Adding security check and updater pipeline

2026-03-18 13:47:01 -07:00
parent 9f055f6fa3
commit cb55297bb5
4 changed files with 712 additions and 1 deletions
--- a/scripts/create_mr.sh
+++ b/scripts/create_mr.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+BRANCH="dependency-updates-$(date +%Y%m%d)"
+SUMMARY_FILE="/tmp/update_summary.md"
+
+# configure git
+git config user.email "ci@gitlab.com"
+git config user.name "GitLab CI"
+
+# create and push the update branch
+git checkout -b "$BRANCH"
+git add pyproject.toml poetry.lock
+git commit -m "chore: update dependencies $(date +%Y-%m-%d)"
+git push "https://oauth2:${GITLAB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "$BRANCH"
+
+# build MR description from summary file
+DESCRIPTION=$(cat "$SUMMARY_FILE")
+
+# create MR via GitLab API
+curl --fail --silent --show-error \
+    --request POST \
+    --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
+    --header "Content-Type: application/json" \
+    --data "{
+        \"source_branch\": \"${BRANCH}\",
+        \"target_branch\": \"main\",
+        \"title\": \"chore: dependency updates $(date +%Y-%m-%d)\",
+        \"description\": $(echo "$DESCRIPTION" | python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))'),
+        \"labels\": \"dependencies\",
+        \"remove_source_branch\": true
+    }" \
+    "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests"
+
+echo "Merge request created for branch: $BRANCH"
--- a/scripts/dependency_update.sh
+++ b/scripts/dependency_update.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+set -e
+
+SUMMARY_FILE="/tmp/update_summary.md"
+CHANGES_FOUND=0
+
+echo "## Dependency update summary" > "$SUMMARY_FILE"
+echo "" >> "$SUMMARY_FILE"
+echo "Generated: $(date -u '+%Y-%m-%d %H:%M UTC')" >> "$SUMMARY_FILE"
+echo "" >> "$SUMMARY_FILE"
+
+# ── pip-audit: vulnerability scan ───────────────────────────────────────────
+echo "### Vulnerability scan" >> "$SUMMARY_FILE"
+echo "" >> "$SUMMARY_FILE"
+
+set +e
+poetry run pip-audit --format markdown -o /tmp/audit_output.md 2>&1
+AUDIT_EXIT=$?
+set -e
+
+if [ $AUDIT_EXIT -ne 0 ]; then
+    echo "Vulnerabilities found:" >> "$SUMMARY_FILE"
+    cat /tmp/audit_output.md >> "$SUMMARY_FILE"
+    CHANGES_FOUND=1
+else
+    echo "No vulnerabilities found." >> "$SUMMARY_FILE"
+fi
+
+echo "" >> "$SUMMARY_FILE"
+
+# ── poetry update: check for outdated packages ──────────────────────────────
+echo "### Outdated packages" >> "$SUMMARY_FILE"
+echo "" >> "$SUMMARY_FILE"
+
+# capture current lock file checksum before update
+BEFORE=$(sha256sum poetry.lock | cut -d' ' -f1)
+
+poetry update --without pi 2>&1
+
+AFTER=$(sha256sum poetry.lock | cut -d' ' -f1)
+
+if [ "$BEFORE" != "$AFTER" ]; then
+    echo "The following packages were updated:" >> "$SUMMARY_FILE"
+    echo "" >> "$SUMMARY_FILE"
+    # diff the lock files to summarise what changed
+    git diff poetry.lock | grep '^[+-].*version' | grep -v '^---\|^+++' \
+        | sed 's/^+/Updated: /;s/^-/Was: /' >> "$SUMMARY_FILE" || true
+    CHANGES_FOUND=1
+else
+    echo "All packages are up to date." >> "$SUMMARY_FILE"
+fi
+
+# exit code signals to the pipeline whether an MR is needed
+exit $CHANGES_FOUND