From ef73ba3de768cfbab0bdae45c5a90257e6ae9ec4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Kalij=C3=A4rvi?=
Date: Wed, 24 Jan 2024 14:05:56 +0200
Subject: [PATCH 1/3] Added npm audit github action to run npm audit fix in custom modules and in custom themes.
---
 .github/workflows/npm-audit.yml | 82 +++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 .github/workflows/npm-audit.yml
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
new file mode 100644
index 00000000..e65559b6
--- /dev/null
+++ b/.github/workflows/npm-audit.yml
@@ -0,0 +1,82 @@
+name: Npm audit
+
+on:
+ schedule:
+ - cron: '0 12 * * 0' # Run every fortnight on Sunday at 12
+
+jobs:
+ npm_audit:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Use Node.js from .nvmrc in modules/custom
+ id: npm_audit_modules
+ run: |
+ find public/modules/custom -type f -name ".nvmrc" -exec sh -c '
+ dir=$(dirname "$1")
+ node_version=$(cat "$1")
+ echo "Using Node.js version $node_version in $dir"
+ cd "$dir"
+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+ export NVM_DIR="$HOME/.nvm"
+ [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+ nvm install $node_version
+ nvm use $node_version
+ npm install --silent
+ set +e
+ npm audit --package-lock-only --loglevel=error;
+ # The npm audit command will exit with a 0 exit code if no vulnerabilities were found.
+ if [ $? -gt 0 ]; then npm audit fix --package-lock-only --loglevel=error; echo "CREATE_PR=true" >> $GITHUB_OUTPUT; fi;
+ set -e
+ ' sh {} \;
+
+ - name: Use Node.js from .nvmrc in themes/custom
+ id: npm_audit_themes
+ run: |
+ find public/themes/custom -type f -name ".nvmrc" -exec sh -c '
+ dir=$(dirname "$1")
+ node_version=$(cat "$1")
+ echo "Using Node.js version $node_version in $dir"
+ cd "$dir"
+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+ export NVM_DIR="$HOME/.nvm"
+ [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+ nvm install $node_version
+ nvm use $node_version
+ npm install --silent
+ set +e
+ npm audit --package-lock-only --loglevel=error;
+ # The npm audit command will exit with a 0 exit code if no vulnerabilities were found.
+ if [ $? -gt 0 ]; then npm audit fix --package-lock-only --loglevel=error; echo "CREATE_PR=true" >> $GITHUB_OUTPUT; fi;
+ set -e
+ ' sh {} \;
+
+ - name: Create Pull Request
+ if: steps.npm_audit_modules.outputs.CREATE_PR == 'true' || steps.npm_audit_themes.outputs.CREATE_PR == 'true'
+ uses: peter-evans/create-pull-request@v4
+ with:
+ committer: GitHub
+ author: actions-bot
+ commit-message: Updated node modules based on npm audit fix
+ title: Automatic npm audit fix
+ labels: auto-update
+ body: |
+ # Npm audit
+ ## How to install
+
+ * Update the HDBT theme
+ * `git fetch --all`
+ * `git checkout automation/npm-audit`
+ * `git pull origin automation/npm-audit`
+ * In the custom module or custom theme folder, run `nvm use && npm i && npm run build`
+
+ ## How to test
+ Run `npm audit`
+
+ * [ ] Check that the `npm audit` prints `found 0 vulnerabilities`
+ * [ ] Check that the changes for distributed files are sensible
+
+ branch: automation/npm-audit
From 42453937fe19f6c059a74b2033834d6a13893ef7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Kalij=C3=A4rvi?=
Date: Thu, 25 Jan 2024 13:51:20 +0200
Subject: [PATCH 2/3] Handle BC breaks when running npm audit fix.
---
 .github/workflows/npm-audit.yml | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
index e65559b6..66820ac1 100644
--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -1,6 +1,7 @@ name: Npm audit on: + workflow_dispatch: schedule: + - cron: '0 12 * * 0' # Run every fortnight on Sunday at 12
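Review bot: A failure anywhere in the per-directory script (nvm missing or failing, `npm install` failing) leaves both audit steps green with nothing audited, because `find` returns 0 regardless of what its `-exec` command returned and the inner script only turns on `set -e` on its last line; start the inner script with `set -e` and let the step propagate failures, for example by collecting the `.nvmrc` paths with `find … -print0` and looping over them directly in the `run:` script, whose default bash shell already exits on error. The workflow declares no `permissions:` block even though `peter-evans/create-pull-request` has to push a branch and open a pull request, so it runs with whatever the repository's default GITHUB_TOKEN grant is; add `permissions: { contents: write, pull-requests: write }` at job level so everything else stays read-only. Both actions are referenced by mutable tag (`actions/checkout@v4`, `peter-evans/create-pull-request@v4`); for a workflow that commits and pushes on a schedule, pinning to a full commit SHA with the version in a trailing comment is the usual hardening. The comment on the schedule line contradicts the expression: `0 12 * * 0` fires every Sunday, not every fortnight, so either the comment (`# Run every Sunday at 12 UTC`) or the schedule should change.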
@@ -20,16 +21,20 @@ jobs: node_version=$(cat "$1") echo "Using Node.js version $node_version in $dir" cd "$dir" - curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash - export NVM_DIR="$HOME/.nvm" - [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" + export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" nvm install $node_version nvm use $node_version npm install --silent set +e npm audit --package-lock-only --loglevel=error; # The npm audit command will exit with a 0 exit code if no vulnerabilities were found. - if [ $? -gt 0 ]; then npm audit fix --package-lock-only --loglevel=error; echo "CREATE_PR=true" >> $GITHUB_OUTPUT; fi; + if [ $? -gt 0 ]; then + npm audit fix --package-lock-only --loglevel=error; + if [ $? -gt 0 ]; then + echo "BC_BREAK=:exclamation: NPM Audit fix could not fix all vulnerabilities. Fix them manually by running \`npm audit fix --force\` and test the functionalities thoroughly as there might be breaking changes. :exclamation:" >> $GITHUB_ENV; + fi; + echo "CREATE_PR=true" >> $GITHUB_OUTPUT; + fi; set -e ' sh {} \; 
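Review bot: The `BC_BREAK=…` line appended to `$GITHUB_ENV` neither names the directory whose `npm audit fix` left vulnerabilities behind nor survives a second failure, because every `find -exec` invocation appends a fresh `BC_BREAK=` assignment and the last one written is the value the later step sees, so the PR body can only ever say that "something" is unfixed. Include `$dir` in the message and accumulate the failing directories (for example into a scratch file in the workspace, written to `$GITHUB_ENV` once after `find` returns, using the heredoc form if the value spans lines). The identical block in the `@@ -41,16 +46,20 @@` hunk for themes/custom has the same issue and the two copies would overwrite each other as well. The enclosing `run:` script and its `find` line start before this hunk.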
@@ -41,16 +46,20 @@ jobs: node_version=$(cat "$1") echo "Using Node.js version $node_version in $dir" cd "$dir" - curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash - export NVM_DIR="$HOME/.nvm" - [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" + export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" nvm install $node_version nvm use $node_version npm install --silent set +e npm audit --package-lock-only --loglevel=error; # The npm audit command will exit with a 0 exit code if no vulnerabilities were found. - if [ $? -gt 0 ]; then npm audit fix --package-lock-only --loglevel=error; echo "CREATE_PR=true" >> $GITHUB_OUTPUT; fi; + if [ $? -gt 0 ]; then + npm audit fix --package-lock-only --loglevel=error; + if [ $? -gt 0 ]; then + echo "BC_BREAK=:exclamation: NPM Audit fix could not fix all vulnerabilities. Fix them manually by running \`npm audit fix --force\` and test the functionalities thoroughly as there might be breaking changes. :exclamation:" >> $GITHUB_ENV; + fi; + echo "CREATE_PR=true" >> $GITHUB_OUTPUT; + fi; set -e ' sh {} \; @@ -65,6 +74,9 @@ jobs: labels: auto-update body: | # Npm audit + + ${{ env.BC_BREAK }} + ## How to install * Update the HDBT theme From 74dc311f3e82c1bc059b23568b7df11d4cda62a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20Kalij=C3=A4rvi?= Date: Mon, 29 Jan 2024 12:19:00 +0200 Subject: [PATCH 3/3] Simplified npm audit action. --- .github/workflows/npm-audit.yml | 33 ++++----------------------------- 1 file changed, 4 insertions(+), 29 deletions(-) diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml index 66820ac1..3f695bcf 100644 --- a/.github/workflows/npm-audit.yml +++ b/.github/workflows/npm-audit.yml 
@@ -13,10 +13,10 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Use Node.js from .nvmrc in modules/custom - id: npm_audit_modules + - name: Run npm audit + id: npm_audit run: | - find public/modules/custom -type f -name ".nvmrc" -exec sh -c ' + find public/modules/custom public/themes/custom -type f -name ".nvmrc" -exec sh -c ' dir=$(dirname "$1") node_version=$(cat "$1") echo "Using Node.js version $node_version in $dir" @@ -24,7 +24,6 @@ jobs: export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" nvm install $node_version nvm use $node_version - npm install --silent set +e npm audit --package-lock-only --loglevel=error; # The npm audit command will exit with a 0 exit code if no vulnerabilities were found. 
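Review bot: Dropping `npm install --silent` in the second hunk changes what the step operates on — `npm audit --package-lock-only` and `npm audit fix --package-lock-only` now work purely from the committed `package-lock.json` and never create `node_modules` — which is cheaper but is not stated anywhere, so the existing comment above the audit call should be extended, e.g. `# Audit and fix from package-lock.json only; nothing is installed, so the PR carries lockfile changes alone.` Since `find public/modules/custom public/themes/custom` now walks both trees in one `-exec` loop, a single `CREATE_PR=true` from any directory opens one PR covering all of them; a one-line comment above the `find` saying so would spare the next reader reconstructing it from the `if:` on the later step. The `run:` script continues past the end of the second hunk.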
@@ -38,33 +37,9 @@ jobs: set -e ' sh {} \; - - name: Use Node.js from .nvmrc in themes/custom - id: npm_audit_themes - run: | - find public/themes/custom -type f -name ".nvmrc" -exec sh -c ' - dir=$(dirname "$1") - node_version=$(cat "$1") - echo "Using Node.js version $node_version in $dir" - cd "$dir" - export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" - nvm install $node_version - nvm use $node_version - npm install --silent - set +e - npm audit --package-lock-only --loglevel=error; - # The npm audit command will exit with a 0 exit code if no vulnerabilities were found. - if [ $? -gt 0 ]; then - npm audit fix --package-lock-only --loglevel=error; - if [ $? -gt 0 ]; then - echo "BC_BREAK=:exclamation: NPM Audit fix could not fix all vulnerabilities. Fix them manually by running \`npm audit fix --force\` and test the functionalities thoroughly as there might be breaking changes. :exclamation:" >> $GITHUB_ENV; - fi; - echo "CREATE_PR=true" >> $GITHUB_OUTPUT; - fi; - set -e - ' sh {} \; - name: Create Pull Request - if: steps.npm_audit_modules.outputs.CREATE_PR == 'true' || steps.npm_audit_themes.outputs.CREATE_PR == 'true' + if: steps.npm_audit.outputs.CREATE_PR == 'true' uses: peter-evans/create-pull-request@v4 with: committer: GitHub