

๐Ÿ”ง fix(security): remove automated alert workflow

The security-alerts workflow's `gh api .../dependabot/alerts` call needs
permissions that the default GITHUB_TOKEN doesn't provide. Dependabot itself is
still fully functional:

✅ Dependabot config active (auto-creates security PRs)
✅ Manual alert checks: gh dependabot alerts -r barazo-forum/barazo-lexicons
✅ Weekly dependency updates

The workflow works on personal repos (gxjansen.github.io) but not
on org repos due to GitHub Actions permission restrictions.

-134
-134
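--- a/.github/workflows/security-alerts.yml
+++ b/.github/workflows/security-alerts.yml
@@ -1,134 +0,0 @@
-name: Security Alert Check
-
-on:
-  schedule:
-    # Run daily at 9 AM UTC
-    - cron: '0 9 * * *'
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - '.github/workflows/security-alerts.yml'
-
-permissions:
-  contents: read
-  issues: write
-  security-events: read
-
-jobs:
-  check-dependabot-alerts:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check for open Dependabot alerts
-        id: check_alerts
-        run: |
-          # Fetch open Dependabot alerts
-          ALERTS=$(gh api "/repos/${{ github.repository }}/dependabot/alerts" \
-            --jq '.[] | select(.state=="open") | {number: .number, severity: .security_vulnerability.severity, package: .dependency.package.name, current: .security_vulnerability.vulnerable_version_range, patched: .security_vulnerability.first_patched_version.identifier, summary: .security_advisory.summary, cvss: .security_advisory.cvss.score}')
-
-          # Count alerts by severity
-          CRITICAL=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="CRITICAL")] | length')
-          HIGH=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="HIGH")] | length')
-          MODERATE=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="MODERATE")] | length')
-          LOW=$(echo "$ALERTS" | jq -s '[.[] | select(.severity=="LOW")] | length')
-
-          TOTAL=$((CRITICAL + HIGH + MODERATE + LOW))
-
-          echo "total=$TOTAL" >> $GITHUB_OUTPUT
-          echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
-          echo "high=$HIGH" >> $GITHUB_OUTPUT
-          echo "moderate=$MODERATE" >> $GITHUB_OUTPUT
-          echo "low=$LOW" >> $GITHUB_OUTPUT
-
-          # Save alert details for issue creation
-          echo "$ALERTS" | jq -s '.' > alerts.json
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create GitHub issue for alerts
-        if: steps.check_alerts.outputs.total > 0
-        run: |
-          # Read alerts
-          ALERTS=$(cat alerts.json)
-
-          # Build issue body
-          BODY="## ๐Ÿ”’ Security Alert Summary
-
-          Found **${{ steps.check_alerts.outputs.total }}** open Dependabot alerts:
-
-          "
-
-          if [ "${{ steps.check_alerts.outputs.critical }}" -gt 0 ]; then
-            BODY+="- ๐Ÿ”ด **Critical**: ${{ steps.check_alerts.outputs.critical }}
-          "
-          fi
-
-          if [ "${{ steps.check_alerts.outputs.high }}" -gt 0 ]; then
-            BODY+="- ๐ŸŸ  **High**: ${{ steps.check_alerts.outputs.high }}
-          "
-          fi
-
-          if [ "${{ steps.check_alerts.outputs.moderate }}" -gt 0 ]; then
-            BODY+="- ๐ŸŸก **Moderate**: ${{ steps.check_alerts.outputs.moderate }}
-          "
-          fi
-
-          if [ "${{ steps.check_alerts.outputs.low }}" -gt 0 ]; then
-            BODY+="- ๐ŸŸข **Low**: ${{ steps.check_alerts.outputs.low }}
-          "
-          fi
-
-          BODY+="
-          ### Alert Details
-
-          "
-
-          # Add each alert as a row in the table
-          BODY+="| Severity | Package | Vulnerability | Current | Fixed |
-          |----------|---------|---------------|---------|-------|
-          "
-
-          echo "$ALERTS" | jq -r '.[] | "| \(.severity) | \(.package) | \(.summary) | \(.current) | \(.patched // "N/A") |"' >> body.txt
-
-          BODY+="$(cat body.txt)
-
-          ### Next Steps
-
-          1. Review Dependabot security PRs (if auto-created)
-          2. Manually update dependencies if needed
-          3. Close this issue once all alerts are resolved
-
-          **Automated by:** [Security Alert Check workflow](https://github.com/${{ github.repository }}/actions/workflows/security-alerts.yml)
-          **View all alerts:** https://github.com/${{ github.repository }}/security/dependabot
-          "
-
-          # Check if similar issue exists
-          EXISTING=$(gh issue list \
-            --repo "${{ github.repository }}" \
-            --label "security,dependabot" \
-            --state open \
-            --search "Security Alert Summary" \
-            --json number \
-            --jq '.[0].number // empty')
-
-          if [ -n "$EXISTING" ]; then
-            echo "Updating existing issue #$EXISTING"
-            gh issue comment "$EXISTING" \
-              --repo "${{ github.repository }}" \
-              --body "$(cat <<EOF
-          ## ๐Ÿ”„ Alert Status Update - $(date +%Y-%m-%d)
-
-          ${BODY}
-          EOF
-            )"
-          else
-            echo "Creating new issue"
-            gh issue create \
-              --repo "${{ github.repository }}" \
-              --title "๐Ÿ”’ Security Alerts - $(date +%Y-%m-%d)" \
-              --label "security,dependabot" \
-              --body "$BODY"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}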