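# Regenerates the taxonomy artefacts under taxonomy/ whenever scenarios,
# appsec-rules or the generator scripts change, commits the result back to the
# pushed branch, and, for release branches only, invalidates the CDN cache.
name: Update Taxonomy

on:
  push:
    paths:
      - "scenarios/**.yaml"
      - "scenarios/**.yml"
      - "appsec-rules/**.yaml"
      - "appsec-rules/**.yml"
      - "scripts/**.py"
      - ".github/workflows/update_taxonomy.yaml"
      - "scripts/.scenariosignore"

jobs:
  update-taxonomy:
    runs-on: ubuntu-latest
    # Least-privilege scope for GITHUB_TOKEN: this job pushes a commit
    # (contents) and looks up / comments on the open PR (pull-requests);
    # no other step uses the token.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/setup-python@v4
        with:
          python-version: "3.10"
      - uses: actions/checkout@v4
        with:
          # Full history so that `git pull --rebase` in "Commit files" can work.
          fetch-depth: 0
      - name: Get changed files
        # Lists the files touched by the head commit only (diff-tree on a single
        # commit), so earlier commits of a multi-commit push are not included.
        # The value is exported to GITHUB_ENV but no step shown here reads it;
        # presumably the scripts consume it - confirm before removing.
        run: |
          changed_files=$(git diff-tree --no-commit-id --name-only -r "$GITHUB_SHA" | tr '\n' ',' | sed 's/,$/\n/')
          echo "changed_files=${changed_files}" >> "$GITHUB_ENV"
      - name: Create local changes
        env:
          AUTHOR: ${{ github.actor }}
        # NOTE(review): the pip dependencies are unpinned, so every run installs
        # whatever is latest on PyPI; pin them (requirements file with hashes)
        # to keep the generated taxonomy reproducible.
        run: |
          pip install requests pyyaml mdutils
          python ./scripts/mitre_db.py -o taxonomy/mitre_attack.json
          python ./scripts/scenario_taxonomy.py --hub ./ -b taxonomy/behaviors.json -m taxonomy/mitre_attack.json -o taxonomy/scenarios.json -e taxonomy/scenario_taxonomy_errors.md
          # The error report only exists when the generator found problems.
          [ -f "taxonomy/scenario_taxonomy_errors.md" ] && echo "taxonomy_errors=1" >> "$GITHUB_ENV" || echo "taxonomy_errors=0" >> "$GITHUB_ENV"
      - uses: jwalton/gh-find-current-pr@v1
        id: findPr
        with:
          state: open
      - name: Comment PR if errors
        if: ${{ (env.taxonomy_errors == '1') && (github.event_name == 'push') && (github.ref != 'refs/heads/master') }}
        uses: thollander/actions-comment-pull-request@v2
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          filePath: taxonomy/scenario_taxonomy_errors.md
          pr_number: ${{ steps.findPr.outputs.pr }}
      # Exposes BRANCH_NAME to later steps. The pinned ref was mangled by the
      # page extraction; restore it (preferably a full commit SHA rather than a
      # movable tag).
      - uses: nelonoel/branch-name@<pinned-ref-lost-in-extraction>
      - name: Commit files
        if: ${{ github.event_name == 'push' }}
        # NOTE(review): the committer email below also appears mangled by the
        # page extraction; restore the original bot address.
        # `|| exit 0` turns "nothing to commit" into success, but it also hides
        # a failed rebase - presumably acceptable since the push step would then
        # push nothing; confirm.
        run: |
          git config --local user.email "[email protected]"
          git config --local user.name "GitHub Action"
          (git add taxonomy/ && git commit -m "Update taxonomy" && git pull --rebase origin "${BRANCH_NAME}") || exit 0
      - name: Push changes
        if: ${{ github.event_name == 'push' }}
        # Pinned ref mangled by the page extraction; restore it (see above).
        uses: ad-m/github-push-action@<pinned-ref-lost-in-extraction>
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}

  invalidate-cache:
    runs-on: ubuntu-latest
    needs: update-taxonomy
    # Only invalidate cache on master or vX branches.
    # Branches that don't match this pattern are only used for dev, so we can
    # manually invalidate if needed.
    # We should avoid naming dev branches with something starting with v :D
    #
    # startsWith(searchString, searchValue) tests whether the FIRST argument
    # starts with the second. The original call had them reversed
    # (startsWith('refs/heads/v', github.ref)), which is false for every real
    # vX branch and silently restricted the job to master.
    if: >-
      startsWith(github.ref, 'refs/heads/v') || github.ref == 'refs/heads/master'
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.CF_AWS_ROLE }}
          role-session-name: github-action
          aws-region: eu-west-1
      - name: Get branch name
        # Strips the refs/heads/ prefix; the result is the CDN path segment.
        run: echo "version=${GITHUB_REF#refs/heads/}" >> "$GITHUB_ENV"
      - name: Invalidate cache
        # Values are passed as environment variables instead of being expanded
        # with `${{ }}` inside `run:`: an expression expanded there is spliced
        # into the shell source, so a branch name containing shell
        # metacharacters could change the command. `version` is already in the
        # environment via GITHUB_ENV from the previous step.
        env:
          CF_DISTRIBUTION_ID: ${{ secrets.CF_DISTRIBUTION_ID }}
        run: |
          aws cloudfront create-invalidation --distribution-id "$CF_DISTRIBUTION_ID" --paths "/${version}/taxonomy/*"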