feat: updates workflow approach for trestlebot testing (#93)

* feat: updates workflow approach for testlebot testing Signed-off-by: Jennifer Power <[email protected]> * chore: restore linters.yml workflow Signed-off-by: Jennifer Power <[email protected]> * chore: updates component markdown location Signed-off-by: Jennifer Power <[email protected]> * fix: fixes linting errors in YAML Signed-off-by: Jennifer Power <[email protected]> --------- Signed-off-by: Jennifer Power <[email protected]>
RedHatProductSecurity · Sep 13, 2024 · b042f01 · b042f01
1 parent d471a45
commit b042f01
Show file tree

Hide file tree

Showing 12 changed files with 197 additions and 158 deletions.
diff --git a/.github/workflows/autofix-cd.yml b/.github/workflows/autofix-cd.yml
diff --git a/.github/workflows/create-new.yml b/.github/workflows/create-new.yml
@@ -38,7 +38,7 @@ jobs:
           token: ${{ steps.get_installation_token.outputs.token }}
       - name: Create new component definition
         id: create-cd
-        uses: RedHatProductSecurity/trestle-bot/actions/create-cd@v0.10.1
+        uses: RedHatProductSecurity/trestle-bot/actions/create-cd@main
         with:
           markdown_path: "markdown/components"
           profile_name: ${{ github.event.inputs.import_name }}

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -1,11 +1,12 @@
 ---
+
 name: MegaLinter
 
 on:
   push:
   pull_request:
     branches:
-    - main
+      - main
 
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}

diff --git a/.github/workflows/manual-autofix.yml b/.github/workflows/manual-autofix.yml
diff --git a/.github/workflows/manual-transform.yml b/.github/workflows/manual-transform.yml
diff --git a/.github/workflows/transform-rules.yml → .github/workflows/push-to-main.yml b/.github/workflows/transform-rules.yml → .github/workflows/push-to-main.yml
@@ -1,20 +1,22 @@
-name: Transform Rules
-
+name: Push to main
 on:
-  workflow_call:
-    inputs:
-      branch:
-        required: true
-        type: string
+  push:
+    branches:
+      - main
+    paths:
+      - 'profiles/**'
+      - 'catalogs/**'
+      - 'component-definitions/**'
+      - 'markdown/components/**'
+      - 'rules/**'
 
