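--- a/.github/workflows/dependabot-security-alerts.yml
+++ b/.github/workflows/dependabot-security-alerts.yml
@@ -0,0 +1,63 @@
+name: Report Dependabot security alerts
+
+on:
+schedule:
+- cron: "0 5 * * *" # every day at 6am GMT+1
+workflow_dispatch:
+
+permissions:
+contents: read
+
+concurrency:
+group: dependabot-security-alerts-${{ github.ref }}
+cancel-in-progress: false
+
+jobs:
+report-alerts:
+name: Report alerts (${{ matrix.repo }})
+runs-on: ubuntu-latest
+timeout-minutes: 10
+strategy:
+fail-fast: false
+matrix:
+include:
+- owner: braintrustdata
+repo: braintrust-sdk-javascript
+slack_channel_id: C0AKG7XPG3T
+steps:
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+- name: Generate GitHub App token
+id: app-token
+uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+with:
+app-id: ${{ secrets.BRAINTRUST_BOT_APP_ID }}
+private-key: ${{ secrets.BRAINTRUST_BOT_PRIVATE_KEY }}
+owner: ${{ matrix.owner }}
+repositories: |
+${{ matrix.repo }}
+permission-vulnerability-alerts: read
+
+- name: Count open Dependabot alerts
+id: alerts
+env:
+GH_TOKEN: ${{ steps.app-token.outputs.token }}
+GH_REPO: ${{ matrix.owner }}/${{ matrix.repo }}
+run: |
+set -euo pipefail
+
+count="$(gh api --paginate --slurp \
+-H "Accept: application/vnd.github+json" \
+-H "X-GitHub-Api-Version: 2026-03-10" \
+"/repos/${GH_REPO}/dependabot/alerts?state=open&per_page=100" \
+--jq '([.[] | length] | add) // 0')"
+echo "count=${count}" >> "${GITHUB_OUTPUT}"
+
+- name: Send Slack message
+if: steps.alerts.outputs.count != '0'
+uses: ./actions/slack/send
+with:
+token: ${{ secrets.SLACK_BOT_TOKEN }}
+channel: ${{ matrix.slack_channel_id }}
+text: "Open Dependabot security alerts for ${{ matrix.owner }}/${{ matrix.repo }}: ${{ steps.alerts.outputs.count }}"
+fail_on_error: "true"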
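Review bot: The `X-GitHub-Api-Version: 2026-03-10` header in the "Count open Dependabot alerts" step hard-codes a date-named API version, and GitHub answers an unrecognised version value with a 400; if that date is not a published version the count step fails on every nightly run, and because the Slack step only fires on a non-zero count, the failure is visible only in the Actions log rather than in the channel. Confirm the value against the published REST API versions (the long-standing one is `2022-11-28`) or omit the header so the request is served at the default version. The `--jq` expression also deserves a why-comment, since the summing only makes sense because `--paginate --slurp` emits one array per page: `# --slurp yields one array per page of results; sum the page lengths to get the total open count`. Pinning both actions to full commit SHAs and scoping the App token to `permission-vulnerability-alerts: read` is the right least-privilege shape for this job.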