chore(deps): bump the ci group across 1 directory with 3 updates (#957)
Bumps the ci group with 3 updates in the / directory:
[thollander/actions-comment-pull-request](https://github.com/thollander/actions-comment-pull-request),
[anchore/sbom-action](https://github.com/anchore/sbom-action) and
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).

Updates `thollander/actions-comment-pull-request` from 2.5.0 to 3.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/thollander/actions-comment-pull-request/releases">thollander/actions-comment-pull-request's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps-dev): bump typescript from 5.2.2 to 5.3.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/326">thollander/actions-comment-pull-request#326</a></li>
<li>chore(deps-dev): bump prettier from 3.0.3 to 3.2.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/350">thollander/actions-comment-pull-request#350</a></li>
<li>chore(deps-dev): bump <code>@​tsconfig/node20</code> from 20.1.2 to
20.1.4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/367">thollander/actions-comment-pull-request#367</a></li>
<li>chore(deps-dev): bump typescript from 5.3.3 to 5.6.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/390">thollander/actions-comment-pull-request#390</a></li>
<li>chore(deps-dev): bump <code>@​types/node</code> from 20.8.7 to
22.7.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/389">thollander/actions-comment-pull-request#389</a></li>
<li>feat: manage delete modes in a better way + consistent input naming
by <a href="https://github.com/thollander"><code>@​thollander</code></a>
in <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/391">thollander/actions-comment-pull-request#391</a></li>
</ul>
<h2>Breaking changes</h2>
<h3>Parameters</h3>
<ul>
<li>From <code>filePath</code> to <code>file-path</code></li>
<li>From <code>GITHUB_TOKEN</code> to <code>github-token</code></li>
<li>From <code>pr_number</code> to <code>pr-number</code></li>
<li>From <code>comment_tag</code> to <code>comment-tag</code></li>
<li>From <code>create_if_not_exists</code> to
<code>create-if-not-exists</code></li>
</ul>
<h3>Mode</h3>
<p><code>delete</code> now deletes a comment immediately. To delete the
comment at the end of the job, use <code>delete-on-completion</code>
mode.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/thollander/actions-comment-pull-request/compare/v2...v3.0.0">https://github.com/thollander/actions-comment-pull-request/compare/v2...v3.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/e2c37e53a7d2227b61585343765f73a9ca57eda9"><code>e2c37e5</code></a>
Merge pull request <a
href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/391">#391</a>
from thollander/v3</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/65f9e5c9a1f2cd378bd74b2e057c9736982a8e74"><code>65f9e5c</code></a>
docs: add migration guide</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/107ab45b779fd2e067ae8280372c847b18cd4b12"><code>107ab45</code></a>
feat: manage delete modes in a better way</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/ce644a4ba466eb7e94ddef442fbaf2ac1ae7af35"><code>ce644a4</code></a>
chore(deps-dev): bump <code>@​types/node</code> from 20.8.7 to 22.7.5
(<a
href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/389">#389</a>)</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/52f13cbcc809c634d886a0c6b129031dc7961f8e"><code>52f13cb</code></a>
chore(deps-dev): bump typescript from 5.3.3 to 5.6.3 (<a
href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/390">#390</a>)</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/77f7e428bd96191a58dcf8320c70ef69e1850658"><code>77f7e42</code></a>
chore(deps-dev): bump <code>@​tsconfig/node20</code> from 20.1.2 to
20.1.4 (<a
href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/367">#367</a>)</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/e5dae98d09bd6c013ca3f3eb1cf16d7f167922a9"><code>e5dae98</code></a>
chore(deps-dev): bump prettier from 3.0.3 to 3.2.5 (<a
href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/350">#350</a>)</li>
<li><a
href="https://github.com/thollander/actions-comment-pull-request/commit/bc14ce351a6a25022a490f2be0570c700083a7fe"><code>bc14ce3</code></a>
chore(deps-dev): bump typescript from 5.2.2 to 5.3.3 (<a
href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/326">#326</a>)</li>
<li>See full diff in <a
href="https://github.com/thollander/actions-comment-pull-request/compare/v2.5.0...v3.0.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `anchore/sbom-action` from 0.17.2 to 0.17.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anchore/sbom-action/releases">anchore/sbom-action's
releases</a>.</em></p>
<blockquote>
<h2>v0.17.3</h2>
<h2>Changes in v0.17.3</h2>
<ul>
<li>chore(deps): update Syft to v1.14.0 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/498">#498</a>)
[<a
href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anchore/sbom-action/commit/f5e124a5e5e1d497a692818ae907d3c45829d033"><code>f5e124a</code></a>
chore(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
(<a
href="https://redirect.github.com/anchore/sbom-action/issues/493">#493</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/eff08d02ac5d0e2422e16dcd015d6e38fc0c4271"><code>eff08d0</code></a>
chore: configure changelog-ignore label (<a
href="https://redirect.github.com/anchore/sbom-action/issues/499">#499</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/18f9bdeed73d2077650049195c23cc2837e584ad"><code>18f9bde</code></a>
chore: remove snapshot tests; fix deprecation errors for outdated
packages (#...</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/2e8723687bef46234761baa3b3043f07b02b584b"><code>2e87236</code></a>
add release docs (<a
href="https://redirect.github.com/anchore/sbom-action/issues/500">#500</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/4a914bc36a0527cbd2155e1f4665d7cc1e41615b"><code>4a914bc</code></a>
chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/497">#497</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/8cb9966eff29370ee4e117ab5ebd2cf0c79d72f8"><code>8cb9966</code></a>
chore(deps): update Syft to v1.14.0 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/498">#498</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/beb779bf2267bb1c0ac81cb31db729cdfcc963aa"><code>beb779b</code></a>
Update README to include bit about permissions near the top (<a
href="https://redirect.github.com/anchore/sbom-action/issues/496">#496</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/87b31375ff0202fe594a3d320ac9a3da8c4aeb09"><code>87b3137</code></a>
chore(deps): update Syft to v1.13.0 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/488">#488</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/5cc1a40ded6c8c20f57ff3e5bcf40234823a418b"><code>5cc1a40</code></a>
chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/495">#495</a>)</li>
<li><a
href="https://github.com/anchore/sbom-action/commit/dbef89671963c1a5a3f4a6e505f8d4af12d886ee"><code>dbef896</code></a>
add awaiting response management (<a
href="https://redirect.github.com/anchore/sbom-action/issues/494">#494</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/anchore/sbom-action/compare/61119d458adab75f756bc0b9e4bde25725f86a7a...f5e124a5e5e1d497a692818ae907d3c45829d033">compare
view</a></li>
</ul>
</details>
<br />

Updates `sigstore/cosign-installer` from 3.6.0 to 3.7.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/cosign-installer/releases">sigstore/cosign-installer's
releases</a>.</em></p>
<blockquote>
<h2>v3.7.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump actions/checkout from 4.1.7 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/sigstore/cosign-installer/pull/172">sigstore/cosign-installer#172</a></li>
<li>bump for latest cosign v2.4.1 release by <a
href="https://github.com/bobcallaway"><code>@​bobcallaway</code></a> in
<a
href="https://redirect.github.com/sigstore/cosign-installer/pull/173">sigstore/cosign-installer#173</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0">https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sigstore/cosign-installer/commit/dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da"><code>dc72c7d</code></a>
bump for latest cosign v2.4.1 release (<a
href="https://redirect.github.com/sigstore/cosign-installer/issues/173">#173</a>)</li>
<li><a
href="https://github.com/sigstore/cosign-installer/commit/08bb361e01a71697a353a4d79b633cccf31f5530"><code>08bb361</code></a>
Bump actions/checkout from 4.1.7 to 4.2.0 (<a
href="https://redirect.github.com/sigstore/cosign-installer/issues/172">#172</a>)</li>
<li>See full diff in <a
href="https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hilmar Falkenberg <[email protected]>
dependabot[bot] and hilmarf authored Oct 14, 2024
1 parent 12d4ad6 commit 76f6a39
Showing 2 changed files with 31 additions and 31 deletions.
58 changes: 29 additions & 29 deletions .github/workflows/mend_scan.yaml
Expand Up @@ -27,7 +27,7 @@ jobs:
permissions:
pull-requests: write
steps:
- name: Checkout Code
- name: Checkout Code
uses: actions/checkout@v4

- name: Set up Java 17
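Review bot: `uses: actions/checkout@v4` in this hunk references a mutable major tag, while `release.yaml` in the same commit pins `anchore/sbom-action` to a full commit SHA with a `# v0.17.3` comment; apply the same SHA-plus-version-comment pinning here so both workflows resolve actions reproducibly. The `- name: Checkout Code` line itself reads identically before and after, so the change on that line is whitespace-only and has no functional effect.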
Expand All @@ -45,19 +45,19 @@ jobs:
uses: dcarbone/[email protected]
with:
version: '1.7'

- name: Download Mend Universal Agent
run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar

- name: Run Mend Scan
- name: Run Mend Scan
run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN
env:
USER_KEY: ${{ secrets.MEND_USER_KEY }}
PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }}
WSS_URL: ${{ secrets.MEND_URL }}
API_KEY: ${{ secrets.MEND_API_TOKEN }}
CONFIG_FILE: './.github/config/mend.config'

- name: Generate Report
env:
USER_KEY: ${{ secrets.MEND_API_USER_KEY }}
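Review bot: The `Download Mend Universal Agent` step fetches `wss-unified-agent.jar` with a bare `curl ... -o` and the following `Run Mend Scan` step executes it with `java -jar` without any integrity check. Add `--fail --silent --show-error` so an HTTP error body is not saved and later executed as the jar, and verify the download against a checksum kept in the repository (for example `sha256sum -c wss-unified-agent.jar.sha256`) before running it. Separately, `-apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN` places the secrets on the command line, where they are visible in the runner's process table and in any verbose logging of the command; prefer passing them through the config file or environment if the agent supports that. The `Download Mend Universal Agent` and `Run Mend Scan` name lines read the same before and after, so those changes are whitespace-only.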
Expand All @@ -74,36 +74,36 @@ jobs:
}
EOF
)
login_token=$(curl -X POST 'https://api-sap.whitesourcesoftware.com/api/v2.0/login' \
--header 'Content-Type: application/json' --silent \
--data "${data}" | jq -r .retVal.jwtToken )
security_vulnerability=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/security?search=status%3Aequals%3AACTIVE%3Bscore%3Abetween%3A6%2C10%3B" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
major_updates_pending=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/legal?search=status%3Aequals%3AACTIVE%3BavailableVersionType%3Aequals%3AMAJOR" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}" )
requires_review=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3ARequires%20Review" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
high_license_risk=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?pageSize=1000" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
security_vulnerability_no=$(echo "${security_vulnerability}" | jq .additionalData.totalItems )
major_updates_pending_no=$(echo "${major_updates_pending}" | jq -r .additionalData.totalItems )
requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems )
high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l )
function print {
printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n"
}
function restricted_license {
declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL")
ret_val=""
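Review bot: Nothing in the `Generate Report` script checks that the login succeeded. `login_token=$(curl ... | jq -r .retVal.jwtToken )` yields the literal string `null` when authentication fails, every later `curl --silent` call then returns an error body without `additionalData.totalItems`, and the `*_no` counts come back as `null`; the `[[ ... -gt 0 ]]` comparisons further down treat `null` as an unset variable (value 0), so an outage or an expired credential is reported as zero findings and a green status. Add `--fail` to the `curl` calls, `set -euo pipefail` at the top of the script, and an explicit `[[ "$login_token" != null ]] || exit 1` after the login. Also, `print` passes `$1` as the `printf` format string rather than as an argument, so a `%` in any message is interpreted as a conversion; use `printf "...%s..." "$1"` instead.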
Expand All @@ -112,10 +112,10 @@ jobs:
api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )
issue_count=$((issue_count+api_resp_no))
if [[ $api_resp_no -gt 0 ]]
then
val=$(echo "${api_resp}" | jq -r .retVal[] )
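Review bot: `api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )` has the same silent-failure shape as the counts computed above it: on an API error the value is `null`, `$((issue_count+api_resp_no))` then adds 0 because bash resolves `null` as an unset variable, and `[[ $api_resp_no -gt 0 ]]` is false, so a restricted license is never reported. Guard the value before the arithmetic, for example `[[ "$api_resp_no" =~ ^[0-9]+$ ]] || { echo "API error for ${sap_restricted_licenses[$key]}" >&2; exit 1; }`, so a failed lookup fails the step instead of passing it.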
Expand All @@ -125,62 +125,62 @@ jobs:
export VIOLATIONS_VERBOSE="${ret_val}"
export VIOLATIONS="${issue_count}"
}
print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}"
if [[ $security_vulnerability_no -gt 0 ]]
then
echo "${security_vulnerability}" | jq -r .retVal[]
fi
print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}"
if [[ $major_updates_pending_no -gt 0 ]]
then
echo "${major_updates_pending}" | jq -r .retVal[]
fi
print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license"
if [[ $requires_review_no -gt 0 ]]
then
echo "${requires_review}" | jq -r .retVal[]
fi
print "HIGH RISK LICENSES: ${high_license_risk_no}"
if [[ high_license_risk_no -gt 0 ]]
then
echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html"
fi
restricted_license
print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}"
if [[ $VIOLATIONS -gt 0 ]]
then
echo "${VIOLATIONS_VERBOSE}" | jq .
fi
echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT
echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT
echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT
echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT
echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT
echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT
if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]]
then
echo "status=x" >> $GITHUB_OUTPUT
else
else
echo "status=white_check_mark" >> $GITHUB_OUTPUT
fi
- name: Check if PR exists
uses: 8BitJonny/[email protected]
id: pr_exists
with:
filterOutClosed: true
sha: ${{ github.event.pull_request.head.sha }}

- name: Comment Mend Status on PR
if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }}
uses: thollander/actions-comment-pull-request@v2.5.0
uses: thollander/actions-comment-pull-request@v3.0.0
with:
message: |
## Mend Scan Summary: :${{ steps.report.outputs.status }}:
Expand All @@ -192,7 +192,7 @@ jobs:
| LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} |
| HIGH RISK LICENSES | ${{ steps.report.outputs.high_license_risk_no }} |
| RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} |
[Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
[Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login)
comment_tag: tag_mend_scan
comment-tag: tag_mend_scan
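Review bot: The final status check `[[ violations -gt 0 ]]` references a lowercase `violations` variable that is never set (the script exports `VIOLATIONS`), so restricted-license violations never produce `status=x`; change it to `[[ $VIOLATIONS -gt 0 ]]`. In the same line and in the `HIGH RISK LICENSES` block, `[[ high_license_risk_no -gt 0 ]]` omits the `$` and works only because `[[ ]]` evaluates the bare name arithmetically; add the `$` for consistency with the other checks. The `LICENSE REQUIRES REVIEW` call passes a second argument (`"Visit the Mend UI and add correct license"`) that `print` never reads, so that hint is silently dropped. The output is written as `violations=$VIOLATIONS` but read in the comment template as `steps.report.outputs.VIOLATIONS`; verify the case matches or normalise both to lowercase. The bump to `thollander/actions-comment-pull-request@v3.0.0` together with `comment_tag` → `comment-tag` is consistent with the v3 breaking-change list in the release notes above, but since this step runs with `pull-requests: write`, pin it to the v3.0.0 commit listed there (`e2c37e53a7d2227b61585343765f73a9ca57eda9`) with a `# v3.0.0` comment rather than the moving tag. Style point: `RESTRICTIED` in the `print` call and in the summary table should read `RESTRICTED`.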
4 changes: 2 additions & 2 deletions .github/workflows/release.yaml
Expand Up @@ -150,10 +150,10 @@ jobs:
check-latest: false

- name: Setup Syft
uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
uses: anchore/sbom-action/download-syft@f5e124a5e5e1d497a692818ae907d3c45829d033 # v0.17.3

- name: Setup Cosign
uses: sigstore/cosign-installer@v3.6.0
uses: sigstore/cosign-installer@v3.7.0

- name: Setup git config
run: |
Expand Down
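Review bot: `uses: sigstore/cosign-installer@v3.7.0` is pinned to a mutable tag, while the `anchore/sbom-action/download-syft` line immediately above it is pinned to a full commit SHA with a `# v0.17.3` comment. Pin cosign-installer the same way, to `dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0` (the v3.7.0 commit listed in the release notes above), so the tool that signs release artifacts cannot be swapped by a retagged release.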

0 comments on commit 76f6a39
