From 2ab1a2be6b3e9038bbbe52a1600bfdb3c1c7a039 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Fri, 23 Sep 2022 12:33:05 -0400 Subject: [PATCH 1/4] Update content-artifact content generation workflow. Make the oscal-content generation GHA workflow act similarly to the usnistgov/OSCAL repository and update relevant third-party Actions with tested releases from that repo as well. --- .github/workflows/content-artifacts.yml | 55 +++++++++++++++++-------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index ae6db777..c8b862fb 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -15,12 +15,13 @@ env: OSCAL_DIR_PATH: oscal CICD_DIR_PATH: oscal/build/ci-cd CONTENT_CONFIG_PATH: src/config + JAVA_CLASSPATH: ${{ github.workspace}}/lib SAXON_VERSION: 9.9.0-1 HOME_REPO: usnistgov/oscal-content jobs: validate-and-publish-content: name: Check, Convert and Validate Content - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: # use this if checkout needs to be authenticated - uses: actions/checkout@v2 
@@ -35,40 +36,58 @@ jobs: with: path: git-content submodules: recursive - # job-validate-content + - name: Set env + run: | + echo "SAXON_HOME=${JAVA_CLASSPATH}" >> $GITHUB_ENV + echo "CALABASH_HOME=${JAVA_CLASSPATH}" >> $GITHUB_ENV - name: Update APT package metadata run: | sudo rm -rf /var/lib/apt/lists/* && sudo apt-get update - name: Install APT dependencies run: | sudo apt-get install libxml2-utils - - name: Install NPM dependencies + - name: Set up NodeJS + uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 + with: + node-version-file: git-content/${{ env.OSCAL_DIR_PATH }}/build/.nvmrc + cache: 'npm' + cache-dependency-path: '**/package-lock.json' + - name: Setup Dependencies run: | - sudo npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x" yaml-convert@"^1.0.x" - - name: Set up JDK 11 - uses: actions/setup-java@v1 + # NodeJS + # If you are a developer and need to modify the workflow, be sure to review + # the package.json and package-lock.json to ensure the following deps are + # at least installed (they will be updated by dependabot): + # - ajv-cli + # - ajv-formats + # - markdown-link-check + # - yaml-convert + npm ci + echo "$PWD/node_modules/.bin/" >> $GITHUB_PATH + working-directory: git-content/${{ env.OSCAL_DIR_PATH }}/build + - name: Set up JDK + uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf with: java-version: 11 - - name: Cache Maven packages - uses: actions/cache@v2 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - name: Get Saxon-HE + distribution: 'temurin' + cache: 'maven' + - name: Install JDK Deps Saxon and XML Calabash run: | - mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:get -DartifactId=Saxon-HE -DgroupId=net.sf.saxon -Dversion=$SAXON_VERSION + mkdir -p "${JAVA_CLASSPATH}" + mvn dependency:copy-dependencies -DoutputDirectory="${JAVA_CLASSPATH}" + working-directory: git-content/${{ 
env.OSCAL_DIR_PATH }}/build - name: Set up Python 3.x - uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 # current release v3.1.2 + uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 with: python-version: '3.8' architecture: 'x64' cache: 'pip' cache-dependency-path: | - git-content/${{ env.CICD_DIR_PATH }}/python/requirements.txt + git-content/${{ env.CICD_DIR_PATH }}/python/requirements.txt - name: Install Python dependencies run: | - pip install -r "${GITHUB_WORKSPACE}/git-content/${CICD_DIR_PATH}/python/requirements.txt" + pip install -r requirements.txt + working-directory: git-content/${{ env.CICD_DIR_PATH }}/python - name: Validate Content run: # mkdir -p "${OSCAL_BUILD_DIR_PATH}" @@ -80,7 +99,7 @@ jobs: - name: Publish Artifacts # only do this on main if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main' - uses: stefanzweifel/git-auto-commit-action@v4.5.1 + uses: stefanzweifel/git-auto-commit-action@6c32682a4040e023c054b2fc60a7cf65cc77f7ad with: repository: git-content push_options: --force From e491bc1ac5c3c14edfe144e09981dd681840e9f9 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 27 Sep 2022 16:29:51 -0400 Subject: [PATCH 2/4] Move up OSCAL submodule for current stable OSCAL We need to do this to pull in the new Maven-based pom.xml dependency management strategy, this is not in 1.0.2. In current master of usnistgov/OSCAL, the necessary pom.xml for Maven was introduced and has not been modified in the current commit on master: 9365874bfccfa385beaea64a2333b9913cdb0beb. --- oscal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oscal b/oscal index bfcd0082..9365874b 160000 --- a/oscal +++ b/oscal @@ -1 +1 @@ -Subproject commit bfcd0082bd4c08e16c7d5f5515adc5c858e8308e +Subproject commit 9365874bfccfa385beaea64a2333b9913cdb0beb From 75d9ca07d09c7cceba59277da251d3ebdf2132fe Mon Sep 17 00:00:00 2001 
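Review bot: The `Get Saxon-HE` line removed here was the only visible reader of `SAXON_VERSION`, yet that variable stays in `env:` in the first hunk, so the Saxon version the workflow advertises no longer controls what `mvn dependency:copy-dependencies` actually drops into `${JAVA_CLASSPATH}` (the submodule's `pom.xml` does); either delete the variable or comment that the pom is authoritative, unless a step outside this hunk still reads it. The replacement also drops the explicit `maven-dependency-plugin:2.10` coordinate, so the plugin version now floats unless the submodule pom pins it — `mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:copy-dependencies -DoutputDirectory="${JAVA_CLASSPATH}"` keeps it reproducible. The `setup-python` step loses its `# current release v3.1.2` comment while the new `setup-node` and `setup-java` SHA pins carry none; keep a trailing `# vX.Y.Z` on every SHA pin so a reviewer can map hash to release and Dependabot can keep the comment in step. `npm ci` followed by `echo "$PWD/node_modules/.bin/" >> $GITHUB_PATH` installs and then front-loads onto PATH whatever the submodule's lockfile resolves, for all later steps, which is only acceptable if submodule pointer bumps are reviewed as dependency updates. The hunk ends inside the `Validate Content` step, whose body is outside the diff.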
From: Alexander Stein Date: Tue, 27 Sep 2022 18:02:03 -0400 Subject: [PATCH 3/4] [skip ci] Add Dependabot config for GHA and submodule updates. --- .github/dependabot.yml | 15 +++++++++++++++ .github/workflows/content-artifacts.yml | 10 +++++----- .github/workflows/issue-triage.yml | 4 ++-- .github/workflows/labels.yml | 4 ++-- oscal | 2 +- 5 files changed, 25 insertions(+), 10 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..28c2d4cf --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ + +version: 2 +updates: + + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "daily" + target-branch: "develop" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + target-branch: "develop" diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index c8b862fb..c73ef9bf 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -24,14 +24,14 @@ jobs: runs-on: ubuntu-20.04 steps: # use this if checkout needs to be authenticated - - uses: actions/checkout@v2 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main' with: path: git-content submodules: recursive token: ${{ secrets.COMMIT_TOKEN }} # use this if checkout is anonymous - - uses: actions/checkout@v2 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 if: github.repository != env.HOME_REPO || github.ref != 'refs/heads/main' with: path: git-content @@ -47,7 +47,7 @@ jobs: run: | sudo apt-get install libxml2-utils - name: Set up NodeJS - uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 + uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 with: node-version-file: git-content/${{ env.OSCAL_DIR_PATH }}/build/.nvmrc cache: 'npm' 
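Review bot: Setting `target-branch: "develop"` on both entries means, per Dependabot's documented behaviour, that these settings no longer govern security-update pull requests, which are raised against the default branch with defaults — worth a comment in the file if that is intended. The `gitsubmodule` entry will move the `oscal` pointer daily, and `content-artifacts.yml` runs `npm ci` and `mvn dependency:copy-dependencies` out of that submodule, so each such PR is effectively a third-party dependency update and should be reviewed as one; `open-pull-requests-limit: 5` (or similar) bounds the churn. Note also that the `Publish Artifacts` step only runs on `main`, so a bumped pin never reaches the publishing job until develop is merged forward. As a style point the new file opens with a blank line before `version: 2`; start it with `---` or with `version:` on line 1.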
@@ -66,7 +66,7 @@ jobs: echo "$PWD/node_modules/.bin/" >> $GITHUB_PATH working-directory: git-content/${{ env.OSCAL_DIR_PATH }}/build - name: Set up JDK - uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf + uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d with: java-version: 11 distribution: 'temurin' @@ -99,7 +99,7 @@ jobs: - name: Publish Artifacts # only do this on main if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main' - uses: stefanzweifel/git-auto-commit-action@6c32682a4040e023c054b2fc60a7cf65cc77f7ad + uses: stefanzweifel/git-auto-commit-action@fd157da78fa13d9383e5580d1fd1184d89554b51 with: repository: git-content push_options: --force diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml index 6f0ee38f..d9fc7664 100644 --- a/.github/workflows/issue-triage.yml +++ b/.github/workflows/issue-triage.yml @@ -11,7 +11,7 @@ jobs: if: github.event.action == 'opened' steps: - name: Add New Issues to Issue Triage Board - uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729 # current tag: v2 + uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729 with: project-name: Issue Triage column-name: Needs Triage @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest if: github.event.action == 'closed' steps: - - uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488 #current tag: v0.8.1 + - uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488 with: project: Issue Triage column: Done diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 2380a2c9..668edbfa 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml 
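Review bot: Both hunks in `issue-triage.yml` leave the SHAs unchanged and only delete the `# current tag: v2` and `#current tag: v0.8.1` comments, which removes the sole human-readable record of which upstream release each pin came from. That comment is what a reviewer uses to verify a hash against the tag, and what Dependabot's github-actions updater rewrites alongside the SHA, so keep it: `uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729 # v2` and `uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488 # v0.8.1`. These are third-party (non-`actions/*`) actions, where traceability of the pinned revision matters most.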
@@ -12,7 +12,7 @@ jobs: name: DefaultLabelsActions runs-on: ubuntu-latest steps: - - uses: actions/checkout@1.0.0 - - uses: lannonbr/issue-label-manager-action@2.0.0 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + - uses: lannonbr/issue-label-manager-action@7890981d0e8f2922211a7fe2c391c53cb3037cb4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/oscal b/oscal index 9365874b..3f52405f 160000 --- a/oscal +++ b/oscal @@ -1 +1 @@ -Subproject commit 9365874bfccfa385beaea64a2333b9913cdb0beb +Subproject commit 3f52405faa6e6f0879a41e5333061a63a0945a09 From 70b509a7877f4e8df8ab4c5f46c82ee5a3a135a1 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 1 Nov 2022 14:26:14 -0400 Subject: [PATCH 4/4] Final updates to GHA deps before re-review. --- .github/workflows/content-artifacts.yml | 4 ++-- .github/workflows/issue-triage.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index c73ef9bf..8ec945fb 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -66,7 +66,7 @@ jobs: echo "$PWD/node_modules/.bin/" >> $GITHUB_PATH working-directory: git-content/${{ env.OSCAL_DIR_PATH }}/build - name: Set up JDK - uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d + uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc with: java-version: 11 distribution: 'temurin' @@ -99,7 +99,7 @@ jobs: - name: Publish Artifacts # only do this on main if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/main' - uses: stefanzweifel/git-auto-commit-action@fd157da78fa13d9383e5580d1fd1184d89554b51 + uses: stefanzweifel/git-auto-commit-action@0049e3fa4059ca715255fbbcb7dea4516f02ce0a with: repository: git-content push_options: --force diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml index d9fc7664..ae1ff7bd 100644 
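Review bot: Replacing the mutable `1.0.0` / `2.0.0` tags with commit SHAs is the right change, but neither new pin names the release it was taken from, so the jump from `actions/checkout@1.0.0` to `93ea575c…` (presumably a v3.x checkout) cannot be checked without leaving the diff; add `# vX.Y.Z` comments here as elsewhere. The job passes `secrets.GITHUB_TOKEN` to `lannonbr/issue-label-manager-action` through `env:`; if the workflow does not already declare `permissions:` (its top is outside the hunk), scope the token to what label management needs, e.g. `permissions: { issues: write, contents: read }`. The patch subject carries `[skip ci]`, so none of the re-pinned revisions were exercised on this push and should be confirmed by a manual run before relying on them.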
--- a/.github/workflows/issue-triage.yml +++ b/.github/workflows/issue-triage.yml @@ -11,7 +11,7 @@ jobs: if: github.event.action == 'opened' steps: - name: Add New Issues to Issue Triage Board - uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729 + uses: peter-evans/create-or-update-project-card@5eacbbd224b7814354861b555cc18a8359e2cebe with: project-name: Issue Triage column-name: Needs Triage @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest if: github.event.action == 'closed' steps: - - uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488 + - uses: alex-page/github-project-automation-plus@1f8873e97e3c8f58161a323b7c568c1f623a1c4d with: project: Issue Triage column: Done