PSCE-256 - Add create-cd GitHub Action (#68)

* feat: adds create-cd GitHub action with updated documentation Signed-off-by: Jennifer Power <[email protected]> * fix: fixes action.yml and updates README for create-cd Signed-off-by: Jennifer Power <[email protected]> * fix: fixes create-cd entrypoint typo Signed-off-by: Jennifer Power <[email protected]> * docs: updates REAMDE.md with information about the create-cd action Signed-off-by: Jennifer Power <[email protected]> * build(deps): Bumps pydantic to 1.10.3 Signed-off-by: Jennifer Power <[email protected]> * docs: updates custom rules dir snippet in rules-transform README.md Signed-off-by: Jennifer Power <[email protected]> --------- Signed-off-by: Jennifer Power <[email protected]>
RedHatProductSecurity · Oct 26, 2023 · 8cae7bc · 8cae7bc
1 parent 7a73162
commit 8cae7bc
Show file tree

Hide file tree

Showing 12 changed files with 534 additions and 293 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -25,20 +25,20 @@ ENV PYTHONUNBUFFERED=1 \
     PYSETUP_PATH="/trestle-bot" \
     VENV_PATH="/trestle-bot/.venv"
 
+LABEL maintainer="Red Hat Product Security" \
+      summary="Trestle Bot"
+
 
 # prepend poetry and venv to path
 ENV PATH="$POETRY_HOME/bin:$VENV_PATH/bin:$PATH"
 
 RUN microdnf update -y \
-    && microdnf install -y python3.9 \
+    && microdnf install -y python3.9 git \
     && microdnf clean all \
     && rm -rf /var/lib/apt/lists/*
 
 FROM python-base as dependencies
 
-RUN microdnf update -y \
-    && microdnf install -y git
-
 # install poetry - respects $POETRY_VERSION & $POETRY_HOME
 RUN  python3.9 -m pip install --no-cache-dir --upgrade pip \
     && pip install --no-cache-dir poetry=="$POETRY_VERSION"
@@ -47,13 +47,10 @@ RUN  python3.9 -m pip install --no-cache-dir --upgrade pip \
 WORKDIR "/build"
 COPY . "/build"
 
-# Install runtime deps
+# Install runtime deps and install the project in non-editable mode.
 RUN python -m venv $VENV_PATH && \
   . $VENV_PATH/bin/activate && \
-  poetry install --without tests,dev --no-root
-
-# install the root project in non-editable mode
-RUN . $VENV_PATH/bin/activate && \
+  poetry install --without tests,dev --no-root && \
   poetry build -f wheel -n && \
   pip install --no-cache-dir --no-deps dist/*.whl && \
   rm -rf dist *.egg-info
@@ -63,17 +60,11 @@ FROM python-base as final
 
 COPY --from=dependencies $PYSETUP_PATH $PYSETUP_PATH
 
-RUN microdnf install -y git \
-    && microdnf clean all \
-    && rm -rf /var/lib/apt/lists/*
-
 # Add wrappers for entrypoints that provide support the actions
 COPY ./actions/autosync/auto-sync-entrypoint.sh /
-RUN chmod +x /auto-sync-entrypoint.sh
-
 COPY ./actions/rules-transform/rules-transform-entrypoint.sh /
-RUN chmod +x /rules-transform-entrypoint.sh
+COPY ./actions/create-cd/create-cd-entrypoint.sh /
+RUN chmod +x /auto-sync-entrypoint.sh /rules-transform-entrypoint.sh /create-cd-entrypoint.sh
 
 ENTRYPOINT ["python3.9", "-m" , "trestlebot"]
 CMD ["--help"]
-
diff --git a/README.md b/README.md
@@ -12,7 +12,9 @@ For detailed documentation on how to use each action, see the README.md in each
 
 The `autosync` action will sync trestle-generated Markdown files to OSCAL JSON files in a trestle workspace. All content under the provided markdown directory when the action is run will be transformed. This action supports all top-level models [supported by compliance-trestle for authoring](https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/).
 
