File: //usr/local/modsecurity-crs/.github/workflows/lint.yaml
name: Lint
on:
push:
branches:
- main
- v3.3/dev
- v3.3/master
pull_request:
branches:
- main
- v3.3/dev
- v3.3/master
merge_group:
# Pin versions to not disrupt test pipelines
env:
CRS_TOOLCHAIN_VERSION: '2.3.4'
SECRULES_PARSING_VERSION: '0.2.11'
CRS_LINTER_VERSION: '0.1.2'
jobs:
check-syntax:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
with:
# required for version detection using `git describe`
fetch-depth: 50
- name: Lint Yaml
uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
with:
format: github
file_or_dir: tests/regression/tests
config_file: .yamllint.yml
- name: Set up Python 3
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.x
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
- name: "Check CRS syntax"
run: |
pip install -U setuptools
pip install secrules-parsing==${{ env.SECRULES_PARSING_VERSION }}
secrules-parser -c --output-type github -f rules/*.conf
- name: Fetch upstream tags for version detection in next step
run: |
git remote add upstream https://github.com/coreruleset/coreruleset
git fetch --tags upstream
git fetch upstream main
echo ${{ github.base_ref }}
if [ -n "${{ github.base_ref }}" ]; then
git fetch upstream "${{ github.base_ref }}"
fi
- name: "Check CRS formatting"
run: |
pip install -U setuptools
pip install crs-linter==${{ env.CRS_LINTER_VERSION }}
# Use the target branch to look up the latest tag, e.g., `v3.3/master`, fall back
# to main branch.
# The version is either a tag, if the current commit is tagged, or a string of the form
# v<major>.<minor>.<patch>-<nr of commits>-g<hash>.
# In the former case we simply use that as the version, in the latter we construct
# v<major>.<minor + 1>.<patch>-dev.
if [ -z "${{ github.base_ref }}" ]; then
# e.g., force push
version="$(git describe --tags --match "v*.*.*")"
else
version="$(git describe --tags --match "v*.*.*" "upstream/${{ github.base_ref }}")"
fi
version="$(cut -dv -f2 <<<"${version}")"
echo "Detected version ${version}"
if grep -q -- "-g" <<<"${version}"; then
prefix="$(cut -d. -f1 <<<"${version}")"
minor="$(cut -d. -f2 <<<"${version}")"
suffix="$(cut -d. -f3 <<<"${version}")"
version="${prefix}.$((minor + 1)).${suffix}"
release_ref="${{ github.head_ref }}"
if [[ "${release_ref}" =~ ^release/v ]]
then
version="${release_ref/release\/v/}"
else
version="${version/-*-g*/}-dev"
fi
fi
echo "Required version for check: ${version}"
crs-linter \
--output=github \
-r crs-setup.conf.example \
-r 'rules/*.conf' \
-t util/APPROVED_TAGS \
-f util/FILENAME_EXCLUSIONS \
-v "${version}"
- name: "Find rules without test"
run: |
pip install -U setuptools
pip install -r ./util/find-rules-without-test/requirements.txt
./util/find-rules-without-test/find-rules-without-test.py --output=github .
- name: "Install crs-toolchain ${{ env.CRS_TOOLCHAIN_VERSION }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download -R coreruleset/crs-toolchain "v${{ env.CRS_TOOLCHAIN_VERSION }}" \
-p "crs-toolchain_${{ env.CRS_TOOLCHAIN_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - crs-toolchain
- name: "Check that all assembly files are properly formatted"
run: |
./crs-toolchain regex format -aco github
- name: "Check that all rules are up to date"
run: |
./crs-toolchain regex compare -ao github
- name: "Check that all tests are properly numbered"
run: |
./crs-toolchain util renumber-tests -cao github