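# Scheduled CVE-patching job: installs the scanning/tooling prerequisites, runs
# `make patch`, and commits the refreshed cves.yaml back to the repository.
#
# NOTE(review): actions are pinned to major tags (@v4 / @v5). Pinning to a full
# commit SHA (tag kept in a trailing comment) is the stronger supply-chain
# control; SHAs are not reproduced here because they are not on this page.
name: CVE Patching

on:
  schedule:
    # Daily at 12:00 UTC.
    - cron: '0 12 * * *'
  workflow_dispatch:

jobs:
  patch-cves:
    runs-on: ubuntu-latest
    # Least privilege: write access is limited to repository contents (for the
    # cves.yaml commit below) and pull requests; everything else stays read-only.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          # Quoted so YAML does not read it as the float 3.13.
          python-version: '3.13'

      - name: Install uv
        # `shell: bash` makes GitHub run the step with `-o pipefail`, so a failed
        # curl is no longer masked by `sh` exiting 0 on empty input.
        # NOTE(review): the installer is fetched unpinned and piped to sh; its
        # contents (and the uv version) can change between runs. Pin a release
        # (or install uv via pip) if reproducibility matters.
        shell: bash
        run: curl -LsSf https://astral.sh/uv/install.sh | sh

      - name: Install dependencies
        run: uv pip install --system -r requirements.txt

      - name: Install Trivy
        # pipefail (via `shell: bash`) so a failed key download fails the step
        # instead of silently installing an unsigned repository.
        shell: bash
        run: |
          # apt-key is deprecated; scope the key to this repository with signed-by.
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          # -y: the runner has no TTY, so an interactive prompt would abort the install.
          sudo apt-get install -y trivy

      - name: Install Jujutsu
        shell: bash
        # NOTE(review): the tarball is downloaded without integrity verification.
        # If the release publishes a checksum file, fetch it and run
        # `sha256sum -c` before extracting.
        run: |
          wget -q https://github.com/martinvonz/jj/releases/download/v0.23.0/jj-v0.23.0-x86_64-unknown-linux-musl.tar.gz
          tar xzf jj-v0.23.0-x86_64-unknown-linux-musl.tar.gz
          # install(1) copies and sets the mode in one step (replaces mv + chmod).
          sudo install -m 0755 jj /usr/local/bin/jj

      - name: Install asdf
        shell: bash
        run: |
          git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.14.0
          # Source asdf directly: the non-interactive shell GitHub uses for `run`
          # steps does not read ~/.bashrc, so appending to it and re-sourcing it
          # does not reliably put `asdf` on PATH.
          . "$HOME/.asdf/asdf.sh"
          asdf plugin add golang
          # Each step starts a fresh shell; export asdf and its shims to later
          # steps via GITHUB_PATH. Assumes `make patch` needs asdf-managed tools — confirm.
          echo "$HOME/.asdf/bin" >> "$GITHUB_PATH"
          echo "$HOME/.asdf/shims" >> "$GITHUB_PATH"

      - name: Run CVE patching
        env:
          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
          # NOTE(review): GitHub does not allow repository/organization secrets
          # whose names begin with GITHUB_; confirm these three secrets actually
          # resolve (an unset secret expands to an empty string, not an error).
          GITHUB_APP_ID: ${{ secrets.GITHUB_APP_ID }}
          GITHUB_APP_PRIVATE_KEY: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
          GITHUB_APP_INSTALLATION_ID: ${{ secrets.GITHUB_APP_INSTALLATION_ID }}
        run: make patch

      - name: Commit updated CVE results
        shell: bash
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add cves.yaml
          # A run that produced no changes must not fail on an empty commit.
          if git diff --cached --quiet; then
            echo "cves.yaml unchanged; nothing to commit"
          else
            git commit -m "Update CVE patching results"
            git push
          fi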