-The `rules-transform` actions can be used when managing [OSCAL Component Definitions](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will transform rules defined in the rules YAML view to an OSCAL Component Definition JSON file.
+The `rules-transform` action can be used when managing [OSCAL Component Definitions](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will transform rules defined in the rules YAML view to an OSCAL Component Definition JSON file.
+
+The `create-cd` action can be used to create a new [OSCAL Component Definition](https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/) in a trestle workspace. The action will create a new Component Definition JSON file and corresponding directories that contain rules YAML files and trestle-generated Markdown files. This action prepares the workspace for use with the `rules-transform` and `autosync` actions.
 
 ### GitLab CI
 

diff --git a/actions/autosync/action.yml b/actions/autosync/action.yml
@@ -4,7 +4,7 @@ description: "An action to perform automatic synchronization of Trestle markdown
 
 inputs:
   markdown_path: 
-    description: Path relative to the repository path where the Trestle markdown files are located. See project README.md for more information.
+    description: Path relative to the repository path where the Trestle markdown files are located. See action README.md for more information.
     required: true
   oscal_model:
     description: OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp.
@@ -28,7 +28,7 @@ inputs:
     description: "Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `profile_x,profile_y*,`."
     required: false
   ssp_index_path:
-    description: Path relative to the repository path where the ssp index is located. See project README.md for information about the ssp index.
+    description: Path relative to the repository path where the ssp index is located. See action README.md for information about the ssp index.
     required: false
     default: "ssp-index.json"
   commit_message:

diff --git a/actions/autosync/auto-sync-entrypoint.sh b/actions/autosync/auto-sync-entrypoint.sh
@@ -15,7 +15,7 @@ fi
 if [ -z ${INPUT_REPOSITORY+x} ]; then
     echo "Skipping setting working directory as safe directory"
 else
-   echo "Setting git safe.directory default: $INPUT_REPOSITORY..."
+   echo "Setting git safe.directory default: $INPUT_REPOSITORY ..."
    git config --global --add safe.directory "$INPUT_REPOSITORY"
 fi
 

