add rule templates sync workflow #2012
Conversation
|
This pull request does not have a backport label. Could you fix it @orouz? 🙏
|
📊 Allure Report - 💚 No failures were reported.
|
orouz
force-pushed
the
rule_templates_auto
branch
2 times, most recently
from
5b9fb1e
to
d856e33
Compare
There was a problem hiding this comment.
added new utility functions to bump an integration version. the version bump dispatch workflow also does this and later on it will use these functions
There was a problem hiding this comment.
this file is currently excluded from shellcheck and introduces 2 new errors:
In scripts/common.sh line 93:
local second_version="$(echo "${major2}.${minor2}.x" | xargs)"
^------------^ SC2155 (warning): Declare and assign separately to avoid masking return values.
In scripts/common.sh line 124:
sed -i '' -e '3i\'$'\n'"$next_entry" "$changelog_path"
^-- SC1003 (info): Want to escape a single quote? echo 'This is how it'\''s done'.it works without resolving them and they don't seem critical. someday later on we'll remove this file from the excluded paths and fix all errors.
| # bumps existing preview version: 1.0.0-preview01 -> 1.0.0-preview02, or | ||
| # creates a new preview version: 1.0.0 -> 1.1.0-preview01, and | ||
| # updates the manifest and changelog files | ||
| bump_integration_version() { |
There was a problem hiding this comment.
a PR to an integration must include a changelog and manifest update. depending on when the PR is made, the current integration version may be one of the following:
- some preview version, like
1.0.0-preview01, in which case the preview suffix will be incremented. see example PR for actual changes made - some version, like
1.0.0, in which case the changes will result in this example diff:
+++ b/packages/cloud_security_posture/changelog.yml
@@ -1,5 +1,6 @@
# newer versions go on top
# version map:
+# 1.10.x - 8.15.x
# 1.9.x - 8.14.x
# 1.8.x - 8.13.x
# 1.7.x - 8.12.x
@@ -8,6 +9,11 @@
# 1.4.x - 8.9.x
# 1.3.x - 8.8.x
# 1.2.x - 8.7.x
+- version: 1.10.0-preview01
+ changes:
+ - description: Bump version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9328
- version: "1.9.0"
changes:
- description: Convert fields to secrets
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index bda29ce3e..aaa4fcca8 100644
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.0
name: cloud_security_posture
title: "Security Posture Management"
-version: "1.9.0"
+version: "1.10.0-preview01"
source:
license: "Elastic-2.0"
description: "Identify & remediate configuration risks in your Cloud infrastructure"
@@ -11,7 +11,7 @@ categories:
- cloudsecurity_cdr
conditions:
kibana:
- version: "^8.14.0"
+ version: "^8.15.0"
elastic:
subscription: basic
capabilities:
There was a problem hiding this comment.
this script does the following:
- checkout a new branch from
mainor the existing branch, with hard reset tomain- reset is done to avoid conflicts (in manifest/changelog), or outdated branch if a previous PR was closed and not merged, for some reason
- checking out existing branch instead of deleting to avoid closing an existing PR
- generate the rule templates from cloudbeat's main
- this means that if for example, PR-1 merged a rule and triggered a workflow to open a PR to integrations, then PR-2 was merged to cloudbeat's main with another rule, the generation will include both rules
- commit new rule templates (PR will always have only 2 commits: adding templates and bumping version)
- if a PR is not opened, open it and assign labels.
- bump integration version
- edit the PR body with a nice markdown table with links to added rule templates
There was a problem hiding this comment.
gh api is used instead of gh pr because the latter is buggy
| -f "labels[]=Team:Cloud Security" -f "labels[]=enhancement" | ||
| fi | ||
|
|
||
| pr_url=$(gh api $repo/pulls -q ".[] | select(.head.ref == \"$branch_name\" and .state == \"open\") | .html_url") |
There was a problem hiding this comment.
we need to open a PR and update it so we can use the PR link for the changelog.yml entry and the PR body table links
| git push origin "$branch_name" | ||
|
|
||
| # create PR body | ||
| rows="$(git diff --name-only origin/main -- "$templates_path" | while read -r file; do jq --arg a "$pr_url/files#diff-$(echo -n "$file" | openssl dgst -sha256 | awk '{print $2}')" -r '.attributes.metadata.benchmark | "\(.id): \(.rule_number): \($a)"' "$file"; done | awk '{split($0, a, ": "); b[a[1]] = (b[a[1]] == "" ? "" : b[a[1]] ", ") "["a[2]"]""("a[3]")"} END {for (i in b) printf("| %s | %s |\n", i, b[i])}')" |
There was a problem hiding this comment.
this abomination creates rows with benchmark.id in the 1st column and all of its rules' benchmark.rule_number in the 2nd column. table does look cool though..
orouz
force-pushed
the
rule_templates_auto
branch
from
d856e33
to
0afbdf4
Compare
orouz
force-pushed
the
rule_templates_auto
branch
from
bfea20a
to
030059e
Compare
| - name: Checkout Integrations repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }} |
There was a problem hiding this comment.
why do we need a token for checkout?
There was a problem hiding this comment.
because we need access to push/open PR to the integrations too
| - name: Install Poetry | ||
| working-directory: cloudbeat | ||
| run: | | ||
| curl -sSL https://install.python-poetry.org | python3 - |
There was a problem hiding this comment.
We usually install it using a package manager like pip/pipx in other workflows, any reason to install it directly?
| curl -sSL https://install.python-poetry.org | python3 - | |
| pipx install poetry |
There was a problem hiding this comment.
looks like most workflows install in via curl. hardly an issue IMO
| git push origin "$branch_name" | ||
|
|
||
| # create PR body | ||
| rows="$(git diff --name-only origin/main -- "$templates_path" | while read -r file; do jq --arg a "$pr_url/files#diff-$(echo -n "$file" | openssl dgst -sha256 | awk '{print $2}')" -r '.attributes.metadata.benchmark | "\(.id): \(.rule_number): \($a)"' "$file"; done | awk '{split($0, a, ": "); b[a[1]] = (b[a[1]] == "" ? "" : b[a[1]] ", ") "["a[2]"]""("a[3]")"} END {for (i in b) printf("| %s | %s |\n", i, b[i])}')" |
Summary of your changes
adds a new workflow that triggers on:
mainsecurity-policies/bundle/compliance/**/rules/**/data.yamlfile changes/added.when ran, the script will:
Screenshot/Data
Related Issues