Skip to content

Update third-party rules #1213

Update third-party rules

Update third-party rules #1213

Workflow file for this run

# Copyright 2024 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: Update third-party rules
on:
workflow_dispatch:
schedule:
- cron: "0 */12 * * *"
env:
CGO_ENABLED: "1"
GO_RELEASE: "go-1.26"
YARA_X_RELEASE: "1.19.0"
permissions: {}
jobs:
update:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest-arm-16-core
container:
image: cgr.dev/chainguard/wolfi-base:latest@sha256:9a74366aa10eff2bf14dab0948123bd2c51703e1c553a73740ef687f723aecf4
options: >-
--cap-add DAC_OVERRIDE
--cap-add SETGID
--cap-add SETUID
--cap-drop ALL
--cgroupns private
--cpu-shares=16384
--memory-swappiness=0
--security-opt no-new-privileges
--ulimit core=0
--ulimit nofile=65535:65535
--ulimit nproc=65535:65535
permissions:
contents: write
id-token: write
pull-requests: write
steps:
- name: Install dependencies
run: |
apk update
apk add bash curl findutils gcc gh git gnutar "${GO_RELEASE}" make nodejs perl pkgconf upx xz "yara-x~${YARA_X_RELEASE}"
- uses: chainguard-dev/actions/setup-gitsign@f0be69916b439d0fcced2451b23d0f27cd46d545 # main
- name: Set up Octo-STS
uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
id: octo-sts
with:
scope: chainguard-dev/malcontent
identity: third-party
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
# zizmor: ignore[artipacked] - credentials needed for git push and gh pr create
with:
token: ${{ steps.octo-sts.outputs.token }}
- name: Trust repository
run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
- name: Get Go cache paths
id: go-env
run: |
echo "modcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
- name: Cache Go dependencies
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
${{ steps.go-env.outputs.modcache }}
${{ steps.go-env.outputs.cache }}
key: go-${{ hashFiles('go.sum') }}
restore-keys: go-
- name: Get samples commit
id: samples
run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT"
- name: Cache malcontent samples
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: out/chainguard-sandbox/malcontent-samples
key: samples-${{ steps.samples.outputs.commit }}
- name: Prepare samples
run: make samples
- name: Auto-pin YARAForge SHA256 for latest release
run: |
set -euo pipefail
SCRIPT=third_party/yara/update.sh
REL=$(basename "$(curl -fLs -o /dev/null -w '%{url_effective}' https://github.com/YARAHQ/yara-forge/releases/latest)")
if grep -q "^YARAFORGE_FULL_ZIP_SHA256_${REL}=" "${SCRIPT}"; then
echo "YARAForge pin already present for release ${REL}"
exit 0
fi
TMP=$(mktemp -d)
trap 'rm -rf "${TMP}"' EXIT
curl -fL -o "${TMP}/yaraforge.zip" "https://github.com/YARAHQ/yara-forge/releases/download/${REL}/yara-forge-rules-full.zip"
SHA=$(sha256sum "${TMP}/yaraforge.zip" | awk '{print $1}')
REL="${REL}" SHA="${SHA}" perl -i -pe '
s|^# yara-forge-rules-full\.zip \@ release tag \d+$|# yara-forge-rules-full.zip \@ release tag $ENV{REL}|;
s|^YARAFORGE_FULL_ZIP_SHA256_\d+="[0-9a-f]+"$|YARAFORGE_FULL_ZIP_SHA256_$ENV{REL}="$ENV{SHA}"|;
' "${SCRIPT}"
echo "Updated YARAForge pin to release ${REL} (sha256: ${SHA})"
shell: bash
- name: Run make update-third-party
run: |
make update-third-party
- name: Run make refresh-test-data
run: |
make refresh-sample-testdata
- name: Commit changes and create PR
env:
GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
run: |
if [[ -n $(git status -s) ]]; then
DATE=$(date +%F)
BRANCH="third-party-rule-update-${DATE}"
git checkout -b "${BRANCH}"
git add .
git commit -m "Update third-party rules as of ${DATE}"
git push origin "${BRANCH}"
gh pr create -t "Update third-party rules as of ${DATE}" -b "${DATE} third-party rule update for malcontent." -B main -H "${BRANCH}"
fi
shell: bash