Add OSPS-BR-01 ruletype #23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Minder Apply IaC repo | |
| on: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| apply-iac: | |
| runs-on: ubuntu-latest | |
| name: Apply Minder Policies And RuleTypes | |
| steps: | |
| - name: Fetch ID token | |
| run: | | |
| set -x -e | |
| echo $GITHUB_TOKEN | |
| URL="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=minder" | |
| curl -o .action-token -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" $URL | |
| echo "MINDER_AUTH_TOKEN=$(jq -r .value <.action-token)" >> "$GITHUB_ENV" | |
| - name: Install cosign to verify Minder | |
| uses: sigstore/[email protected] | |
| #- name: Install Minder Client | |
| # uses: stacklok/minder-client-installer@main | |
| - name: Temp Minder install | |
| run: | | |
| shopt -s expand_aliases | |
| if [ -z "$NO_COLOR" ]; then | |
| alias log_info="echo -e \"\033[1;32mINFO\033[0m:\"" | |
| alias log_error="echo -e \"\033[1;31mERROR\033[0m:\"" | |
| else | |
| alias log_info="echo \"INFO:\"" | |
| alias log_error="echo \"ERROR:\"" | |
| fi | |
| set -e | |
| minder_executable_name=minder | |
| mkdir -p "$HOME/.minder" | |
| cd "$HOME/.minder" | |
| echo "$HOME/.minder" >> $GITHUB_PATH | |
| release_version=$(curl -s https://api.github.com/repos/mindersec/minder/releases/latest | jq -r '.tag_name') | |
| # Remove the 'v' prefix from the release version | |
| release_number=$(echo $release_version | sed 's/v//') | |
| log_info "Downloading Minder release version $release_version" | |
| # Determine file name based on OS | |
| compression_extension=".tar.gz" | |
| case ${{ runner.os }} in | |
| Linux|linux) | |
| case ${{ runner.arch }} in | |
| X64|amd64) | |
| desired_minder_filename="minder_${release_number}_linux_amd64" | |
| ;; | |
| ARM64|arm64) | |
| desired_minder_filename="minder_${release_number}_linux_arm64" | |
| ;; | |
| *) | |
| log_error "unsupported architecture ${{ runner.arch }}" | |
| exit 1 | |
| ;; | |
| esac | |
| ;; | |
| esac | |
| # Download the desired release | |
| log_info "Downloading https://github.com/mindersec/minder/releases/download/${release_version}/${desired_minder_filename}${compression_extension}" | |
| curl -fsL https://github.com/mindersec/minder/releases/download/${release_version}/${desired_minder_filename}${compression_extension} -o ${desired_minder_filename}${compression_extension} | |
| log_info "Extracting desired release from ${desired_minder_filename}${compression_extension}" | |
| case ${{ runner.os }} in | |
| Linux|linux) | |
| tar -xzf ${desired_minder_filename}${compression_extension} | |
| ;; | |
| esac | |
| # Make the extracted file executable | |
| log_info "Making extracted file ${minder_executable_name} executable" | |
| chmod +x ${minder_executable_name} | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | |
| - name: Apply Minder ruletypes | |
| env: | |
| MINDER_PROJECT: 52d8c0d5-27ff-420b-852d-4106d21775c7 | |
| # Very temporary! My ngrok endpoint | |
| MINDER_GRPC_SERVER_PORT: 19909 | |
| MINDER_GRPC_SERVER_HOST: 2.tcp.us-cal-1.ngrok.io | |
| MINDER_GRPC_SERVER_INSECURE: true | |
| run: | | |
| minder ruletype apply -f ./rule-types | |
| # Minder ruletype apply takes a directory, but profile apply does not!! | |
| minder profile apply -f ./profiles/enable-auto-apply.yaml |