canonical · DnPlas · Oct 11, 2024 · Oct 9, 2024 · Oct 10, 2024 · Oct 10, 2024
diff --git a/.github/workflows/report-vulnerability-in-gh.yaml b/.github/workflows/report-vulnerability-in-gh.yaml
@@ -0,0 +1,83 @@
+name: Report vulnerability issues in Github
+on:
+  workflow_call:
+    inputs:
+      issue-title:
+        description: The title of the issue to be created/edited
+        required: true
+        type: string
+      issue-labels:
+        description: A comma separated list of labels
+        required: false
+        type: string
+        default: "bug"
+      image-name:
+        description: "Name of the oci-image as saved in Dockerhub or in the docker cache.
+          It consists of <image-name>:<tag>."
+        required: true
+        type: string
+      vulnerability-report-artefact:
+        description: "The artefact name of the uploaded trivy report. Used to render the issue body."
+        required: true
+        type: string
+
+jobs:
+  report-vulns:
+    name: Report vulerabilities in Github
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install tools
+        run: |
+          sudo snap install gh
+          sudo snap install jq
+
+      - name: Generate image name for title
+        id: image-title
+        run: |
+          IMAGE_TITLE=$(echo ${{ inputs.image-name }} | rev | cut -f2- -d'-' | rev)
+          echo "image-title=$IMAGE_TITLE" >> $GITHUB_OUTPUT
+
+      - name: Get issue number if exists
+        id: get-issue-number
+        run: |
+          export GH_TOKEN=${{ secrets.GH_TOKEN }}
+          # The expected title has to be kept consistent across all runs so the issue can be found/edit
+          EXPECTED_TITLE=$(echo "${{ inputs.issue-title }} ${{ steps.image-title.outputs.image-title }}")
+          ISSUE_NUMBER=$(gh issue list --repo $GITHUB_REPOSITORY --limit 500 --json "number,title" | jq -r --arg expected_title "$EXPECTED_TITLE" '.[] | select(.title == $expected_title) | .number')
+          echo "issue-number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT
+
+      - name: Download report
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.vulnerability-report-artefact }}
+
+      - name: Issue body
+        id: issue-body
+        run: |
+          set -xeu
+          EXPECTED_TITLE=$(echo "${{ inputs.issue-title }} ${{ steps.image-title.outputs.image-title }}")
+          echo "## $EXPECTED_TITLE" > issue.md
+          echo "" >> issue.md
+          echo "\`\`\`" >> issue.md
+          cat ${{ inputs.vulnerability-report-artefact }}.txt >> issue.md
+          echo "\`\`\`" >> issue.md
+          echo "" >> issue.md
+          echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
+          echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
+
+      - name: Report failures via Github issue
+        run: |
+          export GH_TOKEN=${{ secrets.GH_TOKEN }}
+          EXPECTED_TITLE=$(echo "${{ inputs.issue-title }} ${{ steps.image-title.outputs.image-title }}")
+          if [ -z ${{ steps.get-issue-number.outputs.issue-number }} ]; then
+            echo "---- Creating issue ----"
+            gh issue create --repo $GITHUB_REPOSITORY \
+            --title "$EXPECTED_TITLE" \
+            --label "${{ inputs.issue-labels }}" \
+            --body-file "${{ steps.issue-body.outputs.issue-body-file }}"
+          else
+            echo "---- Editing issue ${{ steps.get-issue-number.outputs.issue-number }}----"
+            gh issue edit --repo $GITHUB_REPOSITORY ${{ steps.get-issue-number.outputs.issue-number }} \
+            --title "$EXPECTED_TITLE" \
+            --body-file "${{ steps.issue-body.outputs.issue-body-file }}"
+          fi