0x5t4l1n/OpenLearnX
1
0
Fork 0
mirror of https://github.com/th30d4y/OpenLearnX.git synced 2026-05-26 19:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add security advisory email notification workflow

Browse Source 
Agent-Logs-Url: https://github.com/th30d4y/OpenLearnX/sessions/0933e001-4da8-4d13-882d-0a845ec776e5

Co-authored-by: 0x5t4l1n <161853795+0x5t4l1n@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-05-04 20:59:18 +00:00
committed by GitHub
parent 1751c8eec0
commit a642d16f89
1 changed files with 93 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/advisory-email-notify.yml
+93
View File
@@ -0,0 +1,93 @@
name: Security Advisory Email Notification
on:
repository_advisory:
types: [reported, created, published, submitted, reopened]
permissions:
contents: read
jobs:
notify-owners:
runs-on: ubuntu-latest
steps:
- name: Ensure SMTP secrets are configured
id: check_secrets
env:
MAIL_SERVER: ${{ secrets.ADVISORY_MAIL_SERVER }}
MAIL_USERNAME: ${{ secrets.ADVISORY_MAIL_USERNAME }}
MAIL_PASSWORD: ${{ secrets.ADVISORY_MAIL_PASSWORD }}
MAIL_TO: ${{ secrets.ADVISORY_MAIL_TO }}
run: |
missing=()
[ -z "$MAIL_SERVER" ] && missing+=("ADVISORY_MAIL_SERVER")
[ -z "$MAIL_USERNAME" ] && missing+=("ADVISORY_MAIL_USERNAME")
[ -z "$MAIL_PASSWORD" ] && missing+=("ADVISORY_MAIL_PASSWORD")
[ -z "$MAIL_TO" ] && missing+=("ADVISORY_MAIL_TO")
if [ ${#missing[@]} -gt 0 ]; then
echo "::warning::Missing required secrets: ${missing[*]}. Skipping advisory email notification. Configure these secrets in your repository or organization settings."
echo "skip=true" >> "$GITHUB_OUTPUT"
else
echo "skip=false" >> "$GITHUB_OUTPUT"
fi
- name: Build email body
if: steps.check_secrets.outputs.skip == 'false'
id: build_body
env:
ADVISORY_TITLE: ${{ github.event.repository_advisory.summary }}
ADVISORY_SEVERITY: ${{ github.event.repository_advisory.severity }}
ADVISORY_STATE: ${{ github.event.repository_advisory.state }}
ADVISORY_CVE: ${{ github.event.repository_advisory.cve_id }}
ADVISORY_URL: ${{ github.event.repository_advisory.html_url }}
ADVISORY_DESCRIPTION: ${{ github.event.repository_advisory.description }}
ADVISORY_ACTION: ${{ github.event.action }}
REPO: ${{ github.repository }}
ACTOR: ${{ github.actor }}
run: |
CVE_LINE=""
if [ -n "$ADVISORY_CVE" ]; then
CVE_LINE="CVE ID : $ADVISORY_CVE"$'\n'
fi
BODY="A security advisory has been ${ADVISORY_ACTION} on the repository ${REPO}.
Repository : https://github.com/${REPO}
Action : ${ADVISORY_ACTION}
Title : ${ADVISORY_TITLE}
Severity : ${ADVISORY_SEVERITY}
State : ${ADVISORY_STATE}
${CVE_LINE}Advisory : ${ADVISORY_URL}
Reported by: ${ACTOR}
--- Description ---
${ADVISORY_DESCRIPTION}
---
This notification was sent automatically by GitHub Actions.
Repository: https://github.com/${REPO}
"
# Write to file to avoid multiline env issues
printf '%s' "$BODY" > /tmp/advisory_body.txt
echo "body_file=/tmp/advisory_body.txt" >> "$GITHUB_OUTPUT"
- name: Send email to org owners
if: steps.check_secrets.outputs.skip == 'false'
# dawidd6/action-send-mail v3.12.0 — pinned to exact commit for supply-chain security.
# Verify: https://github.com/dawidd6/action-send-mail/commit/2cea9617b09d83a84e7015b8b4c893f01b028020
uses: dawidd6/action-send-mail@2cea9617b09d83a84e7015b8b4c893f01b028020
with:
server_address: ${{ secrets.ADVISORY_MAIL_SERVER }}
# ADVISORY_MAIL_PORT defaults to 465 (SMTPS / implicit TLS).
# Set the secret to 587 and secure to false if your SMTP server requires STARTTLS instead.
server_port: ${{ secrets.ADVISORY_MAIL_PORT || 465 }}
secure: ${{ secrets.ADVISORY_MAIL_SECURE || true }}
username: ${{ secrets.ADVISORY_MAIL_USERNAME }}
password: ${{ secrets.ADVISORY_MAIL_PASSWORD }}
subject: "[Security Advisory] [${{ github.event.repository_advisory.severity }}] ${{ github.event.repository_advisory.summary }} — ${{ github.repository }}"
to: ${{ secrets.ADVISORY_MAIL_TO }}
from: "GitHub Advisory Bot <${{ secrets.ADVISORY_MAIL_USERNAME }}>"
body: file:///tmp/advisory_body.txt