Fix internet exposure rules #977
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: pr-tests | |
on: | |
push: | |
branches: [ master, main ] | |
pull_request: | |
types: [ opened, synchronize, reopened, ready_for_review ] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
REGO_ARTIFACT_KEY_NAME: rego_artifact | |
REGO_ARTIFACT_PATH: releaseDev | |
GH_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
jobs: | |
# main job of testing and building the env. | |
test_pr_checks: | |
permissions: | |
pull-requests: write | |
uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main | |
with: | |
GO_VERSION: '1.21' | |
BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/... | |
secrets: inherit | |
build-and-rego-test: | |
name: Build and test rego artifacts | |
runs-on: ubuntu-latest | |
if: | | |
${{ (always() && | |
(contains(needs.*.result, 'success')) && | |
!(contains(needs.*.result, 'skipped')) && | |
!(contains(needs.*.result, 'failure')) && | |
!(contains(needs.*.result, 'cancelled'))) }} | |
outputs: | |
REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }} | |
REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }} | |
steps: | |
- uses: actions/checkout@v4 | |
name: checkout repo content | |
with: | |
token: ${{ env.GH_ACCESS_TOKEN }} | |
# Test using Golang OPA hot rule compilation | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '1.21' | |
# testing rego library | |
- name: Test Regoes | |
working-directory: testrunner | |
run: | | |
for i in {1..5}; do | |
sudo apt update && break || sleep 15; | |
done | |
for i in {1..5}; do | |
sudo apt install -y cmake && break || sleep 15; | |
done | |
echo "Using Go path: $(which go)" | |
GOPATH=$(go env GOPATH) make | |
- name: Set up Regal | |
uses: StyraInc/[email protected] | |
with: | |
version: v0.10.1 | |
- name: Lint Rego | |
run: regal lint --format github rules | |
- name: setup python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.10.6 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install requests | |
# validate control-ID duplications | |
- run: python ./scripts/validations.py | |
# generating subsections ids | |
- name: Update frameworks subsections | |
run: python ./scripts/generate_subsections_ids.py | |
# run export script to generate regolibrary artifacts | |
# releaseDev clean up is for old compatability. should be removed at end of 2023. | |
- name: Run export script | |
run: | | |
OUTPUT=pre-release python ./scripts/export.py | |
rm -r -f releaseDev | |
cp -R pre-release releaseDev | |
- name: Set outputs | |
id: set_outputs | |
run: | | |
echo "REGO_ARTIFACT_KEY_NAME=${{ env.REGO_ARTIFACT_KEY_NAME }}" >> $GITHUB_OUTPUT | |
echo "REGO_ARTIFACT_PATH=${{ env.REGO_ARTIFACT_PATH }}" >> $GITHUB_OUTPUT | |
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/[email protected] | |
name: Upload artifact | |
with: | |
name: ${{ env.REGO_ARTIFACT_KEY_NAME }} | |
path: ${{ env.REGO_ARTIFACT_PATH }}/ | |
if-no-files-found: error | |
# test kubescape with regolibrary artifacts | |
ks-and-rego-test: | |
uses: kubescape/workflows/.github/workflows/kubescape-cli-e2e-tests.yaml@main | |
if: | | |
${{ (always() && | |
(contains(needs.*.result, 'success')) && | |
!(contains(needs.*.result, 'skipped')) && | |
!(contains(needs.*.result, 'failure')) && | |
!(contains(needs.*.result, 'cancelled'))) }} | |
needs: [build-and-rego-test] | |
with: | |
DOWNLOAD_ARTIFACT_KEY_NAME: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_KEY_NAME }} | |
BINARY_TESTS: '[ "scan_nsa", | |
"scan_mitre", | |
"scan_with_exceptions", | |
"scan_repository", | |
"scan_local_file", | |
"scan_local_glob_files", | |
"scan_nsa_and_submit_to_backend", | |
"scan_mitre_and_submit_to_backend", | |
"scan_local_repository_and_submit_to_backend", | |
"scan_repository_from_url_and_submit_to_backend", | |
"host_scanner", | |
"scan_local_list_of_files", | |
"scan_compliance_score" | |
]' | |
DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }} | |
secrets: inherit | |
clean-up: | |
name: Remove pre-release folder and clean up | |
runs-on: ubuntu-latest | |
needs: [ks-and-rego-test] | |
steps: | |
- uses: actions/checkout@v4 | |
name: checkout repo content | |
with: | |
token: ${{ env.GH_ACCESS_TOKEN }} | |
- name: Remove pre-release folder | |
run: rm -r -f pre-release |