Commit 5bd5e01

meysholdt and ona-agent committed
Remove token file step, inline credential helper in gh api call
Co-authored-by: Ona <no-reply@ona.com>
1 parent 2e04a50 commit 5bd5e01

2 files changed

Lines changed: 6 additions & 12 deletions

.ona/fix-codescan-alert.yaml

Lines changed: 3 additions & 6 deletions
@@ -17,14 +17,11 @@ action:
1717
command -v gh && exit 0
1818
curl -sL https://github.com/cli/cli/releases/latest/download/gh_2.74.0_linux_amd64.tar.gz | tar xz -C /tmp
1919
sudo mv /tmp/gh_2.74.0_linux_amd64/bin/gh /usr/local/bin/gh
20-
# Step 2: Export GITHUB_TOKEN from git credential helper
20+
# Step 2: Fetch the highest-severity open code scanning alert
2121
- task:
2222
command: |
23-
printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' > /tmp/.gh-token
24-
# Step 3: Fetch the highest-severity open code scanning alert
25-
- task:
26-
command: |
27-
GITHUB_TOKEN=$(cat /tmp/.gh-token) gh api repos/{owner}/{repo}/code-scanning/alerts \
23+
export GITHUB_TOKEN=$(printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}')
24+
gh api repos/{owner}/{repo}/code-scanning/alerts \
2825
--jq '[.[] | select(.state=="open")] | sort_by(.rule.security_severity_level // "low") | reverse | .[0]' \
2926
> /tmp/codescan-alert.json
3027
cat /tmp/codescan-alert.json
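
Review bot: The added line 23 can export an empty or malformed GITHUB_TOKEN without the task noticing. `export GITHUB_TOKEN=$(...)` returns the exit status of `export`, not of the pipeline inside the substitution, so a failed `git credential fill` still falls through to `gh api`. The unanchored awk pattern `/password/` also matches the `password_expiry_utc=` attribute that newer git versions emit, which would put a second line into the variable, and `-F=` with `print $2` cuts off a value that itself contains `=`. Suggest assigning to a plain variable first, matching only `^password=`, keeping everything after the first `=` (for example `sed -n 's/^password=//p'`), and failing the task with a clear message when the result is empty before calling `gh api`. Dropping the write to `/tmp/.gh-token` is a good change; environments that already ran the old step still have that file, so a one-time `rm -f /tmp/.gh-token` is worth considering.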

.ona/fix-dependabot-alert.yaml

Lines changed: 3 additions & 6 deletions
@@ -17,14 +17,11 @@ action:
1717
command -v gh && exit 0
1818
curl -sL https://github.com/cli/cli/releases/latest/download/gh_2.74.0_linux_amd64.tar.gz | tar xz -C /tmp
1919
sudo mv /tmp/gh_2.74.0_linux_amd64/bin/gh /usr/local/bin/gh
20-
# Step 2: Export GITHUB_TOKEN from git credential helper
20+
# Step 2: Fetch the highest-severity open Dependabot alert
2121
- task:
2222
command: |
23-
printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' > /tmp/.gh-token
24-
# Step 3: Fetch the highest-severity open Dependabot alert
25-
- task:
26-
command: |
27-
GITHUB_TOKEN=$(cat /tmp/.gh-token) gh api repos/{owner}/{repo}/dependabot/alerts \
23+
export GITHUB_TOKEN=$(printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}')
24+
gh api repos/{owner}/{repo}/dependabot/alerts \
2825
--jq '[.[] | select(.state=="open")] | sort_by(.security_advisory.cvss.score) | reverse | .[0]' \
2926
> /tmp/dependabot-alert.json
3027
cat /tmp/dependabot-alert.json
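
Review bot: The `export` on the added line 23 widens the token's scope compared with the removed line 27, which set `GITHUB_TOKEN` only for the single `gh api` invocation. After this change every later command in the same `command: |` block inherits the token in its environment. Suggest capturing the value in an unexported shell variable and passing it as a per-command prefix, `GITHUB_TOKEN="$token" gh api repos/{owner}/{repo}/dependabot/alerts`, so only `gh` sees it. The credential-extraction pipeline is now duplicated verbatim in both workflow files and the new "Step 2" comment no longer mentions that the task reads a token from the git credential helper; a one-line comment above line 23 would keep that documented, and a shared helper would keep the two copies from drifting.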
