chore: CICD refactor
livehybrid authored Nov 28, 2024
1 parent 0e42dbf commit 3bffc67
Showing 19 changed files with 56 additions and 7,959 deletions.
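--- a/.appinspect.manualcheck.yaml
+++ b/.appinspect.manualcheck.yaml
@@ -0,0 +1,26 @@
+check_for_remote_code_execution_in_javascript:
+comment: 'Manual Check - RCE in Javascript'
+check_built_in_import_function:
+comment: 'Manual Check - built-in import'
+check_for_builtin_functions:
+comment: 'Manual Check - built-in function'
+check_for_data_compression_and_archiving:
+comment: 'Manual Check - Data compression & archiving'
+check_for_file_and_directory_access:
+comment: 'Manual Check - File/Dir access'
+check_for_generic_operating_system_services:
+comment: 'Manual Check - OS Services'
+check_for_importing_modules:
+comment: 'Manual Check - Importing Modules'
+check_for_plain_text_credentials_in_python:
+comment: 'Manual Check - Plain credentials'
+check_for_environment_variable_use_in_python:
+comment: 'Manual Check - ENV Vars in Python'
+check_for_secret_disclosure:
+comment: 'Manual Check - Secret Disclosure'
+check_for_executable_flag:
+comment: 'Manual Check - Executable flag'
+check_for_binary_files_without_source_code:
+comment: 'Manual Check - Binary files without source code'
+check_for_data_persistence:
+comment: 'Manual Check - Data Persistence'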
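Review bot: Every `comment` value only restates the check name, so this file records that checks such as `check_for_plain_text_credentials_in_python`, `check_for_secret_disclosure` and `check_for_remote_code_execution_in_javascript` were downgraded to manual review, but not what was reviewed, by whom, or why the finding is acceptable. Since these entries take the findings out of automated failure, the `comment` should carry the justification, e.g. `comment: 'Manual Check - Plain credentials: reviewed <file> on <date>, matches are test fixtures only'` with the placeholders filled in, and a header comment naming the consuming tool and the date the list was last reviewed would help the next maintainer. In this rendering each `comment:` sits at the same column as its check key; in the committed file it is presumably indented under the check, since otherwise a parser would see twelve duplicate top-level `comment` keys, which is worth confirming.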
119 changes: 27 additions & 92 deletions .github/workflows/build-test.yaml
@@ -1,109 +1,44 @@
name: Splunk App CI/CD

on:
push:
branches:
- "**"
tags:
- "v*.*.*"

permissions:
pull-requests: write
actions: write
checks: write
jobs:
package:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- uses: actions/setup-python@v5
- name: Package app
uses: livehybrid/deploy-splunk-app-action@main
with:
python-version: "3.9"
cache: "poetry"
architecture: "x64"
- name: "Setup Environment"
run: |
poetry install --no-root
- name: Generate Documentation
run: |
cat README.md | sed 's/package\/appserver/appserver/g' > package/README.md
poetry run grip README.md --export README.html --title ""
#poetry run pandoc -s README.html -o package/README.pdf
- name: Generate Addon
run: |
echo "Version is now calculated by ucc-gen"
[ -f ./globalConfig.json ] && poetry run ucc-gen -o output -v || poetry run scripts/build.sh
mv output/$(basename $(pwd)) output/app
# echo "Fix to allow boto3 to be uploaded"
# sed -i.bak -e '267,282d' output/app/lib/botocore/session.py
# rm -f output/app/lib/botocore/session.py.bak
# set -x
# ls *
# rm -rf output/app/lib/3rdparty/**/*.pyc
# rm -rf output/app/lib/3rdparty/linux/nacl/__pycache__/*
# rm -rf output/app/lib/3rdparty/linux/cffi/__pycache__/*
- name: Generating package
run: |
set -x
rm -rf output/app/lib/3rdparty/**/*.pyc || true
rm -rf output/app/lib/__pycache__ || true
mkdir -p dist
poetry run ucc-gen package -o dist --path output/app
- name: Local Inspect package
run: |
PACKAGE_ID=$(basename $(pwd))
PACKAGE=$(ls dist/*)
mkdir -p reports
poetry run splunk-appinspect inspect $PACKAGE --mode=precert --data-format junitxml --output-file reports/$PACKAGE_ID-splunk_appinspect.xml --excluded-tags manual --excluded-tags prerelease --included-tags splunk_appinspect
poetry run splunk-appinspect inspect $PACKAGE --mode=precert --data-format junitxml --output-file reports/$PACKAGE_ID-cloud.xml --excluded-tags manual --excluded-tags prerelease --included-tags cloud
poetry run splunk-appinspect inspect $PACKAGE --mode=precert --data-format junitxml --output-file reports/$PACKAGE_ID-private-victoria.xml --included-tags private_victoria
poetry run splunk-appinspect inspect $PACKAGE --mode=precert --data-format junitxml --output-file reports/$PACKAGE_ID-future.xml --included-tags future
# - name: Run App Inspect CLI
# uses: splunk/[email protected]
# with:
# app_path: $PACKAGE
# included_tags: cloud, splunk_appinspect

- uses: splunk/[email protected]
name: "AppInspect API"
with:
username: "${{ secrets.SPLUNKBASE_USERNAME }}"
password: "${{ secrets.SPLUNKBASE_PASSWORD }}"
app_path: dist
included_tags: "private_victoria,splunk_appinspect,cloud"
excluded_tags: "offensive"

- name: Upload package artifact
uses: actions/upload-artifact@v4
with:
name: dist
path: dist/

- name: Upload Reports
uses: actions/upload-artifact@v4
with:
name: reports
path: reports

publish-gh:
appinspect:
name: quality-appinspect
needs: package
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
container: cimg/go:1.19
uses: livehybrid/deploy-splunk-app-action/.github/workflows/appinspect-cli.yml@main
with:
tags: "cloud,future,private_victoria"
secrets:
token: "${{ secrets.GITHUB_TOKEN }}"

quality-appinspect-api:
name: quality-appinspect-api
needs:
- appinspect
uses: livehybrid/deploy-splunk-app-action/.github/workflows/appinspect-api.yml@main
secrets:
splunkbase_username: ${{ secrets.SPLUNKBASE_USERNAME }}
splunkbase_password: ${{ secrets.SPLUNKBASE_PASSWORD }}

publish-gh:
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Download artifacts
uses: actions/download-artifact@v4
with:
path: .
- uses: ncipollo/release-action@v1
with:
artifacts: "dist/*"
allowUpdates: true
needs:
- appinspect
uses: livehybrid/deploy-splunk-app-action/.github/workflows/publish.yml@main
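Review bot: The three reusable workflows (`appinspect-cli.yml@main`, `appinspect-api.yml@main`, `publish.yml@main`) are referenced by a mutable branch ref while this workflow hands them `secrets.SPLUNKBASE_USERNAME`, `secrets.SPLUNKBASE_PASSWORD` and `secrets.GITHUB_TOKEN`, and the trigger fires on every push to `branches: "**"`, so any change landing on `main` of that external repository runs with those secrets in scope on the next push. Pin each `uses:` to a full commit SHA with the release tag in a trailing comment, e.g. `uses: livehybrid/deploy-splunk-app-action/.github/workflows/publish.yml@<full-commit-sha>  # <release tag>`, and treat `livehybrid/deploy-splunk-app-action@main` in the package job the same way if that step survives on the new side. Without surviving `+`/`-` markers the old/new side of individual lines is inferred from the job structure here. The top-level `permissions` block (`pull-requests: write`, `actions: write`, `checks: write`) also applies to the called workflows; if the reusable workflows do not need all of it, narrowing it per job would reduce what a compromised callee could do with the token.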
2 changes: 1 addition & 1 deletion .uccignore
@@ -1 +1 @@
lib/charset_normalizer/md__mypyc.cpython-*-x86_64-linux-gnu.so
lib/charset_normalizer/**/*.so
Empty file removed deps/.gitkeep
Empty file.
2 changes: 0 additions & 2 deletions package/appserver/static/js/build/0.js

This file was deleted.
