Update third-party rules #1135
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2024 Chainguard, Inc. | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Update third-party rules | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 */12 * * *" | |
| env: | |
| CGO_ENABLED: "1" | |
| GO_RELEASE: "go-1.26" | |
| YARA_X_RELEASE: "1.17.0" | |
| permissions: {} | |
| jobs: | |
| update: | |
| if: ${{ github.repository == 'chainguard-dev/malcontent' }} | |
| runs-on: ubuntu-latest-arm-16-core | |
| container: | |
| image: cgr.dev/chainguard/wolfi-base:latest@sha256:9a74366aa10eff2bf14dab0948123bd2c51703e1c553a73740ef687f723aecf4 | |
| options: >- | |
| --cap-add DAC_OVERRIDE | |
| --cap-add SETGID | |
| --cap-add SETUID | |
| --cap-drop ALL | |
| --cgroupns private | |
| --cpu-shares=16384 | |
| --memory-swappiness=0 | |
| --security-opt no-new-privileges | |
| --ulimit core=0 | |
| --ulimit nofile=65535:65535 | |
| --ulimit nproc=65535:65535 | |
| permissions: | |
| contents: write | |
| id-token: write | |
| pull-requests: write | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| apk update | |
| apk add bash curl findutils gcc gh git gnutar "${GO_RELEASE}" make nodejs perl pkgconf upx xz "yara-x~${YARA_X_RELEASE}" | |
| - uses: chainguard-dev/actions/setup-gitsign@05fbd381f7c158bd33c9bbf3a28f67852269fdf8 # main | |
| - name: Set up Octo-STS | |
| uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1 | |
| id: octo-sts | |
| with: | |
| scope: chainguard-dev/malcontent | |
| identity: third-party | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| # zizmor: ignore[artipacked] - credentials needed for git push and gh pr create | |
| with: | |
| token: ${{ steps.octo-sts.outputs.token }} | |
| - name: Trust repository | |
| run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" | |
| - name: Get Go cache paths | |
| id: go-env | |
| run: | | |
| echo "modcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" | |
| echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT" | |
| - name: Cache Go dependencies | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: | | |
| ${{ steps.go-env.outputs.modcache }} | |
| ${{ steps.go-env.outputs.cache }} | |
| key: go-${{ hashFiles('go.sum') }} | |
| restore-keys: go- | |
| - name: Get samples commit | |
| id: samples | |
| run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT" | |
| - name: Cache malcontent samples | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: out/chainguard-sandbox/malcontent-samples | |
| key: samples-${{ steps.samples.outputs.commit }} | |
| - name: Prepare samples | |
| run: make samples | |
| - name: Run make update-third-party | |
| run: | | |
| make update-third-party | |
| - name: Run make refresh-test-data | |
| run: | | |
| make refresh-sample-testdata | |
| - name: Commit changes and create PR | |
| env: | |
| GH_TOKEN: ${{ steps.octo-sts.outputs.token }} | |
| run: | | |
| if [[ -n $(git status -s) ]]; then | |
| DATE=$(date +%F) | |
| BRANCH="third-party-rule-update-${DATE}" | |
| git checkout -b "${BRANCH}" | |
| git add . | |
| git commit -m "Update third-party rules as of ${DATE}" | |
| git push origin "${BRANCH}" | |
| gh pr create -t "Update third-party rules as of ${DATE}" -b "${DATE} third-party rule update for malcontent." -B main -H "${BRANCH}" | |
| fi | |
| shell: bash |