mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2026-06-11 06:54:15 -04:00
5c654b3da8
- VitePress: custom theme (SF system fonts, glass nav, soft surfaces, pill buttons, light/dark code blocks, refined feature cards, platform showcase + stat strip). - Replace every emoji across docs and README with inline SVG icons. - Verify and fix doc accuracy against actual scripts: JSON schema (category+pattern only), env-var configuration for json2*/import_* scripts, owasp2json CLI surface. - Add public assets (logo.svg, favicon.svg, hero-shield.svg) and Shiki haproxy alias. - Workflows default to self-hosted runner-02 with a configurable fallback to GitHub runners via the RUNS_ON repo variable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
160 lines
5.1 KiB
YAML
160 lines
5.1 KiB
YAML
name: Update Patterns
|
|
|
|
permissions:
|
|
contents: write # Commit changes, push updates
|
|
statuses: write # Update commit statuses
|
|
actions: read # Required for checking out the repository
|
|
packages: write # For GitHub Packages (if used)
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 0 * * *' # Daily at midnight UTC
|
|
workflow_dispatch: # Manual trigger
|
|
|
|
jobs:
|
|
update-owasp-waf:
|
|
runs-on: ${{ fromJSON(vars.RUNS_ON || '["self-hosted","runner-02"]') }}
|
|
|
|
steps:
|
|
- name: 🚚 Checkout Repository
|
|
uses: actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0 # get full git history
|
|
|
|
- name: ⚙️ Set Up Python 3.11
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: '3.11'
|
|
|
|
- name: 📦 Cache pip dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ~/.cache/pip
|
|
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-pip-
|
|
|
|
- name: 📥 Install Dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
|
|
- name: 🕷️ Run OWASP Scraper
|
|
run: python owasp2json.py
|
|
|
|
- name: 🔄 Convert OWASP to Nginx WAF
|
|
run: python json2nginx.py
|
|
|
|
- name: 🔄 Convert OWASP to Apache WAF
|
|
run: python json2apache.py
|
|
|
|
- name: 🔄 Convert OWASP to Traefik WAF
|
|
run: python json2traefik.py
|
|
|
|
- name: 🔄 Convert OWASP to HAProxy WAF
|
|
run: python json2haproxy.py
|
|
|
|
- name: 🔄 Generate Bad Bot Blockers
|
|
run: python badbots.py
|
|
|
|
- name: 🚀 Commit and Push Changes (if any)
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
git add .
|
|
# Check if there are any changes *before* committing.
|
|
if ! git diff --quiet --exit-code; then
|
|
git commit -m "Update WAF rules [$(date +'%Y-%m-%d')]"
|
|
git push
|
|
else
|
|
echo "No changes to commit."
|
|
fi
|
|
continue-on-error: true # Continue even if no changes
|
|
|
|
- name: 📦 Create Zip Archives
|
|
run: |
|
|
mkdir -p dist
|
|
(cd waf_patterns/nginx && zip -r ../../dist/nginx_waf.zip .)
|
|
(cd waf_patterns/apache && zip -r ../../dist/apache_waf.zip .)
|
|
(cd waf_patterns/traefik && zip -r ../../dist/traefik_waf.zip .)
|
|
(cd waf_patterns/haproxy && zip -r ../../dist/haproxy_waf.zip .)
|
|
|
|
- name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist)
|
|
run: |
|
|
# Delete local tag
|
|
git tag -d latest || true
|
|
# Delete remote tag (force)
|
|
git push --delete origin latest || true
|
|
# Delete release, --yes for confirmation
|
|
gh release delete latest --yes || true
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
|
|
- name: 🚀 Create GitHub Release (if previous steps succeeded)
|
|
id: create_release
|
|
if: success() # Only create release if previous steps were successful
|
|
uses: actions/create-release@v1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
tag_name: latest
|
|
release_name: WAF rules (Nginx, Apache, Traefik, Haproxy)
|
|
draft: false
|
|
prerelease: false
|
|
|
|
- name: 📤 Upload Nginx WAF Zip
|
|
if: success()
|
|
uses: actions/upload-release-asset@v1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
|
asset_path: dist/nginx_waf.zip
|
|
asset_name: nginx_waf.zip
|
|
asset_content_type: application/zip
|
|
|
|
- name: 📤 Upload Apache WAF Zip
|
|
if: success()
|
|
uses: actions/upload-release-asset@v1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
|
asset_path: dist/apache_waf.zip
|
|
asset_name: apache_waf.zip
|
|
asset_content_type: application/zip
|
|
|
|
- name: 📤 Upload Traefik WAF Zip
|
|
if: success()
|
|
uses: actions/upload-release-asset@v1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
|
asset_path: dist/traefik_waf.zip
|
|
asset_name: traefik_waf.zip
|
|
asset_content_type: application/zip
|
|
|
|
- name: 📤 Upload HAProxy WAF Zip
|
|
if: success()
|
|
uses: actions/upload-release-asset@v1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
|
asset_path: dist/haproxy_waf.zip
|
|
asset_name: haproxy_waf.zip
|
|
asset_content_type: application/zip
|
|
|
|
- name: 🧹 Clean Up (Optional)
|
|
if: always() # Run cleanup even on failure
|
|
run: rm -rf ~/.cache/pip
|
|
|
|
- name: 🚨 Notify on Failure (Optional)
|
|
if: failure()
|
|
run: |
|
|
echo "🚨 Workflow failed! Please investigate."
|
|
# Example: Send a Slack notification (requires a Slack webhook URL)
|
|
# curl -X POST -H 'Content-type: application/json' --data '{"text":"WAF update workflow failed!"}' ${{ secrets.SLACK_WEBHOOK }}
|