RedHatProductSecurity · jpower432 · Dec 13, 2023 · Dec 8, 2023
@@ -12,9 +12,6 @@ jobs:
   update:
     name: Regenerate content
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
       - name: Generate app token
         uses: tibdex/[email protected]

@@ -7,18 +7,33 @@ jobs:
   update:
     name: Run update
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
+      - name: Generate app token
+        uses: tibdex/[email protected]
+        id: get_installation_token
+        with: 
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          permissions: >-
+            {"contents": "write", "pull_requests": "write"}
       - name: Clone
         uses: actions/checkout@v4
-      - name: Set up Python 3.8
-        uses: actions/setup-python@v4
         with:
-          python-version: 3.8
+          token: ${{ steps.get_installation_token.outputs.token }}
       - name: Update from upstream repo
-        run: bash ./vendor/scripts/update-from-upstream.sh -b "main" -r "https://github.com/RedHatProductSecurity/oscal-profiles" -a "$ACTOR" -p "*.json" -i catalogs -i profiles
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTOR: "${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>"
+        run: bash ./scripts/update-from-upstream.sh -b "main" -r "https://github.com/RedHatProductSecurity/oscal-profiles" -p "*.json" -i catalogs -i profiles
+      - uses: peter-evans/[email protected]
+        with:
+          base: main
+          branch: autoupdate-${{ github.run_id }}
+          delete-branch: true
+          commit-message: "Update vendored OSCAL content"
+          title: "Update vendored OSCAL content"
+          body: |
+            This PR updates content from https://github.com/RedHatProductSecurity/oscal-profiles.
+            "Automatically generated by the [update-profiles](.github/workflows/update-profiles.yml) workflow."
+          add-paths: |
+            catalogs/
+            profiles/
+          token: ${{ steps.get_installation_token.outputs.token }}
+          committer: trestle-bot[bot] <136850459+trestle-bot[bot]@users.noreply.github.com>
@@ -3,10 +3,7 @@ ENABLE_LINTERS:
   - REPOSITORY_GITLEAKS
   - ACTION_ACTIONLINT
   - MARKDOWN_MARKDOWNLINT
-
-DISABLE_ERRORS_LINTERS:
-  - MAKEFILE_CHECKMAKE
-  - REPOSITORY_KICS
   - BASH_SHELLCHECK
+  - REPOSITORY_KICS
 
-FILTER_REGEX_EXCLUDE: (vendor/)
+REPOSITORY_KICS_ARGUMENTS: "--fail-on high"
@@ -2,12 +2,8 @@
 
 Q: How do I update the catalogs in this workspace?
 
-A: This is managed through GitHub Actions. The workflow file is located [here](../.github/workflows/update-nist.yml). It can be run [manually](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow).
+A: This is managed through GitHub Actions. The workflow file is located [here](../.github/workflows/update-profiles.yml). It can be run [manually](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow).
 
 Q: How do I update profiles in this workspace?
 
-A: This is managed through GitHub Actions. The workflow file is located [here](../.github/workflows/update-fedramp.yml). It can be run [manually](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow).
-
-Q: How do I update the vendor directory?
-
-A: The vendor directory is managed as a git subtree. To pull the latest commit from main on the [`oscal-automation-libs`](https://github.com/RedHatProductSecurity/oscal-automation-libs.git) repository, run `make update-subtree`.
+A: This is managed through GitHub Actions. The workflow file is located [here](../.github/workflows/update-profile.yml). It can be run [manually](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow).
@@ -6,34 +6,53 @@ set -eu
 # Script: update-from-upstream.sh
 # Description: Clones a git repository at a specific branch based on an argument input.
 #              It copies if any files matching a pattern to the current directory
-#              If the files have been updated and creates a branch and GitHub pull request.
 # Usage: ./update-from-upstream.sh -b <branch> -r <repo_url> -p <pattern1>...[-i include_dir1]
 # Note: Useful for keeping upstream profiles and catalogs up to date
 ####################################################
 
