-
Notifications
You must be signed in to change notification settings - Fork 18
115 lines (115 loc) · 5.25 KB
/
nix.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
name: nix build and check advisories
on:
- push
- pull_request
jobs:
check-nix:
name: Check nix build
runs-on: ubuntu-22.04
steps:
- name: git checkout
uses: actions/checkout@v4
with:
# We need to retrieve full history to determine the correct
# `published` and `modified` timestamps
fetch-depth: 0
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
with:
extra-conf: system-features = nixos-test benchmark big-parallel kvm
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Check Nix flake inputs
uses: DeterminateSystems/flake-checker-action@v4
- name: Build executable (hsec-tools)
run: nix -L build
- name: Build docker image
run: nix build -L '.#packages.x86_64-linux.hsec-tools-image'
- run: mkdir -p ~/.local/dockerImages
- run: cp result ~/.local/dockerImages/hsec-tools
- name: upload executable
uses: actions/upload-artifact@v4
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
with:
name: hsec-tools-${{ github.sha }}
path: ~/.local/dockerImages
- run: docker load -i ~/.local/dockerImages/hsec-tools
- name: Run advisory syntax checks
run: |
RESULT=0
# Remove the begining of the README to extract the example.
(echo '```toml'; sed -e '1,/```toml/d' README.md) > EXAMPLE_README.md
while read FILE ; do
[ "$(dirname "$FILE")" != advisories/reserved ] || continue
echo -n "$FILE: "
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools check "$FILE" || RESULT=1
done < <(find advisories EXAMPLE_README.md EXAMPLE_ADVISORY.md -type f -name "*.md")
exit $RESULT
- name: Run advisory uniqueness checks
run: |
! find advisories -type f -name '*.md' -print0 \
| xargs -0n1 basename | sort | uniq -c | grep -E -v '[[:space:]]*1 '
- name: Generate OSV data
run: |
DATA_DIR=$PWD/osv
mkdir "$DATA_DIR"
while read FILE ; do
echo "$FILE"
ID=$(basename "$FILE" .md)
YEAR=$(echo "$ID" | cut -d - -f 2)
mkdir -p $DATA_DIR/$YEAR
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools osv "$FILE" > $DATA_DIR/$YEAR/$ID.json
done < <(find advisories -type f -name "*.md" | grep -v '^advisories/reserved/')
- name: Publish OSV data
if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
env:
GITHUB_SHA: ${{ github.sha }}
run: |
DATA_DIR=$PWD/osv
BRANCH=generated/osv-export
REF=refs/remotes/origin/$BRANCH
export GIT_WORK_TREE=$DATA_DIR
git read-tree "$REF"
git add --all --intent-to-add
git diff --quiet && exit
git add --all
TREE=$(git write-tree)
git config user.email [email protected]
git config user.name "Haskell Security Response Team"
COMMIT=$(git commit-tree "$TREE" -p "$REF" -m "$(date --utc --rfc-3339=seconds) ($GITHUB_SHA)")
git push origin $COMMIT:$BRANCH
- name: Generate snapshot data
run: |
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-snapshot . snapshot
diff -r advisories snapshot/advisories | grep -v gitkeep | grep -v 'Only in advisories: reserved' | grep Only && echo 'Some advisories have been created/deleted' && exit 1 || exit 0
- name: Publish snapshot data
if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
env:
GITHUB_SHA: ${{ github.sha }}
run: |
DATA_DIR=$PWD/snapshot
BRANCH=generated/snapshot-export
REF=refs/remotes/origin/$BRANCH
export GIT_WORK_TREE=$DATA_DIR
git read-tree "$REF"
git add --all --intent-to-add
git diff --quiet && exit
git add --all
TREE=$(git write-tree)
git config user.email [email protected]
git config user.name "Haskell Security Response Team"
COMMIT=$(git commit-tree "$TREE" -p "$REF" -m "$(date --utc --rfc-3339=seconds) ($GITHUB_SHA)")
git push origin $COMMIT:$BRANCH
- name: Generate the website
run: |
mkdir generatedWebsite
docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-index . generatedWebsite
cp generatedWebsite/by-dates.html generatedWebsite/index.html
rm -Rf generatedWebsite/advisories || echo "Markdown links issue has been fixed"
- name: Deploy the website
uses: peaceiris/actions-gh-pages@v3
if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./generatedWebsite
publish_branch: generated/gh-pages
force_orphan: true