0 23 * * *'  # every day at 23:00 UTC (01:00 IT)
  workflow_dispatch:

permissions:
  contents: write
  id-token: write

jobs:
  audit:
    runs-on: ubuntu-latest
    env:
      CI: true

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: latest

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'
          registry-url: 'https://registry.npmjs.org'

      - name: Configure git
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Install dependencies
        run: pnpm install

      - name: Audit (1st pass)
        id: audit1
        run: |
          if pnpm audit 2>&1 | tee audit1.log | grep -q "found [^0]"; then
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
          fi

      - name: No vulnerabilities found — done
        if: steps.audit1.outputs.vulnerable == 'false'
        run: echo "✅ No vulnerabilities. Nothing to do."

      - name: Update dependencies
        if: steps.audit1.outputs.vulnerable == 'true'
        run: pnpm update

      - name: Audit (2nd pass — after update)
        if: steps.audit1.outputs.vulnerable == 'true'
        id: audit2
        run: |
          if pnpm audit 2>&1 | tee audit2.log | grep -q "found [^0]"; then
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Commit + release after update
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'false'
        run: |
          git clean -fd
          git add pnpm-lock.yaml package.json
          [ -f pnpm-workspace.yaml ] && git add pnpm-workspace.yaml
          git diff --staged --quiet || git commit -m "chore: update dependencies"
          git push
          bash scripts/release.sh patch

      - name: Audit fix
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true'
        run: |
          pnpm audit --fix
          pnpm install

      - name: Audit (3rd pass — after audit fix)
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true'
        id: audit3
        run: |
          if pnpm audit 2>&1 | tee audit3.log | grep -q "found [^0]"; then
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Commit + release after audit fix
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true' &&
          steps.audit3.outputs.vulnerable == 'false'
        run: |
          git clean -fd
          git add pnpm-lock.yaml package.json
          [ -f pnpm-workspace.yaml ] && git add pnpm-workspace.yaml
          git diff --staged --quiet || git commit -m "chore: update dependencies"
          git push
          bash scripts/release.sh patch

      - name: Clean reinstall
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true' &&
          steps.audit3.outputs.vulnerable == 'true'
        run: |
          rm -rf node_modules
          [ -f pnpm-lock.yaml ] && rm pnpm-lock.yaml
          [ -f pnpm-workspace.yaml ] && rm pnpm-workspace.yaml
          pnpm install

      - name: Audit (4th pass — after clean reinstall)
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true' &&
          steps.audit3.outputs.vulnerable == 'true'
        id: audit4
        run: |
          if pnpm audit 2>&1 | tee audit4.log | grep -q "found [^0]"; then
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Commit + release after clean reinstall
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true' &&
          steps.audit3.outputs.vulnerable == 'true' &&
          steps.audit4.outputs.vulnerable == 'false'
        run: |
          git clean -fd
          git add pnpm-lock.yaml package.json
          [ -f pnpm-workspace.yaml ] && git add pnpm-workspace.yaml
          git diff --staged --quiet || git commit -m "chore: update dependencies"
          git push
          bash scripts/release.sh patch

      # -- Vulnerabilites not resolved: email notification ----------
      # - name: Upload audit logs as artifact
      #   if: >
      #     steps.audit1.outputs.vulnerable == 'true' &&
      #     steps.audit2.outputs.vulnerable == 'true' &&
      #     steps.audit3.outputs.vulnerable == 'true' &&
      #     steps.audit4.outputs.vulnerable == 'true'
      #   uses: actions/upload-artifact@v4
      #   with:
      #     name: audit-logs
      #     path: audit*.log
      #     retention-days: 7

      # - name: Send failure email
      #   if: >
      #     steps.audit1.outputs.vulnerable == 'true' &&
      #     steps.audit2.outputs.vulnerable == 'true' &&
      #     steps.audit3.outputs.vulnerable == 'true' &&
      #     steps.audit4.outputs.vulnerable == 'true'
      #   uses: dawidd6/action-send-mail@v3
      #   with:
      #     server_address: ${{ secrets.MAIL_SERVER }}
      #     server_port: ${{ secrets.MAIL_PORT }}
      #     username: ${{ secrets.MAIL_USERNAME }}
      #     password: ${{ secrets.MAIL_PASSWORD }}
      #     subject: "⚠️ vite-plugin-monitor: vulnerabilità non risolvibili automaticamente"
      #     to: ${{ secrets.MAIL_TO }}
      #     from: ${{ secrets.MAIL_USERNAME }}
      #     body: |
      #       Il workflow di audit giornaliero ha trovato vulnerabilità che non è riuscito
      #       a risolvere automaticamente dopo tutti i tentativi (update, audit --fix, clean reinstall).

      #       Repo:    ${{ github.repository }}
      #       Branch:  ${{ github.ref_name }}
      #       Run:     ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

      #       I log completi sono disponibili come artefatto nella run linkata sopra.

      #       Intervento manuale richiesto.
      #     attachments: audit4.log

      - name: Fail job if vulnerabilities are unresolved
        if: >
          steps.audit1.outputs.vulnerable == 'true' &&
          steps.audit2.outputs.vulnerable == 'true' &&
          steps.audit3.outputs.vulnerable == 'true' &&
          steps.audit4.outputs.vulnerable == 'true'
        run: |
          echo "❌ Vulnerabilities could not be resolved automatically."
          cat audit4.log
          exit 1