Fast and flexible Github action to gather information from last runs of selected GHA, lists a summary of PRs for matching params, state of ArgoCD environments and Snyk projects vulnerabilities.
Fully configurable with a configuration file. Disable any part of the action by not passing a corresponding token.
- easy to configure with a configuration file (see example below)
- action output can be send over Slack
- Github, Snyk and/or ArgoCD part of the action can be skiped by not passing a token
This action can be configured with the following inputs:
| Input | Description |
|---|---|
config_file_path |
Path to the configuration file. This file is required for the action to work properly. |
github_token |
Token to authenticate requests to GitHub. Used to create and label pull requests and to comment. Either GITHUB_TOKEN or a repo-scoped Personal Access Token (PAT). |
argocd_token |
Token to authenticate requests to ArgoCD API. Used to get selected environments state. |
snyk_token |
Token to authenticate requests to Snyk API. Used to get list of vulnerabilities for specified snyk projects. |
NOTE To disable any part of this action (e.g. GitHub), skip passing the authentication token of the corresponding part.
The following output is generated:
| Output | Description |
|---|---|
infra_report |
Parsed report containing infra information about selected environments. Output is in slack message format. |
To configure what data we want our report to contain, you have to provide a configuration file. The struture of this file is the following:
{
github: {
// Optional custom title to override the default one
title?: string;
// Name of the github organization
organization: string;
// Name of the repository
repository: string;
// Branch for which the workflow runs should be fetched if not overriden in specific workflow
defaultBranch: string;
// Array of workflows to be checked and added to the report
workflows: (
// Can be just a workflow filename
| string
// Or an object if we want to check the workflow for a specific branches
{
// Workflow filename
name: string;
// List of branches
branches?: string[];
}
)[];
},
argoCd: {
// Optional custom title to override the default one
title?: string;
// ArgoCD URL
url: string;
// Argo project name for which you want to fetch the environments
projects: string[];
},
snyk: {
// Optional custom title to override the default one
title?: string;
// Version of the snyk API to use, defaults to '2023-05-29'
apiVersion?: string
// Snyk organization ID
organizationId: string;
// Snyk organization name
organizationName: string;
// Which vulnerability levels should be counted and displayed in the report (defaults to ["critical", "high"])
vulnLevels?: ('critical' | 'high' | 'medium' | 'low')[];
// A list of CVEs to ignore
ignoredCVEs?: string[]
// A list of CWEs to ignore
ignoredCWEs?: string[]
// A list of vulnerability ids to ignore
ignoredVulnIds?: string[]
// A list of snyk projects
projects: {
// Project name
project: string;
// Project origin
origin: string;
// All the branches/references within a project
versions: string[];
}[];
},
githubPrs: {
// Optional custom title to override the default one
title?: string;
// Name of the github organization
organization: string;
// Name of the repository
repository: string;
// list of parameters to fetch matching PRs
prs: {
// The PR author
author?: string
// The base branch of the PR
base?: string
// List of labels
labels?: string[]
// PR state ('open' by default)
state?: 'open' | 'close' | 'all'
// title for this group of PRs. Defaults to a list of passed params and their values (e.g. author: misiekhardcore state: open labels: [frontend, renovate])
title?: string
// The type of result we want to acheive (defaults to 'list)
// 'list' - lists all PRs as links with title as a label
// 'count' - shows the number of matching PRs
resultType?: 'list' | 'count'
}[]
}
}{
"github": {
"organization": "org",
"repository": "repo",
"defaultBranch": "main",
"workflows": [
{
"name": "test",
"branches": ["main"]
},
"check-dist"
]
},
"argoCd": {
"url": "https://argocd.com",
"projects": ["argo-project"]
},
"snyk": {
"title": "some title to override the default",
"apiVersion": "2023-05029",
"organizationId": "org-id",
"organizationName": "org",
"vulnLevels": ["critical", "high", "medium", "low"],
"ignoredCVEs": ["CVE-123-4567"],
"ignoredCWEs": ["CWE-890"],
"ignoredVulnIds": [
"snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)"
],
"projects": [
{
"project": "project",
"versions": ["master"],
"origin": "github"
}
]
},
"githubPrs": {
"organization": "org",
"repository": "repo",
"prs": [
{
"author": "coolnickname",
"base": "main",
"labels": ["feature"],
"state": "all",
"title": "This is a title for all PRs in this group",
"resultType": "list"
},
{
"author": "coolnickname",
"resultType": "count"
}
]
}
}Create a workflow which passes selected inputs
name: 'build-test'
on: # Any trigger you want
pull_request:
push:
branches:
- main
# These permissions are needed if we want to get access to github workflows
permissions:
contents: read
actions: read
jobs:
infra-report:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Get the report
uses: misiekhardcore/[email protected]
id: get-report
with:
# This input is required, without the configuration file the action will throw an error
config_file_path: ${{ github.workspace }}/.github/workflows/infra-report-config.json
# Any of these can be skipped if we dont want to include them
github_token: ${{ secrets.GITHUB_TOKEN }}
argocd_token: ${{ secrets.ARGOCD_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
# As the action output is formatted as a slack message, its suits best to be send via slack
- name: Send report to slack channel
uses: slackapi/[email protected]
with:
channel-id: '#channel'
slack-message: ${{ steps.get-report.outputs.infra_report }}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}