Skip to content

update: split falco_rules.yaml according to the rules maturity #165

update: split falco_rules.yaml according to the rules maturity

update: split falco_rules.yaml according to the rules maturity #165

Workflow file for this run

name: Rules
on:
pull_request:
branches:
- main
- release/*
push:
branches:
- main
jobs:
# retrieves the changed rules files and the Falco versions to be used
get-values:
runs-on: ubuntu-latest
outputs:
changed-files: ${{ steps.set-changed-files.outputs.changed-files }}
falco-versions: ${{ steps.set-falco-versions.outputs.versions }}
steps:
- name: Checkout rules
uses: actions/checkout@v3
- name: Get changed files
id: changed-files
if: github.event_name == 'pull_request'
uses: Ana06/[email protected]
with:
format: space-delimited
token: ${{ secrets.GITHUB_TOKEN }}
- name: Find changed rules files
id: set-changed-files
run: |
# if we skip changed-files because we're not in a pull-request,
# then we consider all the rules contained in the repo
all_files="${{ steps.changed-files.outputs.all }}"
values=""
if [ -z $all_files ]; then
values=$(ls rules/*.yaml)
else
for changed_file in $all_files; do
if [[ ${changed_file} =~ ^rules/.* ]]; then
values="${values}${changed_file}"
fi
done
fi
echo "changed-files=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
- name: Read Falco versions
id: set-falco-versions
run: |
values=""
while read -r line
do
values="${values}${line}"$'\n'
done < "./.github/FALCO_VERSIONS"
echo "versions=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
validate:
if: needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
needs: get-values
strategy:
fail-fast: false
matrix:
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }}
falco-version: ${{ fromJson(needs.get-values.outputs.falco-versions) }}
runs-on: ubuntu-latest
steps:
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '1.19.0'
- name: Checkout rules
uses: actions/checkout@v3
- name: Build checker tool
working-directory: build/checker
run: go build -o rules-check
- name: Test checker tool
working-directory: build/checker
run: go test ./... -cover
- name: Validate rules file
run: |
build/checker/rules-check \
validate \
--falco-image="falcosecurity/falco-no-driver:${{ matrix.falco-version }}" \
-r ${{ matrix.rules-file }}
check-version:
if: github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
needs: get-values
env:
# note(jasondellaluce): using the most recent targeted Falco version
FALCO_VERSION: ${{ fromJson(needs.get-values.outputs.falco-versions)[0] }}
strategy:
fail-fast: false
matrix:
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }}
runs-on: ubuntu-latest
steps:
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '1.19.0'
- name: Checkout rules
uses: actions/checkout@v3
- name: Get all git tags
run: git fetch --tags origin
- name: Get changed files
uses: Ana06/[email protected]
id: changed
with:
format: space-delimited
token: ${{ secrets.GITHUB_TOKEN }}
- name: Build checker tool
working-directory: build/checker
run: go build -o rules-check
- name: Test checker tool
working-directory: build/checker
run: go test ./... -cover
- name: Compare changed files with previous versions
id: compare
run: |
./.github/compare-rule-files.sh \
${{ matrix.rules-file }} \
result.txt \
build/checker/rules-check \
"falcosecurity/falco-no-driver:$FALCO_VERSION"
if [ -s result.txt ]; then
echo "comment_file=result.txt" >> $GITHUB_OUTPUT
fi
- name: Save PR info
if: steps.compare.outputs.comment_file != ''
run: |
mkdir -p ./pr
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }}
- name: Upload PR info as artifact
uses: actions/upload-artifact@v2
if: steps.compare.outputs.comment_file != ''
with:
name: pr-${{ strategy.job-index }}
path: pr/
retention-days: 1
upload-pr-info:
needs: [get-values, check-version]
if: github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
runs-on: ubuntu-latest
steps:
- name: Download PR infos
uses: actions/download-artifact@v3
with:
path: tmp-artifacts
- name: Save PR info
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
touch ./pr/COMMENT
echo "# Rules files suggestions" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
files=$(find ./tmp-artifacts/)
for file in $files; do
if [[ $file =~ "COMMENT" ]]; then
cat $file >> ./pr/COMMENT
fi
done
echo Uploading PR info...
cat ./pr/COMMENT
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@v2
with:
name: pr
path: pr/
retention-days: 1