Upload Changed Rules to SIEMRULES #130
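# Resolve which SIEMRULES targets to upload to (staging / production), the commit range
# each one should diff, and run actions/uploader.py once per target.
#
# NOTE(review): the forge flagged this file as containing hidden or bidirectional
# Unicode text; none is visible in the rendered copy — confirm with a hex dump.
# NOTE(review): actions are pinned by tag; pinning to a full commit SHA is stronger
# for third-party actions such as dawidd6/action-download-artifact.
name: Upload Changed Rules to SIEMRULES

on:
  workflow_dispatch:
    inputs:
      run_staging:
        description: "Run staging upload"
        required: true
        type: boolean
        default: true
      run_production:
        description: "Run production upload"
        required: true
        type: boolean
        default: true
      start_commit:
        description: "Start commit SHA (defaults to last production commit or empty tree if not available)"
        required: false
        type: string
      end_commit:
        description: "End commit SHA (defaults to HEAD if not provided)"
        required: false
        type: string
  schedule:
    - cron: "0 0 * * *"

# Least privilege for GITHUB_TOKEN. Setting any permission explicitly drops the rest
# to none, so `actions: read` is listed because the artifact-download steps read
# artifacts of earlier runs of this workflow.
permissions:
  contents: read
  actions: read

jobs:
  resolve-range:
    runs-on: ubuntu-latest
    outputs:
      # All three outputs are written by the generate-matrix step below.
      start_commit: ${{ steps.generate-matrix.outputs.start_commit }}
      end_commit: ${{ steps.generate-matrix.outputs.end_commit }}
      matrix: ${{ steps.generate-matrix.outputs.matrix }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # The last successfully uploaded commit is carried between runs as an artifact.
      # Only needed when no explicit start commit was given.
      - name: Download production commit artifact
        if: ${{ !github.event.inputs.start_commit }}
        uses: dawidd6/action-download-artifact@v6
        with:
          name: last-production-commit-sha
          path: artifacts_production/
          workflow: upload-to-siemrules.yml
          workflow_conclusion: success
          if_no_artifact_found: ignore
          allow_forks: false

      - name: Download staging commit artifact
        if: ${{ !github.event.inputs.start_commit }}
        uses: dawidd6/action-download-artifact@v6
        with:
          name: last-staging-commit-sha
          path: artifacts_staging/
          workflow: upload-to-siemrules.yml
          workflow_conclusion: success
          if_no_artifact_found: ignore
          allow_forks: false

      - name: Generate upload matrix
        id: generate-matrix
        env:
          RUN_STAGING: ${{ github.event.inputs.run_staging }}
          RUN_PRODUCTION: ${{ github.event.inputs.run_production }}
          EVENT_NAME: ${{ github.event_name }}
          END_COMMIT: ${{ github.event.inputs.end_commit }}
          START_COMMIT: ${{ github.event.inputs.start_commit }}
        # A quoted heredoc: the shell performs no expansion on the script text, so the
        # Python source is not subject to shell quoting rules.
        run: |
          python - <<'PY'
          import json
          import os
          import re
          from pathlib import Path

          # git's well-known empty tree: diffing from it yields every file in the repo.
          EMPTY_TREE_SHA = '4b825dc642cb6eb9a060e54bf8d69288fbee4904'
          # Abbreviated (7+) or full (40) hex SHA. Start/end values come from workflow
          # inputs and from a downloaded artifact, and are later handed to a shell
          # command line, so anything that is not a SHA is rejected here.
          SHA_RE = re.compile(r'[0-9a-fA-F]{7,40}')

          def require_sha(value, origin):
              """Return value if it is a hex commit SHA, otherwise fail the job."""
              if SHA_RE.fullmatch(value):
                  return value
              raise SystemExit(f'{origin}: {value!r} is not a commit SHA')

          def resolve_start(explicit, artifact_path):
              """Start commit: explicit input, else the last-upload artifact, else the empty tree."""
              if explicit:
                  return require_sha(explicit, 'start_commit input')
              if artifact_path.exists():
                  return require_sha(artifact_path.read_text().strip(), str(artifact_path))
              return EMPTY_TREE_SHA

          def append_output(name, value):
              """Append one key=value line to GITHUB_OUTPUT (append, never truncate)."""
              with open(os.environ['GITHUB_OUTPUT'], 'a', encoding='utf-8') as fh:
                  fh.write(f'{name}={value}\n')

          start_commit = os.getenv('START_COMMIT') or ''
          end_commit = os.getenv('END_COMMIT') or 'HEAD'
          if end_commit != 'HEAD':
              require_sha(end_commit, 'end_commit input')
          # A scheduled run ignores the dispatch flags and uploads to both targets.
          scheduled = os.getenv('EVENT_NAME') == 'schedule'

          targets = [
              ('staging', 'RUN_STAGING', Path('artifacts_staging/last_commit.txt')),
              ('production', 'RUN_PRODUCTION', Path('artifacts_production/last_commit.txt')),
          ]
          matrix = []
          for target, flag, artifact_path in targets:
              if scheduled or os.getenv(flag) == 'true':
                  matrix.append({
                      'target': target,
                      'environment': f'siemrules-{target}',
                      'commit_sha': resolve_start(start_commit, artifact_path),
                      'end_commit': end_commit,
                  })

          append_output('matrix', json.dumps(matrix))
          # start_commit is the explicit override (may be empty); the per-target
          # resolved start commit lives in each matrix entry.
          append_output('start_commit', start_commit)
          append_output('end_commit', end_commit)

          with open(os.environ['GITHUB_STEP_SUMMARY'], 'a', encoding='utf-8') as summary:
              summary.write('# SIEMRULES Upload Matrix\n\n')
              summary.write('| Target | Start Commit | End Commit |\n')
              summary.write('| --- | --- | --- |\n')
              for entry in matrix:
                  summary.write(f"| {entry['target']} | {entry['commit_sha']} | {entry['end_commit']} |\n")
          PY

  upload:
    name: Upload to ${{ matrix.target }}
    runs-on: ubuntu-latest
    needs:
      - resolve-range
    # Both targets can be disabled on manual dispatch; an empty include list is not a
    # valid strategy, so skip the job rather than fail it.
    if: ${{ needs.resolve-range.outputs.matrix != '[]' }}
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJson(needs.resolve-range.outputs.matrix) }}
    # Secrets are scoped per environment (siemrules-staging / siemrules-production).
    environment: ${{ matrix.environment }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Upload changed rules to ${{ matrix.target }}
        env:
          SIEMRULES_BASE_URL: ${{ secrets.SIEMRULES_BASE_URL }}
          SIEMRULES_API_KEY: ${{ secrets.SIEMRULES_API_KEY }}
          DETECTION_PACK_ID: ${{ vars.DETECTION_PACK_ID }}
          MAX_WORKERS: "10"
          STATUS_CHECK_INTERVAL: "5"
          MAX_STATUS_CHECKS: "60"
          # Matrix values originate from workflow inputs and a downloaded artifact.
          # They are passed through the environment instead of being expanded inline in
          # the shell text, so they are never parsed as shell syntax.
          START_COMMIT: ${{ matrix.commit_sha }}
          END_COMMIT: ${{ matrix.end_commit }}
        run: |
          python actions/uploader.py \
            --start-commit "$START_COMMIT" \
            --end-commit "$END_COMMIT"

      - name: Upload ${{ matrix.target }} artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: siemrules-${{ matrix.target }}-results
          path: artifacts/
          retention-days: 7

      - name: Upload badges
        if: always() && matrix.target == 'production'
        uses: actions/upload-artifact@v4
        with:
          name: siemrules-badges
          path: artifacts/badges.json
          retention-days: 90
          overwrite: true

      # Only a successful upload advances the saved start commit for the next run.
      - name: Upload last commit SHA
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: last-${{ matrix.target }}-commit-sha
          path: artifacts/last_commit.txt
          retention-days: 90
          overwrite: true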