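name: Compare DS
# Runs after the "Compare DS Build" workflow finishes. A workflow_run job
# executes in the context of the base repository with a write-capable
# GITHUB_TOKEN, while the triggering run built pull-request code, so every
# artifact downloaded from that run (pr-info, built datastreams) has to be
# treated as attacker-controlled input.
on:
  workflow_run:
    workflows: ["Compare DS Build"]
    types:
      - completed
# Least privilege for the job below:
#   pull-requests: write  create/update/delete the bot comments on the PR
#   contents: read        checkout of this repo and of content-test-filtering
#   actions: read         download artifacts from another workflow run
permissions:
  pull-requests: write
  contents: read
  actions: read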
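jobs:
  build-content:
    name: Generate Diff
    runs-on: ubuntu-latest
    container:
      # NOTE(review): floating tag; pinning to a digest (fedora@sha256:...)
      # would make the build environment reproducible.
      image: fedora:latest
    steps:
      - name: Install Deps
        # python3-setuptools was listed twice; once is enough.
        run: dnf install -y cmake make openscap-utils python3-pyyaml python3-setuptools python3-jinja2 git python3-deepdiff python3-requests jq python3-pip
      - name: Install deps python
        # NOTE(review): unpinned PyPI packages installed as root inside the
        # container; pin versions (or use --require-hashes) for reproducibility.
        run: pip install gitpython xmldiff
      # The pr-info artifact is uploaded by the untrusted "Compare DS Build"
      # run. Its three files are validated below before they are allowed to
      # influence anything done with the write-capable token.
      - name: Download PR info
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
          name: pr-info
          path: pr-info/
      - name: Get PR info
        id: pr_info
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail
          PR_NUMBER=$(cat pr-info/pr-number.txt)
          BASE_BRANCH=$(cat pr-info/base-branch.txt)
          FORK_POINT=$(cat pr-info/fork-point.txt)
          # Fail closed on anything that is not exactly the expected shape:
          # the PR number selects which PR gets (or loses) bot comments, the
          # fork point is handed to CTF/git, the branch name ends up in a
          # step name and the log.
          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
            echo "pr-number.txt is not a PR number: '${PR_NUMBER}'" >&2
            exit 1
          fi
          if ! [[ "$FORK_POINT" =~ ^[0-9a-f]{40}$ ]]; then
            echo "fork-point.txt is not a commit SHA: '${FORK_POINT}'" >&2
            exit 1
          fi
          if ! [[ "$BASE_BRANCH" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*$ ]]; then
            echo "base-branch.txt is not a branch name: '${BASE_BRANCH}'" >&2
            exit 1
          fi
          # Tie the claimed PR number to the commit that actually triggered
          # the build, so a crafted artifact cannot redirect the bot's
          # comments (or comment deletions) to an unrelated PR.
          # NOTE(review): assumes workflow_run.head_sha is the PR head commit
          # for pull_request-triggered builds -- confirm on a fork PR run.
          PR_HEAD_SHA=$(curl -fsSL \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" \
            | jq -r '.head.sha')
          if [ "$PR_HEAD_SHA" != "$HEAD_SHA" ]; then
            echo "PR #${PR_NUMBER} head ${PR_HEAD_SHA} != triggering commit ${HEAD_SHA}" >&2
            exit 1
          fi
          {
            echo "pr_number=${PR_NUMBER}"
            echo "base_branch=${BASE_BRANCH}"
            echo "fork_point=${FORK_POINT}"
          } >> "$GITHUB_OUTPUT"
          echo "PR Number: ${PR_NUMBER}"
          echo "Base Branch: ${BASE_BRANCH}"
          echo "Fork Point: ${FORK_POINT}"
      - name: Checkout master
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          # The checkout input is `repository`; an unrecognised `repo:` key is
          # reported as an unexpected input and ignored, and only worked
          # because the default is the current repository.
          repository: ComplianceAsCode/content
          ref: master
          fetch-depth: 0
      # https://github.com/actions/checkout/issues/766
      - name: Set git safe directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Checkout (CTF)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          # NOTE(review): no `ref:` -- this executes whatever is on the default
          # branch of content-test-filtering at run time; pin a tag or SHA to
          # make the tooling used here reproducible.
          repository: ComplianceAsCode/content-test-filtering
          path: ctf
      - name: Detect content changes in the PR
        env:
          PR_NUMBER: ${{ steps.pr_info.outputs.pr_number }}
          FORK_POINT: ${{ steps.pr_info.outputs.fork_point }}
          REMOTE_REPO: ${{ github.server_url }}/${{ github.repository }}
        # All values reach the shell through env and are quoted; none is
        # interpolated with ${{ }} into the command line.
        run: python3 ./ctf/content_test_filtering.py pr --base "$FORK_POINT" --remote_repo "$REMOTE_REPO" --verbose --rule --output json "$PR_NUMBER" > output.json
      - name: Test if there are no content changes
        id: ctf
        run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> "$GITHUB_OUTPUT"
      - name: Print changes to content detected if any
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: cat output.json
      - name: Get product attribute
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: product
        uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
        with:
          path: 'output.json'
          prop_path: 'product'
      - name: Download built product ${{ steps.pr_info.outputs.base_branch }} (${{ steps.pr_info.outputs.fork_point }})
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
          name: pr-artifacts-${{ github.event.workflow_run.head_sha }}
          path: pr_artifacts
          run-id: ${{ github.event.workflow_run.id }}
      - name: Unpack built artifacts
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        run: |
          # tar -C needs the target directory to exist. The archive was built
          # by the PR run, so keep its contents confined to this directory and
          # never extract it over the checkout.
          mkdir -p pr_artifacts/unpacked_artifacts
          tar -xvzf pr_artifacts/artifacts.tar.gz -C pr_artifacts/unpacked_artifacts
      - name: Build product
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        env:
          PRODUCT: ${{ steps.product.outputs.prop }}
        run: |
          # The product name is read from CTF's output for the PR. It is passed
          # via env and restricted to a plain identifier so the shell never
          # parses it (inline ${{ }} inside `run` is the classic script
          # injection vector).
          if ! [[ "$PRODUCT" =~ ^[A-Za-z0-9_-]+$ ]]; then
            echo "Unexpected product name: '${PRODUCT}'" >&2
            exit 1
          fi
          ./build_product "$PRODUCT" --datastream-only
      - name: Compare datastreams
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        env:
          PYTHONPATH: ${{ github.workspace }}
          PRODUCT: ${{ steps.product.outputs.prop }}
        # NOTE(review): without `pipefail` a crash of compare_ds.py leaves an
        # empty diff.log, which the steps below read as "no changes" and then
        # delete any earlier comment. Confirm the tool's exit status on a real
        # diff before enabling pipefail here.
        run: utils/compare_ds.py "pr_artifacts/unpacked_artifacts/ssg-${PRODUCT}-ds.xml" "build/ssg-${PRODUCT}-ds.xml" | tee diff.log
      - name: Test if there are datastream changes
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: compare_ds
        run: echo "COMPARE_DS_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> "$GITHUB_OUTPUT"
      - name: Print datastream changes if any
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' }}
        run: cat diff.log
      - name: Get diff.log
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' }}
        id: diff
        run: |
          body=$(cat diff.log)
          # Random heredoc delimiter so diff content cannot terminate the
          # multi-line output early and inject further output keys.
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "log<<$EOF" >> "$GITHUB_OUTPUT"
          echo "${body:0:65000}" >> "$GITHUB_OUTPUT"
          echo "$EOF" >> "$GITHUB_OUTPUT"
      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: fc
        with:
          issue-number: ${{ steps.pr_info.outputs.pr_number }}
          comment-author: 'github-actions[bot]'
          body-includes: This datastream diff is auto generated by the check
      - name: Create or update comment
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE != '0' && steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE <= 65000 }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ steps.pr_info.outputs.pr_number }}
          body: |
            This datastream diff is auto generated by the check `Compare DS/Generate Diff`
            <details>
            <summary>Click here to see the full diff</summary>
            ```diff
            ${{ steps.diff.outputs.log }}
            ```
            </details>
          edit-mode: replace
      - name: Create or update a trimmed comment
        if: ${{ steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE > 65000 }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ steps.pr_info.outputs.pr_number }}
          body: |
            This datastream diff is auto generated by the check `Compare DS/Generate Diff`.
            Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.
            <details>
            <summary>Click here to see the trimmed diff</summary>
            ```diff
            ${{ steps.diff.outputs.log }}
            ... The diff is trimmed here ...
            ```
            </details>
          edit-mode: replace
      - name: Delete existing comment in case new commits trigger no changes in Compare DS tool
        if: ${{ (steps.compare_ds.outputs.COMPARE_DS_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.fc.outputs.comment-id != 0 }}
        uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1
        with:
          type: delete
          comment_id: ${{ steps.fc.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Compare Ansible playbook shell commands
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        env:
          PYTHONPATH: ${{ github.workspace }}
          PRODUCT: ${{ steps.product.outputs.prop }}
        # The PR build's datastream is where "Unpack built artifacts" put it,
        # the same path "Compare datastreams" uses. The previous bare
        # "ssg-<product>-ds.xml" pointed at the workspace root, where nothing
        # visible in this job writes that file.
        run: utils/ansible_shell_diff.py "pr_artifacts/unpacked_artifacts/ssg-${PRODUCT}-ds.xml" "build/ssg-${PRODUCT}-ds.xml" | tee diff.log
      - name: Test if there are Ansible shell module changes
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: ansible_shell_diff
        run: echo "SHELL_DIFF_OUTPUT_SIZE=$(stat --printf="%s" diff.log)" >> "$GITHUB_OUTPUT"
      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: shell_diff
        with:
          issue-number: ${{ steps.pr_info.outputs.pr_number }}
          comment-author: 'github-actions[bot]'
          body-includes: Change in Ansible 'shell' module found.
      - name: Create comment
        if: ${{ steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE != '0' && steps.shell_diff.outputs.comment-id == 0 }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          issue-number: ${{ steps.pr_info.outputs.pr_number }}
          body: |
            Change in Ansible `shell` module found.
            Please consider using more suitable Ansible module than `shell` if possible.
      - name: Delete existing comment in case new commits trigger no changes in Ansible shell module
        if: ${{ (steps.ansible_shell_diff.outputs.SHELL_DIFF_OUTPUT_SIZE == '0' || steps.ctf.outputs.CTF_OUTPUT_SIZE == '0') && steps.shell_diff.outputs.comment-id != 0 }}
        uses: jungwinter/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1
        with:
          type: delete
          comment_id: ${{ steps.shell_diff.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}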