chore: fix ruleset updater workflow not working (#140)

RomainMuller · web-flow · commit 337af39e19d4 · 2025-07-15T11:41:27.000+02:00
diff --git a/.github/workflows/default-ruleset.yml b/.github/workflows/default-ruleset.yml
@@ -11,8 +11,8 @@ jobs:
   update:
     runs-on: ubuntu-latest
     name: Update
-    outputs:
-      mutation-happened: ${{ steps.detect.outputs.mutation-happened }}
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -21,7 +21,7 @@ jobs:
         with:
           go-version: oldstable
           cache-dependency-path: _tools/ruleset-updater/go.mod
-      - name: Generate a GitHub token
+      - name: Generate a GitHub token (DataDog/appsec-event-rules)
         id: generate-token
         uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         with:
@@ -31,67 +31,51 @@ jobs:
           repositories: appsec-event-rules
           permission-contents: read
       - name: Update Default Ruleset
-        run: go -C _tools/ruleset-updater run . -output=${{ github.workspace }}/internal/ruleset/recommended.json.gz
+        id: ruleset
+        run: |-
+          go -C _tools/ruleset-updater run . -output="${{ github.workspace }}/internal/ruleset/recommended.json.gz"
+          echo "version=$(jq -r '.metadata.rules_version' <(gunzip --to-stdout ${GITHUB_WORKSPACE}/internal/ruleset/recommended.json.gz))" >> "${GITHUB_OUTPUT}"
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
       - name: Detect Mutation
         id: detect
         run: |-
           git add .
-          git diff --staged --patch --exit-code > ${{ runner.temp }}/repo.patch || echo "mutation-happened=true" >> "${GITHUB_OUTPUT}"
-      - name: Upload Patch
-        if: steps.detect.outputs.mutation_happened
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: repo.patch
-          path: ${{ runner.temp }}/repo.patch
-
-  pr:
-    runs-on: ubuntu-latest
-    name: Create PR
-    needs: update
-    if: needs.update.outputs.mutation-happened
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Download Patch
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: repo.patch
-          path: ${{ runner.temp }}
-      - name: Apply Patch
-        id: apply
-        run: |-
-          git apply ${{ runner.temp }}/repo.patch
-          echo "version=$(jq -r '.metadata.rules_version' < ./appsec/rules.json)" >> $GITHUB_OUTPUT
+          git diff --staged --patch --exit-code || echo "mutation-happened=true" >> "${GITHUB_OUTPUT}"
 
+      ##########################################################################
+      # Creating a PR with the changes if there are any
       - name: Create PR Branch
+        if: fromJson(steps.detect.outputs.mutation-happened)
         id: create-branch
         run: |-
           branch="automation/default-ruleset-update/${VERSION}"
-          git push origin "${{ github.sha }}":"refs/heads/${branch}"
+          git push --force origin "${{ github.sha }}":"refs/heads/${branch}"
           echo "branch=${branch}" >> "${GITHUB_OUTPUT}"
           git fetch origin "${branch}"
         env:
-          VERSION: ${{ steps.apply.outputs.version }}
-      - name: Generate a GitHub token
-        id: generate-token
+          VERSION: ${{ steps.ruleset.outputs.version }}
+      - name: Generate a GitHub token (${{ github.repository_owner }}/go-libddwaf)
+        if: fromJson(steps.detect.outputs.mutation-happened)
+        id: generate-token-pr
         uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         with:
           app-id: ${{ vars.DD_K9_LIBRARY_GO_APP_ID }}
           private-key: ${{ secrets.DD_K9_LIBRARY_GO_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: go-libddwaf
       # We use ghcommit to create signed commits directly using the GitHub API
       - name: Create Commit on PR Branch
+        if: fromJson(steps.detect.outputs.mutation-happened)
         uses: planetscale/ghcommit-action@6a383e778f6620afde4bf4b45069d3c6983c1ae2 # v0.2.15
         with:
-          commit_message: "chore: update default ruleset to ${{ steps.apply.outputs.version }}"
+          commit_message: "chore: update default ruleset to ${{ steps.ruleset.outputs.version }}"
           branch: ${{ steps.create-branch.outputs.branch }}
           repo: ${{ github.repository }}
         env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.generate-token-pr.outputs.token }}
       - name: Create PR
+        if: fromJson(steps.detect.outputs.mutation-happened)
         run: |-
           git fetch origin "${{ steps.create-branch.outputs.branch }}"
           git reset --hard HEAD
@@ -100,5 +84,5 @@ jobs:
                         --body "Updated default ruleset to ${VERSION}." \
                         --head="${{ steps.create-branch.outputs.branch }}"
         env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          VERSION: ${{ steps.apply.outputs.version }}
+          GITHUB_TOKEN: ${{ steps.generate-token-pr.outputs.token }}
+          VERSION: ${{ steps.ruleset.outputs.version }}
