security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
sigma-rules/.github/workflows/release-fleet.yml
T

208 lines
7.6 KiB
YAML
Raw Permalink Blame History

name: Release Fleet
on:
workflow_dispatch:
inputs:
target_repo:
description: 'Target repository to build a PR against'
required: true
default: 'elastic/integrations'
target_branch:
description: 'Target branch for PR base'
required: true
default: 'main'
draft:
type: choice
description: 'Create a PR as draft'
required: false
options:
- "yes"
- "no"
package_maturity:
type: choice
description: 'Package Maturity'
required: true
options:
- "ga"
- "beta"
new_package:
type: choice
description: 'New Package'
required: true
default: "true"
options:
- "true"
- "false"
jobs:
fleet-pr:
name: Build package and create PR to integrations
runs-on: ubuntu-latest
steps:
- name: Validate the source branch
uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
with:
script: |
if ('refs/heads/main' === '${{github.ref}}') {
core.setFailed('Forbidden branch')
}
- name: Checkout detection-rules
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
with:
path: detection-rules
fetch-depth: 0
- name: Extract version lock commit hash
run: |
cd detection-rules
COMMIT_HASH=$(git log --grep='Lock versions for releases' -1 --format='%H')
echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
echo "Extracted commit hash: $COMMIT_HASH"
- name: Checkout commit hash
run: |
cd detection-rules
echo "Current branch is $GITHUB_REF"
echo "Checking out commit hash $COMMIT_HASH"
git checkout $COMMIT_HASH
- name: Checkout elastic/integrations
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
with:
token: ${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }}
repository: ${{github.event.inputs.target_repo}}
path: integrations
fetch-depth: 0
- name: Set up Python 3.12
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: '3.12'
- name: Install Python dependencies
run: |
cd detection-rules
python -m pip install --upgrade pip
pip cache purge
pip install .[dev]
- name: Bump prebuilt rules package version
env:
PACKAGE_MATURITY: "${{github.event.inputs.package_maturity}}"
NEW_PACKAGE: "${{github.event.inputs.new_package}}"
run: |
cd detection-rules
python -m detection_rules dev bump-pkg-versions \
--patch-release \
--new-package $NEW_PACKAGE \
--maturity $PACKAGE_MATURITY
- name: Store release tag
if: github.event.inputs.package_maturity == 'ga'
run: |
cd detection-rules
output=$(cat detection_rules/etc/packages.yaml | grep -oP '(?<=\sversion: )\S+')
echo "pkg_version=$output" >> $GITHUB_ENV
- name: Create release tag
if: github.event.inputs.package_maturity == 'ga'
run: |
cd detection-rules
RELEASE_TAG="integration-v${{ env.pkg_version }}"
echo "Creating release tag: $RELEASE_TAG"
git tag $RELEASE_TAG
git push origin $RELEASE_TAG
- name: Check out container repository
env:
DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
DR_API_KEY: ${{ secrets.dr_api_key }}
if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
path: elastic-container
repository: peasead/elastic-container
- name: Build and run containers
env:
DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
DR_API_KEY: ${{ secrets.dr_api_key }}
if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
run: |
cd elastic-container
GENERATED_PASSWORD=$(openssl rand -base64 16)
sed -i "s|changeme|$GENERATED_PASSWORD|" .env
echo "::add-mask::$GENERATED_PASSWORD"
echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> $GITHUB_ENV
set -x
bash elastic-container.sh update-version
bash elastic-container.sh start
- name: Get API Key and setup auth
env:
DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
DR_API_KEY: ${{ secrets.dr_api_key }}
DR_ELASTICSEARCH_URL: "https://localhost:9200"
ES_USER: "elastic"
ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
run: |
cd detection-rules
response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
"name": "tmp-api-key",
"expiration": "1d"
}' "$DR_ELASTICSEARCH_URL/_security/api_key")
DR_API_KEY=$(echo "$response" | jq -r '.encoded')
echo "::add-mask::$DR_API_KEY"
echo "DR_API_KEY=$DR_API_KEY" >> $GITHUB_ENV
- name: Build release package
env:
DR_REMOTE_ESQL_VALIDATION: "true"
DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
run: |
cd detection-rules
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "178941316+tradebot-elastic@users.noreply.github.com"
git config --global user.name "tradebot-elastic"
- name: Setup go
uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
with:
go-version: '^1.20.1'
check-latest: true
- name: Build elastic-package
run: |
go install github.com/elastic/elastic-package@latest
- name: Create the PR to Integrations
env:
DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}"
TARGET_REPO: "${{github.event.inputs.target_repo}}"
TARGET_BRANCH: "${{github.event.inputs.target_branch}}"
LOCAL_REPO: "../integrations"
GITHUB_TOKEN: "${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }}"
run: |
cd detection-rules
python -m detection_rules dev integrations-pr \
$LOCAL_REPO \
--github-repo $TARGET_REPO \
--base-branch $TARGET_BRANCH \
--assign ${{github.actor}} \
$DRAFT_ARGS
- name: Archive production artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: release-files
path: |
detection-rules/releases
Reference in New Issue View Git Blame Copy Permalink