Updated Flow

auth0 · Oct 29, 2024 · c7aec0d · c7aec0d
1 parent 2383604
commit c7aec0d
Show file tree

Hide file tree

Showing 3 changed files with 119 additions and 32 deletions.
diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
@@ -0,0 +1,71 @@
+name: "Reversing Labs Scanner"
+description: "Runs the Reversing Labs scanner on a specified artifact."
+inputs:
+  artifact-path:
+    description: "Path to the artifact to be scanned."
+    required: true
+  version:
+    description: "Version of the artifact."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.10"
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        pip install boto3 requests
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+        aws-region: us-east-1
+        mask-aws-account-id: true
+
+    - name: Install RL Wrapper
+      shell: bash
+      run: |
+        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+
+    - name: Run RL Scanner
+      shell: bash
+      env:
+        RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+        PYTHONUNBUFFERED: 1
+      run: |
+        if [ ! -f "${{ inputs.artifact-path }}" ]; then
+          echo "Artifact not found: ${{ inputs.artifact-path }}"
+          exit 1
+        fi
+
+        rl-wrapper \
+          --artifact "${{ inputs.artifact-path }}" \
+          --name "${{ github.event.repository.name }}" \
+          --version "${{ inputs.version }}" \
+          --repository "${{ github.repository }}" \
+          --commit "${{ github.sha }}" \
+          --build-env "github_actions" \
+          --suppress_output
+
+        # Check the outcome of the scanner
+        if [ $? -ne 0 ]; then
+          echo "RL Scanner failed."
+          echo "scan-status=failed" >> $GITHUB_ENV
+          exit 1
+        else
+          echo "RL Scanner passed."
+          echo "scan-status=success" >> $GITHUB_ENV
+        fi
+
+outputs:
+  scan-status:
+    description: "The outcome of the scan process."
+    value: ${{ env.scan-status }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -11,6 +11,18 @@ permissions:
   id-token: write # Required for trusted publishing to PyPI
 
 jobs:
+  rl-scanner:
+  uses: ./.github/workflows/rl-scanner.yml
+  with:
+    node-version: 18
+    artifact-name: "auth0-python.tgz"
+  secrets:
+    RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+    RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+    SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+    PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+    PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+    PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
   publish-pypi:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"
@@ -23,7 +35,7 @@ jobs:
         with:
           fetch-depth: 0
           fetch-tags: true
-          
+
       # Get the version from the branch name
       - id: get_version
         uses: ./.github/actions/get-version

diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml
@@ -1,20 +1,31 @@
 name: RL-Secure Workflow
-run-name: rl-scanner-only
+name: RL-Secure Workflow
 
 on:
-  merge_group:
-  workflow_dispatch:
-  push:
-    branches: ["main"]
-  pull_request:
-    types:
-      - opened
-      - synchronize
+  workflow_call:
+    inputs:
+      python-version:
+        required: true
+        type: string
+      artifact-name:
+        required: true
+        type: string
+    secrets:
+      RLSECURE_LICENSE:
+        required: true
+      RLSECURE_SITE_KEY:
+        required: true
+      SIGNAL_HANDLER_TOKEN:
+        required: true
+      PRODSEC_TOOLS_USER:
+        required: true
+      PRODSEC_TOOLS_TOKEN:
+        required: true
+      PRODSEC_TOOLS_ARN:
+        required: true
 
 jobs:
   checkout-build-scan-only:
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
 
     permissions:
@@ -30,7 +41,7 @@ jobs:
       - name: Configure Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.10"
+          python-version: ${{ inputs.python-version }}
 
       - name: Configure dependencies
         run: |
@@ -50,32 +61,25 @@ jobs:
 
       - name: Create tgz build artifact
         run: |
-          tar -czvf auth0-python.tgz *
+          tar -czvf ${{ inputs.artifact-name }} *
 
       - name: Get Artifact Version
         id: get_version
         run: echo "version=$(cat .version)" >> $GITHUB_ENV
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+      - name: Run RL Scanner
+        id: rl-scan-conclusion
+        uses: ./.github/actions/rl-scanner
         with:
-          role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
-          aws-region: us-east-1
-          mask-aws-account-id: true
-
-      - name: Run Reversing Labs Wrapper Scanner
+          artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
+          version: "${{ steps.get_version.outputs.version }}"
         env:
           RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
           RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
           SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-          WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
-          PYTHONUNBUFFERED: 1
-        run: |
-          pip install rl-wrapper --index-url $WRAPPER_INDEX_URL && \
-          rl-wrapper \
-            --artifact "$(pwd)/auth0-python.tgz" \
-            --name "${{ github.event.repository.name }}" \
-            --version "${{ steps.get_version.outputs.version }}" \
-            --repository "${{ github.repository }}" \
-            --commit "${{ github.sha }}" \
-            --build-env "github_action"
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+      - name: Output scan result
+        run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV