chore: Adds a schedule trigger to update-upstreams and updates Actions to use the trestlebot container image

.github/workflows/create-new.yml

@@ -21,6 +21,8 @@ jobs:
   create-profile:
     name: Create profile
     runs-on: ubuntu-latest
+    container:
+      image: quay.io/continuouscompliance/trestle-bot:0.5.0
     steps:
       - name: Generate app token
         uses: tibdex/[email protected]
@@ -34,12 +36,6 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ steps.get_installation_token.outputs.token }}
-      - name: Set up Python 3.8
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.8
-      - name: Install Trestlebot
-        run: python3 -m pip install --upgrade pip setuptools && python3 -m pip install -r requirements.txt
       - name: Create new profile with imports
         run: |
           python3 scripts/set_default_profile.py --import_path "${IMPORT_TYPE}s/${IMPORT_NAME}/${IMPORT_TYPE}.json" \
@@ -48,19 +44,27 @@ jobs:
           OUTPUT:  ${{ github.event.inputs.output }}
           IMPORT_NAME: ${{ github.event.inputs.import_name }}
           IMPORT_TYPE: ${{ github.event.inputs.import_type }}
+      - name: Configure git to trust the github workspace
+        run: |
+          git config --global --add safe.directory "${GITHUB_WORKSPACE}"
       - name: Generate and PR new profile
         id: generate-profile
-        uses: RedHatProductSecurity/trestle-bot/actions/[email protected]
-        with:
-          markdown_path: "markdown/profiles"
-          oscal_model: "profile"
-          branch: "profile-create-${{ github.run_id }}"
-          target_branch: "main"
-          file_pattern: "*.json,markdown/*"
-          skip_items: "fedramp_rev5_high"
-          skip_assemble: true
-          commit_user_name: "trestle-bot[bot]"
-          commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"
-          commit_message: "adds profile ${{ github.event.inputs.output }}"
-          pull_request_title: "Add profile ${{ github.event.inputs.output }}"
-          github_token: ${{ steps.get_installation_token.outputs.token }}
+        run: |
+          trestlebot-autosync \
+          --markdown-path="markdown/profiles" \
+          --oscal-model="profile" \
+          --commit-message="adds profile ${OUTPUT}" \
+          --pull-request-title="Add profile ${OUTPUT}" \
+          --branch="profile-create-${{ github.run_id }}" \
+          --file-patterns="*.json,markdown/*" \
+          --committer-name="trestle-bot[bot]" \
+          --committer-email="136850459+trestle-bot[bot]@users.noreply.github.com" \
+          --author-name="${{ github.actor }}" \
+          --author-email="${{ github.actor }}@users.noreply.github.com" \
+          --target-branch="main" \
+          --skip-items="fedramp_rev5_high" \
+          --skip-assemble \
+          --with-token - <<<"${GITHUB_TOKEN}"
+        env:
+          GITHUB_TOKEN: ${{ steps.get_installation_token.outputs.token }}
+          OUTPUT: ${{ github.event.inputs.output }}

.github/workflows/update-upstream.yml

@@ -1,17 +1,23 @@
 name: Update content from upstream (NIST and FedRAMP)
 
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+  # Schedule every Sunday at 5:00
+  schedule:
+    - cron: "0 5 * * 0"
 
 env:
   FEDRAMP_PROFILE_NAME: "fedramp_rev5_high"
   NIST_CATALOG_NAME: "nist_rev5_800_53"
-  FEDRAMP_REPO_REF: "master"
+  FEDRAMP_REPO_REF: "d9cbac30174fa9d52540eba34425bdb5c18ff4d8"
   NIST_REPO_REF: "690f517daaf3a6cbb4056d3cde6eae2756765620"
 
 jobs:
   update:
     name: Update content
     runs-on: ubuntu-latest
+    container:
+      image: quay.io/continuouscompliance/trestle-bot:0.5.0
     steps:
       - name: Generate app token
         uses: tibdex/[email protected]
@@ -25,12 +31,6 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ steps.get_installation_token.outputs.token }}
-      - name: Set up Python 3.8
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.8
-      - name: Install Trestle
-        run: python3 -m pip install --upgrade pip setuptools && python3 -m pip install -r requirements.txt
       - name: Update catalogs
         run: |
           rm -rf "catalogs/${NIST_CATALOG_NAME}"
@@ -40,16 +40,24 @@ jobs:
           rm -rf "profiles/${FEDRAMP_PROFILE_NAME}"
           trestle import -f "https://raw.githubusercontent.com/GSA/fedramp-automation/${FEDRAMP_REPO_REF}/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json" -o "${FEDRAMP_PROFILE_NAME}"
           trestle href --name "${FEDRAMP_PROFILE_NAME}" -hr "trestle://catalogs/${NIST_CATALOG_NAME}/catalog.json"
+      - name: Configure git to trust the github workspace
+        run: |
+          git config --global --add safe.directory "${GITHUB_WORKSPACE}"
       - name: Update content
-        uses: RedHatProductSecurity/trestle-bot/actions/[email protected]
+        uses: peter-evans/[email protected]
         with:
-          markdown_path: "markdown/profiles"
-          oscal_model: "profile"
-          file_pattern: "*.json"
-          branch: "autoupdate-${{ github.run_id }}"
-          target_branch: "main"
-          skip_assemble: true
-          skip_regenerate: true
-          commit_user_name: "trestle-bot[bot]"
-          commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"
-          github_token: ${{ steps.get_installation_token.outputs.token }}
+          base: main
+          branch: "oscal-update-${{ github.run_id }}"
+          delete-branch: true
+          commit-message: "Update OSCAL content from upstream"
+          title: "Update upstream OSCAL content from usnistogv and GSA"
+          token: ${{ steps.get_installation_token.outputs.token }}
+          body: |
+            Updates upstream OSCAL content
+            - usnistgov NIST 800-53
+            - GSA FedRAMP OSCAL profiles
+
+            Auto-generated by the `update-upstream` workflow.
+          add-paths: |
+            "catalogs/${NIST_CATALOG_NAME}"
+            "profiles/${FEDRAMP_PROFILE_NAME}"