Skip to content

[aws][feat] Reimplement SSM Compliance resource collection (#2280) #865

[aws][feat] Reimplement SSM Compliance resource collection (#2280)

[aws][feat] Reimplement SSM Compliance resource collection (#2280) #865

Workflow file for this run

name: Publish
on:
push:
tags:
- "*.*.*"
branches:
- main
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.run_id }}
cancel-in-progress: true
jobs:
edge:
name: Update edge docs
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Check out someengineering/docs.fix.security
uses: actions/checkout@v4
with:
repository: someengineering/docs.fix.security
path: docs.fix.security
token: ${{ secrets.SOME_CI_PAT }}
- name: Install dependencies
working-directory: ./docs.fix.security
run: |
yarn install --frozen-lockfile
- name: Wait for AWS policies to be uploaded
if: github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: aws
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update AWS policy JSON
shell: bash
working-directory: ./docs.fix.security/iam/aws
run: |
wget -qO FixOrgList.json https://cdn.some.engineering/fix/aws/edge/FixOrgList.json
wget -qO FixCollect.json https://cdn.some.engineering/fix/aws/edge/FixCollect.json
- name: Wait for GCP policies to be uploaded
if: github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: gcp
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update GCP policy JSON
shell: bash
working-directory: ./docs.fix.security/iam/gcp
run: |
wget -qO fix_access.json https://cdn.some.engineering/fix/gcp/edge/fix_access.json
- name: Clean existing Kroki images
shell: bash
working-directory: ./docs.fix.security/static/img/kroki
run: |
find . -type f -name "*.svg" -prune -exec rm {} \+
- name: Wait for Docker images to build
if: github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: Build split Docker images
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update resource data models
continue-on-error: true
shell: bash
run: |
yq '.services.fixcore.environment += "FIXCORE_MODEL_FROM_PLUGINS=true"' docker-compose.yaml > docker-compose-model-gen.yaml
PSK= FIXCORE_ANALYTICS_OPT_OUT=true docker-compose -f docker-compose-model-gen.yaml up -d
cd ${{ github.workspace }}/docs.fix.security/docs/resources
python3 ${{ github.workspace }}/docs.fix.security/tools/export_models.py
- name: Build
continue-on-error: true
working-directory: ./docs.fix.security
run: |
yarn build
- name: Optimize and format
working-directory: ./docs.fix.security
run: |
yarn optimize
yarn format
- name: Create someengineering/docs.fix.security pull request
uses: peter-evans/create-pull-request@v6
env:
HUSKY: 0
with:
path: docs.fix.security
commit-message: "chore: update documentation"
title: "chore: update documentation"
body: |
Updates documentation to reflect changes in [`${{ github.sha }}`](https://github.com/someengineering/fixinventory/commit/${{ github.sha }}).
labels: |
🤖 bot
branch: some-ci # stable branch name so any additional commits to main update the existing PR instead of creating a new one
delete-branch: true
token: ${{ secrets.SOME_CI_PAT }}
committer: C.K. <[email protected]>
author: C.K. <[email protected]>
- name: Check out someengineering/inventory.fix.security
uses: actions/checkout@v3
with:
repository: someengineering/inventory.fix.security
path: inventory.fix.security
token: ${{ secrets.SOME_CI_PAT }}
- name: Install dependencies
working-directory: ./inventory.fix.security
run: |
yarn install --frozen-lockfile
- name: Update fixcore API YAML
shell: bash
run: |
yq '.servers[0].url = "https://{host}:{port}" | .servers[0].variables.host.default="localhost" | .servers[0].variables.port.default="8900" | del(.servers[0].description)' fixcore/fixcore/static/api-doc.yaml > inventory.fix.security/openapi/fixcore-edge.yml
- name: Regenerate API docs
working-directory: ./inventory.fix.security
run: |
yarn gen-api-docs
- name: Update AWS policy JSON
shell: bash
working-directory: ./inventory.fix.security/iam/aws/edge
run: |
wget -qO FixOrgList.json https://cdn.some.engineering/fix/aws/edge/FixOrgList.json
wget -qO FixCollect.json https://cdn.some.engineering/fix/aws/edge/FixCollect.json
