Compare DS #12257
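---
name: Compare DS
on:
  workflow_run:
    workflows: ["Compare DS Build"]
    types:
      - completed

# Least privilege: read the repo, manage PR comments, read artifacts of the
# triggering run. Nothing else is granted to GITHUB_TOKEN.
# NOTE(review): this single job both unpacks an artifact built from the PR's
# own (untrusted) code and holds a pull-requests:write token. Consider moving
# the unpack/compare steps into a separate, unprivileged job that only hands a
# diff to the commenting job.
permissions:
  pull-requests: write
  contents: read
  # Required for download-artifact to fetch from the "Compare DS Build" run.
  actions: read

jobs:
  build-content:
    name: Generate Diff
    # Only run when the upstream build produced artifacts; a failed or
    # cancelled build would otherwise just fail at the download step.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    container:
      # NOTE(review): floating tag; pin to a digest for reproducible runs.
      image: fedora:latest
    env:
      # PR-derived values are passed through the environment and quoted in the
      # shell instead of being interpolated into `run:` scripts, so they cannot
      # change the script itself (GitHub expression injection).
      # NOTE(review): github.base_ref and github.event.pull_request.* are not
      # populated for workflow_run events (notably for PRs from forks); the base
      # branch and PR number must be carried over from the build workflow, e.g.
      # inside the artifact — verify before relying on these two values.
      BASE_BRANCH: ${{ github.base_ref }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
      # The commit the artifact was built from; same value the artifact name uses.
      HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
    steps:
      - name: Install Deps
        run: dnf install -y cmake make openscap-utils python3-pyyaml python3-setuptools python3-jinja2 git python3-deepdiff python3-requests jq python3-pip
      - name: Install deps python
        # NOTE(review): unpinned packages from PyPI; pin versions (ideally with
        # hashes) to keep the tooling that parses the artifact reproducible.
        run: pip install gitpython xmldiff
      - name: Checkout master
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
        with:
          # actions/checkout takes `repository`, not `repo` (cf. the CTF checkout below);
          # the misspelled input was silently ignored.
          repository: ComplianceAsCode/content
          ref: master
          fetch-depth: 0
      # https://github.com/actions/checkout/issues/766
      - name: Set git safe directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Find forking point
        id: fork_point
        # NOTE(review): `fetch-depth: 0` fetches branches and tags only; for a PR
        # from a fork, HEAD_SHA may have to be fetched explicitly
        # (refs/pull/<n>/head) before merge-base can resolve it — verify.
        run: echo "FORK_POINT=$(git merge-base "origin/$BASE_BRANCH" "$HEAD_SHA")" >> "$GITHUB_OUTPUT"
      - name: Checkout (CTF)
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
        with:
          repository: ComplianceAsCode/content-test-filtering
          path: ctf
      - name: Detect content changes in the PR
        env:
          FORK_POINT: ${{ steps.fork_point.outputs.FORK_POINT }}
          REMOTE_REPO: ${{ github.server_url }}/${{ github.repository }}
        run: python3 ./ctf/content_test_filtering.py pr --base "$FORK_POINT" --remote_repo "$REMOTE_REPO" --verbose --rule --output json "$PR_NUMBER" > output.json
      - name: Test if there are no content changes
        id: ctf
        run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> "$GITHUB_OUTPUT"
      - name: Print changes to content detected if any
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: cat output.json
      - name: Get product attribute
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: product
        uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
        with:
          path: 'output.json'
          prop_path: 'product'
      - name: Download built product ${{ github.base_ref }} (${{ steps.fork_point.outputs.FORK_POINT }})
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        # NOTE(review): every other action here is pinned to a commit SHA; pin
        # this one the same way.
        uses: actions/download-artifact@v7
        with:
          name: pr-artifacts-${{ github.event.workflow_run.head_sha }}
          path: pr_artifacts
          # The artifact was uploaded by the triggering "Compare DS Build" run,
          # not by this run, so the download has to be pointed at that run.
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Unpack built artifacts
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        # The tarball was produced from the PR's own code: treat its contents as
        # untrusted. `tar -C` needs an existing directory, which no earlier step
        # creates.
        run: |
          mkdir -p pr_artifacts/unpacked_artifacts
          tar -xvzf pr_artifacts/artifacts.tar.gz -C pr_artifacts/unpacked_artifacts
      - name: Build product
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        env:
          # Product name comes from the CTF analysis of the PR, i.e. PR-influenced.
          PRODUCT: ${{ steps.product.outputs.prop }}
        run: ./build_product "$PRODUCT" --datastream-only
      - name: Compare datastreams
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        env:
          PYTHONPATH: ${{ github.workspace }}
          PRODUCT: ${{ steps.product.outputs.prop }}
        # NOTE(review): the default `run` shell is `bash -e` without pipefail, so
        # a crash of compare_ds.py on the untrusted XML is masked by `tee`.
        run: utils/compare_ds.py "pr_artifacts/unpacked_artifacts/ssg-$PRODUCT-ds.xml" "build/ssg-$PRODUCT-ds.xml" | tee diff.log
      - name: Test if there are datastream changes
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: compare_ds
        run: echo "COMPARE_DS_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> "$GITHUB_OUTPUT"
      - name: Print datastream changes if any
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' }}
        run: cat diff.log
      - name: Get diff.log
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' }}
        id: diff
        # A random heredoc delimiter keeps diff content from terminating the
        # multi-line output early. The diff text derives from the untrusted
        # artifact and is posted verbatim inside a ```diff fence below, so a
        # PR could shape what the bot comment renders (markdown only, no token).
        run: |
          body=$(cat diff.log)
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "log<<$EOF" >> "$GITHUB_OUTPUT"
          echo "${body:0:65000}" >> "$GITHUB_OUTPUT"
          echo "$EOF" >> "$GITHUB_OUTPUT"
      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: fc
        with:
          issue-number: ${{ env.PR_NUMBER }}
          comment-author: 'github-actions[bot]'
          body-includes: This datastream diff is auto generated by the check
      - name: Create or update comment
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' && steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE <= 65000 }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ env.PR_NUMBER }}
          body: |
            This datastream diff is auto generated by the check `Compare DS/Generate Diff`
            <details>
            <summary>Click here to see the full diff</summary>
            ```diff
            ${{ steps.diff.outputs.log }}
            ```
            </details>
          edit-mode: replace
      - name: Create or update a trimmed comment
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE > 65000 }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ env.PR_NUMBER }}
          body: |
            This datastream diff is auto generated by the check `Compare DS/Generate Diff`.
            Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.
            <details>
            <summary>Click here to see the trimmed diff</summary>
            ```diff
            ${{ steps.diff.outputs.log }}
            ... The diff is trimmed here ...
            ```
            </details>
          edit-mode: replace
      - name: Delete existing comment in case new commits trigger no changes in Compare DS tool
        if: ${{ (steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.fc.outputs.comment-id != 0 }}
        uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1
        with:
          type: delete
          comment_id: ${{ steps.fc.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Compare Ansible playbook shell commands
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        env:
          PYTHONPATH: ${{ github.workspace }}
          PRODUCT: ${{ steps.product.outputs.prop }}
        # The PR-side datastream lives under pr_artifacts/unpacked_artifacts (see
        # "Compare datastreams"); a bare ssg-<product>-ds.xml is not written to
        # the workspace root by any step. diff.log is reused here on purpose:
        # the datastream diff was already captured into the `diff` step output.
        run: utils/ansible_shell_diff.py "pr_artifacts/unpacked_artifacts/ssg-$PRODUCT-ds.xml" "build/ssg-$PRODUCT-ds.xml" | tee diff.log
      - name: Test if there are Ansible shell module changes
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: ansible_shell_diff
        run: echo "SHELL_DIFF_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> "$GITHUB_OUTPUT"
      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: shell_diff
        with:
          issue-number: ${{ env.PR_NUMBER }}
          comment-author: 'github-actions[bot]'
          body-includes: Change in Ansible 'shell' module found.
      - name: Create comment
        if: ${{ steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE != '0' && steps.shell_diff.outputs.comment-id == 0 }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          issue-number: ${{ env.PR_NUMBER }}
          body: |
            Change in Ansible `shell` module found.
            Please consider using more suitable Ansible module than `shell` if possible.
      - name: Delete existing comment in case new commits trigger no changes in Ansible shell module
        if: ${{ (steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.shell_diff.outputs.comment-id != 0 }}
        uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1
        with:
          type: delete
          comment_id: ${{ steps.shell_diff.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}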