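---
# Composite action: reads a JSON workflow-configuration file, validates it
# with jq, and exposes the Vault/Slack/FOSSA settings as step outputs.
#
# Hardening notes (reviewer):
#   - Action inputs and the loaded JSON are passed to the scripts through
#     `env:` rather than interpolated with ${{ }} into the shell text, so
#     their contents are data and cannot be executed as shell code.
#   - The config type is bound as a jq variable (--arg) instead of being
#     spliced into the filter string, so it cannot alter the jq program.
#   - Step outputs are written with randomised heredoc delimiters so a value
#     containing newlines or a literal "EOF" line cannot truncate an output
#     or define additional outputs.
name: "Workflow Config Loader (JSON)"
description: "Loads and parses JSON workflow configuration file"
author: "Solace"

inputs:
  config_file:
    description: "Path to JSON configuration file"
    required: true
  config_type:
    description: "Type of configuration to parse (container_scanning, sca_scanning, etc.)"
    required: true

outputs:
  config_json:
    description: "Raw configuration JSON"
    value: ${{ steps.load.outputs.config_json }}
  vault_url:
    description: "Vault URL (read from secrets.vault.url in the config file)"
    value: ${{ steps.parse.outputs.vault_url }}
  vault_secret_path:
    description: "Vault secret path"
    value: ${{ steps.parse.outputs.vault_secret_path }}
  vault_role:
    description: "Vault JWT authentication role"
    value: ${{ steps.parse.outputs.vault_role }}
  vault_aws_role:
    description: "Vault AWS STS role path for ECR authentication"
    value: ${{ steps.parse.outputs.vault_aws_role }}
  vault_secret_mappings:
    description: "Formatted string of Vault secret mappings for hashicorp/vault-action"
    value: ${{ steps.parse.outputs.vault_secret_mappings }}
  slack_channel:
    description: "Slack notification channel"
    value: ${{ steps.parse.outputs.slack_channel }}
  fossa_licensing_mode:
    description: "FOSSA licensing check mode (BLOCK or REPORT)"
    value: ${{ steps.parse.outputs.fossa_licensing_mode }}
  fossa_licensing_block_on:
    description: "Comma-separated list of licensing issues to block on"
    value: ${{ steps.parse.outputs.fossa_licensing_block_on }}
  fossa_vulnerability_mode:
    description: "FOSSA vulnerability check mode (BLOCK or REPORT)"
    value: ${{ steps.parse.outputs.fossa_vulnerability_mode }}
  fossa_vulnerability_block_on:
    description: "Comma-separated list of vulnerability severities to block on"
    value: ${{ steps.parse.outputs.fossa_vulnerability_block_on }}
  fossa_project_id:
    description: "FOSSA project ID override"
    value: ${{ steps.parse.outputs.fossa_project_id }}
  fossa_team:
    description: "FOSSA team name"
    value: ${{ steps.parse.outputs.fossa_team }}
  fossa_labels:
    description: "Comma-separated FOSSA project labels"
    value: ${{ steps.parse.outputs.fossa_labels }}

runs:
  using: "composite"
  steps:
    - name: Load Configuration File
      id: load
      shell: bash
      env:
        # Delivered via the environment, not interpolated into the script.
        CONFIG_FILE: ${{ inputs.config_file }}
      run: |
        echo "📂 Loading configuration from: $CONFIG_FILE"
        if [ ! -f "$CONFIG_FILE" ]; then
          echo "❌ Configuration file not found: $CONFIG_FILE"
          exit 1
        fi
        # jq -c both validates the JSON and compacts it onto one line.
        if ! CONFIG_JSON=$(jq -c '.' "$CONFIG_FILE" 2>&1); then
          echo "❌ Invalid JSON syntax in $CONFIG_FILE"
          echo "Error: $CONFIG_JSON"
          exit 1
        fi
        # Randomised delimiter: a fixed "EOF" could be matched by a line of
        # the value itself and truncate or extend the output.
        DELIM="ghadelim_${RANDOM}${RANDOM}"
        {
          echo "config_json<<${DELIM}"
          printf '%s\n' "$CONFIG_JSON"
          echo "${DELIM}"
        } >> "$GITHUB_OUTPUT"
        echo "✅ Configuration loaded successfully"

    - name: Parse Configuration
      id: parse
      shell: bash
      env:
        # Both values are untrusted text from the caller's repository; keep
        # them out of the script body so quotes in them cannot break out.
        CONFIG: ${{ steps.load.outputs.config_json }}
        CONFIG_TYPE: ${{ inputs.config_type }}
      run: |
        echo "📋 Parsing configuration for type: $CONFIG_TYPE"

        # cfg FILTER: run a raw-output jq filter over the config. The config
        # type is bound to $t with --arg, so it is data rather than filter
        # text (this also makes types containing '-' or other jq-significant
        # characters work, where `.${CONFIG_TYPE}` would not).
        cfg() {
          jq -r --arg t "$CONFIG_TYPE" "$1" <<< "$CONFIG"
        }

        # out NAME VALUE: write one step output. Always uses a heredoc with a
        # randomised delimiter so multi-line values and literal "EOF" lines
        # are carried verbatim instead of truncating the output or defining
        # extra outputs; printf avoids echo's option parsing on values
        # that start with '-'.
        out() {
          local delim="ghadelim_${RANDOM}${RANDOM}"
          {
            echo "$1<<${delim}"
            printf '%s\n' "$2"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"
        }

        # Vault settings: a root-level "secrets.vault" block takes precedence
        # over the per-type block.
        VAULT_URL=$(cfg '.secrets.vault.url // .[$t].secrets.vault.url // ""')
        out vault_url "$VAULT_URL"

        # NOTE: "/path/to/secret" is a placeholder default; a real path is
        # expected to be supplied by the config file.
        VAULT_PATH=$(cfg '.secrets.vault.secret_path // .[$t].secrets.vault.secret_path // "/path/to/secret"')
        out vault_secret_path "$VAULT_PATH"

        VAULT_ROLE=$(cfg '.secrets.vault.role // .[$t].secrets.vault.role // ""')
        out vault_role "$VAULT_ROLE"

        VAULT_AWS_ROLE=$(cfg '.secrets.vault.aws_role // .[$t].secrets.vault.aws_role // ""')
        out vault_aws_role "$VAULT_AWS_ROLE"

        # Secret mappings: must be an array; elements are joined with
        # " ;\n" (the hashicorp/vault-action format). Anything else is
        # ignored with a warning and the output is left empty.
        SECRET_MAPPINGS=$(jq -c --arg t "$CONFIG_TYPE" \
          '.secrets.vault.secret_mappings // .[$t].secrets.vault.secret_mappings // empty' <<< "$CONFIG")
        MAPPINGS_STRING=""
        if [ -n "$SECRET_MAPPINGS" ] && [ "$SECRET_MAPPINGS" != "null" ]; then
          if jq -e 'type == "array"' <<< "$SECRET_MAPPINGS" > /dev/null; then
            MAPPINGS_STRING=$(jq -r 'join(" ;\n")' <<< "$SECRET_MAPPINGS")
          else
            echo "⚠️ secret_mappings found but not an array, ignoring."
          fi
        fi
        out vault_secret_mappings "$MAPPINGS_STRING"

        # Slack channel: root-level only, with a placeholder default.
        SLACK=$(cfg '.slack_channel // "#your-slack-channel"')
        out slack_channel "$SLACK"

        # FOSSA settings live under the per-type block only.
        FOSSA_LIC_MODE=$(cfg '.[$t].fossa.policy.mode // "REPORT"')
        out fossa_licensing_mode "$FOSSA_LIC_MODE"

        FOSSA_LIC_BLOCK=$(cfg '.[$t].fossa.policy.block_on // ["policy_conflict"] | join(",")')
        out fossa_licensing_block_on "$FOSSA_LIC_BLOCK"

        FOSSA_VULN_MODE=$(cfg '.[$t].fossa.vulnerability.mode // "REPORT"')
        out fossa_vulnerability_mode "$FOSSA_VULN_MODE"

        FOSSA_VULN_BLOCK=$(cfg '.[$t].fossa.vulnerability.block_on // ["critical","high"] | join(",")')
        out fossa_vulnerability_block_on "$FOSSA_VULN_BLOCK"

        FOSSA_PROJECT=$(cfg '.[$t].fossa.project_id // ""')
        out fossa_project_id "$FOSSA_PROJECT"

        FOSSA_TEAM=$(cfg '.[$t].fossa.team // ""')
        out fossa_team "$FOSSA_TEAM"

        # Labels: array converted to a comma-separated string.
        FOSSA_LABELS=$(cfg '.[$t].fossa.labels // [] | join(",")')
        out fossa_labels "$FOSSA_LABELS"

        echo "✅ Configuration parsed successfully"
        echo ""
        echo "Parsed values:"
        echo " - Vault URL: ${VAULT_URL:-<not set>}"
        echo " - Vault secret path: ${VAULT_PATH}"
        echo " - Vault role: ${VAULT_ROLE:-<not set>}"
        echo " - Vault AWS role: ${VAULT_AWS_ROLE:-<not set>}"
        echo " - Slack channel: ${SLACK}"
        echo " - FOSSA licensing: ${FOSSA_LIC_MODE} (block on: ${FOSSA_LIC_BLOCK})"
        echo " - FOSSA vulnerability: ${FOSSA_VULN_MODE} (block on: ${FOSSA_VULN_BLOCK})"
        echo " - FOSSA project ID: ${FOSSA_PROJECT:-<default>}"
        echo " - FOSSA team: ${FOSSA_TEAM:-<not set>}"
        echo " - FOSSA labels: ${FOSSA_LABELS:-<not set>}"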