From 4c8fb5362d157dc2c141cafb7481ec2a6ae1c582 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Wed, 29 Apr 2026 15:51:39 +0530
Subject: [PATCH 1/6] chore: migrate RL scanner to shared devsecops-tooling action

## Changes

- Replace local `rl-scanner` composite action and reusable workflow with the shared `auth0/devsecops-tooling/.github/actions/rl-scan@main` action, matching `auth0-fastapi-api`
- Inline RL scanner job directly in `publish.yml`
- Use absolute artifact path via `github.workspace`
- Add `SIGNAL_HANDLER_DOMAIN` and `PRODSEC_PYTHON_TOOLS_REPO` secrets
- Add `needs: rl-scanner` dependency on `publish-pypi` job
- Remove `.github/workflows/rl-scanner.yml`
- Remove `.github/actions/rl-scanner/`
---
 .github/actions/rl-scanner/action.yml | 71 -----------------------
 .github/workflows/publish.yml | 62 +++++++++++++++-----
 .github/workflows/rl-scanner.yml | 83 --------------------------
 3 files changed, 49 insertions(+), 167 deletions(-)
 delete mode 100644 .github/actions/rl-scanner/action.yml
 delete mode 100644 .github/workflows/rl-scanner.yml

diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
deleted file mode 100644
index a1db225..0000000
--- a/.github/actions/rl-scanner/action.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: "Reversing Labs Scanner"
-description: "Runs the Reversing Labs scanner on a specified artifact."
-inputs:
- artifact-path:
- description: "Path to the artifact to be scanned."
- required: true
- version:
- description: "Version of the artifact."
- required: true
-
-runs:
- using: "composite"
- steps:
- - name: Set up Python
- uses: actions/setup-python@v6
- with:
- python-version: "3.10"
-
- - name: Install Python dependencies
- shell: bash
- run: |
- pip install boto3 requests
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
- aws-region: us-east-1
- mask-aws-account-id: true
-
- - name: Install RL Wrapper
- shell: bash
- run: |
- pip install rl-wrapper>=1.0.6 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
-
- - name: Run RL Scanner
- shell: bash
- env:
- RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
- RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
- SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
- PYTHONUNBUFFERED: 1
- run: |
- if [ ! -f "${{ inputs.artifact-path }}" ]; then
- echo "Artifact not found: ${{ inputs.artifact-path }}"
- exit 1
- fi
-
- rl-wrapper \
- --artifact "${{ inputs.artifact-path }}" \
- --name "${{ github.event.repository.name }}" \
- --version "${{ inputs.version }}" \
- --repository "${{ github.repository }}" \
- --commit "${{ github.sha }}" \
- --build-env "github_actions" \
- --suppress_output
-
- # Check the outcome of the scanner
- if [ $? -ne 0 ]; then
- echo "RL Scanner failed."
- echo "scan-status=failed" >> $GITHUB_ENV
- exit 1
- else
- echo "RL Scanner passed."
- echo "scan-status=success" >> $GITHUB_ENV
- fi
-
-outputs:
- scan-status:
- description: "The outcome of the scan process."
- value: ${{ env.scan-status }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 73e2926..70e15b7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,6 +1,9 @@
 name: Publish Release
 on:
+ push:
+ branches:
+ - chore/migrate-rl-scanner # TEMPORARY: remove after RL scanner debugging
 workflow_dispatch:
 ### TODO: Replace instances of './.github/actions/' with reference to the `dx-sdk-actions` repo is made public and this file is transferred over
@@ -12,22 +15,55 @@ permissions:
 jobs:
 rl-scanner:
- uses: ./.github/workflows/rl-scanner.yml
- with:
- python-version: "3.10"
- artifact-name: "auth0-fastapi-api.tgz"
- secrets:
- RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
- RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
- SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
- PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
- PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
- PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+
+ - name: Configure Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: "3.12"
+
+ - name: Build artifact
+ run: |
+ pip install --user --upgrade pip
+ pip install --user pipx
+ pipx ensurepath
+ pipx install poetry
+ poetry config virtualenvs.in-project true
+ poetry install --with dev
+ poetry build
+ tar -czvf auth0-api-python.tgz *
+
+ - name: Get version
+ id: get_version
+ uses: ./.github/actions/get-version
+
+ - name: Run RL Scanner
+ uses: auth0/devsecops-tooling/.github/actions/rl-scan@main
+ with:
+ artifact-name: "auth0-api-python"
+ artifact-path: "${{ github.workspace }}/auth0-api-python.tgz"
+ version: ${{ steps.get_version.outputs.version }}
+ RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+ RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+ SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
+ PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+ PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+ PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}
+
publish-pypi:
- if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+ if: false # TEMPORARY: disabled during RL scanner debugging — original condition below
+ # if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
 name: "PyPI"
 runs-on: ubuntu-latest
- # needs: rl-scanner
+ needs: rl-scanner
 environment: release
 steps:
diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml
deleted file mode 100644
index 482ce02..0000000
--- a/.github/workflows/rl-scanner.yml
+++ /dev/null
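Review bot: The scanner is pulled in as `auth0/devsecops-tooling/.github/actions/rl-scan@main`, so each run of `rl-scanner` hands `RLSECURE_LICENSE`, `PRODSEC_TOOLS_TOKEN` and the other secrets in the `with:` block to whatever that branch holds at that moment, with no way to review or roll back what actually ran with them. Pin the reference to a full commit SHA and record the version in a comment, `uses: auth0/devsecops-tooling/.github/actions/rl-scan@<commit-sha> # <tag-or-date placeholder>`, and bump it on purpose, the way the rest of this file at least tags `actions/checkout@v6` and `actions/setup-python@v6`. The scanned tarball is also built in this job with an unpinned `pipx install poetry` and without the `poetry-dynamic-versioning` plugin the deleted workflow installed, while `publish-pypi` presumably builds its own artifact in steps outside this hunk; if those two builds can diverge, the scan verdict does not cover what is uploaded, so either pin the build toolchain identically in both jobs or upload the scanned `dist/` as a workflow artifact and publish that. Minor style point: `version:` is the only unquoted expression in the `with:` block, so `version: "${{ steps.get_version.outputs.version }}"` keeps it consistent with `artifact-path`.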
@@ -1,83 +0,0 @@
-name: RL-Secure Workflow
-
-on:
- workflow_call:
- inputs:
- python-version:
- required: true
- type: string
- artifact-name:
- required: true
- type: string
- secrets:
- RLSECURE_LICENSE:
- required: true
- RLSECURE_SITE_KEY:
- required: true
- SIGNAL_HANDLER_TOKEN:
- required: true
- PRODSEC_TOOLS_USER:
- required: true
- PRODSEC_TOOLS_TOKEN:
- required: true
- PRODSEC_TOOLS_ARN:
- required: true
-
-jobs:
- rl-scanner:
- if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
- runs-on: ubuntu-latest
- outputs:
- scan-status: ${{ steps.rl-scan-conclusion.outcome }}
-
- steps:
- - uses: actions/checkout@v6
- with:
- fetch-depth: 0
- fetch-tags: true
-
- - name: Configure Python
- uses: actions/setup-python@v6
- with:
- python-version: ${{ inputs.python-version }}
-
- - name: Configure dependencies
- run: |
- pip install --user --upgrade pip
- pip install --user pipx
- pipx ensurepath
- pipx install poetry==1.4.2
- pip install --upgrade pip
- pip install boto3 requests
- poetry config virtualenvs.in-project true
- poetry install --with dev
- poetry self add "poetry-dynamic-versioning[plugin]==1.1.1"
-
- - name: Build release
- run: |
- poetry build
-
- - name: Create tgz build artifact
- run: |
- tar -czvf ${{ inputs.artifact-name }} *
-
- - name: Get Artifact Version
- id: get_version
- uses: ./.github/actions/get-version
-
- - name: Run RL Scanner
- id: rl-scan-conclusion
- uses: ./.github/actions/rl-scanner
- with:
- artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
- version: "${{ steps.get_version.outputs.version }}"
- env:
- RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
- RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
- SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
- PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
- PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
- PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
-
- - name: Output scan result
- run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV

From 204626241dc9572d219235d8845aa8725b1a2ca6 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Wed, 29 Apr 2026 16:40:16 +0530
Subject: [PATCH 2/6] chore: trigger RL scanner debug run

From 9daea2ea44bd0f8ec047e87b6b6891f38dda1b80 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Wed, 29 Apr 2026 18:52:17 +0530
Subject: [PATCH 3/6] chore: trigger RL scanner debug run

From ef874da9be5707b0ed5a5a914938218f222c6c18 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Thu, 30 Apr 2026 08:46:00 +0530
Subject: [PATCH 4/6] chore: trigger RL scanner debug run

From 62d55c01f0fed3f791edf44151e1017006699cb4 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Fri, 1 May 2026 13:55:55 +0530
Subject: [PATCH 5/6] chore: trigger RL workflow

From 715ee8751e7c6b6d0091179904166fbe8019096f Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Mon, 4 May 2026 12:33:39 +0530
Subject: [PATCH 6/6] chore: revert temporary testing triggers from publish workflow

---
 .github/workflows/publish.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 70e15b7..3e13c05 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,9 +1,6 @@
 name: Publish Release
 on:
- push:
- branches:
- - chore/migrate-rl-scanner # TEMPORARY: remove after RL scanner debugging
 workflow_dispatch:
 ### TODO: Replace instances of './.github/actions/' with reference to the `dx-sdk-actions` repo is made public and this file is transferred over
@@ -15,7 +12,7 @@ permissions:
 jobs:
 rl-scanner:
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+ if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
@@ -59,8 +56,7 @@ jobs:
 PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}
 publish-pypi:
- if: false # TEMPORARY: disabled during RL scanner debugging — original condition below
- # if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+ if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
 name: "PyPI"
 runs-on: ubuntu-latest
 needs: rl-scanner
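Review bot: The restored `if:` on `rl-scanner`, and the identical one restored on `publish-pypi` in the following hunk, still carry a `github.event_name == 'pull_request'` clause, but after this patch's first hunk the visible `on:` block holds only `workflow_dispatch:`, so that clause cannot fire unless a `pull_request` trigger is declared somewhere outside the shown lines, and on a dispatch-only workflow the whole expression is always true. Either add the trigger the merged-`release/`-branch condition is written for, `pull_request:` with `types: [closed]` under `on:`, or shrink both conditions to `if: github.event_name == 'workflow_dispatch'` so the gate reads as what it enforces. Because the two jobs must keep the same expression, a comment on the first such as `# keep in sync with publish-pypi.if` would save the next edit from drifting; the `rl-scanner` job body continues outside this hunk.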