wget -qO FixMutate.json https://cdn.some.engineering/fix/aws/edge/FixMutate.json
- name: Wait for GCP policies to be uploaded
if: github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: gcp
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update GCP policy JSON
shell: bash
working-directory: ./inventory.fix.security/iam/gcp/edge
run: |
wget -qO fix_access.json https://cdn.some.engineering/fix/gcp/edge/fix_access.json
wget -qO fix_mutate.json https://cdn.some.engineering/fix/gcp/edge/fix_mutate.json
- name: Clean existing Kroki images
if: github.event_name == 'workflow_dispatch' # only when triggered manually
shell: bash
working-directory: ./inventory.fix.security/static/img/kroki
run: |
find . -type f -name "*.svg" -prune -exec rm {} \+
- name: Update resource data models
continue-on-error: true
shell: bash
run: |
cd ${{ github.workspace }}/inventory.fix.security/docs/reference/unified-data-model
python3 ${{ github.workspace }}/inventory.fix.security/tools/export_models.py
- name: Build
continue-on-error: true
working-directory: ./inventory.fix.security
run: |
yarn build
- name: Optimize and format
working-directory: ./inventory.fix.security
run: |
yarn optimize
yarn format
- name: Create someengineering/inventory.fix.security pull request
uses: peter-evans/create-pull-request@v6
env:
HUSKY: 0
with:
path: inventory.fix.security
commit-message: "chore: update edge documentation"
title: "chore: update edge documentation"
body: |
Updates `edge` documentation to reflect changes in [`${{ github.sha }}`](https://github.com/someengineering/fixinventory/commit/${{ github.sha }}).
labels: |
🤖 bot
branch: edge # stable branch name so any additional commits to main update the existing PR instead of creating a new one
delete-branch: true
token: ${{ secrets.SOME_CI_PAT }}
committer: C.K. <[email protected]>
author: C.K. <[email protected]>
release:
name: Update stable docs & create release
if: github.ref_type == 'tag' # on tagging of releases and prereleases
runs-on: ubuntu-latest
steps:
- name: Get release tag and type
id: release
shell: bash
run: |
GITHUB_REF="${{ github.ref }}"
tag=${GITHUB_REF##*/}
echo "tag=${tag}" >> $GITHUB_OUTPUT
if [[ ${{ github.ref }} =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "prerelease=false" >> $GITHUB_OUTPUT
echo "docsVersion=$(cut -d '.' -f 1 <<< ${GITHUB_REF##*/}).X" >> $GITHUB_OUTPUT
else
echo "prerelease=true" >> $GITHUB_OUTPUT
fi
- name: Check out repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Check out someengineering/inventory.fix.security
if: steps.release.outputs.prerelease == 'false'
uses: actions/checkout@v3
with:
repository: someengineering/inventory.fix.security
path: inventory.fix.security
token: ${{ secrets.SOME_CI_PAT }}
- name: Install dependencies
if: steps.release.outputs.prerelease == 'false'
working-directory: ./inventory.fix.security
run: |
yarn install --frozen-lockfile
- name: Tag docs version
if: steps.release.outputs.prerelease == 'false'
continue-on-error: true # versioned doc may already exist
working-directory: ./inventory.fix.security
run: |
yarn run docusaurus docs:version "${{ steps.release.outputs.docsVersion }}"
- name: Generate release notes
if: steps.release.outputs.prerelease == 'false'
id: release_notes
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
GITHUB_REF="${{ github.ref }}"
tag=${GITHUB_REF##*/}
version_major=$(cut -d '.' -f 1 <<< ${GITHUB_REF##*/})
prev_release=$(echo $(gh api repos/someengineering/fixinventory/releases) | jq -r "map(select(.tag_name | startswith(\"${version_major}.\")) | select(.prerelease == false))[0].tag_name")
[ -n "$prev_release" ] && prev_release=$(echo $(gh api repos/someengineering/fixinventory/releases/latest) | jq -r '.tag_name')
dir="inventory.fix.security/releases/${{ steps.release.outputs.tag }}"
mkdir -p $dir
file="${dir}/index.mdx"
python3 tools/release_notes.py ${prev_release} ${{ steps.release.outputs.tag }} > $file
link="/releases/${{ steps.release.outputs.tag }}"
echo $(jq '.["${{ steps.release.outputs.docsVersion }}"]="${{ steps.release.outputs.tag }}"' inventory.fix.security/latestRelease.json) > inventory.fix.security/latestRelease.json
