From b0b7c786f2bddd5200bf081b34865ee15ca06c76 Mon Sep 17 00:00:00 2001 From: Souvik Date: Fri, 13 Mar 2026 20:38:30 +0530 Subject: [PATCH] Aligning to lts-3.16 --- .github/workflows/vulnerability-ci.yml | 622 +++++++++++++++++++++++-- 1 file changed, 580 insertions(+), 42 deletions(-) diff --git a/.github/workflows/vulnerability-ci.yml b/.github/workflows/vulnerability-ci.yml index 8c9ef41d1d..184490ac17 100644 --- a/.github/workflows/vulnerability-ci.yml +++ b/.github/workflows/vulnerability-ci.yml 
@@ -32,27 +32,109 @@ jobs: - name: Install dependencies run: npm --prefix frontend install - - name: Running security audit + - name: Running security audit (before fix) + run: npm --prefix frontend audit --json > Periodic-frontend-audit-before.json + continue-on-error: true + + - name: Parse audit summary (before fix) + id: parse-audit-before + run: | + if [ -f Periodic-frontend-audit-before.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit-before.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + echo "critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Attempt to fix vulnerabilities + run: npm --prefix frontend audit fix + continue-on-error: true + + - name: Running security audit (after fix) run: npm --prefix frontend audit --json > Periodic-frontend-audit.json continue-on-error: true - - name: Parse audit summary + - name: Parse audit summary (after fix) id: parse-audit run: | - vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json) - moderate=$(echo $vulnerabilities | jq '.moderate') - high=$(echo $vulnerabilities | jq '.high') - critical=$(echo $vulnerabilities | jq '.critical') - echo "moderate=$moderate" >> $GITHUB_OUTPUT - echo "high=$high" >> $GITHUB_OUTPUT - echo "critical=$critical" >> $GITHUB_OUTPUT + if [ -f Periodic-frontend-audit.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + echo "critical=$critical" 
>> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Check for changes + id: check-changes + run: | + git add frontend/package-lock.json + if git diff --staged --quiet; then + echo "has_changes=false" >> $GITHUB_OUTPUT + else + echo "has_changes=true" >> $GITHUB_OUTPUT + fi + + - name: Create Pull Request + if: steps.check-changes.outputs.has_changes == 'true' + id: create-pr + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + add-paths: | + frontend/package-lock.json + commit-message: "fix: automated security fixes for frontend dependencies" + branch: automated-security-fixes/frontend-${{ github.run_id }} + base: lts-3.16 + title: "[Security] Automated Dependency Fixes - Frontend" + body: | + ## Automated Security Fixes + + This PR contains automated dependency updates generated via npm audit fix. + + ### Scope + Frontend + + ### Vulnerabilities + **Before:** + - Critical: ${{ steps.parse-audit-before.outputs.critical }} + - High: ${{ steps.parse-audit-before.outputs.high }} + - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} + + **After:** + - Critical: ${{ steps.parse-audit.outputs.critical }} + - High: ${{ steps.parse-audit.outputs.high }} + - Moderate: ${{ steps.parse-audit.outputs.moderate }} + + âš ī¸ Some vulnerabilities may remain and require manual upgrades. + + **Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + + Generated by: Vulnerability CI + reviewers: kavinvenkatachalam,johnsoncherian + labels: security,automated - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: Periodic-frontend-audit-report path: Periodic-frontend-audit.json retention-days: 7 + if-no-files-found: warn - name: Determine notification color id: determine-color 
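Review bot: The `if [ -f Periodic-frontend-audit-before.json ]` guard in "Parse audit summary (before fix)" is effectively dead, because the preceding step's `> Periodic-frontend-audit-before.json` redirection creates the file before `npm audit` runs, so the `else` branch never fires and a failed or interrupted audit (empty file, or an error object without `.metadata`) makes `jq` emit `null` or nothing, which then lands in `$GITHUB_OUTPUT` and is rendered verbatim in the PR body and Slack message. Replacing the three jq pipelines with a default-bearing extraction closes both gaps, e.g. `critical=$(jq -r '.metadata.vulnerabilities.critical // 0' Periodic-frontend-audit-before.json 2>/dev/null || true)` followed by `critical=${critical:-0}`, with the same two lines for `high` and `moderate`. The same script, with the same dead branch, is added for the after-fix step in this hunk and for the server, plugins and root jobs in the later hunks.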
@@ -74,6 +156,56 @@ jobs: - name: Send Slack Notification run: | + PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" + PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" + + if [ "$PR_CREATED" == "true" ]; then + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "🔧 *Automated Fix PR Created*" + } + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "" + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" + }, + { + "type": "mrkdwn", + "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" + } + ] + }' + PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" + PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" + PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" + PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" + PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" + PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" + PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" + else + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "â„šī¸ *No auto-fixable vulnerabilities found*" + } + }' + fi + payload=$(cat < Periodic-server-audit-before.json + continue-on-error: true + + - name: Parse audit summary (before fix) + id: parse-audit-before + run: | + if [ -f Periodic-server-audit-before.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit-before.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + 
echo "critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Attempt to fix vulnerabilities + run: npm --prefix server audit fix + continue-on-error: true + + - name: Running security audit (after fix) run: npm --prefix server audit --json > Periodic-server-audit.json continue-on-error: true - - name: Parse audit summary + - name: Parse audit summary (after fix) id: parse-audit run: | - vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json) - moderate=$(echo $vulnerabilities | jq '.moderate') - high=$(echo $vulnerabilities | jq '.high') - critical=$(echo $vulnerabilities | jq '.critical') - echo "moderate=$moderate" >> $GITHUB_OUTPUT - echo "high=$high" >> $GITHUB_OUTPUT - echo "critical=$critical" >> $GITHUB_OUTPUT + if [ -f Periodic-server-audit.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + echo "critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Check for changes + id: check-changes + run: | + git add server/package-lock.json + if git diff --staged --quiet; then + echo "has_changes=false" >> $GITHUB_OUTPUT + else + echo "has_changes=true" >> $GITHUB_OUTPUT + fi + + - name: Create Pull Request + if: steps.check-changes.outputs.has_changes == 'true' + id: create-pr + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + add-paths: | + server/package-lock.json + commit-message: "fix: automated security fixes for server dependencies" + branch: automated-security-fixes/server-${{ github.run_id }} + 
base: lts-3.16 + title: "[Security] Automated Dependency Fixes - Server" + body: | + ## Automated Security Fixes + + This PR contains automated dependency updates generated via npm audit fix. + + ### Scope + Server + + ### Vulnerabilities + **Before:** + - Critical: ${{ steps.parse-audit-before.outputs.critical }} + - High: ${{ steps.parse-audit-before.outputs.high }} + - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} + + **After:** + - Critical: ${{ steps.parse-audit.outputs.critical }} + - High: ${{ steps.parse-audit.outputs.high }} + - Moderate: ${{ steps.parse-audit.outputs.moderate }} + + âš ī¸ Some vulnerabilities may remain and require manual upgrades. + + **Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + + Generated by: Vulnerability CI + reviewers: gsmithun4 + labels: security,automated - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: Periodic-server-audit-report path: Periodic-server-audit.json retention-days: 7 + if-no-files-found: warn - name: Determine notification color id: determine-color 
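Review bot: In the new "Send Slack Notification" lines, step outputs are interpolated directly into the bash script with `${{ steps.parse-audit-before.outputs.critical }}` and friends inside the `${PR_SECTION//...}` substitutions, and `PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"`; the expression is expanded into the script text before the shell parses it, and the parse steps in this same commit show the values are not always the plain integers the script assumes. GitHub's own guidance for `run:` steps is to pass such values through `env:` so they reach the shell as data, e.g. `env:` with `AUDIT_BEFORE_CRITICAL: ${{ steps.parse-audit-before.outputs.critical }}` and `AUTOFIX_PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}`, then `PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/$AUDIT_BEFORE_CRITICAL}"` in the script. The `payload=$(cat <` heredoc that follows is not readable in this extraction, so it is not reviewed here. The identical block is added for the server, plugins and root jobs in the following hunks.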
@@ -238,6 +452,56 @@ jobs: - name: Send Slack Notification run: | + PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" + PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" + + if [ "$PR_CREATED" == "true" ]; then + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "🔧 *Automated Fix PR Created*" + } + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "" + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" + }, + { + "type": "mrkdwn", + "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" + } + ] + }' + PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" + PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" + PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" + PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" + PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" + PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" + PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" + else + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "â„šī¸ *No auto-fixable vulnerabilities found*" + } + }' + fi + payload=$(cat < Periodic-plugins-audit-before.json + continue-on-error: true + + - name: Parse audit summary (before fix) + id: parse-audit-before + run: | + if [ -f Periodic-plugins-audit-before.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit-before.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> 
$GITHUB_OUTPUT + echo "critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Attempt to fix vulnerabilities + run: npm --prefix plugins audit fix + continue-on-error: true + + - name: Running security audit (after fix) run: npm --prefix plugins audit --json > Periodic-plugins-audit.json continue-on-error: true - - name: Parse audit summary + - name: Parse audit summary (after fix) id: parse-audit run: | - vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json) - moderate=$(echo $vulnerabilities | jq '.moderate') - high=$(echo $vulnerabilities | jq '.high') - critical=$(echo $vulnerabilities | jq '.critical') - echo "moderate=$moderate" >> $GITHUB_OUTPUT - echo "high=$high" >> $GITHUB_OUTPUT - echo "critical=$critical" >> $GITHUB_OUTPUT + if [ -f Periodic-plugins-audit.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + echo "critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Check for changes + id: check-changes + run: | + git add plugins/package-lock.json + if git diff --staged --quiet; then + echo "has_changes=false" >> $GITHUB_OUTPUT + else + echo "has_changes=true" >> $GITHUB_OUTPUT + fi + + - name: Create Pull Request + if: steps.check-changes.outputs.has_changes == 'true' + id: create-pr + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + add-paths: | + plugins/package-lock.json + commit-message: "fix: automated security fixes for plugins dependencies" + branch: 
automated-security-fixes/plugins-${{ github.run_id }} + base: main + title: "[Security] Automated Dependency Fixes - Plugins" + body: | + ## Automated Security Fixes + + This PR contains automated dependency updates generated via npm audit fix. + + ### Scope + Plugins + + ### Vulnerabilities + **Before:** + - Critical: ${{ steps.parse-audit-before.outputs.critical }} + - High: ${{ steps.parse-audit-before.outputs.high }} + - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} + + **After:** + - Critical: ${{ steps.parse-audit.outputs.critical }} + - High: ${{ steps.parse-audit.outputs.high }} + - Moderate: ${{ steps.parse-audit.outputs.moderate }} + + âš ī¸ Some vulnerabilities may remain and require manual upgrades. + + **Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + + Generated by: Vulnerability CI + reviewers: gsmithun4 + labels: security,automated - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: Periodic-plugins-audit-report path: Periodic-plugins-audit.json retention-days: 7 + if-no-files-found: warn - name: Determine notification color id: determine-color 
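Review bot: The plugins "Create Pull Request" step sets `base: main`, while the frontend, server and root steps in this same commit set `base: lts-3.16` and the commit title is "Aligning to lts-3.16". If this workflow runs from the lts-3.16 branch, a lockfile changed on top of lts-3.16 would be proposed against main, carrying every unrelated difference between the branches or failing to apply cleanly. Unless the divergence is intentional, this line should read `base: lts-3.16`; if it is intentional, a comment above it saying why plugins fixes target main would save the next reader the same question.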
@@ -566,6 +912,56 @@ jobs: - name: Send Slack Notification run: | + PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" + PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" + + if [ "$PR_CREATED" == "true" ]; then + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "🔧 *Automated Fix PR Created*" + } + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "" + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" + }, + { + "type": "mrkdwn", + "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" + } + ] + }' + PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" + PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" + PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" + PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" + PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" + PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" + PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" + else + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "â„šī¸ *No auto-fixable vulnerabilities found*" + } + }' + fi + payload=$(cat < Periodic-root-audit-before.json + continue-on-error: true + + - name: Parse audit summary (before fix) + id: parse-audit-before + run: | + if [ -f Periodic-root-audit-before.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit-before.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + echo 
"critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Attempt to fix vulnerabilities + run: npm audit fix + continue-on-error: true + + - name: Running security audit (after fix) run: npm audit --json > Periodic-root-audit.json continue-on-error: true - - name: Parse audit summary + - name: Parse audit summary (after fix) id: parse-audit run: | - vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json) - moderate=$(echo $vulnerabilities | jq '.moderate') - high=$(echo $vulnerabilities | jq '.high') - critical=$(echo $vulnerabilities | jq '.critical') - echo "moderate=$moderate" >> $GITHUB_OUTPUT - echo "high=$high" >> $GITHUB_OUTPUT - echo "critical=$critical" >> $GITHUB_OUTPUT + if [ -f Periodic-root-audit.json ]; then + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "moderate=$moderate" >> $GITHUB_OUTPUT + echo "high=$high" >> $GITHUB_OUTPUT + echo "critical=$critical" >> $GITHUB_OUTPUT + else + echo "moderate=0" >> $GITHUB_OUTPUT + echo "high=0" >> $GITHUB_OUTPUT + echo "critical=0" >> $GITHUB_OUTPUT + fi + + - name: Check for changes + id: check-changes + run: | + git add package-lock.json + if git diff --staged --quiet; then + echo "has_changes=false" >> $GITHUB_OUTPUT + else + echo "has_changes=true" >> $GITHUB_OUTPUT + fi + + - name: Create Pull Request + if: steps.check-changes.outputs.has_changes == 'true' + id: create-pr + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + add-paths: | + package-lock.json + commit-message: "fix: automated security fixes for root dependencies" + branch: automated-security-fixes/root-${{ github.run_id }} + base: lts-3.16 + title: "[Security] Automated Dependency Fixes - 
Root" + body: | + ## Automated Security Fixes + + This PR contains automated dependency updates generated via npm audit fix. + + ### Scope + Root + + ### Vulnerabilities + **Before:** + - Critical: ${{ steps.parse-audit-before.outputs.critical }} + - High: ${{ steps.parse-audit-before.outputs.high }} + - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} + + **After:** + - Critical: ${{ steps.parse-audit.outputs.critical }} + - High: ${{ steps.parse-audit.outputs.high }} + - Moderate: ${{ steps.parse-audit.outputs.moderate }} + + âš ī¸ Some vulnerabilities may remain and require manual upgrades. + + **Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + + Generated by: Vulnerability CI + reviewers: gsmithun4 + labels: security,automated - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: Periodic-root-audit-report path: Periodic-root-audit.json retention-days: 7 + if-no-files-found: warn - name: Determine notification color id: determine-color 
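Review bot: The "Create Pull Request" steps authenticate `peter-evans/create-pull-request@v5` with `token: ${{ secrets.GITHUB_TOKEN }}`, which only works if the job or workflow grants `permissions: contents: write` and `pull-requests: write`; no `permissions:` block is visible in this patch, so that should be confirmed against the rest of the file. A consequence worth documenting in the workflow is that pull requests opened with `GITHUB_TOKEN` do not trigger `pull_request` workflows, so the PR-triggered audit and "Create or update PR comment" jobs later in this file will not run on the automated fix PRs unless a GitHub App or PAT token is used, which undercuts the review these security PRs are meant to get. For supply-chain hygiene the action should be pinned to a full commit SHA rather than the mutable `@v5` tag, `uses: peter-evans/create-pull-request@<full-commit-sha> # v5`, with the placeholder filled from the upstream release. Finally, `add-paths` lists only `package-lock.json` and "Check for changes" stages only that file, so if `npm audit fix` also rewrites `package.json` the PR would carry a lockfile that no longer matches it; adding `package.json` to both would keep the PR self-consistent. The same applies to the frontend, server and plugins steps in the earlier hunks.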
@@ -730,6 +1208,56 @@ jobs: - name: Send Slack Notification run: | + PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" + PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" + + if [ "$PR_CREATED" == "true" ]; then + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "🔧 *Automated Fix PR Created*" + } + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "" + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" + }, + { + "type": "mrkdwn", + "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" + } + ] + }' + PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" + PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" + PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" + PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" + PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" + PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" + PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" + else + PR_SECTION=' , + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "â„šī¸ *No auto-fixable vulnerabilities found*" + } + }' + fi + payload=$(cat <> $GITHUB_OUTPUT - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: frontend-audit-report path: frontend-audit.json retention-days: 7 + if-no-files-found: warn - name: Create or update PR comment uses: peter-evans/create-or-update-comment@v1 
@@ -923,11 +1453,13 @@ jobs: echo "critical=$critical" >> $GITHUB_OUTPUT - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: server-audit-report path: server-audit.json retention-days: 7 + if-no-files-found: warn - name: Create or update PR comment uses: peter-evans/create-or-update-comment@v1 @@ -978,11 +1510,13 @@ jobs: echo "critical=$critical" >> $GITHUB_OUTPUT - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: marketplace-audit-report path: marketplace-audit.json retention-days: 7 + if-no-files-found: warn - name: Create or update PR comment uses: peter-evans/create-or-update-comment@v1 @@ -1032,11 +1566,13 @@ jobs: echo "critical=$critical" >> $GITHUB_OUTPUT - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: plugins-audit-report path: plugins-audit.json retention-days: 7 + if-no-files-found: warn - name: Create or update PR comment uses: peter-evans/create-or-update-comment@v1 @@ -1087,11 +1623,13 @@ jobs: echo "critical=$critical" >> $GITHUB_OUTPUT - name: Upload audit report + if: always() uses: actions/upload-artifact@v4 with: name: root-audit-report path: root-audit.json retention-days: 7 + if-no-files-found: warn - name: Create or update PR comment uses: peter-evans/create-or-update-comment@v1