nuclei-templates/.github/workflows/cve-enhancement.yml

name: 🔧 CVE Enhancement

on:
  push:
    branches:
      - main
    paths:
      - '**/cves/**/*.yaml'
  workflow_dispatch:

jobs:
  enhance:
    runs-on: ubuntu-latest
    if: github.repository == 'projectdiscovery/nuclei-templates'
    permissions:
      contents: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: pip install requests

      - name: Get changed CVE files
        id: files
        run: |
          # Get files changed in the last commit
          FILES=$(git diff --name-only HEAD~1 HEAD | grep 'cves/.*\.yaml$' || echo "")
          if [ -n "$FILES" ]; then
            echo "changed=true" >> $GITHUB_OUTPUT
            echo "$FILES" > /tmp/cve_files.txt
            echo "Changed CVE files:"
            cat /tmp/cve_files.txt
          else
            echo "changed=false" >> $GITHUB_OUTPUT
          fi

      - name: Enhance CVE templates
        if: steps.files.outputs.changed == 'true'
        run: |
          while read file; do
            [ -f "$file" ] && python .github/scripts/enhance-cve-fields.py "$file"
          done < /tmp/cve_files.txt

      - name: Commit changes
        if: steps.files.outputs.changed == 'true'
        run: |
          if ! git diff --quiet; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add -A
            git commit -m "chore: add impact and remediation fields 🤖"
            git pull origin $GITHUB_REF --rebase
            git push origin $GITHUB_REF
          fi