From 32f356d3e9056df6e64857ad1f9b570f1a27e886 Mon Sep 17 00:00:00 2001
From: Caique Coelho
Date: Fri, 27 Oct 2023 16:27:44 -0300
Subject: [PATCH 1/8] Check for tools version update
---
 .github/workflows/tools_version_check1.yml | 34 +++++++++++++++
 .github/workflows/tools_version_check2.yml | 50 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 .github/workflows/tools_version_check1.yml
 create mode 100644 .github/workflows/tools_version_check2.yml
diff --git a/.github/workflows/tools_version_check1.yml b/.github/workflows/tools_version_check1.yml
new file mode 100644
index 00000000..b3d4dd7d
--- /dev/null
+++ b/.github/workflows/tools_version_check1.yml
@@ -0,0 +1,34 @@
+name: Tools Version Checker 1
+
+on: [push, pull_request]
+
+jobs:
+ check-versions-1:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v2
+
+ - name: Set up Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ # Add any necessary libraries for YAML parsing and HTTP requests
+ pip install PyYAML requests
+
+ - name: Check tools versions
+ run: |
+ python .github/scripts/check_versions.py # Assuming you have a script like this in place.
+
+ - name: Create issue if outdated
+ uses: JasonEtco/create-an-issue@v2 # This is a third-party action; review and choose appropriately.
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # You need to set this in your repository secrets
+ with:
+ title: Outdated Tool Detected
+ body: .github/templates/outdated_tool_issue.md # Assuming you have a template like this in place.
+ labels: outdated,automation # Add relevant labels here.
diff --git a/.github/workflows/tools_version_check2.yml b/.github/workflows/tools_version_check2.yml
new file mode 100644
index 00000000..48626e8e
--- /dev/null
+++ b/.github/workflows/tools_version_check2.yml
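Review bot: The job has no `permissions:` block, so the `GITHUB_TOKEN` handed to the third-party `JasonEtco/create-an-issue@v2` step carries the repository's default scope rather than only what issue creation needs, and the action itself is referenced by a floating `@v2` tag. Add `permissions:` / `  contents: read` / `  issues: write` at the job level and pin the action to a full commit SHA with the version in a trailing comment. This file is deleted again in PATCH 2/8 of the series, so the point only matters if the create-issue step is revived in tools_version_check.yml.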
@@ -0,0 +1,50 @@
+name: Check Security Tools Versions 2
+
+on: [push, pull_request]
+
+jobs:
+ check-versions-2:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y jq curl
+
+ - name: Parse config.yml
+ run: |
+ # Use your own logic here to extract tool versions from config.yml
+ TOOL_VERSION=$(cat config.yml | grep "tool_name" | cut -d ':' -f2) # Example logic
+ echo "TOOL_VERSION=$TOOL_VERSION" >> $GITHUB_ENV
+
+ - name: Check latest version
+ run: |
+ # Fetch the latest version. This logic will depend on the tool you're checking
+ LATEST_VERSION=$(curl -s https://api.example.com/tool/latest-version) # Example API call
+ echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_ENV
+
+ - name: Compare versions and create issue if outdated
+ run: |
+ if [[ "$TOOL_VERSION" != "$LATEST_VERSION" ]]; then
+ echo "Outdated version detected!"
+
+ issue_data=$(cat <<- EOM
+ {
+ "title": "Outdated tool_name version detected",
+ "body": "The current version of tool_name in config.yml is $TOOL_VERSION, but the latest available version is $LATEST_VERSION. Please update.",
+ "labels": ["security", "update-needed"]
+ }
+ EOM
+ )
+
+ curl -s \
+ -X POST \
+ -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ -d "$issue_data" \
+ https://api.github.com/repos/${{ github.repository }}/issues
+ fi
From 692b79b66533b30a060a14a80e10973b85db3fcf Mon Sep 17 00:00:00 2001
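Review bot: The issue payload in the "Compare versions" step is built by interpolating `$TOOL_VERSION` and `$LATEST_VERSION` directly into a JSON heredoc, and `$LATEST_VERSION` is whatever the remote endpoint returned, so a double quote, backslash or newline in that response produces a malformed or reshaped request body. The job already installs jq, so build the document with it instead: `issue_data=$(jq -n --arg cur "$TOOL_VERSION" --arg latest "$LATEST_VERSION" '{title: "Outdated tool_name version detected", body: ("The current version of tool_name in config.yml is " + $cur + ", but the latest available version is " + $latest + ". Please update."), labels: ["security", "update-needed"]}')`. `curl -s` also discards the HTTP status, so a rejected issue creation passes silently; `curl -sSf` surfaces it. This file is removed again in PATCH 2/8, so this applies only if the pattern is reused.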
From: Caique Coelho
Date: Fri, 27 Oct 2023 16:35:07 -0300
Subject: [PATCH 2/8] python example
---
 .github/scripts/check_versions.py | 32 ++++++++++++++
 .github/workflows/tools_version_check.yml | 24 +++++++++++
 .github/workflows/tools_version_check1.yml | 34 ---------------
 .github/workflows/tools_version_check2.yml | 50 ----------------------
 4 files changed, 56 insertions(+), 84 deletions(-)
 create mode 100644 .github/scripts/check_versions.py
 create mode 100644 .github/workflows/tools_version_check.yml
 delete mode 100644 .github/workflows/tools_version_check1.yml
 delete mode 100644 .github/workflows/tools_version_check2.yml
diff --git a/.github/scripts/check_versions.py b/.github/scripts/check_versions.py
new file mode 100644
index 00000000..29705d3c
--- /dev/null
+++ b/.github/scripts/check_versions.py
@@ -0,0 +1,32 @@
+import yaml
+import requests
+
+
+def get_latest_docker_image_version(repo_name):
+ url = f"https://registry.hub.docker.com/v2/repositories/huskyci/{repo_name}/tags"
+ response = requests.get(url)
+ data = response.json()
+
+ # Assuming the first result is the latest
+ latest_version = data['results'][0]['name']
+ return latest_version
+
+
+def main():
+ with open('config.yaml', 'r') as f:
+ config = yaml.safe_load(f)
+
+ for tool, tool_info in config.items():
+ current_version = tool_info['imageTag']
+ latest_version = get_latest_docker_image_version(
+ tool_info['image'].split('/')[-1])
+
+ if current_version != latest_version:
+ print(
+ f"[WARNING] {tool} is outdated. Current: {current_version}, Latest: {latest_version}")
+ else:
+ print(f"{tool} is up-to-date with version {current_version}.")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/.github/workflows/tools_version_check.yml b/.github/workflows/tools_version_check.yml
new file mode 100644
index 00000000..8b850fd2
--- /dev/null
+++ b/.github/workflows/tools_version_check.yml
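Review bot: `requests.get(url)` in get_latest_docker_image_version has no timeout and the status code is never checked, so a stalled registry holds the job until the runner's time limit, and a non-2xx response body is presumably parsed as a tag list and fails later with a KeyError on `data['results']` rather than with a clear error. Use `response = requests.get(url, timeout=30)` followed by `response.raise_for_status()`. The `# Assuming the first result is the latest` comment is also load-bearing: the registry's tag order is not shown anywhere here to be release order, so main() may flag a tool as outdated against a tag that is not newer; at minimum state the assumption in a module docstring, and preferably pick the newest name with an explicit version-aware sort.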
@@ -0,0 +1,24 @@
+name: Tools Version Checker
+
+on: [push, pull_request]
+
+jobs:
+ check-versions:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Set up Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pyyaml requests
+
+ - name: Check tool versions
+ run: python .github/scripts/check_versions.py
diff --git a/.github/workflows/tools_version_check1.yml b/.github/workflows/tools_version_check1.yml
deleted file mode 100644
index b3d4dd7d..00000000
--- a/.github/workflows/tools_version_check1.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Tools Version Checker 1
-
-on: [push, pull_request]
-
-jobs:
- check-versions-1:
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@v2
-
- - name: Set up Python
- uses: actions/setup-python@v2
- with:
- python-version: '3.x'
-
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- # Add any necessary libraries for YAML parsing and HTTP requests
- pip install PyYAML requests
-
- - name: Check tools versions
- run: |
- python .github/scripts/check_versions.py # Assuming you have a script like this in place.
-
- - name: Create issue if outdated
- uses: JasonEtco/create-an-issue@v2 # This is a third-party action; review and choose appropriately.
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # You need to set this in your repository secrets
- with:
- title: Outdated Tool Detected
- body: .github/templates/outdated_tool_issue.md # Assuming you have a template like this in place.
- labels: outdated,automation # Add relevant labels here.
diff --git a/.github/workflows/tools_version_check2.yml b/.github/workflows/tools_version_check2.yml
deleted file mode 100644
index 48626e8e..00000000
--- a/.github/workflows/tools_version_check2.yml
+++ /dev/null
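Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though the script only reads the checked-out tree and queries Docker Hub; add `permissions:` / `  contents: read` at the workflow or job level. The actions are referenced by mutable tags (`actions/checkout@v2`, `actions/setup-python@v2`, moved to `@v4.1.1` / `@v4.7.1` in PATCH 5/8 but still tags), and `pip install pyyaml requests` is unpinned, which sits oddly in a job whose purpose is to enforce version pinning. Pin the actions to full commit SHAs with the version in a comment, and the Python dependencies to exact versions, ideally through a hash-checked requirements file.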
@@ -1,50 +0,0 @@
-name: Check Security Tools Versions 2
-
-on: [push, pull_request]
-
-jobs:
- check-versions-2:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Install dependencies
- run: |
- sudo apt-get update
- sudo apt-get install -y jq curl
-
- - name: Parse config.yml
- run: |
- # Use your own logic here to extract tool versions from config.yml
- TOOL_VERSION=$(cat config.yml | grep "tool_name" | cut -d ':' -f2) # Example logic
- echo "TOOL_VERSION=$TOOL_VERSION" >> $GITHUB_ENV
-
- - name: Check latest version
- run: |
- # Fetch the latest version. This logic will depend on the tool you're checking
- LATEST_VERSION=$(curl -s https://api.example.com/tool/latest-version) # Example API call
- echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_ENV
-
- - name: Compare versions and create issue if outdated
- run: |
- if [[ "$TOOL_VERSION" != "$LATEST_VERSION" ]]; then
- echo "Outdated version detected!"
-
- issue_data=$(cat <<- EOM
- {
- "title": "Outdated tool_name version detected",
- "body": "The current version of tool_name in config.yml is $TOOL_VERSION, but the latest available version is $LATEST_VERSION. Please update.",
- "labels": ["security", "update-needed"]
- }
- EOM
- )
-
- curl -s \
- -X POST \
- -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
- -H "Accept: application/vnd.github.v3+json" \
- -d "$issue_data" \
- https://api.github.com/repos/${{ github.repository }}/issues
- fi
From b54817480f3a08d8e1c7f87686f182d75847f6f8 Mon Sep 17 00:00:00 2001
From: Caique Coelho
Date: Fri, 27 Oct 2023 16:39:17 -0300
Subject: [PATCH 3/8] python example
---
 .github/scripts/check_versions.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/scripts/check_versions.py b/.github/scripts/check_versions.py
index 29705d3c..86f3fa54 100644
--- a/.github/scripts/check_versions.py
+++ b/.github/scripts/check_versions.py
@@ -1,5 +1,8 @@
 import yaml
 import requests
+import os
+
+print("Current Directory:", os.getcwd())


 def get_latest_docker_image_version(repo_name):
@@ -13,7 +16,7 @@ def get_latest_docker_image_version(repo_name):


 def main():
- with open('config.yaml', 'r') as f:
+ with open('api/config.yaml', 'r') as f:
 config = yaml.safe_load(f)

 for tool, tool_info in config.items():
From 14b628fbaf58408b578e0d4ad13e4e1faa4050c6 Mon Sep 17 00:00:00 2001
From: Caique Coelho
Date: Fri, 27 Oct 2023 16:53:47 -0300
Subject: [PATCH 4/8] fail step on outdated dependencies
---
 .github/scripts/check_versions.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/scripts/check_versions.py b/.github/scripts/check_versions.py
index 86f3fa54..b647f821 100644
--- a/.github/scripts/check_versions.py
+++ b/.github/scripts/check_versions.py
@@ -1,6 +1,7 @@
 import yaml
 import requests
 import os
+import sys

 print("Current Directory:", os.getcwd())

@@ -16,6 +17,8 @@ def get_latest_docker_image_version(repo_name):


 def main():
+ dependencies_are_outdated = False
+
 with open('api/config.yaml', 'r') as f:
 config = yaml.safe_load(f)

@@ -27,9 +30,13 @@ def main():
 if current_version != latest_version:
 print(
 f"[WARNING] {tool} is outdated. Current: {current_version}, Latest: {latest_version}")
+ dependencies_are_outdated = True
 else:
 print(f"{tool} is up-to-date with version {current_version}.")

+ if dependencies_are_outdated:
+ sys.exit(1)
+

 if __name__ == "__main__":
 main()
From eaa537c41b60d8615265b44cad841fe7d7d5d504 Mon Sep 17 00:00:00 2001
From: Caique Coelho
Date: Fri, 27 Oct 2023 16:56:00 -0300
Subject: [PATCH 5/8] update actions
---
 .github/workflows/tools_version_check.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tools_version_check.yml b/.github/workflows/tools_version_check.yml
index 8b850fd2..8605787c 100644
--- a/.github/workflows/tools_version_check.yml
+++ b/.github/workflows/tools_version_check.yml
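Review bot: The module-level `print("Current Directory:", os.getcwd())` added in the first hunk reads like a debugging leftover; it runs on every import of the module and contributes nothing to the check, so drop it or move it under the `if __name__ == "__main__":` guard. In the second hunk the path `'api/config.yaml'` is resolved against the process working directory, which is only right when the script is launched from the repository root as the workflow does; resolving it from the runner's workspace, e.g. `config_path = os.path.join(os.environ.get("GITHUB_WORKSPACE", "."), "api", "config.yaml")`, makes the script usable from elsewhere. main() continues outside the hunk.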
@@ -8,10 +8,10 @@ jobs:

 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4.1.1

 - name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v4.7.1
 with:
 python-version: '3.x'

From 9b4e4690f3f2f62cc70a549a6d2c7da417b47ec4 Mon Sep 17 00:00:00 2001
From: Caique Coelho
Date: Fri, 27 Oct 2023 16:58:33 -0300
Subject: [PATCH 6/8] changing from warning to error message
---
 .github/scripts/check_versions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/scripts/check_versions.py b/.github/scripts/check_versions.py
index b647f821..f157d083 100644
--- a/.github/scripts/check_versions.py
+++ b/.github/scripts/check_versions.py
@@ -29,7 +29,7 @@ def main():

 if current_version != latest_version:
 print(
- f"[WARNING] {tool} is outdated. Current: {current_version}, Latest: {latest_version}")
+ f"::error::{tool} is outdated. Current: {current_version}, Latest: {latest_version}")
 dependencies_are_outdated = True
 else:
 print(f"{tool} is up-to-date with version {current_version}.")
From feaddffdba2d7d9f9cfc58dedf9820bc3f498eab Mon Sep 17 00:00:00 2001
From: Caique Coelho
Date: Fri, 27 Oct 2023 17:01:06 -0300
Subject: [PATCH 7/8] change to run scheduled once a day at midnight
---
 .github/workflows/tools_version_check.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/tools_version_check.yml b/.github/workflows/tools_version_check.yml
index 8605787c..6ce722b1 100644
--- a/.github/workflows/tools_version_check.yml
+++ b/.github/workflows/tools_version_check.yml
@@ -1,6 +1,8 @@
 name: Tools Version Checker

-on: [push, pull_request]
+on:
+ schedule:
+ - cron: '0 0 * * *' # This will run every day at midnight

 jobs:
 check-versions:
From 6ea0110d6072218b969f213d9627ffc62a86391c Mon Sep 17 00:00:00 2001
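Review bot: The `::error::` prefix turns this print into a GitHub workflow command, and the message interpolates `latest_version`, a string taken from the registry response, into the same stdout stream the runner parses for commands, so a tag name containing a newline or a `::` sequence would be interpreted by the runner instead of being shown as text. Validate the name where it is fetched, in get_latest_docker_image_version (outside this hunk), with `import re` added at the top: `if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}", latest_version): raise ValueError(f"unexpected tag name from registry: {latest_version!r}")`. `tool` and `current_version` come from the repository's own api/config.yaml and are lower risk, but the same check keeps the annotation well-formed for them too.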
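Review bot: The comment `# This will run every day at midnight` on the new cron line leaves the timezone open; scheduled workflows run on UTC, so `# runs daily at 00:00 UTC` is the accurate wording. Replacing `push` and `pull_request` with the schedule also means an edit to api/config.yaml is no longer checked at review time, only on the next nightly run; if that is intended it deserves a line in the commit message, otherwise keep `pull_request:` with a `paths:` filter on `api/config.yaml` next to the schedule.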
From: Caique Coelho
Date: Fri, 27 Oct 2023 17:04:21 -0300
Subject: [PATCH 8/8] add option to workflow_dispatch:
---
 .github/workflows/tools_version_check.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/tools_version_check.yml b/.github/workflows/tools_version_check.yml
index 6ce722b1..15b1d3e4 100644
--- a/.github/workflows/tools_version_check.yml
+++ b/.github/workflows/tools_version_check.yml
@@ -3,6 +3,7 @@ name: Tools Version Checker
 on:
 schedule:
 - cron: '0 0 * * *' # This will run every day at midnight
+ workflow_dispatch:

 jobs:
 check-versions: