Update content from upstream (NIST and FedRAMP) #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update content from upstream (NIST and FedRAMP) | |
| on: workflow_dispatch | |
| env: | |
| FEDRAMP_PROFILE_NAME: "fedramp_rev5_high" | |
| NIST_CATALOG_NAME: "nist_rev5_800_53" | |
| jobs: | |
| update: | |
| name: Update content | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Generate app token | |
| uses: tibdex/github-app-token@v1 | |
| id: get_installation_token | |
| with: | |
| app_id: ${{ secrets.APP_ID }} | |
| private_key: ${{ secrets.PRIVATE_KEY }} | |
| permissions: >- | |
| {"contents": "write", "pull_requests": "write"} | |
| - name: Clone | |
| uses: actions/checkout@v3 | |
| with: | |
| token: ${{ steps.get_installation_token.outputs.token }} | |
| - name: Set up Python 3.8 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.8 | |
| - name: Install Trestle | |
| run: make trestle-install | |
| - name: Update catalogs | |
| run: | | |
| rm -rf "catalogs/${NIST_CATALOG_NAME}" | |
| trestle import -f https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json -o "${NIST_CATALOG_NAME}" | |
| - name: Update profiles | |
| run: | | |
| rm -rf "profiles/${FEDRAMP_PROFILE_NAME}" | |
| trestle import -f https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json -o "${FEDRAMP_PROFILE_NAME}" | |
| trestle href --name "${FEDRAMP_PROFILE_NAME}" -hr "trestle://catalogs/${NIST_CATALOG_NAME}/catalog.json" | |
| - name: Update content | |
| uses: RedHatProductSecurity/[email protected] | |
| with: | |
| markdown_path: "markdown/profiles" | |
| oscal_model: "profile" | |
| file_pattern: "*.json" | |
| branch: "autoupdate-${{ github.run_id }}" | |
| target_branch: "main" | |
| skip_assemble: true | |
| skip_regenerate: true | |
| commit_user_name: "trestle-bot[bot]" | |
| commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com" | |
| github_token: ${{ steps.get_installation_token.outputs.token }} |