Skip to content

Commit

Permalink
added RL changes
Browse files Browse the repository at this point in the history
  • Loading branch information
tanya732 committed Nov 11, 2024
1 parent d5c05d7 commit 87f8126
Show file tree
Hide file tree
Showing 15 changed files with 492 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
@@ -1 +1 @@
* @auth0/dx-sdks-engineer
* @auth0/project-dx-sdks-engineer-codeowner
30 changes: 30 additions & 0 deletions .github/actions/get-prerelease/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Return a boolean indicating if the version contains prerelease identifiers

#
# Returns a simple true/false boolean indicating whether the version indicates it's a prerelease or not.
#
# TODO: Remove once the common repo is public.
#

inputs:
version:
required: true

outputs:
prerelease:
value: ${{ steps.get_prerelease.outputs.PRERELEASE }}

runs:
using: composite

steps:
- id: get_prerelease
shell: bash
run: |
if [[ "${VERSION}" == *"beta"* || "${VERSION}" == *"alpha"* ]]; then
echo "PRERELEASE=true" >> $GITHUB_OUTPUT
else
echo "PRERELEASE=false" >> $GITHUB_OUTPUT
fi
env:
VERSION: ${{ inputs.version }}
42 changes: 42 additions & 0 deletions .github/actions/get-release-notes/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Return the release notes extracted from the body of the PR associated with the release.

#
# Returns the release notes from the content of a pull request linked to a release branch. It expects the branch name to be in the format release/vX.Y.Z, release/X.Y.Z, release/vX.Y.Z-beta.N. etc.
#
# TODO: Remove once the common repo is public.
#
inputs:
version:
required: true
repo_name:
required: false
repo_owner:
required: true
token:
required: true

outputs:
release-notes:
value: ${{ steps.get_release_notes.outputs.RELEASE_NOTES }}

runs:
using: composite

steps:
- uses: actions/github-script@v7
id: get_release_notes
with:
result-encoding: string
script: |
const { data: pulls } = await github.rest.pulls.list({
owner: process.env.REPO_OWNER,
repo: process.env.REPO_NAME,
state: 'all',
head: `${process.env.REPO_OWNER}:release/${process.env.VERSION}`,
});
core.setOutput('RELEASE_NOTES', pulls[0].body);
env:
GITHUB_TOKEN: ${{ inputs.token }}
REPO_OWNER: ${{ inputs.repo_owner }}
REPO_NAME: ${{ inputs.repo_name }}
VERSION: ${{ inputs.version }}
21 changes: 21 additions & 0 deletions .github/actions/get-version/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Return the version extracted from the branch name

#
# Returns the version from the .version file.
#
# TODO: Remove once the common repo is public.
#

outputs:
version:
value: ${{ steps.get_version.outputs.VERSION }}

runs:
using: composite

steps:
- id: get_version
shell: bash
run: |
VERSION=$(head -1 .version)
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
39 changes: 39 additions & 0 deletions .github/actions/maven-publish/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Publish release to Java

inputs:
ossr-username:
required: true
ossr-token:
required: true
signing-key:
required: true
signing-password:
required: true
java-version:
required: true

runs:
using: composite

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Java
shell: bash
run: |
curl -s "https://get.sdkman.io" | bash
source "/home/runner/.sdkman/bin/sdkman-init.sh"
sdk list java
sdk install java ${{ inputs.java-version }} && sdk default java ${{ inputs.java-version }}
- uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # [email protected]

- name: Publish Android/Java Packages to Maven
shell: bash
run: ./gradlew publish -PisSnapshot=false --stacktrace
env:
MAVEN_USERNAME: ${{ inputs.ossr-username }}
MAVEN_PASSWORD: ${{ inputs.ossr-token }}
SIGNING_KEY: ${{ inputs.signing-key}}
SIGNING_PASSWORD: ${{ inputs.signing-password}}
47 changes: 47 additions & 0 deletions .github/actions/release-create/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Create a GitHub release

#
# Creates a GitHub release with the given version.
#
# TODO: Remove once the common repo is public.
#

inputs:
token:
required: true
files:
required: false
name:
required: true
body:
required: true
tag:
required: true
commit:
required: true
draft:
default: false
required: false
prerelease:
default: false
required: false
fail_on_unmatched_files:
default: true
required: false

runs:
using: composite

steps:
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
with:
body: ${{ inputs.body }}
name: ${{ inputs.name }}
tag_name: ${{ inputs.tag }}
target_commitish: ${{ inputs.commit }}
draft: ${{ inputs.draft }}
prerelease: ${{ inputs.prerelease }}
fail_on_unmatched_files: ${{ inputs.fail_on_unmatched_files }}
files: ${{ inputs.files }}
env:
GITHUB_TOKEN: ${{ inputs.token }}
66 changes: 66 additions & 0 deletions .github/actions/rl-scanner/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
name: 'Reversing Labs Scanner'
description: 'Runs the Reversing Labs scanner on a specified artifact.'
inputs:
artifact-path:
description: 'Path to the artifact to be scanned.'
required: true
version:
description: 'Version of the artifact.'
required: true

runs:
using: 'composite'
steps:
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'

