Skip to content
Rules

fix(ci): build temporary plugins required for release-time validation #84

Sign in to view logs

fix(ci): build temporary plugins required for release-time validation

fix(ci): build temporary plugins required for release-time validation #84

Workflow file for this run

.github/workflows/rules.yaml at 38a8b81
name: Rules
on:
pull_request:
branches:
- master
# Checks if any concurrent jobs under the same pull request or branch are being executed
# NOTE: this will cancel every workflow that is being ran against a PR as group is just the github ref (without the workflow name)
concurrency:
group: rules-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
env:
FALCO_VERSION: 0.35.1
jobs:
get-changed-plugins:
uses: ./.github/workflows/reusable_get_changed_plugins.yaml
build-rules-tool:
needs: [get-changed-plugins]
if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
uses: ./.github/workflows/reusable_build_rules_tool.yaml
with:
output: rules-checker
repository: falcosecurity/rules
check-version:
needs: [get-changed-plugins, build-rules-tool]
if: github.event_name == 'pull_request' && needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
strategy:
fail-fast: false
matrix:
plugin: ${{ fromJson(needs.get-changed-plugins.outputs.changed-plugins) }}
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install system dependencies
run: pip install yq
- name: Setup plugin config and rules
id: get-config
run: ./.github/setup-plugin-config-rules.sh ${{ matrix.plugin }}
- name: Get latest tag
id: get-tag
run: ./.github/get-latest-plugin-version.sh ${{ matrix.plugin }}
- name: Download rules tool
uses: actions/download-artifact@v3
with:
name: rules-tool.tar.gz
- name: Compare changed files with previous versions
id: compare
if: steps.get-tag.outputs.version != '0.0.0'
run: |
rules_dir=${{ steps.get-config.outputs.rules_dir }}
if [ -d "$rules_dir" ]; then
rules_files=$(ls $rules_dir/*)
for rules_file in $rules_files; do
./.github/compare-rule-files.sh \
"$rules_file" \
${{ steps.get-config.outputs.config_file }} \
${{ matrix.plugin }} \
rule_result.txt \
./rules-checker \
"falcosecurity/falco-no-driver:$FALCO_VERSION" \
${{ steps.get-tag.outputs.ref }}
if [ -s rule_result.txt ]; then
if [ ! -s result.txt ]; then
touch result.txt
fi
cat rule_result.txt >> result.txt
fi
done
fi
if [ -s result.txt ]; then
echo "comment_file=result.txt" >> $GITHUB_OUTPUT
fi
- name: Save PR info
if: steps.compare.outputs.comment_file != ''
run: |
mkdir -p ./pr
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }}
- name: Upload PR info as artifact
uses: actions/upload-artifact@v2
if: steps.compare.outputs.comment_file != ''
with:
name: pr-${{ strategy.job-index }}
path: pr/
retention-days: 1
upload-pr-info:
needs: [get-changed-plugins, check-version]
if: github.event_name == 'pull_request' && needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
runs-on: ubuntu-latest
steps:
- name: Download PR infos
uses: actions/download-artifact@v3
with:
path: tmp-artifacts
- name: Save PR info
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
touch ./pr/COMMENT
echo "# Rules files suggestions" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
files=$(find ./tmp-artifacts/)
for file in $files; do
if [[ $file =~ "COMMENT" ]]; then
cat $file >> ./pr/COMMENT
fi
done
echo Uploading PR info...
cat ./pr/COMMENT
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@v2
with:
name: pr
path: pr/
retention-days: 1