From 774f5e080524dde461ee1ee50e22bc1a376c716e Mon Sep 17 00:00:00 2001 From: Damien Mehala Date: Sat, 1 Feb 2025 12:01:46 +0100 Subject: [PATCH 1/5] wip --- .github/workflows/ci.yaml | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .github/workflows/ci.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 00000000..a7b157d6 --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,50 @@ +name: CI + +on: + workflow_dispatch: {} + pull_request: + branches: + - "**" + +jobs: + update-nginx-datadog: + runs-on: ubuntu-latest + permissions: + actions: read # read secrets + contents: write # Creates a branch + pull-requests: write # Creates a PR + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - uses: actions/checkout@v4 + with: + repository: 'DataDog/appsec-event-rules' + - name: Checkout nginx-datadog + uses: actions/checkout@v4 + with: + repository: 'DataDog/nginx-datadog' + path: 'nginx-datadog' + - run: cp build/recommended.json nginx-datadog/src/security/recommended.json + - name: Set git branch name + run: | + echo "branch_id=deps/appsec-rules-${GITHUB_SHA::7}" >> "$GITHUB_ENV" + echo "tag_id=${GITHUB_REF##*/}" >> "$GITHUB_ENV" + - name: Create Branch + working-directory: nginx-datadog + run: | + git config --local user.name "github-actions[bot]" + git config --local user.email "github-actions[bot]@users.noreply.github.com" + git remote set-url --push origin https://your_username:$GITHUB_TOKEN@github.com/DataDog/nginx-datadog + git checkout -b ${branch_id} + git add src/security/recommended.json + git commit -m "deps(appsec): bump rules to ${tag_id}" + git push + # - name: Create Pull Request + # run: | + # curl -L \ + # -X POST \ + # -H "Accept: application/vnd.github+json" \ + # -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + # -H "X-GitHub-Api-Version: 2022-11-28" \ + # https://api.github.com/repos/DataDog/nginx-datadog/pulls \ + # -d '{"title":"deps: bump rules to ${tag_id}","body":"Updates appsec rules!","head":"${branch}","base":"master"}' From 69d0cf3bb25bd38d84bf9d2b81e6e7dfc00e4689 Mon Sep 17 00:00:00 2001 From: Damien Mehala Date: Sat, 1 Feb 2025 12:06:03 +0100 Subject: [PATCH 2/5] [skip ci] wip --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a7b157d6..6143b6dc 100644 
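Review bot: The `git remote set-url --push origin https://your_username:$GITHUB_TOKEN@github.com/DataDog/nginx-datadog` line in the Create Branch step writes the token into the nginx-datadog checkout's `.git/config`, where it stays readable by every later step of the job, and the workflow's `GITHUB_TOKEN` is scoped to the repository running the workflow, so it cannot push to a different repository anyway. Supply a token scoped to the target repository through the second checkout's `token:` input and drop the `set-url` line, letting `actions/checkout` provide the credential through its helper. The following `git push` has no upstream for a freshly created branch and should read `git push -u origin "${branch_id}"`. The `actions: read # read secrets` comment is inaccurate — the `actions` permission governs the Actions API, not secret access — and with `pull_request` on `branches: "**"` this push would run for every PR, with a read-only token on fork PRs. On `pull_request` events `GITHUB_REF` is `refs/pull/<n>/merge`, so `tag_id` would presumably expand to `merge` rather than a tag name; confirm which trigger this step is meant for.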
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,7 +7,7 @@ on: - "**" jobs: - update-nginx-datadog: + update-rules: runs-on: ubuntu-latest permissions: actions: read # read secrets From 820df949bcf8414cb392ed1ad85cdcb712c7b9ef Mon Sep 17 00:00:00 2001 From: Damien Mehala Date: Sat, 1 Feb 2025 12:06:59 +0100 Subject: [PATCH 3/5] wip --- .circleci/continue_config.yml | 128 -------------------- .circleci/src/workflows/build-and-test.yml | 132 --------------------- 2 files changed, 260 deletions(-) diff --git a/.circleci/continue_config.yml b/.circleci/continue_config.yml index 28056c3d..ec2d270e 100644 --- a/.circleci/continue_config.yml +++ b/.circleci/continue_config.yml 
@@ -418,134 +418,6 @@ workflows: build-and-test: jobs: - check-ci-definition - - format: - name: Verify formatting - requires: - - check-ci-definition - - shellcheck: - name: run shellcheck on shell scripts - requires: - - check-ci-definition - - build: - matrix: - parameters: - arch: - - amd64 - - arm64 - nginx-version: - - 1.22.1 - - 1.24.0 - - 1.25.4 - - 1.27.3 - waf: - - "ON" - - "OFF" - name: build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf >> - - build_openresty: - matrix: - parameters: - arch: - - amd64 - - arm64 - resty-version: - - 1.27.1.1 - waf: - - "ON" - - "OFF" - name: build openresty << matrix.resty-version >> on << matrix.arch >> WAF << matrix.waf >> - - build_ingress_nginx_module: - matrix: - parameters: - arch: - - amd64 - - arm64 - version: - - 1.12.0 - name: build ingress-nginx-<< matrix.version >> on << matrix.arch >> - - coverage: - name: Coverage on 1.27.0 with WAF ON - - test: - matrix: - parameters: - arch: - - amd64 - - arm64 - base-image: - - nginx:1.27.3-alpine - - nginx:1.27.3 - nginx-version: - - 1.27.3 - waf: - - "ON" - - "OFF" - name: test << matrix.nginx-version >> on << matrix.base-image >>:<< matrix.arch >> WAF << matrix.waf >> - requires: - - build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf >> - - test-openresty: - matrix: - parameters: - arch: - - amd64 - - arm64 - base-image: - - openresty/openresty:1.27.1.1-alpine - resty-version: - - 1.27.1.1 - waf: - - "ON" - - "OFF" - name: test openresty << matrix.resty-version >> on << matrix.base-image >>:<< matrix.arch >> WAF << matrix.waf >> - requires: - - build openresty << matrix.resty-version >> on << matrix.arch >> WAF << matrix.waf >> - - test: - matrix: - parameters: - arch: - - amd64 - - arm64 - base-image: - - amazonlinux:2.0.20230418.0 - nginx-version: - - 1.22.1 - waf: - - "ON" - - "OFF" - name: test << matrix.nginx-version >> on << matrix.base-image >>:<< matrix.arch >> WAF << matrix.waf >> - requires: - - build << 
matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf >> - - test: - matrix: - parameters: - arch: - - amd64 - - arm64 - base-image: - - amazonlinux:2023.3.20240219.0 - nginx-version: - - 1.24.0 - waf: - - "ON" - - "OFF" - name: test << matrix.nginx-version >> on << matrix.base-image >>:<< matrix.arch >> WAF << matrix.waf >> - requires: - - build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf >> - - test_ingress: - matrix: - parameters: - arch: - - amd64 - - arm64 - base-image: - - registry.k8s.io/ingress-nginx/controller - nginx-version: - - 1.12.0 - name: test ingress-nginx-<< matrix.nginx-version >> on << matrix.arch >> - requires: - - build ingress-nginx-<< matrix.nginx-version >> on << matrix.arch >> - - system_tests: - name: Run system tests - requires: - - build 1.25.4 on amd64 WAF ON when: and: - not: << pipeline.git.tag >> diff --git a/.circleci/src/workflows/build-and-test.yml b/.circleci/src/workflows/build-and-test.yml index f09f39d6..d55e02ac 100644 --- a/.circleci/src/workflows/build-and-test.yml +++ b/.circleci/src/workflows/build-and-test.yml 
@@ -4,135 +4,3 @@ when: - not: << pipeline.parameters.build_all >> jobs: - check-ci-definition -- format: - name: Verify formatting - requires: - - check-ci-definition -- shellcheck: - name: run shellcheck on shell scripts - requires: - - check-ci-definition -- build: - matrix: - parameters: - arch: - - amd64 - - arm64 - nginx-version: - - 1.22.1 - - 1.24.0 - - 1.25.4 - - 1.27.3 - waf: - - 'ON' - - 'OFF' - name: build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf >> -- build_openresty: - matrix: - parameters: - arch: - - amd64 - - arm64 - resty-version: - - 1.27.1.1 - waf: - - 'ON' - - 'OFF' - name: build openresty << matrix.resty-version >> on << matrix.arch >> WAF << matrix.waf >> -- build_ingress_nginx_module: - name: build ingress-nginx-<< matrix.version >> on << matrix.arch >> - matrix: - parameters: - arch: - - 'amd64' - - 'arm64' - version: - - 1.12.0 -- coverage: - name: Coverage on 1.27.0 with WAF ON -- test: - matrix: - parameters: - arch: - - amd64 - - arm64 - waf: - - 'ON' - - 'OFF' - base-image: - - nginx:1.27.3-alpine - - nginx:1.27.3 - nginx-version: - - 1.27.3 - name: test << matrix.nginx-version >> on << matrix.base-image >>:<< matrix.arch - >> WAF << matrix.waf >> - requires: - - build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf - >> -- test-openresty: - matrix: - parameters: - arch: - - amd64 - - arm64 - waf: - - 'ON' - - 'OFF' - base-image: - - openresty/openresty:1.27.1.1-alpine - resty-version: - - 1.27.1.1 - name: test openresty << matrix.resty-version >> on << matrix.base-image >>:<< matrix.arch >> WAF << matrix.waf >> - requires: - - build openresty << matrix.resty-version >> on << matrix.arch >> WAF << matrix.waf >> -- test: - matrix: - parameters: - arch: - - amd64 - - arm64 - waf: - - 'ON' - - 'OFF' - base-image: - - amazonlinux:2.0.20230418.0 - nginx-version: - - 1.22.1 - name: test << matrix.nginx-version >> on << matrix.base-image >>:<< matrix.arch - >> WAF << matrix.waf >> - requires: - - 
build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf - >> -- test: - matrix: - parameters: - arch: - - amd64 - - arm64 - waf: - - 'ON' - - 'OFF' - base-image: - - amazonlinux:2023.3.20240219.0 - nginx-version: - - 1.24.0 - name: test << matrix.nginx-version >> on << matrix.base-image >>:<< matrix.arch >> WAF << matrix.waf >> - requires: - - build << matrix.nginx-version >> on << matrix.arch >> WAF << matrix.waf >> -- test_ingress: - name: test ingress-nginx-<< matrix.nginx-version >> on << matrix.arch >> - requires: - - build ingress-nginx-<< matrix.nginx-version >> on << matrix.arch >> - matrix: - parameters: - arch: - - amd64 - - arm64 - base-image: - - registry.k8s.io/ingress-nginx/controller - nginx-version: - - 1.12.0 -- system_tests: - name: Run system tests - requires: - - build 1.25.4 on amd64 WAF ON From b632572cd27c71673a9d8fa5bf1025946e45eb16 Mon Sep 17 00:00:00 2001 From: Damien Mehala Date: Sat, 1 Feb 2025 12:11:42 +0100 Subject: [PATCH 4/5] wip --- .github/workflows/ci.yaml | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6143b6dc..c15ff1bf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -19,32 +19,3 @@ jobs: - uses: actions/checkout@v4 with: repository: 'DataDog/appsec-event-rules' - - name: Checkout nginx-datadog - uses: actions/checkout@v4 - with: - repository: 'DataDog/nginx-datadog' - path: 'nginx-datadog' - - run: cp build/recommended.json nginx-datadog/src/security/recommended.json - - name: Set git branch name - run: | - echo "branch_id=deps/appsec-rules-${GITHUB_SHA::7}" >> "$GITHUB_ENV" - echo "tag_id=${GITHUB_REF##*/}" >> "$GITHUB_ENV" - - name: Create Branch - working-directory: nginx-datadog - run: | - git config --local user.name "github-actions[bot]" - git config --local user.email "github-actions[bot]@users.noreply.github.com" - git remote set-url --push origin https://your_username:$GITHUB_TOKEN@github.com/DataDog/nginx-datadog - git checkout -b ${branch_id} - git add src/security/recommended.json - git commit -m "deps(appsec): bump rules to ${tag_id}" - git push - # - name: Create Pull Request - # run: | - # curl -L \ - # -X POST \ - # -H "Accept: application/vnd.github+json" \ - # -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - # -H "X-GitHub-Api-Version: 2022-11-28" \ - # https://api.github.com/repos/DataDog/nginx-datadog/pulls \ - # -d '{"title":"deps: bump rules to ${tag_id}","body":"Updates appsec rules!","head":"${branch}","base":"master"}' From bc1e9bdb1bbc091e8a60d592d0b29afd2b1839ec Mon Sep 17 00:00:00 2001 From: Damien Mehala Date: Sat, 1 Feb 2025 12:46:20 +0100 Subject: [PATCH 5/5] wip --- .github/workflows/ci.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c15ff1bf..48c57a5f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,6 +1,8 @@ name: CI on: + schedule: + - cron: '0 0 * * 0' # Every Sunday at midnight workflow_dispatch: {} pull_request: branches: 
@@ -19,3 +21,5 @@ jobs: - uses: actions/checkout@v4 with: repository: 'DataDog/appsec-event-rules' + token: ${{ secrets.PAT_APPSEC_ACCESS }} + path: 'appsec-event-rules'
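Review bot: `token: ${{ secrets.PAT_APPSEC_ACCESS }}` on the checkout stores that PAT in the checkout's `.git/config` for the rest of the job, because `actions/checkout` defaults to `persist-credentials: true`; with the push steps removed in the previous patch nothing after this step appears to need it, so add `persist-credentials: false` under `with:`. Prefer a fine-grained PAT or a GitHub App installation token limited to read access on `DataDog/appsec-event-rules` over a classic PAT. The job still declares `contents: write`, `pull-requests: write` and a job-level `GITHUB_TOKEN` env (outside this hunk) that no remaining step uses; trimming them keeps the workflow at least privilege. The expression is unquoted here while the job-level env quotes its expression — quote it for consistency, `token: "${{ secrets.PAT_APPSEC_ACCESS }}"`.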