Daily Advisory Scan #58
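name: Daily Advisory Scan

on:
  schedule:
    - cron: "0 9 * * *"
  workflow_dispatch:

# One audit at a time; a running scan is never cancelled by a newer trigger.
concurrency:
  group: daily-audit
  cancel-in-progress: false

# Least privilege: the job only reads the tree and files issues.
permissions:
  contents: read
  issues: write

env:
  CARGO_TERM_COLOR: never

jobs:
  advisories:
    name: Advisory Scan
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Nothing below pushes or pulls with repository credentials; do not
          # leave the token in .git/config for later steps.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
        with:
          toolchain: "1.93.0"
      - name: Install cargo-deny
        # NOTE(review): cargo-deny itself is unpinned here; --locked only pins its
        # dependency graph. Consider `--version <PINNED_CARGO_DENY_VERSION>` so
        # scanner upgrades are reviewed rather than picked up silently.
        run: cargo install cargo-deny --locked
      - name: Run advisory scan
        id: scan
        # Keep going so the failure can be turned into an issue; the final step
        # re-raises it.
        continue-on-error: true
        shell: bash
        run: |
          # tee keeps the full report for the issue body; PIPESTATUS[0] returns
          # cargo-deny's exit code rather than tee's.
          cargo deny check advisories 2>&1 | tee /tmp/advisory-output.txt
          exit "${PIPESTATUS[0]}"
      - name: Open issue on advisory failure
        id: advisory_issue
        if: steps.scan.outcome == 'failure'
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        # Output: issue_url — the created (or already open) advisory issue, or
        # empty when the repository has issues disabled.
        run: |
          issues_enabled=$(gh api "repos/$GITHUB_REPOSITORY" --jq '.has_issues')
          if [[ "$issues_enabled" != "true" ]]; then
            echo "issue_url=" >> "$GITHUB_OUTPUT"
            echo "::notice::Repository issues are disabled; skipping advisory issue creation."
            exit 0
          fi
          # Avoid opening a duplicate while an advisory issue is still open, and
          # surface the existing one via issue_url so the failure message links to it.
          existing_url=$(gh issue list \
            --repo "$GITHUB_REPOSITORY" \
            --label "security" \
            --state open \
            --search "Advisory scan failed in:title" \
            --json url \
            --jq '.[0].url // empty')
          if [[ -n "$existing_url" ]]; then
            echo "An open advisory issue already exists — skipping duplicate: $existing_url"
            echo "issue_url=$existing_url" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          advisory_output=$(cat /tmp/advisory-output.txt)
          {
            printf '## Advisory scan failed\n\n'
            printf 'Workflow run: %s\n\n' "${RUN_URL}"
            printf '```\n%s\n```\n\n' "${advisory_output}"
            printf 'Review `deny.toml` for the current ignore list. If this advisory is a known\n'
            printf 'acceptable risk, add an entry with a `reason` field. If it requires a\n'
            printf 'dependency update, open a tracking issue and link it here.\n\n'
            printf 'cc @JordanTheJet @Audacity88 @singlerider\n'
          } > /tmp/issue-body.md
          issue_url=$(gh issue create \
            --repo "$GITHUB_REPOSITORY" \
            --title "ci: Advisory scan failed — $(date -u +%Y-%m-%d)" \
            --label "security" \
            --label "risk: high" \
            --body-file /tmp/issue-body.md)
          echo "issue_url=$issue_url" >> "$GITHUB_OUTPUT"
      - name: Propagate scan failure
        if: steps.scan.outcome == 'failure'
        shell: bash
        env:
          ISSUE_URL: ${{ steps.advisory_issue.outputs.issue_url }}
        # Fail the workflow after the issue step has had its chance to run.
        run: |
          if [[ -n "$ISSUE_URL" ]]; then
            echo "::error::Advisory scan failed. See $ISSUE_URL for details."
          else
            echo "::error::Advisory scan failed. Repository issues are disabled or issue creation was skipped; inspect this workflow log for details."
          fi
          exit 1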