elastic-renovate-prod[bot]
39b6f19eb9
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
97 lines
3.3 KiB
YAML
97 lines
3.3 KiB
YAML
name: lock-versions
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
branches:
|
|
description: 'List of branches to lock versions (ordered, comma separated)'
|
|
required: true
|
|
# 7.17 was intentionally skipped because it was added late and was bug fix only
|
|
default: '8.18,8.19,9.0,9.1'
|
|
|
|
jobs:
|
|
pr:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Validate the source branch
|
|
uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
|
|
with:
|
|
script: |
|
|
if ('refs/heads/main' !== '${{github.event.ref}}') {
|
|
core.setFailed('Forbidden branch, expected "main"')
|
|
}
|
|
|
|
- name: Checkout detection-rules
|
|
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Python 3.12
|
|
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip cache purge
|
|
pip install .[dev]
|
|
|
|
- name: Build release package with navigator files
|
|
run: |
|
|
python -m detection_rules dev build-release --generate-navigator
|
|
|
|
- name: Set github config
|
|
run: |
|
|
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
|
|
git config --global user.name "protectionsmachine"
|
|
|
|
- name: Update navigator gist files and docs-dev/ATT&CK-coverage.md file.
|
|
env:
|
|
GITHUB_TOKEN: "${{ secrets.WRITE_TRADEBOT_GIST_TOKEN }}"
|
|
run: |
|
|
python -m detection_rules dev update-navigator-gists --update-coverage
|
|
git add docs-dev/"ATT\&CK-coverage.md"
|
|
|
|
- name: Lock the versions
|
|
env:
|
|
BRANCHES: "${{github.event.inputs.branches}}"
|
|
run: |
|
|
./detection_rules/etc/lock-multiple.sh $BRANCHES
|
|
git add detection_rules/etc/version.lock.json
|
|
|
|
- name: Create Pull Request
|
|
id: cpr
|
|
uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
|
|
with:
|
|
assignees: '${{github.actor}}'
|
|
delete-branch: true
|
|
branch: "version-lock"
|
|
commit-message: "Locked versions for releases: ${{github.event.inputs.branches}}"
|
|
branch-suffix: "short-commit-hash"
|
|
title: 'Lock versions for releases: ${{github.event.inputs.branches}}'
|
|
body: |
|
|
Lock versions for releases: ${{github.event.inputs.branches}}.
|
|
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md
|
|
|
|
- Autogenerated from job `lock-versions: pr`.
|
|
labels: "backport: auto"
|
|
|
|
- name: Archive production artifacts
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
with:
|
|
name: release-files
|
|
path: |
|
|
releases
|
|
|
|
- name: Check Double Bumps
|
|
id: check_double_bumps
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
python -m detection_rules dev check-version-lock --pr-number ${{ steps.cpr.outputs.pull-request-number }} --comment
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Double bumps detected, failing the job"
|
|
exit 1
|
|
fi
|