updated to jira ent (#139518)

Co-authored-by: araya <[email protected]> Co-authored-by: Brax Excell <[email protected]>
Enterprise-CMCS · Nov 17, 2023 · 8dd8c5a · 8dd8c5a
1 parent 154d104
commit 8dd8c5a
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 20 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -23,9 +23,9 @@ jobs:
     env:
       SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline
     steps:
-      - name: set branch_name
+      - name: set branch_name # Some integrations (Dependabot & Snyk) build very long branch names. This is a switch to make long branch names shorter.
         run: |
-          if [[ "$GITHUB_REF" =~ ^refs/heads/dependabot/.* ]]; then # Dependabot builds very long branch names.  This is a switch to make it shorter.
+          if [[ "$GITHUB_REF" =~ ^refs/heads/dependabot/.* ]] || [[ "$GITHUB_REF" =~ ^refs/remotes/origin/snyk-upgrade-* ]] || [[ "$GITHUB_REF" =~ ^refs/remotes/origin/snyk-fix-* ]]; then
             echo "branch_name=`echo ${GITHUB_REF#refs/heads/} | md5sum | head -c 10 | sed 's/^/x/'`" >> $GITHUB_ENV
           else
             echo "branch_name=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV

diff --git a/.github/workflows/scan_security-hub-jira-integration.yml b/.github/workflows/scan_security-hub-jira-integration.yml
@@ -1,4 +1,4 @@
-name: Sync Security Hub findings and Jira issues
+name: Scan and Open Jira Tickets (AWS Security Hub)
 
 on:
   workflow_dispatch: # for testing and manual runs
@@ -23,12 +23,11 @@ jobs:
       - name: Sync Security Hub and Jira
         uses: Enterprise-CMCS/[email protected]
         with:
-          jira-token: ${{ secrets.JIRA_SERVICE_USER_TOKEN }}
-          jira-username: ${{ secrets.JIRA_SERVICE_USERNAME }}
-          jira-host: qmacbis.atlassian.net
-          jira-project-key: MDCT
-          jira-epic-key: MDCT-2280
+          jira-username: "mdct_github_service_account"
+          jira-token: ${{ secrets.JIRA_ENT_USER_TOKEN }}
+          jira-host: jiraent.cms.gov
+          jira-project-key: CMDCT
           jira-ignore-statuses: Done, Closed, Canceled
-          jira-custom-fields: '{ "customfield_14154" : [{"id": "16955", "value": "CARTS"}] }'
+          jira-custom-fields: '{ "customfield_10100": "CMDCT-2280", "customfield_26700" : [{"id": "40101", "value": "CARTS"}] }'
           aws-severities: CRITICAL, HIGH, MEDIUM
-          assign-jira-ticket-to: ${{ secrets.ACCOUNT_ID_REHMAN }}
+          assign-jira-ticket-to: "MWTW"
diff --git a/.github/workflows/scan_snyk-jira-integration.yml b/.github/workflows/scan_snyk-jira-integration.yml
@@ -1,4 +1,4 @@
-name: Snyk Scan and Report
+name: Scan and Open Jira Tickets (Snyk)
 
 on:
   pull_request:
@@ -14,7 +14,6 @@ jobs:
     name: Snyk Run (for PR and push)
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
-
     steps:
       - name: Check out repository
         uses: actions/checkout@v3
@@ -42,17 +41,17 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
       - name: use the custom github  action to parse Snyk output
-        uses: Enterprise-CMCS/[email protected].0
+        uses: Enterprise-CMCS/[email protected].4
         with:
-          jira-username: ${{ secrets.JIRA_SERVICE_USERNAME }}
-          jira-token: ${{ secrets.JIRA_SERVICE_USER_TOKEN }}
-          jira-host: "qmacbis.atlassian.net"
-          jira-project-key: "MDCT"
+          jira-username: "mdct_github_service_account"
+          jira-token: ${{ secrets.JIRA_ENT_USER_TOKEN }}
+          jira-host: "jiraent.cms.gov"
+          jira-project-key: "CMDCT"
           jira-issue-type: "Task"
-          jira-custom-field-key-value: '{ "customfield_10007" : "MDCT-2280", "customfield_14154" : [{"id": "16955", "value": "CARTS"}] }'
+          jira-custom-field-key-value: '{ "customfield_10100": "CMDCT-2280", "customfield_26700" : [{"id": "40101", "value": "CARTS"}] }'
           jira-labels: "CARTS,snyk"
           jira-title-prefix: "[CARTS] - Snyk :"
-          is_jira_enterprise: false
-          assign-jira-ticket-to: ${{ secrets.ACCOUNT_ID_REHMAN }}
+          is_jira_enterprise: true
+          assign-jira-ticket-to: "MWTW"
           scan-output-path: "snyk_output.txt"
           scan-type: "snyk"
diff --git a/.github/workflows/snyk-auto-merge.yml b/.github/workflows/snyk-auto-merge.yml
@@ -0,0 +1,29 @@
+# Adapted from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+name: Snyk auto-merge
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'mdct-github-service-account' }}
+    steps:
+      - name: Snyk Gather Metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1
+      - name: Approve a PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Enable auto-merge for Snyk PRs
+        if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major'}}
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}