INT-9790: refactor integration

.github/pull_request_template.md

@@ -0,0 +1,53 @@
+# Description
+
+Thank you for contributing to a JupiterOne integration!
+
+Please include a summary of the change and which issue is fixed. Please also
+include relevant motivation and context. List any dependencies that are required
+for this change.
+
+## Summary
+
+<!-- Summary here! -->
+
+## Type of change
+
+Please leave any irrelevant options unchecked.
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to
+      not work as expected)
+- [ ] This change requires a documentation update
+
+## Checklist
+
+### General Development Checklist:
+
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes
+
+### Integration Development Checklist:
+
+Please leave any irrelevant options unchecked.
+
+- [ ] I have checked for additional permissions required to call any new API
+      endpoints, and have documented any additional permissions in
+      `jupiterone.md`, where necessary.
+- [ ] My changes properly paginate the target service provider's API
+- [ ] My changes properly handle rate limiting of the target service provider's
+      API
+- [ ] My new integration step is instrumented to execute in the correct order
+      using `dependsOn`
+- [ ] I have referred to the
+      [JupiterOne data model](https://github.com/JupiterOne/data-model/tree/main/src/schemas)
+      to ensure that any new entities/relationships, and relevant properties,
+      match the recommended model for this class of data
+- [ ] I have updated the `CHANGELOG.md` file to describe my changes
+- [ ] When changes include modifications to existing graph data ingestion, I've
+      reviewed all existing managed questions referencing the entities,
+      relationships, and their property names, to ensure those questions still
+      function with my changes.

.github/workflows/build.yml

@@ -9,17 +9,18 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
+      - name: Check out code repository source code
+        uses: actions/checkout@v3
+
       - id: setup-node
         name: Setup Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
-          node-version: 14.x
-
-      - name: Check out code repository source code
-        uses: actions/checkout@v2
+          node-version: 18.x
+          cache: yarn
 
       - name: Install dependencies
-        run: yarn
+        run: yarn --frozen-lockfile
 
       - name: Run tests
         run: yarn test:ci
@@ -29,65 +30,24 @@ jobs:
 
   # Publishing is done in a separate job to allow
   # for all matrix builds to complete.
-  release:
+  BuildRelease:
     needs: test
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main'
+    name: Checkout Code
     steps:
-      - name: Setup Node
-        uses: actions/setup-node@v1
-        with:
-          node-version: 14.x
-
       - name: Check out repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
-          fetch-depth: 2
-
-      # Fetch tags and describe the commit before the merge commit
-      # to see if it's a version publish
-      - name: Fetch tags
-        run: |
-          git fetch --tags
-          if git describe --exact-match --match "v*.*.*" HEAD^2
-          then
-            echo "Found version commit tag. Publishing."
-            echo "publish=true" >> $GITHUB_ENV
-            echo "VERSION_NUM=`echo $(git describe --tags --abbrev=0 | sed -e "s/v//gI")`" >> $GITHUB_ENV
-          else
-            echo "Version commit tag not found. Not publishing."
-          fi
-
-      - name: Publish
-        if: env.publish == 'true'
-        env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
-        run: |
-          echo "//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}" > .npmrc
-          yarn
-          yarn build
-          npm publish ./dist
-
-      - name: Get Version Changelog Entry
-        if: env.publish == 'true'
-        id: changelog_reader
-        uses: mindsers/changelog-reader-action@v2
+          fetch-depth: 0
+          token: ${{ secrets.AUTO_GITHUB_PAT_TOKEN }}
+      - name: Setup Node
+        uses: actions/setup-node@v3
         with:
-          version: ${{ env.VERSION_NUM }}
-          path: ./CHANGELOG.md
-        continue-on-error: true
-
-      - name: Create Release
-        if: env.publish == 'true'
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          node-version: 18.x
+          cache: yarn
+      - name: Build and Release
+        uses: jupiterone/action-npm-build-release@v1
         with:
-          tag_name: ${{ steps.changelog_reader.outputs.version }}
-          release_name: Release ${{ steps.changelog_reader.outputs.version }}
-          body: ${{ steps.changelog_reader.outputs.changes }}
-          prerelease:
-            ${{ steps.changelog_reader.outputs.status == 'prereleased' }}
-          draft: ${{ steps.changelog_reader.outputs.status == 'unreleased' }}
-        continue-on-error: true
+          npm_auth_token: ${{ secrets.NPM_AUTH_TOKEN }}
+          gh_token: ${{ secrets.AUTO_GITHUB_PAT_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -9,15 +9,15 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ['main']
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
-    
+    branches: ['main']
+
 jobs:
   analyze:
     name: Analyze
@@ -30,41 +30,40 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
+        language: ['javascript']
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        queries: security-extended,security-and-quality
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: security-extended,security-and-quality
 
