shashank-elastic
153 lines
5.9 KiB
YAML
153 lines
5.9 KiB
YAML
name: lock-versions
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
branches:
|
|
description: 'List of branches to lock versions (ordered, comma separated)'
|
|
required: true
|
|
# 7.17 was intentionally skipped because it was added late and was bug fix only
|
|
default: '8.19,9.0,9.1,9.2'
|
|
|
|
jobs:
|
|
pr:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Validate the source branch
|
|
uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
|
|
with:
|
|
script: |
|
|
if ('refs/heads/main' !== '${{github.event.ref}}') {
|
|
core.setFailed('Forbidden branch, expected "main"')
|
|
}
|
|
|
|
- name: Checkout detection-rules
|
|
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Python 3.12
|
|
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip cache purge
|
|
pip install .[dev]
|
|
|
|
- name: Check out container repository
|
|
env:
|
|
DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
|
|
DR_API_KEY: ${{ secrets.dr_api_key }}
|
|
if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
|
|
with:
|
|
path: elastic-container
|
|
repository: peasead/elastic-container
|
|
|
|
- name: Build and run containers
|
|
env:
|
|
DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
|
|
DR_API_KEY: ${{ secrets.dr_api_key }}
|
|
if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
|
|
run: |
|
|
cd elastic-container
|
|
GENERATED_PASSWORD=$(openssl rand -base64 16)
|
|
sed -i "s|changeme|$GENERATED_PASSWORD|" .env
|
|
echo "::add-mask::$GENERATED_PASSWORD"
|
|
echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> $GITHUB_ENV
|
|
set -x
|
|
bash elastic-container.sh start
|
|
|
|
- name: Get API Key and setup auth
|
|
env:
|
|
DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
|
|
DR_API_KEY: ${{ secrets.dr_api_key }}
|
|
DR_ELASTICSEARCH_URL: "https://localhost:9200"
|
|
ES_USER: "elastic"
|
|
ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
|
|
if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
|
|
run: |
|
|
cd detection-rules
|
|
response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
|
|
"name": "tmp-api-key",
|
|
"expiration": "1d"
|
|
}' "$DR_ELASTICSEARCH_URL/_security/api_key")
|
|
|
|
DR_API_KEY=$(echo "$response" | jq -r '.encoded')
|
|
echo "::add-mask::$DR_API_KEY"
|
|
echo "DR_API_KEY=$DR_API_KEY" >> $GITHUB_ENV
|
|
|
|
- name: Build release package with navigator files
|
|
env:
|
|
DR_REMOTE_ESQL_VALIDATION: "true"
|
|
DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
|
|
DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
|
|
DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
|
|
DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
|
|
DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
|
|
run: |
|
|
python -m detection_rules dev build-release --generate-navigator
|
|
|
|
- name: Set github config
|
|
run: |
|
|
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
|
|
git config --global user.name "protectionsmachine"
|
|
|
|
- name: Update navigator gist files and docs-dev/ATT&CK-coverage.md file.
|
|
env:
|
|
GITHUB_TOKEN: "${{ secrets.WRITE_TRADEBOT_GIST_TOKEN }}"
|
|
run: |
|
|
python -m detection_rules dev update-navigator-gists --update-coverage
|
|
git add docs-dev/"ATT\&CK-coverage.md"
|
|
|
|
- name: Lock the versions
|
|
env:
|
|
BRANCHES: "${{github.event.inputs.branches}}"
|
|
DR_REMOTE_ESQL_VALIDATION: "true"
|
|
DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
|
|
DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
|
|
DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
|
|
DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
|
|
DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
|
|
run: |
|
|
./detection_rules/etc/lock-multiple.sh $BRANCHES
|
|
git add detection_rules/etc/version.lock.json
|
|
|
|
- name: Create Pull Request
|
|
id: cpr
|
|
uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
|
|
with:
|
|
assignees: '${{github.actor}}'
|
|
delete-branch: true
|
|
branch: "version-lock"
|
|
commit-message: "Locked versions for releases: ${{github.event.inputs.branches}}"
|
|
branch-suffix: "short-commit-hash"
|
|
title: 'Lock versions for releases: ${{github.event.inputs.branches}}'
|
|
body: |
|
|
Lock versions for releases: ${{github.event.inputs.branches}}.
|
|
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md
|
|
|
|
- Autogenerated from job `lock-versions: pr`.
|
|
labels: "backport: auto"
|
|
|
|
- name: Archive production artifacts
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
with:
|
|
name: release-files
|
|
path: |
|
|
releases
|
|
|
|
- name: Check Double Bumps
|
|
id: check_double_bumps
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
python -m detection_rules dev check-version-lock --pr-number ${{ steps.cpr.outputs.pull-request-number }} --comment
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Double bumps detected, failing the job"
|
|
exit 1
|
|
fi
|