malcontent/.github/workflows/third-party.yaml at 4ff508bae6281c8b9a85e1e0dcec34f0af7eaade · chainguard-dev/malcontent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# Copyright 2024 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0

name: Update third-party rules

on:
  workflow_dispatch:
  schedule:
    - cron: "0 */12 * * *"

env:
  GO_RELEASE: "go-1.26"
  YARA_X_RELEASE: "1.14.0"

permissions: {}

jobs:
  update:
    if: ${{ github.repository == 'chainguard-dev/malcontent' }}
    runs-on: ubuntu-latest-arm-16-core
    container:
      image: cgr.dev/chainguard/wolfi-base:latest
      options: >-
        --cap-add DAC_OVERRIDE
        --cap-add SETGID
        --cap-add SETUID
        --cap-drop ALL
        --cgroupns private
        --cpu-shares=16384
        --memory-swappiness=0
        --security-opt no-new-privileges
        --ulimit core=0
        --ulimit nofile=65535:65535
        --ulimit nproc=65535:65535
    permissions:
      contents: write
      id-token: write
      pull-requests: write
    steps:
      - name: Install dependencies
        run: |
          apk update
          apk add bash curl findutils gh git gnutar ${{ env.GO_RELEASE }} nodejs perl upx xz yara-x~${{ env.YARA_X_RELEASE }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Trust repository
        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"

      - name: Get Go cache paths
        id: go-env
        run: |
          echo "modcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
          echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"

      - name: Cache Go dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ${{ steps.go-env.outputs.modcache }}
            ${{ steps.go-env.outputs.cache }}
          key: go-${{ hashFiles('go.sum') }}
          restore-keys: go-

      - name: Get samples commit
        id: samples
        run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT"

      - name: Cache malcontent samples
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: out/chainguard-sandbox/malcontent-samples
          key: samples-${{ steps.samples.outputs.commit }}

      - name: Prepare samples
        run: make samples

      - uses: chainguard-dev/actions/setup-gitsign@de68b87302e6266db5fb5220246f8aa46fe94b67
      - name: Set up Octo-STS
        uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
        id: octo-sts
        with:
          scope: chainguard-dev/malcontent
          identity: third-party

      - name: Run make update-third-party
        run: |
          make update-third-party
      - name: Run make refresh-test-data
        run: |
          make refresh-sample-testdata
      - name: Commit changes and create PR
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
        run: |
          if [[ -n $(git status -s) ]]; then
            DATE=$(date +%F)
            BRANCH="third-party-rule-update-${DATE}"
            git checkout -b "${BRANCH}"
            git add .
            git commit -m "Update third-party rules as of ${DATE}"
            git push origin "${BRANCH}"

            gh pr create -t "Update third-party rules as of ${DATE}" -b "${DATE} third-party rule update for malcontent." -B main -H "${BRANCH}"
          fi
        shell: bash