-# Using concurrency to ensure any branch-modifying workflows are not run at the same time.
 concurrency:
-  group: sync-${{ inputs.branch }}
+  group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
 jobs:
-  transform-rules:
-    name: Transform rules content
+  transform-and-sync:
+    name: Automatically Sync Content
     runs-on: ubuntu-latest
     steps:
       - name: Generate app token
@@ -28,25 +30,28 @@ jobs:
       - name: Clone
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.branch }}
           token: ${{ steps.get_installation_token.outputs.token }}
-      - name: Transform rules
-        id: transform
-        uses: RedHatProductSecurity/trestle-bot/actions/[email protected]
+      - name: AutoSync
+        id: autosync
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
         with:
-          file_pattern: "*.json,rules/*"
-          branch: ${{ inputs.branch }}
-          commit_message: "Transform rules to OSCAL [skip ci]"
+          markdown_path: "markdown/components"
+          oscal_model: "compdef"
+          commit_message: "Autosync component definition content [skip ci]"
           commit_user_name: "trestle-bot[bot]"
           commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"
-      - name: Regenerate component definitions
-        uses: RedHatProductSecurity/trestle-bot/actions/[email protected]
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            rules:
+              - 'rules/**'
+      - name: Transform
+        if: steps.changes.outputs.rules == 'true'
+        id: transform
+        uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
         with:
           markdown_path: "markdown/components"
-          oscal_model: "compdef"
-          file_pattern: "markdown/*"
-          branch: ${{ inputs.branch }}
-          skip_assemble: true
-          commit_message: "Generate markdown changes [skip ci]"
+          commit_message: "Auto-transform rules [skip ci]"
           commit_user_name: "trestle-bot[bot]"
           commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,52 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version'
+        required: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate app token
+        uses: tibdex/[email protected]
+        id: get_installation_token
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          permissions: >-
+            {"contents": "write"}
+      - name: Clone
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.get_installation_token.outputs.token }}
+      - name: Autosync
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
+        with:
+          markdown_path: "markdown/components"
+          oscal_model: "compdef"
+          commit_message: "Update content for release [skip ci]"
+          commit_user_name: "trestle-bot[bot]"
+          commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"
+          version: ${{ github.event.inputs.version }}
+      - name: Create and push tags
+        env:
+          VERSION: ${{ github.event.inputs.version }}
+        run: |
+            git tag "${VERSION}"
+            git push origin "${VERSION}"
+      - name: Create Release
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.get_installation_token.outputs.token }}
+          script: |
+            await github.rest.repos.createRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag_name: '${{ github.event.inputs.version }}',
+              name: 'Release v${{ github.event.inputs.version }}',
+              generate_release_notes: true,
+            })
diff --git a/.github/workflows/transform-on-push.yml b/.github/workflows/transform-on-push.yml
diff --git a/.github/workflows/update-external-components.yml b/.github/workflows/update-external-components.yml
@@ -0,0 +1,74 @@
+name: Transform and update OSCAL content
+
+on:
+  workflow_dispatch:
+    inputs:
+      cac-reference:
+        description: 'Compliance as Code git reference'
+        required: true
+        default: 'master'
+
+jobs:
+  create:
+    name: Create content
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+    steps:
+      -   name: Install Deps
+          run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel
+      -   name: Checkout
+          uses: actions/checkout@v4
+          with:
+            repository: ComplianceAsCode/content
+            ref: ${{ github.event.inputs.cac-reference }}
+      -   name: Install deps python
+          run: pip install pcre2 -r requirements.txt -r test-requirements.txt
+      -   name: Build
+          run: |-
+              ./build_product ocp4
+              ./utils/rule_dir_json.py
+              ./utils/oscal/build_cd_from_policy.py -o build/ocp4.json -p fedramp_rev5_high -pr ocp4 -c nist_ocp4:high
+          env:
+            PYTHONPATH: ${{ github.workspace }}
+      - name: Create artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: trestle-content
+          path: build/ocp4.json
+
+  update:
+    name: Update content
+    needs: create
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    container:
+      image: quay.io/continuouscompliance/trestle-bot:v0.10.1
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: trestle-content
+          path: /tmp
+      - name: Import Trestle content
+        run: |
+            rm -rf component-definitions/ocp4/
+            trestle import -f /tmp/ocp4.json -o ocp4
+      - name: Update content
+        uses: peter-evans/[email protected]
+        with:
+          base: main
+          branch: "oscal-update-${{ github.run_id }}"
+          delete-branch: true
+          commit-message: "Update OSCAL content from CaC"
+          title: "Update OSCAL content from CaC"
+          body: |
+            Updates to transformed OCP4 component definitions from CaC.
+
+            Auto-generated by GitHub Actions.
+          add-paths: |
+            component-definitions/
diff --git a/.github/workflows/update-profiles.yml b/.github/workflows/update-profiles.yml
@@ -27,7 +27,7 @@ jobs:
           token: ${{ steps.get_installation_token.outputs.token }}
       - name: Update from upstream repo
         id: sync_upstreams
-        uses: RedHatProductSecurity/trestle-bot/actions/sync-upstreams@v0.10.1
+        uses: RedHatProductSecurity/trestle-bot/actions/sync-upstreams@main
         with:
           branch: "sync-upstream-${{ github.run_id }}"
           target_branch: "main"
@@ -40,7 +40,7 @@ jobs:
             https://github.com/RedHatProductSecurity/oscal-profiles@${{ github.event.inputs.ref }}
       - name: Regenerate component definitions
         if: ${{ steps.sync_upstreams.outputs.commit }}
-        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.10.1
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
         with:
           markdown_path: "markdown/components"
           oscal_model: "compdef"
@@ -50,4 +50,3 @@ jobs:
           commit_message: "Generate markdown changes [skip ci]"
           commit_user_name: "trestle-bot[bot]"
           commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"
-