Check apt dependencies for updates #32
| name: Check apt dependencies for updates | |
| on: | |
| schedule: | |
| - cron: '0 0 * * 0' # Run weekly on Sunday at midnight | |
| workflow_dispatch: # Allow manual triggering | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-apt-updates: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Check for apt package updates | |
| id: check-updates | |
| run: | | |
| # Create a list of all pinned apt packages from github workflow files | |
| # Exclude the current workflow file and ensure package names are not empty | |
| grep -r "apt-get install" .github/workflows/ --exclude="dependabot-apt-update.yml" | grep -o "[a-zA-Z0-9_.:\+~-]\+=[a-zA-Z0-9_.:\+~-]\+" > pinned_apt_packages.txt | |
| # Create report file header | |
| echo "# Apt Package Update Report" > apt_update_report.md | |
| echo "Generated on $(date)" >> apt_update_report.md | |
| echo "" >> apt_update_report.md | |
| if [ -s pinned_apt_packages.txt ]; then | |
| echo "Checking these pinned apt packages for updates:" | |
| cat pinned_apt_packages.txt | |
| echo "## Pinned Packages" >> apt_update_report.md | |
| echo "" >> apt_update_report.md | |
| echo "| Package | Current Version | Latest Version | Update Available |" >> apt_update_report.md | |
| echo "|---------|----------------|---------------|-----------------|" >> apt_update_report.md | |
| # Update apt database | |
| sudo apt-get update | |
| updates_available=false | |
| # Check each package for available updates | |
| while read package; do | |
| pkg_name=${package%=*} | |
| current_version=${package#*=} | |
| # Skip empty package names | |
| if [ -z "$pkg_name" ]; then | |
| continue | |
| fi | |
| available_version=$(apt-cache policy $pkg_name | grep Candidate | awk '{print $2}') | |
| echo "Package: $pkg_name" | |
| echo " Current pinned version: $current_version" | |
| echo " Latest available version: $available_version" | |
| echo "" | |
| if [ "$current_version" != "$available_version" ]; then | |
| update_status="Yes" | |
| updates_available=true | |
| else | |
| update_status="No" | |
| fi | |
| echo "| $pkg_name | $current_version | $available_version | $update_status |" >> apt_update_report.md | |
| done < pinned_apt_packages.txt | |
| echo "" >> apt_update_report.md | |
| if [ "$updates_available" = true ]; then | |
| echo "## Action Required" >> apt_update_report.md | |
| echo "Please update the pinned versions in the workflow files to the latest available versions." >> apt_update_report.md | |
| echo "updates_available=true" >> $GITHUB_OUTPUT | |
| echo "Check complete. Manual update required for outdated packages." | |
| else | |
| echo "## No Action Required" >> apt_update_report.md | |
| echo "All pinned packages are up to date." >> apt_update_report.md | |
| echo "updates_available=false" >> $GITHUB_OUTPUT | |
| echo "Check complete. No manual update required." | |
| fi | |
| else | |
| echo "No pinned apt packages found in workflow files." | |
| echo "## No Pinned Packages Found" >> apt_update_report.md | |
| echo "No pinned apt packages were found in the workflow files." >> apt_update_report.md | |
| echo "updates_available=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Handle issue creation/update | |
| if: steps.check-updates.outputs.updates_available == 'true' | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const content = fs.readFileSync('./apt_update_report.md', 'utf8'); | |
| // Check if issue already exists by searching for it | |
| const existingIssues = await github.rest.issues.listForRepo({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| labels: 'dependencies,apt', | |
| state: 'open' | |
| }); | |
| const existingIssue = existingIssues.data.find(issue => | |
| issue.title === 'Outdated apt packages in workflows' | |
| ); | |
| if (existingIssue) { | |
| // Update existing issue | |
| await github.rest.issues.update({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: existingIssue.number, | |
| body: content | |
| }); | |
| console.log(`Updated existing issue #${existingIssue.number}`); | |
| } else { | |
| // Create new issue | |
| await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: 'Outdated apt packages in workflows', | |
| body: content, | |
| labels: ['dependencies', 'apt'] | |
| }); | |
| console.log('Created new issue for outdated packages'); | |
| } |
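Review bot: The `[ "$current_version" != "$available_version" ]` test in the check-updates step treats any string difference as an available update, so a package the runner image cannot resolve (`apt-cache policy` then prints no `Candidate:` line, leaving `available_version` empty, or prints `(none)`) is reported as outdated with a blank "Latest Version" column and triggers issue creation, and a candidate that is older than the pinned version is flagged the same way; `dpkg --compare-versions` with an explicit guard for the empty/`(none)` case handles both, as below. The `grep -o` that builds `pinned_apt_packages.txt` will also capture any other `key=value` token on an `apt-get install` line (an inline environment assignment, for example), which then produces the same false positive, so the pattern should be narrowed or such tokens skipped before the loop. Separately, because a job-level `permissions:` block replaces the workflow-level one, this job runs with `contents: none`; if the repository is private, the checkout step needs `contents: read` restated under the job. Candidate versions also depend on the `ubuntu-latest` image, so pins made for workflows running on a different runner image may be reported as outdated even when they are current there.
```shell
# … unchanged: pkg_name / current_version extraction and empty-name skip …
available_version=$(apt-cache policy "$pkg_name" | awk '/Candidate:/ {print $2}')
# … unchanged: per-package echo lines …
if [ -z "$available_version" ] || [ "$available_version" = "(none)" ]; then
  # The runner image cannot resolve this package; report it instead of calling it outdated.
  echo "::warning::No candidate version found for $pkg_name on this runner image"
  update_status="Unknown"
elif dpkg --compare-versions "$available_version" gt "$current_version"; then
  update_status="Yes"
  updates_available=true
else
  update_status="No"
fi
```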