Add OSPS Baseline Level 1 rules. #180
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update | |
on: | |
pull_request: | |
branches: [main] | |
jobs: | |
ruletype-update: | |
runs-on: ubuntu-latest | |
name: Check ruletype validate-update | |
steps: | |
- name: Checkout current | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
with: | |
# See https://stackoverflow.com/a/74268200 -- the PR branch has a single | |
# commit merging the two branches, so we need the last 2 commits. | |
fetch-depth: 2 | |
- name: Checkout comparison branch (main) in subdirectory | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
with: | |
# Checkout the main branch into a subdirectory | |
ref: main | |
path: before_files | |
- name: Set up Go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 | |
with: | |
check-latest: true | |
- name: Determine Changed Files | |
id: changes | |
run: | | |
# Fail the script if any command fails | |
set -e | |
# Show changed files between the current branch and the comparison branch | |
# See https://stackoverflow.com/a/74268200 for why diffing with HEAD^1 is used | |
CHANGED_FILES="$(git diff --name-only -r HEAD^1 HEAD)" | |
if [ -z "$CHANGED_FILES" ]; then | |
echo "No changes found." | |
else | |
echo "Files changed in branch $GITHUB_REF (compared to base):" | |
echo "$CHANGED_FILES" | |
# Set the output to be used in later GitHub Action steps | |
echo "changed_files<<EOF" >> "$GITHUB_OUTPUT" | |
echo "$CHANGED_FILES" >> "$GITHUB_OUTPUT" | |
echo "EOF" >> "$GITHUB_OUTPUT" | |
fi | |
- name: Run go command on each changed file | |
env: | |
CHANGED_FILES: ${{ steps.changes.outputs.changed_files }} | |
run: | | |
# Fail the script if any command fails | |
set -e | |
go install github.com/mindersec/minder/cmd/dev@latest | |
# Loop through the changed files and run the go command for each | |
echo "$CHANGED_FILES" | while read FILE; do | |
echo "Processing file: $FILE" | |
if [[ "$FILE" != *.yaml || "$FILE" == .github/* ]]; then | |
echo "Skipping $FILE..." | |
continue | |
fi | |
# Path to the "before" file in the subdirectory (from main branch) | |
BEFORE_FILE="before_files/$FILE" | |
AFTER_FILE="$FILE" | |
if [ -f "$BEFORE_FILE" ] && [ grep "type: rule-type" "$BEFORE_FILE" ]; then | |
echo "Running ruletype validate-update command for $BEFORE_FILE and $AFTER_FILE..." | |
# Run the go command with the before and after files | |
dev ruletype validate-update --before "$BEFORE_FILE" --after "$AFTER_FILE" | |
else | |
echo "Warning: $BEFORE_FILE does not exist, skipping." | |
fi | |
done |