mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
davida-ps
9fd3059271
* fix(traffic): use a traffic-capable PAT for the archive workflow The daily Archive GitHub Traffic run has failed since creation: the TRAFFIC_ARCHIVE_TOKEN secret was never provisioned, so the workflow fell back to github.token, which GitHub categorically rejects on traffic endpoints (403 "Resource not accessible by integration"). - Fall back to the existing POLL_NVD_CVES_PAT automation token instead of github.token, keeping TRAFFIC_ARCHIVE_TOKEN as the preferred override once provisioned. - Fail fast with an actionable error when no traffic-capable token is configured. - Explain token requirements in the script's 401/403 errors. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(traffic): require dedicated TRAFFIC_ARCHIVE_TOKEN, drop expired PAT fallback A live dispatch confirmed POLL_NVD_CVES_PAT is expired (401 Bad credentials), so falling back to it only trades one daily failure for another. Require the dedicated secret and fail fast with setup instructions instead. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
87 lines
2.8 KiB
YAML
87 lines
2.8 KiB
YAML
name: Archive GitHub Traffic
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '17 3 * * *'
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
concurrency:
|
|
group: traffic-archive
|
|
cancel-in-progress: false
|
|
|
|
env:
|
|
TRAFFIC_ARCHIVE_BRANCH: traffic-archive
|
|
TRAFFIC_ARCHIVE_DIR: ../traffic-archive/traffic
|
|
|
|
jobs:
|
|
archive:
|
|
name: Capture traffic snapshot
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout source
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
|
|
- name: Setup Node
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
|
|
- name: Prepare archive branch
|
|
env:
|
|
ARCHIVE_PUSH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
git config --global user.name "github-actions[bot]"
|
|
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
|
|
server="${GITHUB_SERVER_URL#https://}"
|
|
archive_remote="https://x-access-token:${ARCHIVE_PUSH_TOKEN}@${server}/${GITHUB_REPOSITORY}.git"
|
|
|
|
if git ls-remote --exit-code --heads "${archive_remote}" "${TRAFFIC_ARCHIVE_BRANCH}" >/dev/null 2>&1; then
|
|
git clone --branch "${TRAFFIC_ARCHIVE_BRANCH}" --depth 1 "${archive_remote}" ../traffic-archive
|
|
else
|
|
git init -b "${TRAFFIC_ARCHIVE_BRANCH}" ../traffic-archive
|
|
git -C ../traffic-archive remote add origin "${archive_remote}"
|
|
fi
|
|
|
|
mkdir -p "${TRAFFIC_ARCHIVE_DIR}"
|
|
|
|
- name: Collect traffic
|
|
env:
|
|
# Traffic endpoints reject the Actions GITHUB_TOKEN ("Resource not
|
|
# accessible by integration") — a PAT from a user with push access
|
|
# is required: classic with repo scope, or fine-grained with read
|
|
# access to Administration on this repository.
|
|
GH_TRAFFIC_TOKEN: ${{ secrets.TRAFFIC_ARCHIVE_TOKEN }}
|
|
GITHUB_REPOSITORY: ${{ github.repository }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
if [ -z "${GH_TRAFFIC_TOKEN}" ]; then
|
|
echo "::error::No traffic-capable token configured. Set the TRAFFIC_ARCHIVE_TOKEN secret to a PAT with push access (classic: repo scope; fine-grained: Administration read)."
|
|
exit 1
|
|
fi
|
|
|
|
node scripts/archive-github-traffic.mjs --archive-dir "${TRAFFIC_ARCHIVE_DIR}"
|
|
|
|
- name: Commit archive
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
cd ../traffic-archive
|
|
git add traffic/archive.json traffic/summary.json
|
|
git rm --ignore-unmatch traffic/README.md
|
|
|
|
if git diff --cached --quiet; then
|
|
echo "No traffic archive changes."
|
|
exit 0
|
|
fi
|
|
|
|
git commit -m "chore(traffic): archive repository traffic $(date -u +%F)"
|
|
git push origin HEAD:${TRAFFIC_ARCHIVE_BRANCH}
|