From 96da07bc384a54ac8a827b263b99971681b0690c Mon Sep 17 00:00:00 2001 From: arpit-jain_atko Date: Mon, 21 Oct 2024 14:08:07 +0530 Subject: [PATCH 1/7] SDK-5037: Creating RL workflow for node-auth0 repo --- .github/workflows/rl-secure.yml | 73 +++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 .github/workflows/rl-secure.yml diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml new file mode 100644 index 000000000..adbdfd058 --- /dev/null +++ b/.github/workflows/rl-secure.yml 
@@ -0,0 +1,73 @@
+name: RL-Secure
+run-name: rl-scanner
+
+on:
+ merge_group:
+ workflow_dispatch:
+ push:
+ branches: ['master']
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+jobs:
+ rl-scanner:
+ if: github.event_name == 'workflow_dispatch' ||
+ (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/'))
+ runs-on: ubuntu-latest
+
+ permissions:
+ pull-requests: write
+ id-token: write
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install npm dependencies
+ run: npm ci
+
+ - name: Build Dist Folder
+ run: npm run build
+
+ - name: Create tgz build artifact
+ run: |
+ tar -czvf node-auth0.tgz *
+
+ - name: Get Artifact Version
+ id: get_version
+ run: echo "version=$(cat .version)" >> $GITHUB_ENV
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+
+ - name: Install Python dependencies
+ run: |
+ pip install --upgrade pip
+ pip install boto3 requests
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ aws-region: us-east-1
+ mask-aws-account-id: true
+
+ - name: Run Reversing Labs Wrapper Scanner
+ env:
+ RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+ RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+ SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+ PYTHONUNBUFFERED: 1
+ run: |
+ pip install rl-wrapper --index-url $WRAPPER_INDEX_URL && \
+ rl-wrapper \
+ --artifact "$(pwd)/node-auth0.tgz" \
+ --name "${{ github.event.repository.name }}" \
+ --version "${{ steps.get_version.outputs.version }}" \
+ --repository "${{ github.repository }}" \
+ --commit "${{ github.sha }}" \
+ --build-env "github_action"
From 4d7f5c9d7c1975c5863bafd7c227a1da65e9ee9b Mon Sep 17 00:00:00 2001
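Review bot: The `--version` passed to `rl-wrapper` on the last lines of this hunk will be empty, because `Get Artifact Version` appends `version=...` to `$GITHUB_ENV` (an environment variable) while the scanner step reads `steps.get_version.outputs.version`, which is only populated through `$GITHUB_OUTPUT`; change the step to `run: echo "version=$(cat .version)" >> "$GITHUB_OUTPUT"`. `rl-wrapper` is installed unpinned from the private index, so the tool that gates the scan is not reproducible; pin it (`rl-wrapper==<pinned-version>`, ideally with `--require-hashes`). The `permissions` block grants `pull-requests: write`, which no step uses, and since an explicit block sets every unlisted scope to `none`, `actions/checkout` may need `contents: read` added; `permissions: { contents: read, id-token: write }` is the least-privilege set these steps need.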
From: arpit-jain_atko Date: Fri, 25 Oct 2024 17:55:24 +0530 Subject: [PATCH 2/7] SDK-5037: RL integration: Segregation of RL workflow from release file --- .github/actions/rl-scanner/action.yml | 71 ++++++++++++++++++ .github/workflows/release.yml | 14 ++++ .github/workflows/rl-secure.yml | 102 ++++++++++++-------------- 3 files changed, 133 insertions(+), 54 deletions(-) create mode 100644 .github/actions/rl-scanner/action.yml diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml new file mode 100644 index 000000000..eb0171342 --- /dev/null +++ b/.github/actions/rl-scanner/action.yml 
@@ -0,0 +1,71 @@
+name: 'Reversing Labs Scanner'
+description: 'Runs the Reversing Labs scanner on a specified artifact.'
+inputs:
+ artifact-path:
+ description: 'Path to the artifact to be scanned.'
+ required: true
+ version:
+ description: 'Version of the artifact.'
+ required: true
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.10'
+
+ - name: Install Python dependencies
+ shell: bash
+ run: |
+ pip install boto3 requests
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+ aws-region: us-east-1
+ mask-aws-account-id: true
+
+ - name: Install RL Wrapper
+ shell: bash
+ run: |
+ pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+
+ - name: Run RL Scanner
+ shell: bash
+ env:
+ RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+ RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+ SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+ PYTHONUNBUFFERED: 1
+ run: |
+ if [ ! -f "${{ inputs.artifact-path }}" ]; then
+ echo "Artifact not found: ${{ inputs.artifact-path }}"
+ exit 1
+ fi
+
+ rl-wrapper \
+ --artifact "${{ inputs.artifact-path }}" \
+ --name "${{ github.event.repository.name }}" \
+ --version "${{ inputs.version }}" \
+ --repository "${{ github.repository }}" \
+ --commit "${{ github.sha }}" \
+ --build-env "github_actions" \
+ --suppress_output
+
+ # Check the outcome of the scanner
+ if [ $? -ne 0 ]; then
+ echo "RL Scanner failed."
+ echo "scan-status=failed" >> $GITHUB_ENV
+ exit 1
+ else
+ echo "RL Scanner passed."
+ echo "scan-status=success" >> $GITHUB_ENV
+ fi
+
+outputs:
+ scan-status:
+ description: 'The outcome of the scan process.'
+ value: ${{ env.scan-status }}
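Review bot: In the `Install RL Wrapper` step, `pip install rl-wrapper>=1.0.0 --index-url ...` is unquoted, so bash reads `>=1.0.0` as an output redirection to a file named `=1.0.0` and pip installs an unconstrained `rl-wrapper` with its output hidden; write `pip install 'rl-wrapper>=1.0.0' --index-url "..."` (better an exact `==` pin with hashes, since this tool gates releases). The failure branch in `Run RL Scanner` is unreachable: GitHub runs `shell: bash` steps with `-e`, so a non-zero exit from `rl-wrapper` aborts the script before `if [ $? -ne 0 ]` is evaluated and `scan-status=failed` is never written; capture the status inline, e.g. `status=0; rl-wrapper ... || status=$?`, and branch on `$status`. `${{ inputs.artifact-path }}` is spliced directly into the shell text in three places; passing it through an `env:` variable and referencing `"$ARTIFACT_PATH"` removes the expression-splicing pattern and keeps quoting intact. The `scan-status` output reads `env.scan-status`, which may not resolve for a composite action output; a step `id` writing to `$GITHUB_OUTPUT` and `value: ${{ steps.<id>.outputs.scan-status }}` is the documented mechanism.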
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78f238832..64a9ad96c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,8 +15,22 @@ permissions: ### TODO: Also remove `npm-release` workflow from this repo's .github/workflows folder once the repo is public. jobs: + rl-scanner: + uses: ./.github/workflows/rl-secure.yml + with: + node-version: 18 ## depends if build requires node else we can remove this. + artifact-name: 'node-auth0.tgz' ## Will change respective to Repository + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + release: uses: ./.github/workflows/npm-release.yml + needs: rl-scanner with: node-version: 18 require-build: true diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml index adbdfd058..96c4efbe4 100644 --- a/.github/workflows/rl-secure.yml +++ b/.github/workflows/rl-secure.yml 
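Review bot: The new `rl-scanner` job runs with whatever the workflow-level `permissions` block (named in the hunk header, its scopes outside this hunk) grants the caller, although the scan only needs to read the checkout and request an OIDC token; a job that calls a reusable workflow may narrow the token, so add `permissions: { contents: read, id-token: write }` to `rl-scanner` so that a compromised scanner dependency never holds a write-scoped token. The `scan-status` output exposed by `rl-secure.yml` is never read here; `release` gates only on `needs: rl-scanner`, which is sound only as long as the called job fails on a bad scan, and that intent deserves a comment such as `# release is blocked when the RL scan job fails; scan-status is informational`. The `## depends if build requires node ...` and `## Will change respective to Repository` comments read as working notes rather than documentation and should be resolved or reworded before merge.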
@@ -1,73 +1,67 @@ -name: RL-Secure -run-name: rl-scanner +name: RL-Secure Workflow on: - merge_group: - workflow_dispatch: - push: - branches: ['master'] - pull_request: - types: - - opened - - synchronize + workflow_call: + inputs: + node-version: ## depends if build requires node else we can remove this. + required: true + type: string + artifact-name: + required: true + type: string + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true jobs: rl-scanner: - if: github.event_name == 'workflow_dispatch' || - (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')) + name: Run Reversing Labs Scanner + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest - - permissions: - pull-requests: write - id-token: write + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} steps: - - uses: actions/checkout@v4 - - - name: Install npm dependencies - run: npm ci + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: Build Dist Folder - run: npm run build + - name: Build package + uses: ./.github/actions/build + with: + node: ${{ inputs.node-version }} - name: Create tgz build artifact run: | - tar -czvf node-auth0.tgz * + tar -czvf ${{ inputs.artifact-name }} * - - name: Get Artifact Version - id: get_version - run: echo "version=$(cat .version)" >> $GITHUB_ENV + - id: get_version + uses: ./.github/actions/get-version - - name: Set up Python - uses: actions/setup-python@v4 + - name: Run RL Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner with: - python-version: "3.10" - - - name: Install Python dependencies - run: | - pip install 
--upgrade pip - pip install boto3 requests - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }} - aws-region: us-east-1 - mask-aws-account-id: true - - - name: Run Reversing Labs Wrapper Scanner + artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - PYTHONUNBUFFERED: 1 - run: | - pip install rl-wrapper --index-url $WRAPPER_INDEX_URL && \ - rl-wrapper \ - --artifact "$(pwd)/node-auth0.tgz" \ - --name "${{ github.event.repository.name }}" \ - --version "${{ steps.get_version.outputs.version }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_action" + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file From a374b4b95ef748e2b8308cb738244e68b19c70e5 Mon Sep 17 00:00:00 2001 From: arpit-jain_atko Date: Wed, 30 Oct 2024 16:30:22 +0530 Subject: [PATCH 3/7] Testing RL changes on node-auth0 SDK --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 64a9ad96c..a955a3cdb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,9 @@ on: types: - closed workflow_dispatch: + push: + branches: + - 'reversinglabs-implementation' permissions: contents: write 
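Review bot: `artifact-path: "$(pwd)/${{ inputs.artifact-name }}"` hands the literal text `$(pwd)/...` to the composite action; the workflow engine performs no command substitution in `with:` values, so this only works because the action pastes `inputs.artifact-path` verbatim into a bash script where the substitution then executes, which is exactly the expression-splicing pattern the action should avoid. Use a value the engine resolves: `artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }}`. The final `Output scan result` step writes `scan-status` to `$GITHUB_ENV` after the last step that could read it, while the job already publishes `steps.rl-scan-conclusion.outcome` as its `scan-status` output, so the step is dead and can be removed. The job's `if:` tests `github.event_name`, which in a `workflow_call` context is the calling workflow's event; that is presumably intended, and a one-line comment (`# github.event_name is the calling workflow's event`) would save the next reader the lookup. The hunk covers the whole file, including a `fetch-depth: 0` checkout that no visible step appears to need.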
From 8fa0284b9e6a86a2c9a5605b0a4bb0364fe30217 Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Thu, 31 Oct 2024 13:14:42 +0530 Subject: [PATCH 4/7] Validating workflow --- .github/workflows/rl-secure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml index 96c4efbe4..00c508a0c 100644 --- a/.github/workflows/rl-secure.yml +++ b/.github/workflows/rl-secure.yml @@ -26,7 +26,7 @@ on: jobs: rl-scanner: name: Run Reversing Labs Scanner - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + ### if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }} From a152ff2b0b1a7e5e5cb36e54a815f1e72e6a730e Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Thu, 31 Oct 2024 13:17:28 +0530 Subject: [PATCH 5/7] Validating workflow --- .github/workflows/rl-secure.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml index 00c508a0c..a779604d4 100644 --- a/.github/workflows/rl-secure.yml +++ b/.github/workflows/rl-secure.yml @@ -37,11 +37,6 @@ jobs: with: fetch-depth: 0 - - name: Build package - uses: ./.github/actions/build - with: - node: ${{ inputs.node-version }} - - name: Create tgz build artifact run: | tar -czvf ${{ inputs.artifact-name }} * From 3e0d9860aa7d0f2c58f5224f491cf402b1753032 Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Thu, 31 Oct 2024 13:27:27 +0530 Subject: [PATCH 6/7] Validating workflow --- .github/workflows/rl-secure.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml index a779604d4..171cfbe2f 100644 --- a/.github/workflows/rl-secure.yml +++ b/.github/workflows/rl-secure.yml @@ -37,6 +37,14 @@ jobs: with: fetch-depth: 0 + - name: Install dependencies + shell: bash + run: npm ci --include=dev + + - name: Build + shell: bash + run: npm run build + - name: Create tgz build artifact run: | tar -czvf ${{ inputs.artifact-name }} * From 866370bef3d17529d25b93949cb6d8b33bcc0e91 Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Thu, 31 Oct 2024 13:49:05 +0530 Subject: [PATCH 7/7] Validation done removing testing code --- .github/workflows/release.yml | 3 --- .github/workflows/rl-secure.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a955a3cdb..64a9ad96c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,9 +5,6 @@ on: types: - closed workflow_dispatch: - push: - branches: - - 'reversinglabs-implementation' permissions: contents: write diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml index 171cfbe2f..88efff49c 100644 --- a/.github/workflows/rl-secure.yml +++ b/.github/workflows/rl-secure.yml @@ -26,7 +26,7 @@ on: jobs: rl-scanner: name: Run Reversing Labs Scanner - ### if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }}
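Review bot: With `npm ci --include=dev` now run first, the `tar -czvf ${{ inputs.artifact-name }} *` step just below packs `node_modules` (devDependencies included) into the artifact that is scanned, so the scan covers the whole workspace rather than the package that ships; building the archive with `npm pack` (or the same packaging the release uses) would make the scanned bytes match the published tarball. The two added steps declare `shell: bash` while the neighbouring `Create tgz build artifact` step does not; the job should use one convention. If the build does not depend on dependency lifecycle scripts, `npm ci --include=dev --ignore-scripts` keeps third-party install hooks from executing on a runner that later assumes an AWS role through the scanner action — worth confirming against the project's dependencies. A one-line comment such as `# dev dependencies are needed for npm run build` above `Install dependencies` would explain why a scan job installs them.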