-
Notifications
You must be signed in to change notification settings - Fork 83
122 lines (109 loc) · 4.35 KB
/
reusable_suggest_rules_version.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# This is a reusable workflow used by the PR CI
on:
workflow_call:
inputs:
plugin:
description: Name of the plugin that needs to be validated
required: true
type: string
falco-image:
description: Docker image of Falco to be used for validation
required: true
type: string
plugins-artifact:
description: Name of the plugin artifact containing the dev builds
required: true
type: string
rules-checker:
description: Path of the rules checker tool built from falcosecurity/rules
required: true
type: string
arch:
description: Architecture of the plugins artifacts (x86_64 or aarch64)
required: true
type: string
job-index:
description: If used in a matrix, the value of strategy.job-index
required: false
default: 0
type: number
jobs:
# note: we don't need anything else than x86_64 since we're validating rules
check-version:
if: github.event_name == 'pull_request' && inputs.arch == 'x86_64'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- name: Install system dependencies
run: sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
- name: Setup plugin config and rules
id: get-config
run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }}
- name: Get latest tag
id: get-tag
run: ./.github/get-latest-plugin-version.sh ${{ inputs.plugin }}
- name: Download rules tool
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: rules-tool.tar.gz
# note: here we're loading the locally-built plugins, whereas another
# solution would be to pull them with falcoctl. The flaw with this
# approach is that we load the same plugin for both the "old" and the
# "new" rulesets. The issue would be that the job would fail whenever
# the two rulesets depend on plugins with different majors.
# todo(jasondellaluce): fix this corner case in the future
- name: Download plugins
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ inputs.plugins-artifact }}
path: /tmp/plugins-${{ inputs.arch }}
- name: Extract plugins
run: |
for archive in /tmp/plugins-*/*.tar.gz; do
echo Extracting archive "$archive"...
mkdir -p tmpdir && pushd tmpdir
tar -xvf $archive
sudo mkdir -p /usr/share/falco/plugins
sudo cp -r *.so /usr/share/falco/plugins || true
popd && rm -fr tmpdir
done
- name: Compare changed files with previous versions
id: compare
if: steps.get-tag.outputs.version != '0.0.0'
run: |
rules_dir=${{ steps.get-config.outputs.rules_dir }}
if [ -d "$rules_dir" ]; then
./.github/compare-rule-files.sh \
"$rules_dir" \
${{ steps.get-config.outputs.config_file }} \
${{ inputs.plugin }} \
rule_result.txt \
${{ inputs.rules-checker }} \
${{ inputs.falco-image }} \
${{ steps.get-tag.outputs.ref }}
if [ -s rule_result.txt ]; then
if [ ! -s result.txt ]; then
touch result.txt
fi
cat rule_result.txt >> result.txt
fi
fi
if [ -s result.txt ]; then
echo "comment_file=result.txt" >> $GITHUB_OUTPUT
fi
- name: Save PR info
if: steps.compare.outputs.comment_file != ''
run: |
mkdir -p ./pr
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }}
- name: Upload PR info as artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: steps.compare.outputs.comment_file != ''
with:
name: pr-${{ inputs.job-index }}
path: pr/
retention-days: 1