diff --git a/actions/create-cd/README.md b/actions/create-cd/README.md
@@ -0,0 +1,69 @@
+# trestlebot Create Component Definition Action
+
+## Basic Configuration
+
+```yaml
+
+name: Example Workflow
+...
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run trestlebot
+        id: trestlebot
+        uses: RedHatProductSecurity/trestle-bot/actions/create-cd@main
+        with:
+          markdown_path: "markdown/components"
+          profile_name: "profile"
+          component_definition_name: "component-definition"
+          component_title: "My Component Title"
+          component_description: "My Component Description"
+```
+
+## Inputs and Outputs
+
+Checkout [`action.yml`](./action.yml) for a full list of supported inputs and outputs.
+
+### Additional information on workflow inputs
+
+- `markdown_path`: This is the location for Markdown generated by the `trestle author <model>-generate` commands.
+
+## Action Behavior
+
+The purpose of this action is to create a new component definition and commit changes back to the branch or submit a pull request (if desired). Below are the main use-cases/workflows available:
+
+- The default behavior of this action is to create a new component definition and commit the changes back to the branch the workflow ran from ( `github.ref_name` ). The branch can be changed by setting the field `branch`. If no changes exist or the changes do not exist with the file pattern set, no changes will be made and the action will exit successfully.
+
+```yaml
+  steps:
+    - uses: actions/checkout@v3
+    - name: Run trestlebot
+      id: trestlebot
+      uses: RedHatProductSecurity/trestle-bot/actions/create-cd@main
+      with:
+        markdown_path: "markdown/components"
+        profile_name: "profile"
+        component_definition_name: "component-definition"
+        component_title: "My Component Title"
+        component_description: "My Component Description"
+        branch: "another-branch"
+```
+
+- If the `target_branch` field is set, a pull request will be made using the `target_branch` as the base branch and `branch` as the head branch.
+
+```yaml
+  steps:
+    - uses: actions/checkout@v3
+    - name: Run trestlebot
+      id: trestlebot
+      uses: RedHatProductSecurity/trestle-bot/actions/create-cd@main
+      with:
+        markdown_path: "markdown/components"
+        profile_name: "profile"
+        component_definition_name: "component-definition"
+        component_title: "My Component Title"
+        component_description: "My Component Description"
+        branch: "create-cd-${{ github.run_id }}"
+        target_branch: "main"
+        github_token: ${{ secret.GITHUB_TOKEN }}
+```
diff --git a/actions/create-cd/action.yml b/actions/create-cd/action.yml
@@ -0,0 +1,92 @@
+name: "trestle-bot-create-cd"
+author: "Red Hat Product Security"
+description: "An action for component definition bootstrapping"
+
+inputs:
+  markdown_path: 
+    description: Path relative to the repository path to create markdown files. See action README.md for more information.
+    required: true
+  profile_name:
+    description: Name of the Trestle profile to use for the component definition
+    required: true
+  component_definition_name:
+    description: Name of the component definition to create
+    required: true
+  component_title:
+    description: Name of the component to create
+    required: true
+  component_type:
+    description: Type of the component to create
+    required: false
+    default: "service"
+  component_description:
+    description: Description of the component to create
+    required: true
+  filter_by_profile:
+    description: Name of the profile in the workspace to filter controls by
+    required: false
+  github_token:
+    description: "GitHub token used to make authenticated API requests"
+    required: false
+  commit_message:
+    description: Commit message
+    required: false
+    default: "Sync automatic updates"
+  pull_request_title:
+    description: Custom pull request title
+    required: false
+    default: "Automatic updates from trestlebot"
+  branch:
+    description: Name of the Git branch to which modifications should be pushed. Required if Action is used on the `pull_request` event.
+    required: false
+    default: ${{ github.ref_name }}
+  target_branch:
+    description: Target branch (or base branch) to create a pull request against. If unset, no pull request will be created. If set, a pull request will be created using the `branch` field as the head branch.
+    required: false
+  file_pattern:
+    description: Comma separated file pattern list used for `git add`. For example `component-definitions/*,*json`. Defaults to (`.`)
+    required: false
+    default: '.'
+  repository:
+    description: Local file path to the git repository. Defaults to the current directory (`.`)
+    required: false
+    default: '.'
+  commit_user_name:
+    description: Name used for the commit user
+    required: false
+    default: github-actions[bot]
+  commit_user_email:
+    description: Email address used for the commit user
+    required: false
+    default: 41898282+github-actions[bot]@users.noreply.github.com
+  commit_author_name:
+    description: Name used for the commit author. Defaults to the username of whoever triggered this workflow run.
+    required: false
+    default: ${{ github.actor }}
+  commit_author_email:
+    description: Email address used for the commit author. Defaults to the email of whoever triggered this workflow run.
+    required: false
+    default: ${{ github.actor }}@users.noreply.github.com
+  verbose:
+    description: Enable verbose logging
+    required: false
+    default: "false"
+
+outputs:
+  changes:
+    description: Value is "true" if changes were committed back to the repository.
+  commit:
+    description: Full hash of the created commit. Only present if the "changes" output is "true".
+  pr_number:
+    description: Number of the submitted pull request. Only present if a pull request is submitted.
+
+runs:
+  using: "docker"
+  image: "../../Dockerfile"
+  entrypoint: "/create-cd-entrypoint.sh"
+  env:
+    GITHUB_TOKEN: ${{ inputs.github_token }}
+
+branding:
+  icon: "check"
+  color: "green"
diff --git a/actions/create-cd/create-cd-entrypoint.sh b/actions/create-cd/create-cd-entrypoint.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -eu
+
+# Manage newest git versions (related to CVE https://github.blog/2022-04-12-git-security-vulnerability-announced/)
+#
+if [ -z ${GITHUB_WORKSPACE+x} ]; then
+  echo "Setting git safe.directory default: /github/workspace ..."
+  git config --global --add safe.directory /github/workspace
+else
+  echo "Setting git safe.directory GITHUB_WORKSPACE: $GITHUB_WORKSPACE ..."
+  git config --global --add safe.directory "$GITHUB_WORKSPACE"
+fi
+
+if [ -z ${INPUT_REPOSITORY+x} ]; then
+    echo "Skipping setting working directory as safe directory"
+else
+   echo "Setting git safe.directory default: $INPUT_REPOSITORY ..."
+   git config --global --add safe.directory "$INPUT_REPOSITORY"
+fi
+
+# Initialize the command variable
+command="trestlebot-create-cd \
+        --profile-name=\"${INPUT_PROFILE_NAME}\" \
+        --compdef-name=\"${INPUT_COMPONENT_DEFINITION_NAME}\" \
+        --component-title=\"${INPUT_COMPONENT_TITLE}\" \
+        --component-description=\"${INPUT_COMPONENT_DESCRIPTION}\" \
+        --component-definition-type=\"${INPUT_COMPONENT_TYPE}\" \
+        --markdown-path=\"${INPUT_MARKDOWN_PATH}\" \
+        --commit-message=\"${INPUT_COMMIT_MESSAGE}\" \
+        --filter-by-profile=\"${INPUT_FILTER_BY_PROFILE}\" \
+        --pull-request-title=\"${INPUT_PULL_REQUEST_TITLE}\" \
+        --branch=\"${INPUT_BRANCH}\" \
+        --file-patterns=\"${INPUT_FILE_PATTERN}\" \
+        --committer-name=\"${INPUT_COMMIT_USER_NAME}\" \
+        --committer-email=\"${INPUT_COMMIT_USER_EMAIL}\" \
+        --author-name=\"${INPUT_COMMIT_AUTHOR_NAME}\" \
+        --author-email=\"${INPUT_COMMIT_AUTHOR_EMAIL}\" \
+        --working-dir=\"${INPUT_REPOSITORY}\" \
+        --target-branch=\"${INPUT_TARGET_BRANCH}\""
+
+# Conditionally include flags
+if [[ ${INPUT_VERBOSE} == true ]]; then
+    command+=" --verbose"
+fi
+
+# Only set the token value when is a target branch so pull requests can be created
+if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
+  if [[ -z ${GITHUB_TOKEN} ]]; then
+    echo "Set the GITHUB_TOKEN env variable."
+    exit 1
+  fi
+
+  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
+fi
+
+exec 3>&1
+output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)
+
+commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')
+
+if [ -n "$commit" ]; then
+    echo "changes=true" >> "$GITHUB_OUTPUT"
+    echo "commit=$commit" >> "$GITHUB_OUTPUT"
+else
+    echo "changes=false" >> "$GITHUB_OUTPUT"
+fi
+
+pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')
+
+if [ -n "$pr_number" ]; then 
+   echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+fi
diff --git a/actions/rules-transform/README.md b/actions/rules-transform/README.md
@@ -13,10 +13,20 @@ name: Example Workflow
       - name: Run trestlebot
         id: trestlebot
         uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
-        with:
-          rules_view_path: "rules/"
 ```
 
+With custom rules directory:
+  
+```yaml 
+  steps:
+    - uses: actions/checkout@v3
+    - name: Run trestlebot
+      id: trestlebot
+      uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
+      with:
+        rules_view_path: "custom-rules-dir/"
+  ```
+
 ## Action Behavior
 
