ci: publish OSV data to dedicated branch #78
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The osv.dev project will be enhanced to ingest OSV data from our advisory database. One of the convenient formats for them is to track a Git branch containing the raw OSV data. To facilitate this, add a CI step that exports the OSV data to the `generated/osv-export` branch. This step only runs upon a push to `main`. It exports all the advisories as OSV JSON files, sorted into directories by year. Then it snapshots this content onto the `generated/osv-export` branch and pushes it. The commit message contains a UTC timestamp, and the hash of the corresponding commit on `main`. No commit is made unless the OSV content has changed. The `generated/osv-export` target branch must already exist. The GitHub Actions token needs write permissions in the repository, so that it can push the updated OSV data branch.
blackheaven
approved these changes
Jun 29, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
note: the PR's CI job won't publish the advisories. This is by design. Only pushes to
mainwill trigger the publish step.The osv.dev project will be enhanced to ingest OSV data from our advisory database. One of the convenient formats for them is to track a Git branch containing the raw OSV data.
To facilitate this, add a CI step that exports the OSV data to the
generated/osv-exportbranch. This step only runs upon a push tomain. It exports all the advisories as OSV JSON files, sorted into directories by year. Then it snapshots this content onto thegenerated/osv-exportbranch and pushes it. The commit message contains a UTC timestamp, and the hash of the corresponding commit onmain.No commit is made unless the OSV content has changed. The
generated/osv-exporttarget branch must already exist.The GitHub Actions token needs write permissions in the repository, so that it can push the updated OSV data branch.
hsec-tools