- name: Install Python dependencies
shell: bash
run: |
pip install boto3 requests
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
aws-region: us-east-1
mask-aws-account-id: true

- name: Install RL Wrapper
shell: bash
run: |
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
- name: Run RL Scanner
shell: bash
env:
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
PYTHONUNBUFFERED: 1
run: |
if [ ! -f "${{ inputs.artifact-path }}" ]; then
echo "Artifact not found: ${{ inputs.artifact-path }}"
exit 1
fi
rl-wrapper \
--artifact "${{ inputs.artifact-path }}" \
--name "${{ github.event.repository.name }}" \
--version "${{ inputs.version }}" \
--repository "${{ github.repository }}" \
--commit "${{ github.sha }}" \
--build-env "github_actions" \
--suppress_output
# Check the outcome of the scanner
if [ $? -ne 0 ]; then
echo "RL Scanner failed."
echo "scan-status=failed" >> $GITHUB_ENV
exit 1
else
echo "RL Scanner passed."
echo "scan-status=success" >> $GITHUB_ENV
fi
outputs:
scan-status:
description: 'The outcome of the scan process.'
value: ${{ env.scan-status }}
36 changes: 36 additions & 0 deletions .github/actions/tag-exists/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: Return a boolean indicating if a tag already exists for the repository

#
# Returns a simple true/false boolean indicating whether the tag exists or not.
#
# TODO: Remove once the common repo is public.
#

inputs:
token:
required: true
tag:
required: true

outputs:
exists:
description: 'Whether the tag exists or not'
value: ${{ steps.tag-exists.outputs.EXISTS }}

runs:
using: composite

steps:
- id: tag-exists
shell: bash
run: |
GET_API_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/git/ref/tags/${TAG_NAME}"
http_status_code=$(curl -LI $GET_API_URL -o /dev/null -w '%{http_code}\n' -s -H "Authorization: token ${GITHUB_TOKEN}")
if [ "$http_status_code" -ne "404" ] ; then
echo "EXISTS=true" >> $GITHUB_OUTPUT
else
echo "EXISTS=false" >> $GITHUB_OUTPUT
fi
env:
TAG_NAME: ${{ inputs.tag }}
GITHUB_TOKEN: ${{ inputs.token }}
84 changes: 84 additions & 0 deletions .github/workflows/java-release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
name: Create Java and GitHub Release

on:
workflow_call:
inputs:
java-version:
required: true
type: string

secrets:
ossr-username:
required: true
ossr-token:
required: true
signing-key:
required: true
signing-password:
required: true
github-token:
required: true

### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.

jobs:
release:
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
runs-on: ubuntu-latest
environment: release

steps:
# Checkout the code
- uses: actions/checkout@v4
with:
fetch-depth: 0

# Get the version from the branch name
- id: get_version
uses: ./.github/actions/get-version

# Get the prerelease flag from the branch name
- id: get_prerelease
uses: ./.github/actions/get-prerelease
with:
version: ${{ steps.get_version.outputs.version }}

# Get the release notes
- id: get_release_notes
uses: ./.github/actions/get-release-notes
with:
token: ${{ secrets.github-token }}
version: ${{ steps.get_version.outputs.version }}
repo_owner: ${{ github.repository_owner }}
repo_name: ${{ github.event.repository.name }}

# Check if the tag already exists
- id: tag_exists
uses: ./.github/actions/tag-exists
with:
tag: ${{ steps.get_version.outputs.version }}
token: ${{ secrets.github-token }}

# If the tag already exists, exit with an error
- if: steps.tag_exists.outputs.exists == 'true'
run: exit 1

# Publish the release to Maven
- uses: ./.github/actions/maven-publish
with:
java-version: ${{ inputs.java-version }}
ossr-username: ${{ secrets.ossr-username }}
ossr-token: ${{ secrets.ossr-token }}
signing-key: ${{ secrets.signing-key }}
signing-password: ${{ secrets.signing-password }}

# Create a release for the tag
- uses: ./.github/actions/release-create
with:
token: ${{ secrets.github-token }}
name: ${{ steps.get_version.outputs.version }}
body: ${{ steps.get_release_notes.outputs.release-notes }}
tag: ${{ steps.get_version.outputs.version }}
commit: ${{ github.sha }}
prerelease: ${{ steps.get_prerelease.outputs.prerelease }}
Loading

0 comments on commit 87f8126

Please sign in to comment.