-# shellcheck disable=SC2128
-SCRIPT_DIR="$(realpath "$(dirname "$BASH_SOURCE")")"
+function run_log () {
+  if [[ $1 == 0 ]]; then
+    echo ">>  INFO: $2"
+  elif [[ $1 != 0 ]]; then
+    echo ">>  ERROR: $2"
+    exit 1
+  fi
+}
+
+# Function to clone a git repository
+function clone_repo() {
+    local BRANCH="${1:?branch is required}"
+    local REPO="${2:?repository is required}"
+    local DIR="${3:-"."}"
+    echo "git clone --branch $BRANCH $REPO $DIR"
+    git clone --branch "$BRANCH" "$REPO" "$DIR"
+}
+
+# Function to generate the destination path based on the source path while removing specified parent directories
+function generate_destination_path() {
+    local SOURCE_PATH="${1:?"source directory is required"}"
+    local remove_dirs=("${@:2}")
 
-# shellcheck disable=SC1091
-source "$SCRIPT_DIR/logging.sh"
-# shellcheck disable=SC1091
-source "$SCRIPT_DIR/auto-commit-push.sh"
+    # Iterate over the remove_dirs array and remove each specified parent directory from the source path
+    for dir in "${remove_dirs[@]}"; do
+        SOURCE_PATH=${SOURCE_PATH#"$dir/"}
+    done
 
+    echo "$SOURCE_PATH"
+}
 
 function main() {
     # Default include directories
     DEFAULT_INCLUDE_DIRS=()
     BRANCH=""
     REPO_URL=""
-    AUTHOR=""
     patterns=()
 
     # Parse command line options
-    while getopts ":b:r:a:p:i:" opt; do
+    while getopts ":b:r:p:i:" opt; do
         case $opt in
             b) BRANCH="$OPTARG";;
             r) REPO_URL="$OPTARG";;
-            a) AUTHOR="$OPTARG";;
             p) patterns+=("$OPTARG");;
             i) include_dirs+=("$OPTARG");;
             \?) echo "Invalid option -$OPTARG" >&2; exit 1;;
@@ -42,17 +61,13 @@ function main() {
 
     # Check if required arguments are provided
     if [ -z "$BRANCH" ] || [ -z "$REPO_URL" ] || [ ${#patterns[@]} -eq 0 ]; then
-    echo "Usage: update-from-upstream.sh -b branch -r repo_url -a author -p pattern1 -p pattern2 ... [-i include_dir1] [-i include_dir2] ..."
+    echo "Usage: update-from-upstream.sh -b branch -r repo_url -p pattern1 -p pattern2 ... [-i include_dir1] [-i include_dir2] ..."
     exit 1
     fi
 
     # Set default value for include_dirs if not provided
     include_dirs=("${include_dirs[@]:-${DEFAULT_INCLUDE_DIRS[@]}}")
 
-    local COMMIT_TITLE="Sync OSCAL Content"
-    local COMMIT_BODY="chore: updates from upstream $REPO_URL"
-    git checkout -b "autoupdate_$GITHUB_RUN_ID"
-
     tmpdir=$(mktemp -d)
     run_log 0 "Created $tmpdir"
     clone_repo "$BRANCH" "$REPO_URL" "$tmpdir"
@@ -79,20 +94,6 @@ function main() {
             done
         done
     done
-
-    if [ -n "$(git status --porcelain)" ]; then
-
-        add_files "${patterns[@]}"
-
-        if [ -n "$(git status --untracked-files=no --porcelain)" ]; then
-            local_commit "$COMMIT_BODY" "$AUTHOR"
-            create_branch_pull_request "autoupdate_$GITHUB_RUN_ID" "$COMMIT_TITLE" "$COMMIT_BODY"
-        else
-            run_log 0 "Nothing to commit."
-        fi
-    else
-        run_log 0 "Nothing to commit."
-    fi
 }
 
 main "$@"