defenseunicorns · mjnagel · Jul 19, 2024 · Jun 19, 2024 · Jun 28, 2024 · Jun 28, 2024
@@ -0,0 +1,51 @@
+name: Notify Lula
+description: "Comment on PR to notify Lula Team"
+
+
+inputs:
+  state:
+    description: 'state of the comment update'
+    required: true
+    default: ''
+  flavor:
+    description: 'flavor of the comment update'
+    required: true
+    default: ''
+  ghToken:
+    description: 'GITHUB_TOKEN'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Find Comment
+      uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
+      id: fc
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: Compliance ${{ inputs.flavor }} Evaluation
+        token: ${{ inputs.ghToken }}
+
+    - name: Create comment
+      if: ${{ steps.fc.outputs.comment-id == '' && inputs.state == 'failure'}}
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        token: ${{ inputs.ghToken }}
+        body: |
+          Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }}
+
+          CC: @defenseunicorns/lula-dev
+
+    - name: Update comment
+      if: ${{ steps.fc.outputs.comment-id != '' }}
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      with:
+        comment-id: ${{ steps.fc.outputs.comment-id }}
+        token: ${{ inputs.ghToken }}
+        edit-mode: replace
+        body: |
+          Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }}
+
+          CC: @defenseunicorns/lula-dev
@@ -35,6 +35,12 @@ runs:
       # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
       run: brew install defenseunicorns/tap/uds@0.12.0
 
+    - name: Install Lula
+      uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c
+      with:
+        # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced
+        version: v0.4.1
+
     - name: Iron Bank Login
       if: ${{ inputs.registry1Username != '' }}
       env:

@@ -0,0 +1,75 @@
+name: Compliance Evaluation
+
+on:
+  # Manual trigger
+  workflow_dispatch:
+    inputs:
+      flavor:
+        type: string
+        description: "Flavor of the source package to test"
+        required: true
+    # Triggered by pull-request-conditionals.yaml
+  workflow_call:
+    inputs:
+      flavor:
+        type: string
+        description: "Flavor of the source package to test"
+        required: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  evaluate:
+    runs-on: ubuntu-latest
+    name: Evaluate
+    continue-on-error: true
+    # env:
+    #   UDS_PKG: ${{ inputs.package }}
+    steps:
+      # Used to execute the uds run command
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+
+      - name: review compliance directory
+        run: ls -al ./compliance/
+        shell: bash
+
+      - name: remove overlapping file
+        run: rm ./compliance/oscal-assessment-results.yaml
+        shell: bash
+
+      - name: Download assessment
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ inputs.flavor }}-assessment-results
+          path: ./compliance
+
+      - name: review compliance directory again
+        run: ls -al ./compliance/
+        shell: bash
+
+      - name: Evaluate compliance
+        id: compliance-evaluation
+        run: uds run test-compliance-evaluate --no-progress
+
+      # steps in this action only run when there has been a previous failure - will indicate success thereafter
+      # need to think about how much noise this could create - noise currently = good
+      - name: Notify Lula Team of Compliance Assessment Results
+        if: ${{ always() }}
+        uses: ./.github/actions/notify-lula
+        with:
+          state: ${{ steps.compliance-evaluation.outcome }}
+          flavor: ${{ inputs.flavor }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Evaluated Assessment
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: ${{ inputs.flavor }}-assessment-results
+          path: ./compliance/oscal-assessment-results.yaml
+          overwrite: true
@@ -0,0 +1,56 @@
+name: Lint OSCAL Files
+
+on:
+  pull_request:
+    # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
+    types: [milestoned, opened, reopened, synchronize]
+    paths:
+      - '**/*oscal*.yaml'
+
+permissions:
+  contents: read
+
+jobs:
+
+  check-oscal-paths:
+    runs-on: ubuntu-latest
+    name: OSCAL Change Detection
+    outputs:
+      oscal: ${{ steps.path-filter.outputs.oscal }}
+      oscal_files: ${{ steps.path-filter.outputs.oscal_files }}
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # Uses a custom action to filter paths for source packages.
+      - name: Check src paths
+        id: path-filter
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        with:
+          filters: |
+            oscal:
+              - added|modified: "**/*oscal*.yaml"
+          list-files: shell
+
+  lint-oscal:
+    needs: check-oscal-paths
+    if: ${{ needs.check-oscal-paths.outputs.oscal == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      # filter the files to remove not oscal files (such as those titles oscal-* under ./.github)
+      - name: Identify changed OSCAL files
+        id: find_changed_files
+        run: |
+          CHANGED_FILES=$(echo "${{ needs.check-oscal-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true)
+          echo "Changed OSCAL files: $CHANGED_FILES"
+          echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+        shell: bash
+      # checkout for access to the oscal files targeted for linting
+      - name: Checkout the code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Environment setup
+        uses: ./.github/actions/setup
+      # lint the oscal files
+      - name: lint-oscal
+        run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} --no-progress
+        shell: bash
@@ -10,7 +10,7 @@ on:
 permissions:
   id-token: write # Needed for OIDC-related operations.
   contents: read # Allows reading the content of the repository.
-  pull-requests: read # Allows reading pull request metadata.
+  pull-requests: write # Allows writing pull request metadata.
   packages: read # Allows reading the published GHCR packages
 
 # Default settings for all run commands in the workflow jobs.
@@ -86,3 +86,15 @@ jobs:
       flavor: ${{ matrix.flavor }}
       test_type: ${{ matrix.test_type }}
     secrets: inherit # Inherits all secrets from the parent workflow.
+
+  evaluate-package-compliance:
+    needs: run-package-test
+    name: Compliance Evaluation
+    strategy:
+      matrix:
+        flavor: [upstream, registry1, unicorn]
+      fail-fast: false
+    uses: ./.github/workflows/compliance.yaml
+    with:
+      flavor: ${{ matrix.flavor }}
+    secrets: inherit # Inherits all secrets from the parent workflow.
@@ -65,6 +65,17 @@ jobs:
         if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
         run: uds run test-uds-core --set FLAVOR=${{ inputs.flavor }} --no-progress
 
+      - name: Validate UDS Core Compliance
+        if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
+        run: uds run test-compliance-validate --no-progress
+
+      - name: Upload Assessment
+        if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: ${{ inputs.flavor }}-assessment-results
+          path: ./compliance/oscal-assessment-results.yaml
+
       - name: Test UDS Core Upgrade
         if: ${{ inputs.package == 'all' && inputs.test_type == 'upgrade' }}
         run: uds run test-uds-core-upgrade --set FLAVOR=${{ inputs.flavor }} --no-progress