From ff05aa6002a8fa68d7c880581c7319d1f1908913 Mon Sep 17 00:00:00 2001
From: sayakpaul
Date: Tue, 19 May 2026 15:06:54 +0530
Subject: [PATCH] feat: mention maintainers in the slack security auditing.

---
 .github/workflows/security-audit.yml | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index e7f35185..be26f32c 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -138,12 +138,32 @@ jobs:
 COMMIT_URL: ${{ github.event.head_commit.url }}
 COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
 COMMIT_AUTHOR: ${{ github.event.head_commit.author.username || github.event.head_commit.author.name }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
+ shell: bash
 run: |
 FINDINGS=$(cat /tmp/audit_result.txt)
 COMMIT_TITLE=$(printf '%s\n' "$COMMIT_MESSAGE" | head -n1)
- printf -v HEADER '*Security Audit Finding*\n*Commit:* <%s|%s>\n*Author:* %s\n\n---\n\n' \
- "$COMMIT_URL" "$COMMIT_TITLE" "$COMMIT_AUTHOR"
+ # GitHub username -> Slack member ID. Entries here are only tagged
+ # when the GitHub API confirms the user currently has the admin or
+ # maintain role on this repo, so stale entries are inert.
+ declare -A SLACK_IDS=(
+ ["danieldk"]="U072206PXLK"
+ ["drbh"]="U06C9TW7RDY"
+ ["sayakpaul"]="U03AU4E7DJB"
+ )
+
+ MENTION=""
+ if [ -n "${SLACK_IDS[$COMMIT_AUTHOR]:-}" ]; then
+ ROLE=$(gh api "repos/${REPO}/collaborators/${COMMIT_AUTHOR}/permission" --jq '.role_name' 2>/dev/null || true)
+ if [ "$ROLE" = "admin" ] || [ "$ROLE" = "maintain" ]; then
+ MENTION="<@${SLACK_IDS[$COMMIT_AUTHOR]}> "
+ fi
+ fi
+
+ printf -v HEADER '%s*Security Audit Finding*\n*Commit:* <%s|%s>\n*Author:* %s\n\n---\n\n' \
+ "$MENTION" "$COMMIT_URL" "$COMMIT_TITLE" "$COMMIT_AUTHOR"
 jq -n \
 --arg text "${HEADER}${FINDINGS}" \