workflows: add dependabump

.github/workflows/dependabump.yml

@@ -0,0 +1,108 @@
+# GENERATED FILE - DO NOT EDIT DIRECTLY.
+# Source: workflows/dependabump/dependabump.yml
+# Edit the source under workflows/, then regenerate.
+
+name: dependabump
+
+on:
+  workflow_call:
+    secrets:
+      SLACK_TOKEN:
+        required: true
+      SLACK_CHANNEL_ID:
+        required: true
+    inputs:
+      severity:
+        required: false
+        type: string
+        default: 'critical,high'
+      post-bump-command:
+        required: false
+        type: string
+
+permissions: { }
+
+jobs:
+  dependabump:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+      security-events: read
+      vulnerability-alerts: read
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+
+      - name: Install tools
+        run: |
+          go install github.com/jmank88/gomods@ec230e90e89d4310b21fdeeba0d1290a3821a901 && \ # v0.1.7
+          go install github.com/smartcontractkit/chainlink-common/script/cmd/dependabot@70b55abaf6e19d887c219b497046838d6113f22c
+        continue-on-error: true
+
+      - name: Bump Dependencies
+        run: |
+          gh api --paginate -H "Accept: application/vnd.github+json" --method GET \
+            '/repos/smartcontractkit/chainlink-common/dependabot/alerts?state=open&ecosystem=Go&severity=${{ inputs.severity }}' \
+            --jq '.[] | select(.security_vulnerability.first_patched_version != null) | .dependency.manifest_path |= rtrimstr("go.mod") | "./\(.dependency.manifest_path) \(.security_vulnerability.package.name) \(.security_vulnerability.first_patched_version.identifier)"' | \
+            dependabot && gomods tidy
+        continue-on-error: true
+
+      - name: Post-bump Command
+        if: ${ inputs.post-bump-command != '' }
+        env:
+          POST_BUMP_COMMAND: ${{ inputs.post-bump-command }}
+        run: eval "${POST_BUMP_COMMAND}"
+
+      - name: Notify Failure
+        if: failure()
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID}}
+            text: "Failed to check for vulnerabilities in `${{ github.repository.name }}`: <${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }}|Run>"
+
+      - if: failure()
+        run: exit 1
+
+      - name: Create Pull Request
+        id: pr
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        with:
+          branch: bot/dependabump
+          commit-message: "bump dependencies"
+          title: "dependabump"
+          body: "Upgrading vulnerable dependencies."
+          sign-commits: true
+        continue-on-error: true
+
+      - name: Notify PR Failure
+        if: failure()
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID}}
+            text: "Vulnerabilities detected in `${{ github.repository.name }}`, but failed to create PR: <${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }}|Run>"
+
+      - if: failure()
+        run: exit 1
+
+      - name: Notify PR Created
+        if: steps.pr.outputs.pull-request-operation == 'created' || steps.pr.outputs.pull-request-operation == 'updated'
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID}}
+            text: "Vulnerabilities detected in `${{ github.repository.name }}` - upgrading dependencies: <${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }}|Run> - <${{ steps.pr.outputs.pull-request-url }}|PR> :review-time:"

workflows/dependabump/README.md

@@ -0,0 +1,30 @@
+# Dependabump
+
+This workflow inspects dependenabot vulnerabilities, and opens pull requests to update dependencies.
+
+## Recommended usage
+Example workflow:
+```yaml
+name: dependabump
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 1-5' # every week-day at midnight
+
+permissions: { }
+
+jobs:
+  dependabump:
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+      security-events: read
+      vulnerability-alerts: read
+    uses: smartcontractkit/.github/workflows/dependabump.yml@main
+    secrets:
+      SLACK_TOKEN: ${{ secrets.DEPENDABUMP_SLACK_API_KEY }}
+      SLACK_CHANNEL_ID: ${{ secrets.DEPENDABUMP_SLACK_CHANNEL_ID }}
+
+```

workflows/dependabump/dependabump.yml

@@ -0,0 +1,104 @@
+name: dependabump
+
+on:
+  workflow_call:
+    secrets:
+      SLACK_TOKEN:
+        required: true
+      SLACK_CHANNEL_ID:
+        required: true
+    inputs:
+      severity:
+        required: false
+        type: string
+        default: 'critical,high'
+      post-bump-command:
+        required: false
+        type: string
+
+permissions: { }
+
+jobs:
+  dependabump:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+      security-events: read
+      vulnerability-alerts: read
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+
+      - name: Install tools
+        run: |
+          go install github.com/jmank88/gomods@ec230e90e89d4310b21fdeeba0d1290a3821a901 && \ # v0.1.7
+          go install github.com/smartcontractkit/chainlink-common/script/cmd/dependabot@70b55abaf6e19d887c219b497046838d6113f22c
+        continue-on-error: true
+
+      - name: Bump Dependencies
+        run: |
+          gh api --paginate -H "Accept: application/vnd.github+json" --method GET \
+            '/repos/smartcontractkit/chainlink-common/dependabot/alerts?state=open&ecosystem=Go&severity=${{ inputs.severity }}' \
+            --jq '.[] | select(.security_vulnerability.first_patched_version != null) | .dependency.manifest_path |= rtrimstr("go.mod") | "./\(.dependency.manifest_path) \(.security_vulnerability.package.name) \(.security_vulnerability.first_patched_version.identifier)"' | \
+            dependabot && gomods tidy
+        continue-on-error: true
+
+      - name: Post-bump Command
+        if: ${ inputs.post-bump-command != '' }
+        env:
+          POST_BUMP_COMMAND: ${{ inputs.post-bump-command }}
+        run: eval "${POST_BUMP_COMMAND}"
+
+      - name: Notify Failure
+        if: failure()
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID}}
+            text: "Failed to check for vulnerabilities in `${{ github.repository.name }}`: <${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }}|Run>"
+
+      - if: failure()
+        run: exit 1
+
+      - name: Create Pull Request
+        id: pr
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        with:
+          branch: bot/dependabump
+          commit-message: "bump dependencies"
+          title: "dependabump"
+          body: "Upgrading vulnerable dependencies."
+          sign-commits: true
+        continue-on-error: true
+
+      - name: Notify PR Failure
+        if: failure()
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID}}
+            text: "Vulnerabilities detected in `${{ github.repository.name }}`, but failed to create PR: <${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }}|Run>"
+
+      - if: failure()
+        run: exit 1
+
+      - name: Notify PR Created
+        if: steps.pr.outputs.pull-request-operation == 'created' || steps.pr.outputs.pull-request-operation == 'updated'
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CHANNEL_ID}}
+            text: "Vulnerabilities detected in `${{ github.repository.name }}` - upgrading dependencies: <${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }}|Run> - <${{ steps.pr.outputs.pull-request-url }}|PR> :review-time:"

workflows/dependabump/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "dependabump",
+  "version": "0.0.0",
+  "description": "",
+  "private": true,
+  "scripts": {},
+  "keywords": [],
+  "author": "@smartcontractkit",
+  "license": "MIT",
+  "packageManager": "pnpm@10.29.3"
+}