-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yaml
58 lines (55 loc) · 2.79 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
name: 'K8s NetworkPolicy Auto-Synthesis'
description: 'Automatically synthesize K8s NetworkPolicies, permitting only the connections your application requires and nothing more'
author: 'NP-Guard project'
branding:
icon: 'shield'
color: 'green'
inputs:
corporate-policies:
description: A list of space-separated corporate policy files to use
required: false
outputs:
synth-artifact:
description: The name of the GitHub Action Artifact containing synthesis results
value: ${{ steps.set-outputs.outputs.synth-artifact }}
synth-netpols-file-name:
description: The name of the file in the artifact, which contains the synthesized NetworkPolicies yaml
value: ${{ steps.set-outputs.outputs.synth-netpols-file-name }}
connection-list-file-name:
description: The name of the actual file in the artifact, which contains the topology-analysis output
value: ${{ steps.set-outputs.outputs.connection-list-file-name }}
runs:
using: 'composite'
steps:
- name: Prepare directory and command-line arguments
id: add-b-flag
shell: bash
run: |
mkdir -p ${{ github.workspace }}/netpol-synth-gh-action-output # github.workspace seems to be the only directory that can be easily shared with a docker container
chmod a+rw ${{ github.workspace }}/netpol-synth-gh-action-output
for policy in ${{ inputs.corporate-policies }}
do
export POLICIES_WITH_B="-b $policy $POLICIES_WITH_B"
done
echo "::set-output name=policies-with-b::$(echo $POLICIES_WITH_B)"
- name: Analyze
uses: docker://ghcr.io/np-guard/net-top-analyzer@sha256:bd40a99fdbd293040a66166abd978bb806e17bf991998ba83fe06bac77e63a06
with:
args: -dirpath /github/workspace -commitid ${{ github.sha }} -giturl ${{ env.GITHUB_SERVER_URL }}/${{ github.repository }} -gitbranch ${{ github.ref }} -outputfile /github/workspace/netpol-synth-gh-action-output/app-net-top.json
- name: Synthesize
uses: docker://ghcr.io/np-guard/netpol-synth@sha256:148e371fb40fd24ea924c1c32c969481f27808171dd901dd60141bd9f2f87b76
with:
args: /github/workspace/netpol-synth-gh-action-output/app-net-top.json -o /github/workspace/netpol-synth-gh-action-output/netpols.yaml ${{ steps.add-b-flag.outputs.policies-with-b }}
- name: Upload artifacts
uses: actions/upload-artifact@v2
with:
name: synthesis-results
path: ${{ github.workspace }}/netpol-synth-gh-action-output/*
- name: Set outputs and clean
id: set-outputs
shell: bash
run: |
echo "::set-output name=synth-artifact::synthesis-results"
echo "::set-output name=synth-netpols-file-name::netpols.yaml"
echo "::set-output name=connection-list-file-name::app-net-top.json"
rm -r ${{ github.workspace }}/netpol-synth-gh-action-output