echo "tag=${{ steps.release.outputs.tag }}" >> $GITHUB_OUTPUT
echo "file=$file" >> $GITHUB_OUTPUT
echo "link=$link" >> $GITHUB_OUTPUT
- name: Update API YAML
if: steps.release.outputs.prerelease == 'false'
shell: bash
run: |
yq '.servers[0].url = "https://{host}:{port}" | .servers[0].variables.host.default="localhost" | .servers[0].variables.port.default="8900" | del(.servers[0].description)' fixcore/fixcore/static/api-doc.yaml > inventory.fix.security/openapi/fixcore-${{ steps.release.outputs.docsVersion }}.yml
- name: Regenerate API docs
if: steps.release.outputs.prerelease == 'false'
working-directory: ./inventory.fix.security
run: |
yarn gen-api-docs
- name: Wait for AWS policies to be uploaded
if: steps.release.outputs.prerelease == 'false' && github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: aws
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update AWS policy JSON
if: steps.release.outputs.prerelease == 'false'
shell: bash
working-directory: ./inventory.fix.security/iam/aws/${{ steps.release.outputs.docsVersion }}
run: |
wget -qO FixOrgList.json https://cdn.some.engineering/fix/aws/${{ steps.release.outputs.tag }}/FixOrgList.json
wget -qO FixCollect.json https://cdn.some.engineering/fix/aws/${{ steps.release.outputs.tag }}/FixCollect.json
wget -qO FixMutate.json https://cdn.some.engineering/fix/aws/${{ steps.release.outputs.tag }}/FixMutate.json
- name: Wait for GCP policies to be uploaded
if: steps.release.outputs.prerelease == 'false' && github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: gcp
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update GCP policy JSON
if: steps.release.outputs.prerelease == 'false'
shell: bash
working-directory: ./inventory.fix.security/iam/gcp/${{ steps.release.outputs.docsVersion }}
run: |
wget -qO fix_access.json https://cdn.some.engineering/fix/gcp/${{ steps.release.outputs.tag }}/fix_access.json
wget -qO fix_mutate.json https://cdn.some.engineering/fix/gcp/${{ steps.release.outputs.tag }}/fix_mutate.json
- name: Modify Docker Compose YAML
if: steps.release.outputs.prerelease == 'false'
shell: bash
run: |
yq -i '.services.[].image |= sub(":edge", ":${{ steps.release.outputs.tag }}")' docker-compose.yaml
- name: Clean existing Kroki images
if: steps.release.outputs.prerelease == 'false'
shell: bash
working-directory: ./inventory.fix.security/static/img/kroki
run: |
find . -type f -name "*.svg" -prune -exec rm {} \+
- name: Wait for Docker images to build
if: steps.release.outputs.prerelease == 'false' && github.event_name != 'workflow_dispatch'
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: Build split Docker images
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Update resource data models
if: steps.release.outputs.prerelease == 'false'
continue-on-error: true
shell: bash
run: |
yq '.services.fixcore.environment += "FIXCORE_MODEL_FROM_PLUGINS=true"' docker-compose.yaml > docker-compose-model-gen.yaml
PSK= FIXCORE_ANALYTICS_OPT_OUT=true docker-compose -f docker-compose-model-gen.yaml up -d
cd ${{ github.workspace }}/inventory.fix.security/versioned_docs/version-${{ steps.release.outputs.docsVersion }}/reference/unified-data-model
python3 ${{ github.workspace }}/inventory.fix.security/tools/export_models.py
- name: Build
if: steps.release.outputs.prerelease == 'false'
continue-on-error: true
working-directory: ./inventory.fix.security
run: |
yarn build
- name: Optimize and format
if: steps.release.outputs.prerelease == 'false'
working-directory: ./inventory.fix.security
run: |
yarn optimize
yarn format
- name: Create someengineering/inventory.fix.security pull request
if: steps.release.outputs.prerelease == 'false'
uses: peter-evans/create-pull-request@v6
env:
HUSKY: 0
with:
path: inventory.fix.security
commit-message: "chore: ${{ steps.release.outputs.tag }} release"
title: "chore: ${{ steps.release.outputs.tag }} release"
body: |
Adds automatically generated release notes for [`${{ steps.release.outputs.tag }}`](https://github.com/someengineering/fixinventory/releases/tag/${{ steps.release.outputs.tag }}).
