mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-09 04:46:31 +00:00
Add hourly enrichment workflow with resume and timeout support
- Add --existing-db flag to enrich command to skip already-enriched advisories - Add --timeout-secs flag to stop processing after a time budget - Create .github/workflows/enrich.yml that runs hourly on a 55-minute budget - Workflow commits enriched vuln_db.json to repo, checkpointing progress - Each run picks up where the last left off, progressively enriching the backlog https://claude.ai/code/session_01Pp3k3jGUtnTTqvMMr1uP4Y
This commit is contained in:
parent
df0064c90c
commit
e797dadbad
3 changed files with 146 additions and 13 deletions
68
.github/workflows/enrich.yml
vendored
Normal file
68
.github/workflows/enrich.yml
vendored
Normal file
|
|
@ -0,0 +1,68 @@
|
|||
name: Enrich Vulnerability Database
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# Run every hour
|
||||
- cron: '0 * * * *'
|
||||
workflow_dispatch: {}
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
concurrency:
|
||||
group: enrich-vuln-db
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
enrich:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 60
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Install Rust
|
||||
uses: dtolnay/rust-toolchain@stable
|
||||
|
||||
- name: Cache cargo registry & build
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: |
|
||||
~/.cargo/registry
|
||||
~/.cargo/git
|
||||
target
|
||||
key: ${{ runner.os }}-cargo-enrich-${{ hashFiles('**/Cargo.lock') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-cargo-enrich-
|
||||
|
||||
- name: Build
|
||||
run: cargo build --release
|
||||
|
||||
- name: Run enrichment (55 min budget)
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
# Use existing DB if present, otherwise start fresh
|
||||
EXISTING_FLAG=""
|
||||
if [ -f vuln_db.json ]; then
|
||||
EXISTING_FLAG="--existing-db vuln_db.json"
|
||||
fi
|
||||
|
||||
cargo run --release -- enrich \
|
||||
--limit 999999 \
|
||||
--timeout-secs 3300 \
|
||||
$EXISTING_FLAG \
|
||||
--output vuln_db.json
|
||||
|
||||
- name: Commit and push if changed
|
||||
run: |
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "github-actions[bot]@users.noreply.github.com"
|
||||
git add vuln_db.json
|
||||
if git diff --cached --quiet; then
|
||||
echo "No changes to vuln_db.json, skipping commit."
|
||||
else
|
||||
TOTAL=$(jq '.entries | length' vuln_db.json)
|
||||
WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json)
|
||||
git commit -m "chore: enrich vuln db (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)"
|
||||
git push
|
||||
fi
|
||||
Loading…
Add table
Add a link
Reference in a new issue