From 63f8caca6d255359b62e1c9a107d656ef5de5080 Mon Sep 17 00:00:00 2001
From: Michal Mironczuk
Date: Mon, 17 Feb 2025 12:42:01 +0100
Subject: [PATCH] reverted securityAlertsReview

---
 .github/workflows/securityAlertsReview.yml | 52 +++++++++++-----------
 1 file changed, 27 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/securityAlertsReview.yml b/.github/workflows/securityAlertsReview.yml
index 852eb012b..c3084d0a2 100644
--- a/.github/workflows/securityAlertsReview.yml
+++ b/.github/workflows/securityAlertsReview.yml
@@ -13,22 +13,6 @@ on:
     types:
       - ready_for_review
   workflow_dispatch:
-    inputs:
-      pr_number:
-        description: 'Pull Request number to review alerts for'
-        required: true
-      unresolved_alerts:
-        description: 'JSON string of unresolved alerts'
-        required: true
-      dismissed_alerts:
-        description: 'JSON string of dismissed alerts'
-        required: true
-      unresolved_count:
-        description: 'Count of unresolved alerts'
-        required: true
-      dismissed_count:
-        description: 'Count of dismissed alerts'
-        required: true
 
 jobs:
   check-security-alerts:
@@ -51,21 +35,39 @@ jobs:
           echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
           echo "PR number: $PR_NUMBER"
 
-      - name: Assign Inputs to Environment Variables
+      - name: Fetch Security Alerts for PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          echo "Assigning inputs to environment variables..."
-          echo "UNRESOLVED_ALERTS=${{ github.event.inputs.unresolved_alerts }}" >> $GITHUB_ENV
-          echo "DISMISSED_ALERTS=${{ github.event.inputs.dismissed_alerts }}" >> $GITHUB_ENV
-          echo "UNRESOLVED_COUNT=${{ github.event.inputs.unresolved_count }}" >> $GITHUB_ENV
-          echo "DISMISSED_COUNT=${{ github.event.inputs.dismissed_count }}" >> $GITHUB_ENV
+          echo "Fetching security alerts for PR #${PR_NUMBER}..."
+
+          # Fetch security alerts via GitHub API
+          ALERTS=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" \
+            "https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts?pr=${PR_NUMBER}")
 
-      - name: Debug Assigned Variables
-        run: |
+          # Log raw API response for debugging
+          echo "Raw API Response:"
+          echo "$ALERTS"
+
+          # Ensure valid JSON parsing; default to empty array if parsing fails
+          UNRESOLVED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "open") ]' || echo "[]")
+          DISMISSED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "dismissed" and (.dismissed_comment == null or .dismissed_comment == ""))]' || echo "[]")
+
+          UNRESOLVED_COUNT=$(echo "$UNRESOLVED_ALERTS" | jq -r 'length')
+          DISMISSED_COUNT=$(echo "$DISMISSED_ALERTS" | jq -r 'length')
+
+          # Output for debugging
           echo "UNRESOLVED_ALERTS: $UNRESOLVED_ALERTS"
           echo "DISMISSED_ALERTS: $DISMISSED_ALERTS"
           echo "UNRESOLVED_COUNT: $UNRESOLVED_COUNT"
           echo "DISMISSED_COUNT: $DISMISSED_COUNT"
 
+          # Save them properly in the environment as single-line JSON
+          echo "UNRESOLVED_ALERTS=$UNRESOLVED_ALERTS" >> $GITHUB_ENV
+          echo "DISMISSED_ALERTS=$DISMISSED_ALERTS" >> $GITHUB_ENV
+          echo "UNRESOLVED_COUNT=$UNRESOLVED_COUNT" >> $GITHUB_ENV
+          echo "DISMISSED_COUNT=$DISMISSED_COUNT" >> $GITHUB_ENV
+
       - name: Find Existing PR Comment
         id: find_comment
@@ -173,4 +175,4 @@ jobs:
             exit 1  # Fail the workflow
           fi
 
-          echo "✅ No security issues found. The workflow will pass successfully."
+          echo "✅ No security issues found. The workflow will pass successfully."
\ No newline at end of file
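Review bot: The new "Fetch Security Alerts for PR" step fails open: `curl -s` exits 0 on a 403/404/429 and returns an error object, `.[]` over that object makes both jq filters fail, and the `|| echo "[]"` fallbacks turn a missing `security-events: read` permission, a rate limit or disabled code scanning into zero alerts, so the gate later prints "No security issues found" for a PR whose alerts were never read. The endpoint also returns at most 30 alerts per page by default, so a PR with more open alerts is undercounted unless `per_page` is raised or the response is paginated (for example with `gh api --paginate`). Use `curl -fsS`, check that the body is an array before filtering, and drop the `|| echo "[]"` defaults so an unexpected response fails the job instead of passing it. The job's `permissions:` block is outside this hunk; confirm `GITHUB_TOKEN` is granted `security-events: read` there, since without it every run of this step would currently pass.

```yaml
          # Fail closed: a non-2xx response or a non-array body must never be read as "no alerts"
          ALERTS=$(curl -fsS -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts?pr=${PR_NUMBER}&per_page=100")
          echo "$ALERTS" | jq -e 'type == "array"' >/dev/null \
            || { echo "::error::code-scanning alerts API did not return an alert list"; exit 1; }

          UNRESOLVED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "open")]')
          DISMISSED_ALERTS=$(echo "$ALERTS" | jq -c '[.[] | select(.state == "dismissed" and (.dismissed_comment == null or .dismissed_comment == ""))]')
          # … unchanged: counts, debug output, $GITHUB_ENV writes …
```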