Skip to content

vulnerabilities

vulnerabilities #43

name: vulnerabilities
on:
# Don't require this on push or pull_request, or it'll block releases even for minor vulnerabilities
# push:
# pull_request:
schedule:
- cron: '0 2 * * 2' # Every Tuesday at 2am
jobs:
skip_check:
runs-on: ubuntu-latest
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@master
vulnerabilities:
needs: skip_check
if: ${{ needs.skip_check.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Make sure we get the full history, or else the version number gets screwed up
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
- uses: DeLaGuardo/[email protected]
with:
cli: latest
- uses: actions/cache@v4
with:
path: |
~/.m2/repository
~/.gitlibs
~/.clojure
~/.cpcache
key: ${{ runner.os }}-${{ hashFiles('**/deps.edn') }}
- name: Run NVD vulnerabilities check
env:
NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
run: clojure -Srepro -J-Dclojure.main.report=stderr -T:build nvd
- name: Deploy NVD vulnerability report (dev branch only) # Because GitHub is idiotic and only supports timed jobs on the default branch (dev)
if: ${{ ( success() || failure() ) && github.ref == 'refs/heads/dev' }} # Deploy report regardless of whether the job succeeded or failed
uses: peaceiris/actions-gh-pages@v4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
keep_files: true # Required so that we don't clobber the API docs (published separately)
publish_dir: ./target/nvd
destination_dir: nvd