Add workflow and script to add security-incident-response to GHSAs #2764
Conversation
🪖
```yaml
jobs:
  add-team-to-ghsa:
    runs-on: macos-latest
```
nit: does ubuntu-latest work for us? macos has a lower number of concurrent jobs
Unfortunately no. I'm not sure why but the jq command breaks in ubuntu. Fought with it for a couple of hours before deciding macos was good enough 🤷
is it related to the jq version? could you point me to the error message or the line? I'm happy to debug with it!
Yeah it's line 17 in the shell script. This will reproduce if raw_ghsa.json has the contents of the gh call from lines 11-14:

```sh
jq -r '[ .[] | select(all(.collaborating_teams.[]; .slug != "ghsa-testing-2"))| .ghsa_id ] | sort | .[] ' raw_ghsa.json
```

Works on mac jq version v1.7 but not on ubuntu version 1.6. The error on ubuntu is:

```
jq: error: syntax error, unexpected '[', expecting FORMAT or QQSTRING_START (Unix shell quoting issues?) at <top-level>, line 1:
[ .[] | select(all(.collaborating_teams.[]; .slug != "ghsa-testing-2"))| .ghsa_id ] | sort | .[]
jq: 1 compile error
```

If I'm remembering correctly it comes from the .[] iterator on collaborating_teams.
wanna give ubuntu-24.04 a try? it installs jq 1.7: https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
Yeah that works! I thought I tried ubuntu-latest and it failed but maybe I didn't, or maybe latest didn't get 24.04 🤔

Anyway I just ran it as a workflow with runs-on: ubuntu-24.04 in my private repo and it worked fine. Thanks for figuring that out
sorry for missing this thread 🫠 yeah, ubuntu-latest still points to ubuntu-22.04: https://github.com/actions/runner-images/blob/main/README.md#available-images. we need to specify the version explicitly!
Good call about not needing to fetch everything and switching to I've been testing this in a private repo. Happy to add you there if you'd like.

This succeeded on its first run (and added the security team to all the GHSAs that didn't have it) and then failed on its second run. I'm debugging in my private repo. Don't want to echo anything in the public repo to avoid leaking security info.

The failure is because Fixed here: #2829
Problem

GitHub doesn't have a default way to add a specific team to all GHSAs without also giving that team admin access. We would like to be able to include non-Anza people in the security-incident-response team without making them org admins.

Summary of Changes

This creates a GitHub action that runs a script hourly. The script gets a list of all GHSAs and checks if any of them don't have security-incident-response in the collaborating_teams list. For any GHSAs that don't already have the team it is added.

As far as I can tell it's necessary to do this with polling because security_advisory.reported won't fire for advisories created via draft.

The workflow uses runs-on: macos-latest because the jq commands don't work correctly in ubuntu. I'm not sure why, but don't want to spend more time debugging it.

The GH_TOKEN has repo access and is already added to secrets.
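The selection step that the PR description and the jq discussion above both describe, written out as an added example in Python (this is not the PR's own script). It runs on a constructed sample of the advisory list, so it does not depend on which jq version the runner ships, and it spells out the edge cases the jq filter handles implicitly: `all(...)` over an empty team list is true, so an advisory with no collaborating teams is reported as missing the team. The `PORTABLE_JQ_FILTER` constant is my rewrite of the thread's filter with `.collaborating_teams[]` instead of `.collaborating_teams.[]`; the dotted form is syntax that jq 1.7 accepts and jq 1.6 rejects, which is the compile error quoted in the thread. The sample GHSA ids, the `plan_additions` helper and the assumption that the update call takes the full replacement list of team slugs are mine, not from the page.

```python
"""Added example: find GHSAs missing a collaborating team, independent of jq version."""
import json

# Team slug from the PR description.
TEAM_SLUG = "security-incident-response"

# jq 1.6-compatible rewrite of the filter from the thread (assumption: the only
# change needed is dropping the dot before `[]`, which is jq 1.7-only syntax).
PORTABLE_JQ_FILTER = (
    '[ .[] | select(all(.collaborating_teams[]; .slug != $slug)) | .ghsa_id ] '
    '| sort | .[]'
)

# Constructed sample standing in for raw_ghsa.json (what the `gh` call would
# return). The GHSA ids and the "ghsa-testing-2" slug are made up for the example.
SAMPLE_RAW_GHSA = json.dumps([
    {"ghsa_id": "GHSA-xxxx-0002", "collaborating_teams": [{"slug": "ghsa-testing-2"}]},
    {"ghsa_id": "GHSA-xxxx-0001", "collaborating_teams": [{"slug": TEAM_SLUG}]},
    {"ghsa_id": "GHSA-xxxx-0003", "collaborating_teams": []},
    {"ghsa_id": "GHSA-xxxx-0004"},                              # key absent
    {"ghsa_id": "GHSA-xxxx-0005", "collaborating_teams": None},  # explicit null
])


def ghsas_missing_team(raw_json: str, slug: str) -> list[str]:
    """Return the sorted GHSA ids whose collaborating_teams lacks `slug`.

    Mirrors the jq filter: `all` over an empty stream is true, so an advisory
    with no teams is reported. An absent or null collaborating_teams is treated
    the same way here; note that jq's `.[]` on null raises "Cannot iterate over
    null", which the thread's filter does not guard against.
    """
    missing = []
    for advisory in json.loads(raw_json):
        teams = advisory.get("collaborating_teams") or []
        if all(team.get("slug") != slug for team in teams):
            missing.append(advisory["ghsa_id"])
    return sorted(missing)


def plan_additions(raw_json: str, slug: str) -> dict[str, list[str]]:
    """Map each GHSA that needs the team to the full slug list it should end up with.

    Hypothetical helper: it assumes the update call replaces the whole
    collaborating_teams list, so existing teams are kept and `slug` appended.
    Nothing here talks to GitHub; it only computes what a run would change.
    """
    needs_team = set(ghsas_missing_team(raw_json, slug))
    plan = {}
    for advisory in json.loads(raw_json):
        ghsa_id = advisory["ghsa_id"]
        if ghsa_id not in needs_team:
            continue
        existing = [t["slug"] for t in (advisory.get("collaborating_teams") or [])]
        plan[ghsa_id] = existing + [slug]
    return plan


if __name__ == "__main__":
    for ghsa_id, slugs in plan_additions(SAMPLE_RAW_GHSA, TEAM_SLUG).items():
        print(f"{ghsa_id}: collaborating_teams -> {slugs}")
```

Running it lists the four constructed advisories that lack the team; GHSA-xxxx-0001 already has it and is left alone. The point for the workflow is that the filtering logic is small enough to keep out of jq entirely if the runner image's jq version is uncertain, or to pin the image (as the thread settles on with ubuntu-24.04) and keep the portable filter spelling.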