cisagov · ahuynhMITRE · May 6, 2024 · Mar 21, 2024 · Mar 21, 2024 · Mar 25, 2024
diff --git a/.github/workflows/publish_package.yaml b/.github/workflows/publish_package.yaml
diff --git a/.github/workflows/publish_private_package.yaml b/.github/workflows/publish_private_package.yaml
@@ -0,0 +1,99 @@
+# Purpose: Publish nightly to a a private gallery just to make
+# sure that the code can be published.  This is like a
+# smoke test.
+
+name: Publish Private Package
+
+on:
+  schedule:
+    - cron: "23 0 * * *" # Execute each day at 00:23 UTC
+  workflow_dispatch:
+  # for testing
+  # push:
+  #   paths:
+  #     - ".github/workflows/publish_private_package.yaml"
+  #     - "utils/DeployUtils.ps1"
+
+env:
+  GalleryName: PrivateScubaGearGallery
+
+jobs:
+  publish:
+    name: Publish to Private Gallery
+    runs-on: windows-latest
+    environment: Development
+    permissions:
+      id-token: write
+      contents: write
+    defaults:
+      run:
+        shell: powershell
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: repo
+      - name: Install Azure Signing Tool
+        run: |
+          dotnet --version
+          dotnet tool install --global AzureSignTool --version 4.0.1
+      # OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
+      - name: Login to Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+      - name: Create Private Gallery
+        run: |
+          cd repo
+          . utils/DeployUtils.ps1
+          New-PrivateGallery -GalleryName $env:GalleryName -Trusted
+      - name: Get Key Vault Info
+        id: key-vault-info
+        env:
+          KEY_VAULT_INFO: ${{ secrets.SCUBA_KEY_VAULT_PROD}}
+        run: |
+          $KeyVaultInfo = ${env:KEY_VAULT_INFO} | ConvertFrom-Json
+          echo "KeyVaultUrl=$($KeyVaultInfo.KeyVault.URL)" >> $env:GITHUB_OUTPUT
+          echo "KeyVaultCertificateName=$($KeyVaultInfo.KeyVault.CertificateName)" >> $env:GITHUB_OUTPUT
+      - name: Sign and Publish Module
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            # Source the deploy utilities so the functions in it can be called.
+            . repo/utils/DeployUtils.ps1
+            # Remove non-release files
+            Remove-Item -Recurse -Force repo -Include .git*
+            # Setup the parameters
+            $Parameters = @{
+              AzureKeyVaultUrl = '${{ steps.key-vault-info.outputs.KeyVaultUrl }}'
+              CertificateName = '${{ steps.key-vault-info.outputs.KeyVaultCertificateName }}'
+              ModulePath = 'repo/PowerShell/ScubaGear'
+              GalleryName = $env:GalleryName
+            }
+            # This publishes to a private gallery.
+            Publish-ScubaGearModule @Parameters
+          azPSVersion: "latest"
+      - name: Test Module Publish
+        run: |
+          Get-Location
+          $TestContainers = @()
+          $TestContainers += New-PesterContainer -Path "repo/Testing/Functional/BuildTest" -Data @{ }
+          $PesterConfig = @{
+            Run = @{
+              Container = $TestContainers
+            }
+            Output = @{
+              Verbosity = 'Detailed'
+            }
+          }
+          $Config = New-PesterConfiguration -Hashtable $PesterConfig
+          Invoke-Pester -Configuration $Config
+      # This is a manual test that writes the version to the console.
+      - name: Print Scuba Version
+        run: |
+          Install-Module -Name ScubaGear -SkipPublisherCheck
+          # Import-Module -Name ScubaGear
+          Invoke-SCuBA -Version
diff --git a/.github/workflows/publish_public_package.yaml b/.github/workflows/publish_public_package.yaml
@@ -0,0 +1,106 @@
+# Purpose: Publish on demand to the real gallery (PSGallery).
+
+name: Publish Public Package
+
+on:
+  workflow_dispatch:
+    inputs:
+      OverrideModuleVersion:
+        description: "Override the version of the release. Restricted to SemVer 1.0 - 3 segments"
+        required: false
+        type: string
+      IsPrerelease:
+        description: "Is this a prerelease"
+        required: false
+        type: boolean
+        default: false
+      PrereleaseTag:
+        description: "The prerelease tag: (-)?[0-9A-Za-z]+ (e.g. -alpha1, -rc2, b1234)"
+        required: false
+        type: string
+  # for testing
+  # push:
+  #   paths:
+  #     - ".github/workflows/publish_public_package.yaml"
+  #     - "utils/DeployUtils.ps1"
+
+jobs:
+  publish:
+    name: Publish to PSGallery
+    runs-on: windows-latest
+    environment: Development
+    permissions:
+      id-token: write
+      contents: write
+    defaults:
+      run:
+        shell: powershell
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: repo
+      - name: Install Azure Signing Tool
+        run: |
+          dotnet --version
+          dotnet tool install --global AzureSignTool --version 4.0.1
+      # OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
+      - name: Login to Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+      - name: Get Key Vault info
+        id: key-vault-info
+        env:
+          KEY_VAULT_INFO: ${{ secrets.SCUBA_KEY_VAULT_PROD}}
+        run: |
+          $KeyVaultInfo = ${env:KEY_VAULT_INFO} | ConvertFrom-Json
+          echo "KeyVaultUrl=$($KeyVaultInfo.KeyVault.URL)" >> $env:GITHUB_OUTPUT
+          echo "KeyVaultCertificateName=$($KeyVaultInfo.KeyVault.CertificateName)" >> $env:GITHUB_OUTPUT
+      - name: Sign and Publish Module
+        run: |
+          # Source the deploy utilities so the functions in it can be called.
+          . repo/utils/DeployUtils.ps1
+          # Remove non-release files
+          Remove-Item -Recurse -Force repo -Include .git*
+          # Extract the API key used to publish to PSGallery
+          $ApiKey = az keyvault secret show --id '${{ steps.key-vault-info.outputs.KeyVaultUrl }}/secrets/ScubaGear-PSGAllery-API-Key' --query value -o tsv
+          if (-Not $ApiKey)
+          {
+            Write-Error "Failed to retrieve API key"
+          }
+          # Setup the parameters
+          $Parameters = @{
+            AzureKeyVaultUrl = '${{ steps.key-vault-info.outputs.KeyVaultUrl }}'
+            CertificateName = '${{ steps.key-vault-info.outputs.KeyVaultCertificateName }}'
+            ModulePath = 'repo/PowerShell/ScubaGear'
+            GalleryName = 'PSGallery'
+            NuGetApiKey = $ApiKey
+          }
+          # if ('true' -eq '${{ inputs.IsPrerelease }}')
+          # {
+          #   $Parameters.Add('PrereleaseTag', '${{ inputs.PrereleaseTag }}')
+          # }
+          # if (-Not [string]::IsNullOrEmpty('${{ inputs.OverrideModuleVersion }}'))
+          # {
+          #   $Parameters.Add('OverrideModuleVersion', '${{ inputs.OverrideModuleVersion }}')
+          # }
+          # This publishes to PSGallery.
+          Publish-ScubaGearModule @Parameters
+      # This is a manual test that simply writes the version to the console
+      - name: Print Scuba Version
+        run: |
+          if ('true' -eq '${{ inputs.IsPrerelease }}')
+          {
+            $Version = '${{ inputs.OverrideModuleVersion }}' + '${{ inputs.PrereleaseTag }}'
+            Write-Host "Checking for prerelease with required version: " + $Version
+            Find-Module -Name ScubaGear -RequiredVersion $Version -AllowPrerelease
+          }
+          else
+          {
+            Write-Host "Installing latest version"
+            Find-Module -Name ScubaGear
+          }
diff --git a/.github/workflows/run_module_version_bump.yml b/.github/workflows/run_module_version_bump.yml
@@ -0,0 +1,111 @@
+name: Module Version Bump
+
+on:
+  workflow_dispatch:
+    inputs:
+      newVersionNumber:
+        description: "New Version number (e.g., 1.2.4)"
+        required: true
+        type: string
+
+jobs:
+  module-version-bump:
+    runs-on: windows-latest
+    env:
+      NEW_VERSION_NUMBER: ${{ inputs.newVersionNumber }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Bump ScubaGear Version Number
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          #
+          # Replace ScubaGear module version in the manifest.
+          #
+          $ManifestPath = '.\PowerShell\ScubaGear\ScubaGear.psd1'
+          $VersionRegex = "\'\d+\.\d+\.\d+\'"
+          $PreviousVersion = ''
+          (Get-Content -Path $ManifestPath) | ForEach-Object {
+            $ModuleVersionRegex = $_ -match "ModuleVersion = $($VersionRegex)"
+            if ($ModuleVersionRegex) {
+                $_ -match $VersionRegex | Out-Null
+                $PreviousVersion = $matches[0] -replace "'", ""
+                $_ -replace $VersionRegex, "'${env:NEW_VERSION_NUMBER}'"
+            }
+            else {
+              $_
+            }
+          } | Set-Content -Path $ManifestPath
+
+          #
+          # Replace ScubaGear module version in the README
+          #
+          $READMEPath = '.\README.md'
+          $BadgeRegex = "ScubaGear-v\d+\.\d+\.\d+"
+          $ZipRegex = "ScubaGear-v\d+\-\d+\-\d+.zip"
+          $ZipVerReplace = "ScubaGear-v${env:NEW_VERSION_NUMBER}" -replace '\.', '-'
+          $ZipVerReplace = $ZipVerReplace + '.zip'
+          (Get-Content -Path $READMEPath) | ForEach-Object {
+            $BadgeVerMatch = $_ -match $BadgeRegex
+            $ZipVerMatch = $_ -match $ZipRegex
+            if ($BadgeVerMatch) {
+              $_ -replace $BadgeRegex, "ScubaGear-v${env:NEW_VERSION_NUMBER}"
+            }
+            elseif ($ZipVerMatch) {
+              $_ -replace $ZipRegex, $ZipVerReplace
+            }
+            else {
+              $_
+            }
+          } | Set-Content -Path $READMEPath
+
+          #
+          # Create the PR body
+          #
+          $PRTemplatePath = '.\.github\pull_request_template.md'
+
+          $Description = '<!-- Describe the "what" of your changes in detail. -->'
+          $Motivation = '<!-- Why is this change required\? -->'
+          $Testing = '<!-- see how your change affects other areas of the code, etc. -->'
+          $RemoveHeader = '# <!-- Use the title to describe PR changes in the imperative mood --> #'
+
+          $NewDescription = "- This PR was create by a GitHub Action to bump ScubaGear's module version in the manifest and the README.`n - Please fill out the rest of the template that the Action did not cover. `n"
+          $NewMotivation = "- Bump ScubaGear's module version to v${env:NEW_VERSION_NUMBER} before the next release`n"
+          $NewTesting = "- A human should still check if the version bumping was successful by running ScubaGear.`n"
+
+          $PRTemplateContent = (Get-Content -Path $PRTemplatePath) | ForEach-Object {
+            $DescriptionRegex = $_ -match $Description
+            $MotivationRegex = $_ -match $Motivation
+            $TestingRegex = $_ -match $Testing
+            $RemoveHeaderRegex = $_ -match $RemoveHeader # removes unneeded new line
+            if ($DescriptionRegex) {
+                  $_ -replace $Description, $NewDescription
+            }
+            elseif ($MotivationRegex) {
+                  $_ -replace $Motivation, $NewMotivation
+            }
+            elseif ($TestingRegex) {
+                $_ -replace $Testing, $NewTesting
+            }
+            elseif ($RemoveHeaderRegex) {
+              $_ -replace $RemoveHeader, ""
+            }
+            else {
+              $_ + "`n"
+            }
+          }
+
+          # Create the PR
+          $ScubaGearVersionBumpBranch = "scubagear-version-bump-${env:NEW_VERSION_NUMBER}"
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Action"
+          git checkout -b $ScubaGearVersionBumpBranch
+          git add .
+          git commit -m "Update ScubaGear version to ${env:NEW_VERSION_NUMBER}"
+          git push origin $ScubaGearVersionBumpBranch
+          gh pr create -B main -H $ScubaGearVersionBumpBranch --title "Bump ScubaGear module version from v$($PreviousVersion) to v${env:NEW_VERSION_NUMBER}" --body "${PRTemplateContent}" --label "version bump"
diff --git a/.github/workflows/run_pipeline.yaml b/.github/workflows/run_pipeline.yaml
@@ -7,77 +7,23 @@ on:
   push:
   pull_request:
   workflow_dispatch:
-    inputs:
-      # When set to true, it will run every step in the pipeline, regardless of
-      # what files have changed.
-      doEverything:
-        description: "Run every workflow in the pipeline."
-        required: false
-        type: boolean
-        default: true
 
 jobs:
-  test-files:
-    name: Test for Changes
-    runs-on: ubuntu-latest
-    # This condition prevents duplicate runs.
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-      - name: Check for Changes
-        uses: dorny/paths-filter@v3
-        id: file-changes
-        with:
-          base: ${{ github.ref }}
-          filters: |
-            yaml-files:
-              - added|modified: "**.yml"
-              - added|modified: "**.yaml"
-            powershell-files:
-              - added|modified: "**.ps1"
-              - added|modified: "**.psm1"
-              - added|modified: "**.psd1"
-              - added|modified: "**.pssc"
-              - added|modified: "**.psrc"
-              - added|modified: "**.ps1xml"
-              - added|modified: "**.cdxml"
-            markdown-files:
-              - added|modified: "PowerShell/ScubaGear/baselines/*.md"
-            rego-files:
-              - added|modified: "**.rego"
-    outputs:
-      yaml-changes: ${{ steps.file-changes.outputs.yaml-files || inputs.doEverything }}
-      powershell-changes: ${{ steps.file-changes.outputs.powershell-files || inputs.doEverything }}
-      markdown-changes: ${{ steps.file-changes.outputs.markdown-files || inputs.doEverything }}
-      rego-changes: ${{ steps.file-changes.outputs.rego-files || inputs.doEverything }}
   lint-yaml:
     name: Lint
-    needs:
-      - test-files
-    if: needs.test-files.outputs.yaml-changes == 'true'
     uses: ./.github/workflows/lint_yaml.yaml
   lint-powershell:
     name: Lint
-    needs:
-      - test-files
-    if: needs.test-files.outputs.powershell-changes == 'true'
     uses: ./.github/workflows/lint_powershell.yaml
+  scan-secret:
+    name: Security
+    uses: ./.github/workflows/run_secret_scan.yaml
   syntax:
     name: Syntax
-    needs:
-      - test-files
-    if: needs.test-files.outputs.markdown-changes == 'true'
     uses: ./.github/workflows/syntax_check_markdown.yaml
   unit-powershell:
     name: Unit
-    needs:
-      - test-files
-    if: needs.test-files.outputs.powershell-changes == 'true'
     uses: ./.github/workflows/unit_test_powershell.yaml
   unit-opa:
     name: Unit
-    needs:
-      - test-files
-    if: needs.test-files.outputs.rego-changes == 'true'
     uses: ./.github/workflows/unit_test_opa.yaml