[Test] this is a test for sync_oscal_cac workflow #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync OSCAL content to CAC content | |
| permissions: | |
| contents: write | |
| pull-requests: read | |
| on: | |
| #push: | |
| # branches: | |
| # - master | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| check-oscal-content-update-sync-to-cac: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Step 1: Set up Python 3 | |
| - name: Set up Python 3 | |
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
| with: | |
| python-version: '3.9' | |
| # Step 2: Install Git | |
| - name: Install Git | |
| run: sudo apt-get update && sudo apt-get install -y git | |
| # Step 3: Checkout OSCAL repo | |
| - name: Checkout OSCAL repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| repository: ${{ github.repository }} | |
| path: oscal-content | |
| - name: Get the commit message and PR number | |
| run: | | |
| # cd oscal-content | |
| # # Get the latest commit message | |
| # COMMIT_MSG=$(git log -1 --pretty=%B) | |
| # # Extract the PR number from the commit message (if it's a merge commit) | |
| # PR_NUMBER=$(echo "$COMMIT_MSG" | grep -oP '#\K\d+') | |
| # if [ -n "$PR_NUMBER" ]; then | |
| # echo "Found PR number: $PR_NUMBER" | |
| # echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV | |
| # echo "SKIP=false" >> $GITHUB_ENV | |
| # PR_INFO=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/${PR_NUMBER}") | |
| # # Extract PR title from the response | |
| # PR_TITLE=$(echo "$PR_INFO" | jq -r .title) | |
| # echo "PR Title: $PR_TITLE" | |
| # if [[ "$PR_TITLE" == *"Auto-generated PR from CAC"* ]]; then | |
| # echo "The PR comes from CAC content. The workflow of Sync OSCAL content to CAC will exit." | |
| # echo "Skipping further checks." | |
| # echo "SKIP=true" >> $GITHUB_ENV | |
| # fi | |
| # fi | |
| echo "PR_NUMBER=33" >> $GITHUB_ENV | |
| echo "SKIP=false" >> $GITHUB_ENV | |
| # Step 4: Get the access token for content write permission to CAC content | |
| - name: Get GitHub app token | |
| if: ${{ env.SKIP == 'false' }} | |
| uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 | |
| id: app-token | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| repositories: | | |
| content | |
| oscal-content | |
| # Step 6: Dectect the updates of OSCAL content | |
| - name: Detect the changed files of the PR | |
| id: changed-files | |
| run: | | |
| repo=${{ github.repository }} | |
| # Fetch all pages of the files for the pull request | |
| url="repos/$repo/pulls/${{ env.PR_NUMBER }}/files" | |
| response=$(gh api "$url" --paginate) | |
| echo "$response" | jq -r '.[].filename' > filenames.txt | |
| echo "OUTPUT_SIZE=$(stat --printf="%s" filenames.txt)" >> $GITHUB_OUTPUT | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |
| - name: Checkout CAC repo | |
| if: ${{ steps.changed-files.outputs.OUTPUT_SIZE != '0' }} | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| repository: ComplianceAsCode/content | |
| path: cac-content | |
| token: ${{ steps.app-token.outputs.token }} | |
| fetch-depth: 0 | |
| - name: Checkout complyscribe repo | |
| if: ${{ steps.changed-files.outputs.OUTPUT_SIZE != '0' }} | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| repository: complytime/complyscribe | |
| path: complyscribe | |
| - name: Setup trestlebot | |
| if: ${{ steps.changed-files.outputs.OUTPUT_SIZE != '0' }} | |
| run: | | |
| cd complyscribe && python3 -m venv venv && source venv/bin/activate | |
| python3 -m pip install --no-cache-dir "poetry==1.7.1" | |
| poetry install | |
| # Step 8: Sync OSCAL content to CAC content | |
| - name: Sync OSCAL content to CAC content | |
| if: ${{ steps.changed-files.outputs.OUTPUT_SIZE != '0' }} | |
| run: | | |
| pr_number="${{ github.event.pull_request.number }}" | |
| cat filenames.txt | |
| cd complyscribe && source venv/bin/activate | |
| while IFS= read -r line; do | |
| if [[ "$line" == *catalogs* ]]; then | |
| policy_id=$(echo "$line" | cut -f2 -d"/") | |
| echo "sync oscal catalogs according to update of $line" | |
| echo "poetry run complyscribe sync-oscal-content catalog --repo-path ../oscal-content --committer-email "openscap-ci@gmail.com" --committer-name "openscap-ci" --branch "sync_oscal_pr$pr_number" --cac-content-root "$GITHUB_WORKSPACE/cac-content" --cac-policy-id "$policy_id"" | |
| elif [[ "$line" == "profiles"* ]]; then | |
| policy_id=$(echo $line | cut -f2 -d"/" | cut -f2 -d"-") | |
| product=$(echo "$line" | cut -f2 -d"/" | cut -f1 -d"-") | |
| echo "sync oscal profiles according to update of $line" | |
| echo "poetry run complyscribe sync-oscal-content profile --repo-path ../oscal-content --committer-email "openscap-ci@gmail.com" --committer-name "openscap-ci" --branch "sync_oscal_pr$pr_number" --cac-content-root "$GITHUB_WORKSPACE/cac-content" --cac-policy-id "$policy_id" --product "$product"" | |
| elif [[ "$line" == "component-definitions"* ]]; then | |
| product=$(echo "$line" | cut -f2 -d"/") | |
| profile=$(echo "$line" | cut -f3 -d"/" | cut -f2 -d"-") | |
| echo "sync oscal component-definitions according to update of $line" | |
| echo "poetry run complyscribe sync-oscal-content component-definition --repo-path ../oscal-content --committer-email "openscap-ci@gmail.com" --committer-name "openscap-ci" --branch "sync_oscal_pr$pr_number" --cac-content-root "$GITHUB_WORKSPACE/cac-content" --cac-policy-id "$policy_id" --product "$product" --oscal-profile "$profile"" | |
| fi | |
| done < ../filenames.txt | |
| # Step 9: Create PR to CAC content | |
| - name: Create a Pull Request to OSCAL content | |
| if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} | |
| run: | | |
| cd cac-content | |
| BRANCH_NAME="sync_oscal_pr${{ env.PR_NUMBER }}" | |
| OWNER="ComplianceAsCode" | |
| REPO="content" | |
| if [[ "$(git branch --show-current)" == "$BRANCH_NAME" ]]; then | |
| # Check if the PR exists | |
| PR_EXISTS=$(gh pr list --repo $OWNER/$REPO \ | |
| --head $BRANCH_NAME --state open --json id \ | |
| | jq length) | |
| # Get commits between main and branch | |
| commits=$(git log master..$BRANCH_NAME --oneline) | |
| # If the PR does not exist and there are commits in the branch, | |
| # then create a PR for this branch. | |
| if [ "$PR_EXISTS" -gt 0 ]; then | |
| echo "PR $BRANCH_NAME already exists. Skipping PR creation." | |
| elif [ -z "$commits" ]; then | |
| echo "No commits between main and $BRANCH_NAME. Skipping PR creation." | |
| else | |
| echo "Creating PR for new branch: $BRANCH_NAME" | |
| gh pr create --repo $OWNER/$REPO \ | |
| --title "Auto-generated PR from OSCAL ${{ env.PR_NUMBER }}" \ | |
| --head "$BRANCH_NAME" \ | |
| --base "master" \ | |
| --body "This is an auto-generated PR from OSCAL ${{ env.PR_NUMBER }} updates" | |
| fi | |
| else | |
| echo "No branch $BRANCH_NAME. Skipping PR creation." | |
| fi | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |