rl-scanner.yml
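# Post-release supply-chain scan.
# Downloads every asset of the release tagged VERSION_TAG, checks the assets
# against the *_SHA256SUMS file shipped with that same release, then scans each
# .zip with the in-repo rl-scanner action (one matrix job per zip).
name: Post-Release Scan

on:
  push:
    branches:
      - hjet/add-rl-scan
  # Reusable-workflow entry point: callers pass the tag and the scanner secrets.
  workflow_call:
    inputs:
      version_tag:
        type: string
        description: "Release version to scan"
        required: true
        default: "v0.5.3"
    secrets:
      RLSECURE_LICENSE:
        required: true
      RLSECURE_SITE_KEY:
        required: true
      SIGNAL_HANDLER_TOKEN:
        required: true
      PRODSEC_TOOLS_USER:
        required: true
      PRODSEC_TOOLS_TOKEN:
        required: true
      PRODSEC_TOOLS_ARN:
        required: true

# Least privilege for GITHUB_TOKEN: the steps below only read the repo and its
# release assets. NOTE(review): assumes ./.github/actions/rl-scanner needs no
# GITHUB_TOKEN write scope (it receives its own credentials via env) — confirm.
permissions:
  contents: read

env:
  # On a push trigger inputs.version_tag is empty, so fall back to the default.
  VERSION_TAG: ${{ inputs.version_tag || 'v0.5.3' }}

jobs:
  verify-release:
    runs-on: ubuntu-latest
    outputs:
      # JSON array of zip file names, consumed by the scan-artifacts matrix.
      zips: ${{ steps.gather-zips.outputs.zips }}
    steps:
      - name: Confirm gh CLI is installed
        run: |
          which gh
          gh --version

      - name: Download latest release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release download "$VERSION_TAG" \
            --repo "${{ github.repository }}" \
            --clobber
          echo "Downloaded all release files:"
          ls -l || echo "No files downloaded."

      - name: Verify checksums
        # The SHA256SUMS file comes from the same release as the assets, so this
        # only proves the download is intact — not that the release is authentic
        # (no signature is checked here).
        run: |
          # Glob instead of parsing `ls`: several *_SHA256SUMS files are each
          # verified instead of being passed to sha256sum as one bogus name.
          shopt -s nullglob
          CHECKSUM_FILES=(*_SHA256SUMS)
          if [ "${#CHECKSUM_FILES[@]}" -eq 0 ]; then
            echo "No SHA256SUMS file found; failing the job..."
            exit 1
          fi
          for CHECKSUM_FILE in "${CHECKSUM_FILES[@]}"; do
            echo "Verifying checksums with $CHECKSUM_FILE..."
            sha256sum --check "$CHECKSUM_FILE"
          done

      - name: Gather zip files
        id: gather-zips
        run: |
          # Glob instead of parsing `ls` so unusual file names survive intact.
          shopt -s nullglob
          ZIPS=(*.zip)
          if [ "${#ZIPS[@]}" -eq 0 ]; then
            echo "No ZIP files found to scan; failing..."
            exit 1
          fi
          echo "Found ZIP files:"
          printf '%s\n' "${ZIPS[@]}"
          # One JSON string per file name, collected into a compact array.
          ZIPS_JSON=$(printf '%s\n' "${ZIPS[@]}" | jq -R . | jq -s -c .)
          echo "zips=$ZIPS_JSON" >> "$GITHUB_OUTPUT"

      - name: Upload ZIP artifacts
        # TODO(review): consider pinning third-party actions to a full commit
        # SHA instead of a mutable tag (applies to every `uses:` below).
        uses: actions/upload-artifact@v4
        with:
          name: zips
          path: "*.zip"

      - name: Debug gather step
        # Pass the output through env rather than interpolating the expression
        # into the script, so file names cannot alter the shell command.
        env:
          ZIPS: ${{ steps.gather-zips.outputs.zips }}
        run: echo "$ZIPS"

  scan-artifacts:
    needs: verify-release
    runs-on: ubuntu-latest
    strategy:
      # Keep scanning the remaining zips even if one of them fails.
      fail-fast: false
      matrix:
        zip-file: ${{ fromJson(needs.verify-release.outputs.zips) }}
    # The zip name is used by several shell steps below; expose it once via env
    # so no step embeds a `${{ }}` expression directly in a command line.
    env:
      ZIP_FILE: ${{ matrix.zip-file }}
    steps:
      - name: Debug scan step
        run: echo "Now scanning $ZIP_FILE"

      - name: Download ZIP artifacts
        uses: actions/download-artifact@v4
        with:
          name: zips
          path: "."

      # The scanner is a local action, so the repo must be checked out first.
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: List files
        run: ls -l

      - name: Run RL Scanner
        id: rl-scan-conclusion
        uses: ./.github/actions/rl-scanner
        with:
          # `with:` values are not shell-evaluated, so `$(pwd)` would be handed
          # to the action literally; github.workspace is the directory
          # download-artifact wrote the zips into.
          artifact-path: "${{ github.workspace }}/${{ matrix.zip-file }}"
          version: "${{ env.VERSION_TAG }}"
        env:
          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

      - name: Output scan result
        # NOTE(review): with no `continue-on-error` on the scan step and no
        # `if: always()` here, this only runs after a successful scan step —
        # confirm that is the intended behaviour.
        env:
          SCAN_OUTCOME: ${{ steps.rl-scan-conclusion.outcome }}
        run: |
          # Store the RL Scanner outcome in the GITHUB_ENV with a unique key per zip file
          echo "scan-status-${ZIP_FILE}=${SCAN_OUTCOME}" >> "$GITHUB_ENV"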