FIX: sanitize scripts for markdown #317
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update models | |
# Controls when the workflow will run | |
on: | |
# Triggers the workflow on push events for main and dev branches | |
# Exclude | |
push: | |
branches: [ "main", "dev" ] | |
workflow_dispatch: | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup EDAMAME Posture | |
uses: edamametechnologies/edamame_posture_action@v0 | |
with: | |
edamame_user: ${{ vars.EDAMAME_POSTURE_USER }} | |
edamame_domain: ${{ vars.EDAMAME_POSTURE_DOMAIN }} | |
edamame_pin: ${{ secrets.EDAMAME_POSTURE_PIN }} | |
edamame_id: ${{ github.run_id }} | |
auto_remediate: true | |
- name: Checkout threatmodel repo | |
uses: actions/checkout@v4 | |
with: | |
# The token must have the workflow scope | |
token: ${{ secrets.DEV_GITHUB_TOKEN }} | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version: 3.11.3 | |
- name: Get changed threat models | |
id: changed-files-specific | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: ./*.json | |
- name: Validate models | |
id: validate | |
run: | | |
echo "Changed files: ${{ steps.changed-files-specific.outputs.all_changed_files }}" | |
pip install -r requirements.txt | |
echo "Validating all threat models" | |
python3 src/publish/validate-models.py threatmodel-*.json | |
continue-on-error: true | |
- name: Revert last commit if validation fails | |
if: steps.validate.outcome == 'failure' | |
run: | | |
# As we are using a non standard token, we need to set our name and use [skip ci] to avoid infinite loop | |
git config user.email "[email protected]" | |
git config user.name "EDAMAME Dev" | |
git revert -m 1 HEAD --no-edit --no-commit | |
git commit -m "Reverted after threat models validation failed [skip ci]" | |
git push | |
- name: Slack alerts | |
if: steps.validate.outcome == 'failure' | |
uses: slackapi/[email protected] | |
with: | |
channel-id: 'C072J0U9TH7' | |
slack-message: "GitHub threat models (${{ steps.changed-files-specific.outputs.all_changed_files }}) validation on branch ${{ github.ref }} failed, commit has been reverted" | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
- name: Slack reports | |
if: steps.validate.outcome != 'failure' | |
uses: slackapi/[email protected] | |
with: | |
channel-id: 'C07127YECN4' | |
slack-message: "GitHub threat models (${{ steps.changed-files-specific.outputs.all_changed_files }}) validation on branch ${{ github.ref }} successful" | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
- name: Update models hash and date | |
if: steps.validate.outcome == 'success' | |
run: | | |
python3 src/publish/update-models.py ${{ steps.changed-files-specific.outputs.all_changed_files }} | |
# As we are using a non standard token, we need to set our name and use [skip ci] to avoid infinite loop | |
git config user.email "[email protected]" | |
git config user.name "EDAMAME Dev" | |
git commit -a -m "Updated models hash and date [skip ci]" | |
git push |