From d33fb374b71485ffc0a3a9089820a26e2c67bbd7 Mon Sep 17 00:00:00 2001
From: Cameron Dunn
Date: Mon, 2 Oct 2023 14:47:06 -0700
Subject: [PATCH] MQL Mimic: Change to PR CI, detect changes (#828)
---
 .github/workflows/mql-mimic-tests.yml | 40 ---------------------
 .github/workflows/rule-validate.yml | 51 +++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 40 deletions(-)
 delete mode 100644 .github/workflows/mql-mimic-tests.yml
diff --git a/.github/workflows/mql-mimic-tests.yml b/.github/workflows/mql-mimic-tests.yml
deleted file mode 100644
index de506e94e80..00000000000
--- a/.github/workflows/mql-mimic-tests.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: MQL Mimic Tests
-
-on:
- push:
- branches: [ "**" ]
-
-concurrency:
- group: ${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- trigger-via-zapier:
- name: Trigger Test Run
- runs-on: ubuntu-20.04
- permissions:
- checks: write
-
- steps:
-
- - name: "Trigger MQL Mimic Tests"
- env:
- trigger_url: '${{ secrets.MQL_MOCK_TRIGGER }}'
- branch: '${{ github.ref_name }}'
- repo: '${{ github.repository }}'
- token: '${{ secrets.GITHUB_TOKEN }}'
- sha: '${{ github.sha }}'
- run: |
- curl -X POST $trigger_url \
- -H 'Content-Type: application/json' \
- -d '{"branch":"'$branch'","repo":"'$repo'","token":"'$token'","sha":"'$sha'"}'
-
- - name: Wait for check to be completed
- uses: fountainhead/action-wait-for-check@v1.1.0
- id: wait-for-build
- # Wait for results so that the token remains valid while the test suite is executing and posting a check here.
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- checkName: "MQL Mimic Tests"
- ref: ${{ github.sha }}
- timeoutSeconds: 3600
diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml
index 78efe60f6dc..dc15f63eeba 100644
--- a/.github/workflows/rule-validate.yml
+++ b/.github/workflows/rule-validate.yml
@@ -30,6 +30,7 @@ jobs: with: ref: ${{ github.head_ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} + depth: 0 - uses: actions/setup-python@v4 with: @@ -92,6 +93,45 @@ jobs: id: get_head run: echo "##[set-output name=HEAD;]$(git rev-parse HEAD)" + - name: Get changed detection-rules + id: changed-files + uses: tj-actions/changed-files@v39 + with: + files: "detection-rules/**" + recover_deleted_files: true + + - name: "Find updated rule IDs" + id: find_ids + run: | + for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}; do + echo "$file was changed" + rule_id=$(yq '.id' $file) + + echo "$file has rule ID $rule_id" + altered_rule_ids=$(echo "$rule_id"" ""$altered_rule_ids") + done + + echo "Altered Ruled IDs: [$altered_rule_ids]" + echo "##[set-output name=rule_ids;]$(echo $altered_rule_ids)" + # TODO: This doesn't solve for a modified rule_id. We could merge with any files known on 'main', but changing + # a rule ID is a separate problem. + + - name: "Trigger MQL Mimic Tests" + env: + trigger_url: '${{ secrets.MQL_MOCK_TRIGGER }}' + branch: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} + repo: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }} + token: '${{ secrets.GITHUB_TOKEN }}' + sha: '${{ steps.get_head.outputs.HEAD }}' + only_rule_ids: '${{ steps.find_ids.outputs.rule_ids }}' + run: | + body='{"branch":"'$branch'","repo":"'$repo'","token":"'$token'","sha":"'$sha'","only_rule_ids":"'$only_rule_ids'"}' + echo $body + + curl -X POST $trigger_url \ + -H 'Content-Type: application/json' \ + -d "$body" + # When we add a commit, GitHub won't trigger actions on the auto commit, so we're missing a required check on the # HEAD commit. # Various alternatives were explored, but all run into issues when dealing with forks. This sets a "Check" for 
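Review bot: `depth: 0` in the first hunk is not an input that `actions/checkout` defines; the full-history option is `fetch-depth: 0`, so as written the key is ignored with an unexpected-input warning and the clone stays shallow. This assumes the step is the checkout action, since its `uses:` line sits above the hunk and is not visible here. If the changed-files step added further down is meant to compare against the base branch from local history, the line should read `fetch-depth: 0`.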
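Review bot: The `for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}` line in the "Find updated rule IDs" step pastes file names taken from the pull request straight into the shell script, so a crafted path under `detection-rules/` is parsed as shell in a job that also holds `MQL_MOCK_TRIGGER` and `GITHUB_TOKEN`; pass the list through `env:` and quote `$file` instead. The trigger step has the same weakness one level down: the JSON body is concatenated from `$branch` and `$repo`, which come from the PR head when the event is `pull_request_target`, and `echo $body` writes the token-bearing payload to the log where only secret masking protects it. Building the body with `jq --arg` and dropping the echo addresses both. Separately, `tj-actions/changed-files@v39` is a mutable tag on a third-party action, and pinning it to a full commit SHA keeps the step from changing underneath the workflow.

```yaml
      - name: "Find updated rule IDs"
        id: find_ids
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        run: |
          for file in $CHANGED_FILES; do
            rule_id=$(yq '.id' "$file")
            # … unchanged: logging and altered_rule_ids accumulation …
          done
          # … unchanged: rule_ids output …

      - name: "Trigger MQL Mimic Tests"
        # … unchanged: env block …
        run: |
          body=$(jq -cn \
            --arg branch "$branch" --arg repo "$repo" --arg token "$token" \
            --arg sha "$sha" --arg only_rule_ids "$only_rule_ids" \
            '{branch: $branch, repo: $repo, token: $token, sha: $sha, only_rule_ids: $only_rule_ids}')
          curl -X POST "$trigger_url" \
            -H 'Content-Type: application/json' \
            -d "$body"
```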
@@ -126,3 +166,14 @@ jobs:
 text: "Rule Tests and ID Updated",
 },
 });
+
+ - name: Wait for MQL Mimic check to be completed
+ uses: fountainhead/action-wait-for-check@v1.1.0
+ id: wait-for-build
+ # Wait for results so that the token remains valid while the test suite is executing and posting a check here.
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ checkName: "MQL Mimic Tests"
+ ref: ${{ steps.get_head.outputs.HEAD }}
+ timeoutSeconds: 3600
+
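Review bot: Nothing after the added wait step reads `steps.wait-for-build.outputs.conclusion`, so a `failure` or `timed_out` result for the "MQL Mimic Tests" check leaves this job green. If this job is what branch protection looks at (not visible from the hunk), add a final step with `if: steps.wait-for-build.outputs.conclusion != 'success'` and `run: exit 1`. The step also hands `GITHUB_TOKEN` to `fountainhead/action-wait-for-check@v1.1.0`, a third-party action referenced by tag; pinning it to a full commit SHA would fix the exact code that receives the token. The existing comment explains why the job waits but not what happens on a non-success conclusion, which is worth stating there too.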