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/integration-deployment.yml

@@ -0,0 +1,32 @@
+name: J1 Integration deployment
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  j1-integration-deployment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get integration name
+        id: get-integration-name
+        shell: bash
+        run: |
+          NAME=${{ github.event.repository.name }}
+          echo "integrationName=${NAME#graph-}" >> $GITHUB_OUTPUT
+      - name: Get version number
+        id: get-version-number
+        shell: bash
+        run: |
+          TAG=${{ github.event.release.tag_name }}
+          echo "versionNumber=${TAG#v}" >> $GITHUB_OUTPUT
+      - name: Bump integration deployment version
+        uses: JupiterOne/integration-github-actions/[email protected]
+        with:
+          integrationName:
+            ${{ steps.get-integration-name.outputs.integrationName }}
+          releaseNotes: ${{ github.event.release.body }}
+          version: ${{ steps.get-version-number.outputs.versionNumber }}
+          githubToken: ${{ secrets.AUTO_GITHUB_PAT_TOKEN }}
+          npmAuthToken: ${{ secrets.NPM_AUTH_TOKEN }}

.github/workflows/peril.yml

@@ -0,0 +1,90 @@
+name: 'Peril'
+
+on:
+  pull_request:
+
+env:
+  TRANSPONDER_DOCKER_IMAGE: 081157560428.dkr.ecr.us-east-1.amazonaws.com/transponder:1
+  SECURITY_SCAN_IMAGE: ghcr.io/jupiterone/security-scan:latest
+
+jobs:
+  Peril:
+    name: Peril
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Node
+        uses: actions/setup-node@v1
+        with:
+          node-version: 18.x
+
+      - name: Run build
+        run: yarn install
+
+      - name: Get Variables
+        id: get-vars
+        run: |
+          if [[ "${GITHUB_REF}" == 'ref/head/main' && "${GITHUB_EVENT_NAME}" == 'push' ]];
+          then
+            echo "aws-oidc-role=arn:aws:iam::081157560428:role/github-main-role" >> $GITHUB_OUTPUT
+          else
+            echo "aws-oidc-role=arn:aws:iam::081157560428:role/github-pull-request-role" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ steps.get-vars.outputs.aws-oidc-role }}
+          role-session-name: pr-role-session
+          aws-region: us-east-1
+
+      - name: ECR login
+        uses: aws-actions/amazon-ecr-login@v1
+        id: amazon-ecr-login
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.PACKAGE_TOKEN }}
+
+      - name: Pull security-scan
+        run: |
+          docker pull $SECURITY_SCAN_IMAGE
+
+      - name: Run security-scan
+        run: |
+          docker run \
+          --user root \
+          -v /var/run/docker.sock:/var/run/docker.sock \
+          -v `pwd`:`pwd` \
+          -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} \
+          -e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} \
+          -e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} \
+          -e GITHUB_REPOSITORY=$GITHUB_REPOSITORY \
+          -e GITHUB_REF_NAME=$GITHUB_REF_NAME \
+          -e GITHUB_RUN_NUMBER=$GITHUB_RUN_NUMBER \
+          -e GITHUB_SERVER_URL=$GITHUB_SERVER_URL \
+          -e GITHUB_RUN_ID=$GITHUB_RUN_ID \
+          -e MODE=ci \
+          -w `pwd` $SECURITY_SCAN_IMAGE
+
+      - name: Pull transponder
+        run: |
+          docker pull $TRANSPONDER_DOCKER_IMAGE
+
+      - name: Run transponder
+        run: |
+          docker run --rm -v `pwd`:`pwd` -w `pwd` \
+          -e J1_API_KEY=${{ secrets.J1_API_KEY_TRANSPONDER }} \
+          -e J1_API_DOMAIN=${{ secrets.J1_API_DOMAIN_TRANSPONDER }} \
+          -e J1_ACCOUNT_ID=${{ secrets.J1_ACCOUNT_ID_TRANSPONDER }} \
+          $TRANSPONDER_DOCKER_IMAGE