feat: add nightly branch workflow
@@ -13,6 +13,7 @@ Modified the supply chain security workflow to update or create PR comments that
## Problem Statement

Previously, the workflow posted a new comment on each scan run, which meant:

- Old comments with vulnerabilities remained visible even after fixes
- Multiple comments accumulated, causing confusion
- No way to track when the scan was last run
@@ -21,6 +22,7 @@ Previously, the workflow posted a new comment on each scan run, which meant:
## Solution

Replaced the `actions/github-script` comment creation with the `peter-evans/create-or-update-comment` action, which:

1. **Finds existing comments** from the same workflow using a unique HTML comment identifier
2. **Updates in place** instead of creating new comments
3. **Includes timestamps** showing when the scan last ran
@@ -33,11 +35,13 @@ Replaced the `actions/github-script` comment creation with the `peter-evans/crea
### 1. Split PR Comment Logic into Multiple Steps

**Step 1: Determine PR Number**

- Extracts PR number from context (handles both `pull_request` and `workflow_run` events)
- Returns empty string if no PR found
- Uses `actions/github-script` with `result-encoding: string` for clean output

**Step 2: Build PR Comment Body**

- Generates timestamp with `date -u +"%Y-%m-%d %H:%M:%S UTC"`
- Calculates total vulnerabilities
- Creates formatted Markdown comment with:
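Review bot: Step 1 states that it "handles both `pull_request` and `workflow_run` events" but does not say how the PR number is obtained in the `workflow_run` case. The `workflow_run` payload only carries pull requests in `workflow_run.pull_requests`, and that array is empty for PRs opened from forks, so such runs would hit "Returns empty string if no PR found" and post no comment; document that limitation here, or describe the fallback the step uses (for example, looking up open PRs by the run's head SHA through the API).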
@@ -50,6 +54,7 @@ Replaced the `actions/github-script` comment creation with the `peter-evans/crea
- Saves to `/tmp/comment-body.txt` for next step

**Step 3: Update or Create PR Comment**

- Uses `peter-evans/create-or-update-comment@v4.0.0`
- Searches for existing comments containing `<!-- supply-chain-security-comment -->`
- Updates existing comment or creates new one
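Review bot: Step 3 pins `peter-evans/create-or-update-comment@v4.0.0` by tag, and tags are mutable; for a workflow whose job is supply-chain security the action should be pinned to its full commit SHA with the version kept as a trailing comment (`uses: peter-evans/create-or-update-comment@<commit-sha> # v4.0.0`, SHA to be filled in from the action's release), and this section should record that. It would also help to state the token permission the step depends on (`pull-requests: write`), since a `workflow_run` job runs in the base repository context with whatever permissions the workflow declares.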
@@ -60,6 +65,7 @@ Replaced the `actions/github-script` comment creation with the `peter-evans/crea
#### Status Indicators

**Waiting for Image**

```markdown
### ⏳ Status: Waiting for Image

@@ -67,6 +73,7 @@ The Docker image has not been built yet...
```

**No Vulnerabilities**

```markdown
### ✅ Status: No Vulnerabilities Detected

@@ -74,6 +81,7 @@ The Docker image has not been built yet...
```

**Vulnerabilities Found**

```markdown
### 🚨 Status: Critical Vulnerabilities Detected

@@ -93,16 +101,19 @@ The Docker image has not been built yet...
### 3. Technical Implementation Details

**Unique Identifier**

- Hidden HTML comment: `<!-- supply-chain-security-comment -->`
- Allows `create-or-update-comment` to find previous comments from this workflow
- Invisible to users but searchable by the action

**Multi-line Handling**

- Comment body saved to file instead of environment variable
- Prevents issues with special characters and newlines
- More reliable than shell heredocs or environment variables

**Conditional Execution**

- All three steps check for valid PR number
- Steps skip gracefully if not in PR context
- No errors on scheduled runs or release events
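Review bot: "Multi-line Handling" addresses shell quoting but not content escaping. The body embeds scanner output (package names, versions, vulnerability identifiers) in a Markdown table, and a `|`, a newline, or raw HTML inside one of those fields will break the table row or render as markup in the PR comment; state here whether those fields are escaped before the body is written to `/tmp/comment-body.txt`, and if they are not, that is a fix worth making before this is merged.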
@@ -112,22 +123,26 @@ The Docker image has not been built yet...
## Benefits

### 1. **Always Current**

- Comment reflects the latest scan results
- No confusion from multiple stale comments
- Clear "Last Updated" timestamp

### 2. **Easy to Understand**

- Color-coded severity levels with emojis
- Clear status headers (✅, ⚠️, 🚨)
- Formatted tables for quick scanning
- Links to detailed workflow logs

### 3. **Actionable**

- Immediate visibility of critical issues
- Direct links to full reports
- Clear indication of when action is required

### 4. **Reliable**

- Handles both `pull_request` and `workflow_run` triggers
- Graceful fallback if PR context not available
- No duplicate comments
@@ -139,6 +154,7 @@ The Docker image has not been built yet...
### Manual Testing

1. **Create a test PR**

```bash
git checkout -b test/supply-chain-comments
git commit --allow-empty -m "test: supply chain comment updates"
@@ -161,6 +177,7 @@ The Docker image has not been built yet...
### Automated Testing

Monitor the workflow on:

- Next scheduled run (Monday 00:00 UTC)
- Next PR that triggers docker-build
- Next release