Run `rake sync_github_advisories` as a scheduled workflow

[ddalcino]

I noticed that a significant fraction of the commit history of this project looks like automated changes on the part of the rake sync_github_advisories task. Yesterday, while the maintainers were dealing with #536, I had the impression that running this task manually was a burdensome chore. I think that this task could be made easier using a Github Actions workflow.

If you are interested, I can contribute a PR for a workflow that will automatically run the rake task and submit a PR if any new advisories were added. This workflow could be triggered manually by clicking a button in the Github UI, or it could run on a schedule like a cron job.

Please let me know what you think.

[reedloden]

Please feel free to contribute a workflow. I will note that the current script isn't as easy as it might seem. Still a lot of manual work to take the output and get the advisories in order.

[ddalcino]

I've attempted to get this working in https://github.com/ddalcino/ruby-advisory-db/tree/sync_github_advisories, but I keep running into credential problems. I can run the rake sync_github_advisories task locally, using the same github API token that I'm using in the workflow, and the task runs successfully. However, in a GitHub workflow, I get Github GraphQL credential problems. I don't understand what's going on here, and I'm not sure what to look for in the documentation.

Here's the stack trace from this build: https://github.com/ddalcino/ruby-advisory-db/actions/runs/4109381580/jobs/7091810877

Run bundle exec rake sync_github_advisories
  bundle exec rake sync_github_advisories
  shell: /usr/bin/bash -e {0}
  env:
    GH_API_TOKEN: 
rake aborted!
GitHub::GraphQLAPIClient::GitHubGraphQLAPIError: GitHub GraphQL request to https://api.github.com/graphql failed: {"message":"Bad credentials","documentation_url":"https://docs.github.com/graphql"}
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:77:in `github_graphql_query'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:114:in `block in retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `times'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:95:in `all_rubygem_advisories'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:19:in `sync'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/Rakefile:18:in `block in <top (required)>'
/opt/hostedtoolcache/Ruby/3.2.0/x64/bin/bundle:25:in `load'
/opt/hostedtoolcache/Ruby/3.2.0/x64/bin/bundle:25:in `<main>'
Tasks: TOP => sync_github_advisories

[reedloden]

Try using ${{ secrets.GITHUB_TOKEN }}. The default token should have privileges enough.

[ddalcino]

I have added the secrets.GITHUB_TOKEN, so the sync step is now:

      - name: Sync with Github Advisories
        env:
          GH_API_TOKEN: ${{ secrets.GH_API_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec rake sync_github_advisories

... and I'm still seeing the same 'Bad credentials' error:

Run bundle exec rake sync_github_advisories
  bundle exec rake sync_github_advisories
  shell: /usr/bin/bash -e {0}
  env:
    GH_API_TOKEN: 
    GITHUB_TOKEN: ***
rake aborted!
GitHub::GraphQLAPIClient::GitHubGraphQLAPIError: GitHub GraphQL request to https://api.github.com/graphql failed: {"message":"Bad credentials","documentation_url":"https://docs.github.com/graphql"}
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:77:in `github_graphql_query'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:114:in `block in retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `times'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:95:in `all_rubygem_advisories'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:19:in `sync'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/Rakefile:18:in `block in <top (required)>'
/opt/hostedtoolcache/Ruby/3.2.1/x64/bin/bundle:25:in `load'
/opt/hostedtoolcache/Ruby/3.2.1/x64/bin/bundle:25:in `<main>'
Tasks: TOP => sync_github_advisories
(See full trace by running task with --trace)
Getting page 1 of GitHub Vulnerabilities
Executing GraphQL request: RUBYGEM_VULNERABILITIES_WITH_GITHUB_ADVISORIES. Request variables:
---
first: 100
gem_name: 

Initializing GitHub API connection to URL: https://api.github.com/graphql
Got response code: 401

[reedloden]

I meant this:

      - name: Sync with Github Advisories
        env:
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec rake sync_github_advisories

GH_API_TOKEN is needed here:

ruby-advisory-db/lib/github_advisory_sync.rb

Lines 172 to 181 in 38305c6

	def github_api_token
	unless ENV["GH_API_TOKEN"]
	raise(
	GitHubApiTokenMissingError,
	"Unable to make API requests. Must define 'GH_API_TOKEN' environment variable."
	)
	end
	ENV["GH_API_TOKEN"]
	end

But the value will come from secrets.GITHUB_TOKEN.