 The purpose of this action is to sync the rules view data in YAML to OSCAL with `compliance-trestle` and commit changes back to the branch or submit a pull request (if desired). Below are the main use-cases/workflows available:
@@ -30,7 +40,6 @@ The purpose of this action is to sync the rules view data in YAML to OSCAL with
       id: trestlebot
       uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
       with:
-        rules_view_path: "rules/"
         branch: "another-branch"
 ```
 
@@ -43,7 +52,6 @@ The purpose of this action is to sync the rules view data in YAML to OSCAL with
       id: trestlebot
       uses: RedHatProductSecurity/trestle-bot/actions/rules-transform@main
       with:
-        rules_view_path: "rules/"
         branch: "transform-${{ github.run_id }}"
         target_branch: "main"
         github_token: ${{ secret.GITHUB_TOKEN }}

diff --git a/actions/rules-transform/action.yml b/actions/rules-transform/action.yml
@@ -4,13 +4,14 @@ description: "A rules transform action to convert trestle rules in YAML format t
 
 inputs:
   rules_view_path: 
-    description: Path relative to the repository path where the Trestle markdown files are located. See project README.md for more information.
-    required: true
+    description: Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`.
+    required: false
+    default: "rules/"
   github_token:
     description: "GitHub token used to make authenticated API requests"
     required: false
   skip_items:
-    description: "Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `profile_x,profile_y*,`."
+    description: "Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`."
     required: false
   commit_message:
     description: Commit message