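# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: Gitea.Workflow
# INGROUP: MokoStandards
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
# PATH: /templates/workflows/dependency-audit.yml
# VERSION: 01.00.00
# BRIEF: Scheduled dependency audit — runs composer audit across repos
#
# Flow: checkout -> PHP/composer -> `composer audit --format=json` written to
# audit-results.json -> advisories rendered into the step summary -> ntfy
# notification when advisories exist -> footer in the step summary.
#
# Step outputs:
#   audit.skip        "true" when the repo has no composer.json
#   audit.vulnerable  "true" when composer audit exited non-zero with a report
#   parse.count       total number of advisories across all packages

name: Dependency Audit

on:
  schedule:
    - cron: '0 8 * * 1' # Every Monday at 08:00 UTC
  workflow_dispatch:

# Least privilege: the job only reads the checkout and never writes back to
# the repository. Runners that do not implement `permissions` ignore this key.
permissions:
  contents: read

env:
  # Quoted on purpose: env values are strings; a bare `true` is a YAML boolean.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # Both actions below are referenced by mutable tags (@v4, @v2). Pinning
      # each to a full commit SHA removes the tag-retarget supply-chain risk.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer

      - name: Run composer audit
        id: audit
        # stdout (the JSON report) and stderr are kept in separate files so a
        # warning on stderr cannot corrupt the JSON that the parse step reads.
        # A non-zero exit without a parseable report is a tool failure (network,
        # missing lock file, ...) and fails the step instead of being reported
        # as "vulnerable".
        run: |
          if [ ! -f composer.json ]; then
            echo "No composer.json found — skipping."
            echo "skip=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "skip=false" >> "$GITHUB_OUTPUT"

          # The default shell runs with -e; capture the exit code ourselves.
          set +e
          composer audit --format=json > audit-results.json 2> audit-stderr.log
          AUDIT_EXIT=$?
          set -e

          if [ "$AUDIT_EXIT" -eq 0 ]; then
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # Non-zero exit: only trust it as a finding when a report was produced.
          if jq -e 'has("advisories")' audit-results.json >/dev/null 2>&1; then
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "composer audit failed (exit ${AUDIT_EXIT}) without a parseable JSON report:"
            cat audit-stderr.log audit-results.json
            exit "$AUDIT_EXIT"
          fi

      - name: Parse vulnerabilities
        if: steps.audit.outputs.skip != 'true'
        id: parse
        # Step outputs reach the shell through env rather than `${{ }}` splicing
        # into the script body.
        env:
          VULNERABLE: ${{ steps.audit.outputs.vulnerable }}
        run: |
          if [ "$VULNERABLE" = "true" ]; then
            {
              echo "## Vulnerabilities Found"
              echo ""
            } >> "$GITHUB_STEP_SUMMARY"

            # `.advisories` maps package -> [advisory, ...]; sum the per-package
            # array lengths so the count is advisories, not affected packages.
            ADVISORIES=$(jq -r '[.advisories[]? | length] | add // 0' audit-results.json 2>/dev/null || echo "0")
            {
              echo "Found **${ADVISORIES}** advisories."
              echo ""
            } >> "$GITHUB_STEP_SUMMARY"

            if [ "$ADVISORIES" = "0" ]; then
              echo "composer audit exited non-zero but reported no advisories; check the audit step log for other findings." >> "$GITHUB_STEP_SUMMARY"
            fi

            # One table row per advisory, so a package carrying several
            # advisories is no longer reduced to its first one.
            jq -r '
              .advisories | to_entries[] | .key as $pkg | .value[] |
              "| \($pkg) | \(.title // "N/A") | \(.cve // "N/A") | \(.affectedVersions // "N/A") |"
            ' audit-results.json 2>/dev/null | {
              echo "| Package | Title | CVE | Affected Versions |"
              echo "|---------|-------|-----|-------------------|"
              cat
            } >> "$GITHUB_STEP_SUMMARY"

            echo "count=${ADVISORIES}" >> "$GITHUB_OUTPUT"
          else
            {
              echo "## No Vulnerabilities Found"
              echo ""
              echo "All dependencies passed the audit."
            } >> "$GITHUB_STEP_SUMMARY"
            echo "count=0" >> "$GITHUB_OUTPUT"
          fi

      - name: Notify via ntfy
        if: steps.audit.outputs.vulnerable == 'true'
        # Repository variables and contexts are passed via env so their values
        # are never interpolated into the shell script text.
        env:
          NTFY_URL: ${{ vars.NTFY_URL }}
          NTFY_TOPIC: ${{ vars.NTFY_TOPIC }}
          REPO: ${{ github.repository }}
          COUNT: ${{ steps.parse.outputs.count }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # A missing alert destination is a misconfiguration of the alerting
          # path; fail loudly rather than post to a malformed URL.
          if [ -z "$NTFY_URL" ] || [ -z "$NTFY_TOPIC" ]; then
            echo "::error::NTFY_URL and NTFY_TOPIC must both be set to send the notification."
            exit 1
          fi

          # -f/-S: an HTTP error or connection failure fails the step instead
          # of passing silently; --max-time bounds a hung notification server.
          curl -fsS --max-time 30 \
            -H "Title: Dependency Audit: ${REPO}" \
            -H "Priority: high" \
            -H "Tags: warning,package" \
            -H "Click: ${RUN_URL}" \
            -d "Found ${COUNT} vulnerability advisory(ies) in ${REPO}. Review the workflow run for details." \
            "${NTFY_URL}/${NTFY_TOPIC}"

      - name: Summary
        if: always() && steps.audit.outputs.skip != 'true'
        env:
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref_name }}
        run: |
          {
            echo ""
            echo "---"
            echo ""
            echo "Audit completed at $(date -u '+%Y-%m-%d %H:%M:%S UTC')."
            echo "Repository: **${REPO}**"
            echo "Branch: **${BRANCH}**"
          } >> "$GITHUB_STEP_SUMMARY"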