diff --git a/.github/workflows/socket-fix.yml b/.github/workflows/socket-fix.yml
index af8e5d671..54b105c24 100644
--- a/.github/workflows/socket-fix.yml
+++ b/.github/workflows/socket-fix.yml
@@ -42,48 +42,30 @@ jobs: socket config set defaultOrg "brave" socket fix . "${FLAGS[@]}" - - name: Open Pull Request + - name: Configure GPG + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + git_user_signingkey: true + git_commit_gpgsign: true + + - name: Compute branch name + id: branch env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GHSA_IDS: ${{ inputs.ghsa_ids }} run: | - if ! git diff --quiet; then - BRANCH="socket-fix/$(echo "$GHSA_IDS" | tr ', ' '-' | tr -s '-' | cut -c1-60)" - BASE_SHA="$(gh api "/repos/$GITHUB_REPOSITORY/git/refs/heads/main" --jq '.object.sha')" - CHANGED_FILES=$(git diff --name-only) - NEW_FILES=$(git ls-files --others --exclude-standard) - TREE_ITEMS="[]" - for FILE in $CHANGED_FILES $NEW_FILES; do - if [ -f "$FILE" ]; then - BLOB_SHA=$(gh api --method POST "/repos/$GITHUB_REPOSITORY/git/blobs" \ - --field content="$(base64 -w0 < "$FILE")" \ - --field encoding="base64" \ - --jq '.sha') - TREE_ITEMS=$(echo "$TREE_ITEMS" | jq --arg path "$FILE" --arg sha "$BLOB_SHA" \ - '. + [{"path": $path, "mode": "100644", "type": "blob", "sha": $sha}]') - else - TREE_ITEMS=$(echo "$TREE_ITEMS" | jq --arg path "$FILE" \ - '. 
+ [{"path": $path, "mode": "100644", "type": "blob", "sha": null}]') - fi - done - TREE_SHA=$(jq -n --arg base_tree "$BASE_SHA" --argjson tree "$TREE_ITEMS" \ - '{base_tree: $base_tree, tree: $tree}' \ - | gh api --method POST "/repos/$GITHUB_REPOSITORY/git/trees" --input - --jq '.sha') - COMMIT_SHA=$(jq -n \ - --arg message "fix: address security advisories" \ - --arg tree "$TREE_SHA" \ - --arg parent "$BASE_SHA" \ - '{message: $message, tree: $tree, parents: [$parent], author: {name: "brave-builds", email: "devops@brave.com"}}' \ - | gh api --method POST "/repos/$GITHUB_REPOSITORY/git/commits" --input - --jq '.sha') - gh api --method POST "/repos/$GITHUB_REPOSITORY/git/refs" \ - --field ref="refs/heads/$BRANCH" \ - --field sha="$COMMIT_SHA" - gh pr create \ - --title "fix: address security advisories" \ - --body "Addresses: $GHSA_IDS" \ - --base main \ - --head "$BRANCH" - else - echo "::error::No changes produced by socket fix." - exit 1 - fi + echo "name=socket-fix/$(echo "$GHSA_IDS" | tr ', ' '-' | tr -s '-' | cut -c1-60)" >> "$GITHUB_OUTPUT" + + - name: Create Pull Request + uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 + with: + commit-message: 'fix: address security advisories' + author: brave-support-admin <138038132+brave-support-admin@users.noreply.github.com> + committer: brave-support-admin <138038132+brave-support-admin@users.noreply.github.com> + branch: ${{ steps.branch.outputs.name }} + delete-branch: true + base: main + title: 'fix: address security advisories' + body: 'Addresses: ${{ inputs.ghsa_ids }}' + token: ${{ secrets.LEO_UPDATE_ICONS_PAT }}
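Review bot: The failure path for an empty fix is dropped: the removed run block ended in `echo "::error::No changes produced by socket fix."` and `exit 1` when `git diff --quiet` succeeded, whereas the new Create Pull Request step, as far as I know, just skips PR creation on a clean tree, so a run in which `socket fix` changed nothing now finishes green. Restoring that guard at the top of the Compute branch name run block keeps the old contract: `if git diff --quiet && [ -z "$(git ls-files --others --exclude-standard)" ]; then echo "::error::No changes produced by socket fix."; exit 1; fi`. The PR is now opened with `secrets.LEO_UPDATE_ICONS_PAT`, whose name suggests a token provisioned for a different workflow; if it is a classic PAT its reach goes well beyond this repository, so a fine-grained token limited to this repo with contents and pull-requests write, plus a comment on the `token:` line saying why `GITHUB_TOKEN` is no longer sufficient (presumably so the PR triggers CI), would be the least-privilege choice. For the signed commits to show as verified, the `author`/`committer` identity passed to create-pull-request must match a UID on the key imported by the Configure GPG step, so it is worth confirming the brave-support-admin noreply address is on that key. The job's checkout and socket-fix steps begin above the hunk.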