Skip to content

Update content from upstream (NIST and FedRAMP) #7

Update content from upstream (NIST and FedRAMP)

Update content from upstream (NIST and FedRAMP) #7

Workflow file for this run

name: Update content from upstream (NIST and FedRAMP)
on:
workflow_dispatch:
inputs:
fedramp_repo_ref:
required: false
default: "master"
description: GSA/fedramp-automation repository reference
nist_repo_ref:
required: false
default: "master"
description: usnistgov/oscal-content repository reference
fedramp_profile_name:
required: false
default: "fedramp_rev5_high"
description: FedRAMP profile name
nist_catalog_name:
required: false
default: "nist_rev5_800_53"
description: NIST catalog name
jobs:
update:
name: Update content
runs-on: ubuntu-latest
container:
image: quay.io/continuouscompliance/trestle-bot:v0.7.0
steps:
- name: Generate app token
uses: tibdex/[email protected]
id: get_installation_token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}
permissions: >-
{"contents": "write", "pull_requests": "write"}
- name: Clone
uses: actions/checkout@v4
with:
token: ${{ steps.get_installation_token.outputs.token }}
- name: Update catalogs
env:
NIST_REPO_REF: ${{ github.event.inputs.nist_repo_ref }}
NIST_CATALOG_NAME: ${{ github.event.inputs.nist_catalog_name }}
run: |
rm -rf "catalogs/${NIST_CATALOG_NAME}"
trestle import -f "https://raw.githubusercontent.com/usnistgov/oscal-content/${NIST_REPO_REF}/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json" -o "${NIST_CATALOG_NAME}"
- name: Update profiles
env:
FEDRAMP_REPO_REF: ${{ github.event.inputs.fedramp_repo_ref }}
FEDRAMP_PROFILE_NAME: ${{ github.event.inputs.fedramp_profile_name }}
NIST_CATALOG_NAME: ${{ github.event.inputs.nist_catalog_name }}
run: |
rm -rf "profiles/${FEDRAMP_PROFILE_NAME}"
trestle import -f "https://raw.githubusercontent.com/GSA/fedramp-automation/${FEDRAMP_REPO_REF}/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json" -o "${FEDRAMP_PROFILE_NAME}"
trestle href --name "${FEDRAMP_PROFILE_NAME}" -hr "trestle://catalogs/${NIST_CATALOG_NAME}/catalog.json"
- name: Configure git to trust the github workspace
run: |
git config --global --add safe.directory "${GITHUB_WORKSPACE}"
- name: Update content
uses: peter-evans/[email protected]
id: updates
with:
base: main
branch: "oscal-update-${{ github.run_id }}"
delete-branch: true
commit-message: "Update OSCAL content from upstream"
title: "Update upstream OSCAL content from usnistogv and GSA"
token: ${{ steps.get_installation_token.outputs.token }}
body: |
Updates upstream OSCAL content
- usnistgov NIST 800-53
- GSA FedRAMP OSCAL profiles
Auto-generated by the `update-upstream` workflow.
add-paths: |
"catalogs/${NIST_CATALOG_NAME}"
"profiles/${FEDRAMP_PROFILE_NAME}"
- name: Regenerate profiles
if: ${{ steps.updates.outputs.pull-request-number }}
uses: RedHatProductSecurity/trestle-bot/actions/[email protected]
with:
markdown_path: "markdown/profiles"
oscal_model: "profile"
file_pattern: "markdown/*"
branch: "oscal-update-${{ github.run_id }}"
commit_message: Generating markdown changes [skip ci]
skip_assemble: true
commit_user_name: "trestle-bot[bot]"
commit_user_email: "136850459+trestle-bot[bot]@users.noreply.github.com"