new(README): add explanation about rules 2.x #247
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Rules | |
on: | |
pull_request: | |
branches: | |
- main | |
- release/* | |
push: | |
branches: | |
- main | |
jobs: | |
# retrieves the changed rules files and the Falco versions to be used | |
get-values: | |
runs-on: ubuntu-latest | |
outputs: | |
changed-files: ${{ steps.set-changed-files.outputs.changed-files }} | |
falco-versions: ${{ steps.set-falco-versions.outputs.versions }} | |
steps: | |
- name: Checkout rules | |
uses: actions/checkout@v3 | |
- name: Get changed files | |
id: changed-files | |
if: github.event_name == 'pull_request' | |
uses: Ana06/get-changed-files@v2.2.0 | |
with: | |
format: space-delimited | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Find changed rules files | |
id: set-changed-files | |
run: | | |
# if we skip changed-files because we're not in a pull-request, | |
# then we consider all the rules contained in the repo | |
all_files="${{ steps.changed-files.outputs.all }}" | |
values="" | |
if [ -z "$all_files" ]; then | |
values=$(ls rules/*.yaml) | |
else | |
for changed_file in $all_files; do | |
if [[ "${changed_file}" =~ ^rules/.* ]]; then | |
values=${values}${changed_file}$'\n' | |
fi | |
done | |
fi | |
echo "changed-files=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT | |
- name: Read Falco versions | |
id: set-falco-versions | |
run: | | |
values="" | |
while read -r line | |
do | |
values="${values}${line}"$'\n' | |
done < "./.github/FALCO_VERSIONS" | |
echo "versions=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT | |
validate: | |
if: needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' | |
needs: get-values | |
strategy: | |
fail-fast: false | |
matrix: | |
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }} | |
falco-version: ${{ fromJson(needs.get-values.outputs.falco-versions) }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Golang | |
uses: actions/setup-go@v3 | |
with: | |
go-version: "1.19.0" | |
- name: Checkout rules | |
uses: actions/checkout@v3 | |
- name: Build checker tool | |
working-directory: build/checker | |
run: go build -o rules-check | |
- name: Test checker tool | |
working-directory: build/checker | |
run: go test ./... -cover | |
- name: Validate rules file | |
run: | | |
build/checker/rules-check \ | |
validate \ | |
--falco-image="falcosecurity/falco-no-driver:${{ matrix.falco-version }}" \ | |
-r ${{ matrix.rules-file }} | |
check-version: | |
if: github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' | |
needs: get-values | |
env: | |
# note(jasondellaluce): using the most recent targeted Falco version | |
FALCO_VERSION: ${{ fromJson(needs.get-values.outputs.falco-versions)[0] }} | |
strategy: | |
fail-fast: false | |
matrix: | |
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Golang | |
uses: actions/setup-go@v3 | |
with: | |
go-version: "1.19.0" | |
- name: Checkout rules | |
uses: actions/checkout@v3 | |
- name: Get all git tags | |
run: git fetch --tags origin | |
- name: Get changed files | |
uses: Ana06/get-changed-files@v2.2.0 | |
id: changed | |
with: | |
format: space-delimited | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build checker tool | |
working-directory: build/checker | |
run: go build -o rules-check | |
- name: Test checker tool | |
working-directory: build/checker | |
run: go test ./... -cover | |
- name: Compare changed files with previous versions | |
id: compare | |
run: | | |
./.github/compare-rule-files.sh \ | |
"${{ matrix.rules-file }}" \ | |
result.txt \ | |
build/checker/rules-check \ | |
"falcosecurity/falco-no-driver:$FALCO_VERSION" | |
if [ -s result.txt ]; then | |
echo "comment_file=result.txt" >> $GITHUB_OUTPUT | |
fi | |
- name: Save PR info | |
if: steps.compare.outputs.comment_file != '' | |
run: | | |
mkdir -p ./pr | |
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }} | |
- name: Upload PR info as artifact | |
uses: actions/upload-artifact@v2 | |
if: steps.compare.outputs.comment_file != '' | |
with: | |
name: pr-${{ strategy.job-index }} | |
path: pr/ | |
retention-days: 1 | |
upload-pr-info: | |
needs: [get-values, check-version] | |
if: ${{ !cancelled() && github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download PR infos | |
uses: actions/download-artifact@v3 | |
with: | |
path: tmp-artifacts | |
- name: Save PR info | |
run: | | |
if [ ! -d "./tmp-artifacts/" ]; then | |
echo "No PR info found. Skipping." | |
exit 0 | |
fi | |
mkdir -p ./pr | |
echo ${{ github.event.number }} > ./pr/NR | |
touch ./pr/COMMENT | |
echo "# Rules files suggestions" >> ./pr/COMMENT | |
echo "" >> ./pr/COMMENT | |
files=$(find ./tmp-artifacts/) | |
for file in $files; do | |
if [[ "$file" =~ "COMMENT" ]]; then | |
cat "$file" >> ./pr/COMMENT | |
fi | |
done | |
echo Uploading PR info... | |
cat ./pr/COMMENT | |
echo "" | |
- name: Upload PR info as artifact | |
uses: actions/upload-artifact@v2 | |
with: | |
name: pr | |
path: pr/ | |
retention-days: 1 | |
if-no-files-found: warn |