Also updates `${{ steps.release.outputs.docsVersion }}` docs.
labels: |
🤖 bot
branch: ${{ steps.release.outputs.tag }}
delete-branch: true
token: ${{ secrets.SOME_CI_PAT }}
committer: C.K. <[email protected]>
author: C.K. <[email protected]>
- name: Write release body
shell: bash
run: |
[ ${{ steps.release.outputs.prerelease }} == 'false' ] && echo -e "### Release Notes\n\nhttps://inventory.fix.security${{ steps.release_notes.outputs.link }}\n" > release_body.txt
echo -e "### Docker Images\n" >> release_body.txt
echo -e "- \`somecr.io/someengineering/fixcore:${{ steps.release.outputs.tag }}\`" >> release_body.txt
echo -e "- \`somecr.io/someengineering/fixworker:${{ steps.release.outputs.tag }}\`" >> release_body.txt
echo -e "- \`somecr.io/someengineering/fixshell:${{ steps.release.outputs.tag }}\`" >> release_body.txt
echo -e "- \`somecr.io/someengineering/fixmetrics:${{ steps.release.outputs.tag }}\`" >> release_body.txt
- name: Create release
uses: ncipollo/release-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
prerelease: ${{ steps.release.outputs.prerelease }}
bodyFile: release_body.txt
artifacts: docker-compose.yaml
# - name: Check out someengineering/helm-charts
# if: steps.release.outputs.prerelease == 'false'
# uses: actions/checkout@v3
# with:
# repository: someengineering/helm-charts
# path: helm-charts
# token: ${{ secrets.SOME_CI_PAT }}
# - name: Get current chart version
# if: steps.release.outputs.prerelease == 'false'
# id: current_chart_version
# shell: bash
# run: |
# echo "result=$(yq '.version' helm-charts/someengineering/fixinventory/Chart.yaml)" >> $GITHUB_OUTPUT
# - name: Get new chart version
# if: steps.release.outputs.prerelease == 'false'
# id: new_chart_version
# uses: WyriHaximus/github-action-next-semvers@v1
# with:
# version: ${{ steps.current_chart_version.outputs.result }}
# - name: Update appVersion and bump chart version
# if: steps.release.outputs.prerelease == 'false'
# shell: bash
# run: |
# yq -i '.version = "${{ steps.new_chart_version.outputs.patch }}" | .appVersion = "${{ steps.release.outputs.tag }}"' helm-charts/someengineering/fixinventory/Chart.yaml
# - name: Set up Helm
# if: steps.release.outputs.prerelease == 'false'
# uses: azure/setup-helm@v1
# with:
# version: v3.8.1
# - name: Install helm-docs
# if: steps.release.outputs.prerelease == 'false'
# uses: supplypike/setup-bin@v1
# with:
# uri: https://github.com/norwoodj/helm-docs/releases/download/v1.11.0/helm-docs_1.11.0_Linux_x86_64.tar.gz
# name: helm-docs
# version: "1.11.0"
# - name: Generate helm-charts README.md
# if: steps.release.outputs.prerelease == 'false'
# run: (cd helm-charts && helm-docs)
# - name: Create someengineering/helm-charts pull request
# if: steps.release.outputs.prerelease == 'false'
# uses: peter-evans/create-pull-request@v6
# with:
# path: helm-charts
# commit-message: "chore: bump Fix Inventory appVersion to ${{ steps.release.outputs.tag }}"
# title: "chore: bump Fix Inventory appVersion to ${{ steps.release.outputs.tag }}"
# body: |
# Bumps Fix Inventory version to [${{ steps.release.outputs.tag }}](https://github.com/someengineering/fixinventory/releases/tag/${{ steps.release.outputs.tag }}).
# labels: |
# 🤖 bot
# branch: ${{ steps.release.outputs.tag }}
# delete-branch: true
# token: ${{ secrets.SOME_CI_PAT }}
# committer: C.K. <[email protected]>
# author: C.K. <[email protected]>