diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml new file mode 100644 index 0000000..cfc31c6 --- /dev/null +++ b/.gitea/workflows/audit.yml @@ -0,0 +1,101 @@ +name: Dependency Audit + +on: + schedule: + - cron: '0 6 * * 1' # Mondays 06:00 UTC + workflow_dispatch: {} + +jobs: + audit: + runs-on: ubuntu-latest + env: + DOTNET_ROOT: /home/mika/.dotnet + GITEA_API: https://git.kuns.dev/api/v1 + REPO: releases/ClaudeDo + ISSUE_TITLE: 'Dependency audit: vulnerable packages detected' + steps: + - name: Checkout main + env: + TOKEN: ${{ secrets.GITEA_TOKEN }} + run: | + set -euo pipefail + git clone --depth 1 --branch main \ + "https://oauth2:${TOKEN}@git.kuns.dev/${REPO}.git" src + + - name: Scan for vulnerable / outdated packages + run: | + set -euo pipefail + export PATH="$DOTNET_ROOT:$PATH" + cd src + + : > audit.log + : > vuln.md + found=0 + + # .slnx tooling needs .NET 9; iterate per-project to stay on .NET 8. + while IFS= read -r proj; do + echo "==== $proj ====" | tee -a audit.log + dotnet restore "$proj" >/dev/null + + vuln="$(dotnet list "$proj" package --vulnerable --include-transitive 2>&1)" + echo "$vuln" | tee -a audit.log + if echo "$vuln" | grep -qi "has the following vulnerable"; then + found=1 + { + printf '#### `%s`\n\n```\n' "$proj" + echo "$vuln" + printf '```\n\n' + } >> vuln.md + fi + + # Outdated is informational only — never fails the run. + dotnet list "$proj" package --outdated 2>&1 | tee -a audit.log || true + echo "" | tee -a audit.log + done < <(find . -name '*.csproj' | sort) + + if [ "$found" -ne 0 ]; then + echo "::error::Vulnerable packages detected — see log above." >&2 + exit 1 + fi + echo "No vulnerable packages found." + + - name: Report vulnerabilities to a Gitea issue + if: failure() + env: + TOKEN: ${{ secrets.GITEA_TOKEN }} + RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + run: | + set -euo pipefail + cd src + + if [ -s vuln.md ]; then + DETAILS="$(cat vuln.md)" + else + DETAILS="The audit job failed before producing findings — check the run log." + fi + BODY="$(printf 'Automated weekly dependency audit found vulnerable packages.\n\n%s\n\n[View workflow run](%s)' \ + "$DETAILS" "$RUN_URL")" + + # Reuse an existing open issue if one is already tracking this. + EXISTING="$(curl -sS \ + -H "Authorization: token ${TOKEN}" \ + "${GITEA_API}/repos/${REPO}/issues?state=open&type=issues&limit=50" \ + | jq -r --arg t "$ISSUE_TITLE" '.[] | select(.title==$t) | .number' | head -n1)" + + if [ -n "$EXISTING" ]; then + echo "Commenting on existing issue #$EXISTING" + jq -n --arg body "$BODY" '{body:$body}' \ + | curl -sS --fail-with-body -X POST \ + -H "Authorization: token ${TOKEN}" \ + -H "Content-Type: application/json" \ + -d @- \ + "${GITEA_API}/repos/${REPO}/issues/${EXISTING}/comments" >/dev/null + else + echo "Creating new issue" + jq -n --arg title "$ISSUE_TITLE" --arg body "$BODY" '{title:$title, body:$body}' \ + | curl -sS --fail-with-body -X POST \ + -H "Authorization: token ${TOKEN}" \ + -H "Content-Type: application/json" \ + -d @- \ + "${GITEA_API}/repos/${REPO}/issues" >/dev/null + fi diff --git a/.gitea/workflows/changelog.yml b/.gitea/workflows/changelog.yml new file mode 100644 index 0000000..4904d35 --- /dev/null +++ b/.gitea/workflows/changelog.yml @@ -0,0 +1,85 @@ +name: Changelog + +on: + push: + tags: + - 'v*' + +jobs: + changelog: + runs-on: ubuntu-latest + env: + REPO: releases/ClaudeDo + steps: + - name: Checkout main (full history) + env: + TOKEN: ${{ secrets.GITEA_TOKEN }} + run: | + set -euo pipefail + git clone "https://oauth2:${TOKEN}@git.kuns.dev/${REPO}.git" src + cd src + git fetch --tags --force + git checkout main + + - name: Regenerate CHANGELOG.md + run: | + set -euo pipefail + cd src + + emit_group() { + # $1 range, $2 conventional-type, $3 heading + local range="$1" type="$2" title="$3" lines + lines="$(git log "$range" --no-merges --pretty=format:'%s|%h' \ + | grep -E "^${type}(\([^)]*\))?(!)?: " || true)" + [ -z "$lines" ] && return 0 + printf '### %s\n\n' "$title" + while IFS='|' read -r subject hash; do + printf -- '- %s (%s)\n' "${subject#*: }" "$hash" + done <<< "$lines" + printf '\n' + } + + emit_section() { + # $1 range, $2 tag, $3 date + printf '## %s — %s\n\n' "$2" "$3" + emit_group "$1" feat "Features" + emit_group "$1" fix "Fixes" + emit_group "$1" perf "Performance" + emit_group "$1" refactor "Refactoring" + emit_group "$1" docs "Documentation" + } + + # Tags ascending by semver so we can pair each with its predecessor. + mapfile -t TAGS < <(git tag --sort=v:refname | grep -E '^v' || true) + + { + printf '# Changelog\n\n' + for ((i=${#TAGS[@]}-1; i>=0; i--)); do + TAG="${TAGS[$i]}" + DATE="$(git log -1 --format=%ad --date=short "$TAG")" + if (( i > 0 )); then + RANGE="${TAGS[$((i-1))]}..${TAG}" + else + RANGE="$TAG" + fi + emit_section "$RANGE" "$TAG" "$DATE" + done + } > CHANGELOG.md + + cat CHANGELOG.md + + - name: Commit and push if changed + env: + TOKEN: ${{ secrets.GITEA_TOKEN }} + run: | + set -euo pipefail + cd src + if git diff --quiet -- CHANGELOG.md; then + echo "CHANGELOG.md unchanged; nothing to commit." + exit 0 + fi + git config user.name "ClaudeDo CI" + git config user.email "ci@kuns.dev" + git add CHANGELOG.md + git commit -m "docs(changelog): update for ${GITHUB_REF_NAME}" + git push origin main