Skip to content

Update blockers meta #5

Update blockers meta

Update blockers meta #5

name: Update Taxonomy
on:
push:
paths:
- "scenarios/**.yaml"
- "scenarios/**.yml"
- "appsec-rules/**.yaml"
- "appsec-rules/**.yml"
- "scripts/**.py"
- ".github/workflows/update_taxonomy.yaml"
- "scripts/.scenariosignore"
jobs:
update-taxonomy:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-python@v4
with:
python-version: "3.10"
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
run: |
changed_files=$(git diff-tree --no-commit-id --name-only -r $GITHUB_SHA | tr '\n' ',' | sed 's/,$/\n/')
echo "changed_files=${changed_files}" >> $GITHUB_ENV
- name: Create local changes
env:
AUTHOR: ${{ github.actor }}
run: |
pip install requests pyyaml mdutils
python ./scripts/mitre_db.py -o taxonomy/mitre_attack.json
python ./scripts/scenario_taxonomy.py --hub ./ -b taxonomy/behaviors.json -m taxonomy/mitre_attack.json -o taxonomy/scenarios.json -e taxonomy/scenario_taxonomy_errors.md
[ -f "taxonomy/scenario_taxonomy_errors.md" ] && echo "taxonomy_errors=1" >> $GITHUB_ENV || echo "taxonomy_errors=0" >> $GITHUB_ENV
- uses: jwalton/gh-find-current-pr@v1
id: findPr
with:
state: open
- name: Comment PR if errors
if: ${{ (env.taxonomy_errors == '1') && (github.event_name == 'push') && (github.ref != 'refs/heads/master') }}
uses: thollander/actions-comment-pull-request@v2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
filePath: taxonomy/scenario_taxonomy_errors.md
pr_number: ${{ steps.findPr.outputs.pr }}
- uses: nelonoel/branch-name@v1.0.1
- name: Commit files
if: ${{ github.event_name == 'push'}}
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
(git add taxonomy/ && git commit -m "Update taxonomy" && git pull --rebase origin ${BRANCH_NAME}) || exit 0
- name: Push changes
if: ${{ github.event_name == 'push'}}
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
invalidate-cache:
runs-on: ubuntu-latest
needs: update-taxonomy
#Only invalidate cache on master or vX branches
#Branches that don't match this pattern are only used for dev, so we can manually invalidate if needed
#We should avoid naming dev branches with something starting with v :D
if: |
startsWith('refs/heads/v', github.ref) || github.ref == 'refs/heads/master'
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.CF_AWS_ROLE }}
role-session-name: github-action
aws-region: eu-west-1
- name: Get branch name
run: echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
- name: Invalidate cache
run: |
aws cloudfront create-invalidation --distribution-id ${{ secrets.CF_DISTRIBUTION_ID }} --paths "/${{ env.version }}/taxonomy/*"