mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-11 10:44:41 +00:00
a3f7e72321
Use slackapi/slack-github-action across the board and pin to latest 1.x. Previously we were referencing the 1.27.0 tag directly which is vulnerable to someone replacing that version tag with malicious code. Replace usage of ruby/action-slack with slackapi/slack-github-action as the latter is the officially supported action from slack. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
52 lines
1.6 KiB
YAML
52 lines
1.6 KiB
YAML
name: govulncheck
|
|
|
|
on:
|
|
schedule:
|
|
- cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
|
|
workflow_dispatch: # allow manual trigger for testing
|
|
pull_request:
|
|
paths:
|
|
- ".github/workflows/govulncheck.yml"
|
|
|
|
jobs:
|
|
source-scan:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Check out code into the Go module directory
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
|
|
- name: Install govulncheck
|
|
run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
|
|
- name: Scan source code for known vulnerabilities
|
|
run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
|
|
|
|
- name: Post to slack
|
|
if: failure() && github.event_name == 'schedule'
|
|
uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
|
|
env:
|
|
SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
|
|
with:
|
|
channel-id: 'C05PXRM304B'
|
|
payload: |
|
|
{
|
|
"blocks": [
|
|
{
|
|
"type": "section",
|
|
"text": {
|
|
"type": "mrkdwn",
|
|
"text": "Govulncheck failed in ${{ github.repository }}"
|
|
},
|
|
"accessory": {
|
|
"type": "button",
|
|
"text": {
|
|
"type": "plain_text",
|
|
"text": "View results"
|
|
},
|
|
"url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
|
|
}
|
|
}
|
|
]
|
|
}
|