Update content from upstream (NIST and FedRAMP) #7
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update content from upstream (NIST and FedRAMP) | |
on: | |
workflow_dispatch: | |
inputs: | |
fedramp_repo_ref: | |
required: false | |
default: "master" | |
description: GSA/fedramp-automation repository reference | |
nist_repo_ref: | |
required: false | |
default: "master" | |
description: usnistgov/oscal-content repository reference | |
fedramp_profile_name: | |
required: false | |
default: "fedramp_rev5_high" | |
description: FedRAMP profile name | |
nist_catalog_name: | |
required: false | |
default: "nist_rev5_800_53" | |
description: NIST catalog name | |
jobs: | |
update: | |
name: Update content | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/continuouscompliance/trestle-bot:v0.7.0 | |
steps: | |
- name: Generate app token | |
uses: tibdex/[email protected] | |
id: get_installation_token | |
with: | |
app_id: ${{ secrets.APP_ID }} | |
private_key: ${{ secrets.PRIVATE_KEY }} | |
permissions: >- | |
{"contents": "write", "pull_requests": "write"} | |
- name: Clone | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ steps.get_installation_token.outputs.token }} | |
- name: Update catalogs | |
env: | |
NIST_REPO_REF: ${{ github.event.inputs.nist_repo_ref }} | |
NIST_CATALOG_NAME: ${{ github.event.inputs.nist_catalog_name }} | |
run: | | |
rm -rf "catalogs/${NIST_CATALOG_NAME}" | |
trestle import -f "https://raw.githubusercontent.com/usnistgov/oscal-content/${NIST_REPO_REF}/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json" -o "${NIST_CATALOG_NAME}" | |
- name: Update profiles | |
env: | |
FEDRAMP_REPO_REF: ${{ github.event.inputs.fedramp_repo_ref }} | |
FEDRAMP_PROFILE_NAME: ${{ github.event.inputs.fedramp_profile_name }} | |
NIST_CATALOG_NAME: ${{ github.event.inputs.nist_catalog_name }} | |
run: | | |
rm -rf "profiles/${FEDRAMP_PROFILE_NAME}" | |
trestle import -f "https://raw.githubusercontent.com/GSA/fedramp-automation/${FEDRAMP_REPO_REF}/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json" -o "${FEDRAMP_PROFILE_NAME}" | |
trestle href --name "${FEDRAMP_PROFILE_NAME}" -hr "trestle://catalogs/${NIST_CATALOG_NAME}/catalog.json" | |
- name: Configure git to trust the github workspace | |
run: | | |
git config --global --add safe.directory "${GITHUB_WORKSPACE}" | |
- name: Update content | |
uses: peter-evans/[email protected] | |
id: updates | |
with: | |
base: main | |
branch: "oscal-update-${{ github.run_id }}" | |
delete-branch: true | |
commit-message: "Update OSCAL content from upstream" | |
title: "Update upstream OSCAL content from usnistogv and GSA" | |
token: ${{ steps.get_installation_token.outputs.token }} | |
body: | | |
Updates upstream OSCAL content | |
- usnistgov NIST 800-53 | |
- GSA FedRAMP OSCAL profiles | |
Auto-generated by the `update-upstream` workflow. | |
add-paths: | | |
"catalogs/${NIST_CATALOG_NAME}" | |
"profiles/${FEDRAMP_PROFILE_NAME}" | |
- name: Regenerate profiles | |
if: ${{ steps.updates.outputs.pull-request-number }} | |
uses: RedHatProductSecurity/trestle-bot/actions/[email protected] | |
with: | |
markdown_path: "markdown/profiles" | |
oscal_model: "profile" | |
file_pattern: "markdown/*" | |
branch: "oscal-update-${{ github.run_id }}" | |
commit_message: Generating markdown changes [skip ci] | |
skip_assemble: true | |
commit_user_name: "trestle-bot[bot]" | |
commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com" |