Skip to content
Dump controls

Dump controls #609

Sign in to view logs

Dump controls

Dump controls #609

Workflow file for this run

.github/workflows/main.yml at ef3038c
name: Dump controls
on:
workflow_dispatch:
schedule:
- cron: "17 5 * * *"
jobs:
dump-controls:
steps:
- name: Check out
id: check-out
uses: actions/checkout@v3
- name: Dump controls
id: dump-controls
run: |
./dump-controls > security-hub-controls.jsonl
# Could use git-diff-files as well on subsequent runs, but this detects
# when the file is written for the first time.
# https://unix.stackexchange.com/questions/155046/determine-if-git-working-directory-is-clean-from-a-script
# Use base64 to avoid frustration from quotes and newlines.
- name: Check diff
id: check-diff
run: |
printf diff=$(git status --porcelain | base64) > "$GITHUB_OUTPUT"
- name: Commit changes
id: commit-changes
if: steps.check-diff.outputs.diff != ''
run: |
git config --global user.name "GitHub Actions"
git config --global user.email "[email protected]"
git add .
git commit -m "Dump controls"
git tag "$(date --utc --iso-8601=date)"
git push
git push --tags
# Tag or commit hash.
# https://gist.github.com/mjj2000/3ee188cc155c26a118b06116ad0ebd1d
- name: Get release tag
id: get-release-tag
if: steps.check-diff.outputs.diff != ''
run: |
tag=$(git describe --exact-match --tags 2> /dev/null || git rev-parse --short HEAD)
printf tag=$tag > "$GITHUB_OUTPUT"
- name: Release dump
id: release-dump
if: steps.check-diff.outputs.diff != ''
uses: softprops/action-gh-release@v1
with:
files: |
security-hub-controls.jsonl
tag_name: ${{ steps.get-release-tag.outputs.tag }}
permissions:
contents: write
runs-on: ubuntu-latest