diff --git a/.github/workflows/4_bumper_repository.yml b/.github/workflows/4_bumper_repository.yml
new file mode 100644
index 0000000..aed9b1b
--- /dev/null
+++ b/.github/workflows/4_bumper_repository.yml
@@ -0,0 +1,142 @@
+name: Repository bumper
+run-name: Bump ${{ github.ref_name }} (${{ inputs.id }})
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Target version (e.g. 1.2.3)'
+ default: ''
+ required: false
+ type: string
+ stage:
+ description: 'Version stage (e.g. alpha0)'
+ default: ''
+ required: false
+ type: string
+ tag:
+ description: 'Change branches references to tag-like references (e.g. v4.12.0-alpha7)'
+ default: false
+ required: false
+ type: boolean
+ issue-link:
+ description: 'Issue link in format https://github.com/wazuh//issues/'
+ required: true
+ type: string
+ id:
+ description: 'Optional identifier for the run'
+ required: false
+ type: string
+
+jobs:
+ bump:
+ name: Repository bumper
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ pull-requests: write
+
+ env:
+ CI_COMMIT_AUTHOR: wazuhci
+ CI_COMMIT_EMAIL: 22834044+wazuhci@users.noreply.github.com
+ CI_GPG_PRIVATE_KEY: ${{ secrets.CI_WAZUHCI_GPG_PRIVATE }}
+ GH_TOKEN: ${{ secrets.CI_WAZUHCI_BUMPER_TOKEN }}
+ BUMP_SCRIPT_PATH: tools/repository_bumper.sh
+ BUMP_LOG_PATH: tools
+
+ steps:
+ - name: Dump event payload
+ run: |
+ cat $GITHUB_EVENT_PATH | jq '.inputs'
+
+ - name: Set up GPG key
+ id: signing_setup
+ run: |
+ echo "${{ env.CI_GPG_PRIVATE_KEY }}" | gpg --batch --import
+ KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
+ echo "gpg_key_id=$KEY_ID" >> $GITHUB_OUTPUT
+
+ - name: Set up git
+ run: |
+ git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
+ git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
+ git config --global commit.gpgsign true
+ git config --global user.signingkey "${{ steps.signing_setup.outputs.gpg_key_id }}"
+ echo "use-agent" >> ~/.gnupg/gpg.conf
+ echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+ echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
+ echo RELOADAGENT | gpg-connect-agent
+ export DEBIAN_FRONTEND=noninteractive
+ export GPG_TTY=$(tty)
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # Using workflow-specific GITHUB_TOKEN because currently CI_WAZUHCI_BUMPER_TOKEN
+ # doesn't have all the necessary permissions
+ token: ${{ env.GH_TOKEN }}
+
+ - name: Determine branch name
+ id: vars
+ env:
+ VERSION: ${{ inputs.version }}
+ STAGE: ${{ inputs.stage }}
+ TAG: ${{ inputs.tag }}
+ run: |
+ script_params=""
+ version=${{ env.VERSION }}
+ stage=${{ env.STAGE }}
+ tag=${{ env.TAG }}
+
+ # Both version and stage provided
+ if [[ -n "$version" && -n "$stage" && "$tag" != "true" ]]; then
+ script_params="--version ${version} --stage ${stage}"
+ elif [[ -n "$version" && -n "$stage" && "$tag" == "true" ]]; then
+ script_params="--version ${version} --stage ${stage} --tag ${tag}"
+ fi
+
+ issue_number=$(echo "${{ inputs.issue-link }}" | awk -F'/' '{print $NF}')
+ BRANCH_NAME="enhancement/wqa${issue_number}-bump-${{ github.ref_name }}"
+ echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+ echo "script_params=${script_params}" >> $GITHUB_OUTPUT
+
+ - name: Create and switch to bump branch
+ run: |
+ git checkout -b ${{ steps.vars.outputs.branch_name }}
+
+ - name: Make version bump changes
+ run: |
+ echo "Running bump script"
+ bash ${{ env.BUMP_SCRIPT_PATH }} ${{ steps.vars.outputs.script_params }}
+
+ - name: Commit and push changes
+ run: |
+ git add .
+ git commit -m "feat: bump ${{ github.ref_name }}"
+ git push origin ${{ steps.vars.outputs.branch_name }}
+
+ - name: Create pull request
+ id: create_pr
+ run: |
+ gh auth setup-git
+ PR_URL=$(gh pr create \
+ --title "Bump ${{ github.ref_name }} branch" \
+ --body "Issue: ${{ inputs.issue-link }}" \
+ --base ${{ github.ref_name }} \
+ --head ${{ steps.vars.outputs.branch_name }})
+
+ echo "Pull request created: ${PR_URL}"
+ echo "pull_request_url=${PR_URL}" >> $GITHUB_OUTPUT
+
+ - name: Merge pull request
+ run: |
+ # Any checks for the PR are bypassed since the branch is expected to be functional (i.e. 
the bump process does not introduce any bugs) + gh pr merge "${{ steps.create_pr.outputs.pull_request_url }}" --merge --admin + + - name: Show logs + run: | + echo "Bump complete." + echo "Branch: ${{ steps.vars.outputs.branch_name }}" + echo "PR: ${{ steps.create_pr.outputs.pull_request_url }}" + echo "Bumper scripts logs:" + cat ${BUMP_LOG_PATH}/repository_bumper*log diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b244d57 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +repository_bumper_*.log diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c65480..7a1b662 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,26 @@ All notable changes to this project will be documented in this file. - None +## [4.13.0] + +### Added + +- Add missing malicious-ioc ruleset lists ([#1092](https://github.com/wazuh/wazuh-kubernetes/pull/1092)) +- Integrate bumper script via GitHub action. ([#1086](https://github.com/wazuh/wazuh-kubernetes/pull/1086)) +- Added repository_bumper script. ([#1039](https://github.com/wazuh/wazuh-kubernetes/pull/1039)) + +### Changed + +- None + +### Fixed + +- None + +### Deleted + +- Remove 'stable' branch ocurrencies ([#1014](https://github.com/wazuh/wazuh-kubernetes/pull/1014)) + ## [4.10.2] ### Added diff --git a/tools/repository_bumper.sh b/tools/repository_bumper.sh new file mode 100644 index 0000000..0823af3 --- /dev/null +++ b/tools/repository_bumper.sh 
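Review bot: In the "Determine branch name" step the run script expands `${{ inputs.issue-link }}` and `${{ env.VERSION }}`/`STAGE`/`TAG` directly into shell text (and `--body "Issue: ${{ inputs.issue-link }}"` again later), with `version=${{ env.VERSION }}` even unquoted, so a workflow_dispatch value containing spaces or `;` is executed as shell before the bumper script's regex validation ever runs, and `issue_number` is never checked to be numeric before it becomes a branch name that is pushed and handed to `gh pr create`. Read the inputs through quoted shell variables instead and reject a non-numeric issue number, as in the rewrite below (the step's `env:` block gains `ISSUE_LINK: ${{ inputs.issue-link }}`). The same pattern in "Set up GPG key", `echo "${{ env.CI_GPG_PRIVATE_KEY }}" | gpg --batch --import`, should become `printf '%s' "$CI_GPG_PRIVATE_KEY" | gpg --batch --import` so the private key is never embedded in the rendered script. The checkout comment claims the workflow-specific GITHUB_TOKEN is used, but `token: ${{ env.GH_TOKEN }}` passes CI_WAZUHCI_BUMPER_TOKEN, and that same token later merges with `--admin`, bypassing branch protection; either correct the comment or, preferably, document why an admin bypass is acceptable for an automated bump.
```yaml
      - name: Determine branch name
        id: vars
        env:
          VERSION: ${{ inputs.version }}
          STAGE: ${{ inputs.stage }}
          TAG: ${{ inputs.tag }}
          ISSUE_LINK: ${{ inputs.issue-link }}
        run: |
          script_params=""
          version="$VERSION"
          stage="$STAGE"
          tag="$TAG"
          # … unchanged: script_params assembly …
          issue_number=$(printf '%s' "$ISSUE_LINK" | awk -F'/' '{print $NF}')
          if ! [[ "$issue_number" =~ ^[0-9]+$ ]]; then
            echo "issue-link must end in a numeric issue id" >&2
            exit 1
          fi
          BRANCH_NAME="enhancement/wqa${issue_number}-bump-${{ github.ref_name }}"
          # … unchanged: step outputs …
```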
@@ -0,0 +1,176 @@
+#!/bin/bash
+
+# This script is used to update the version of a repository in the specified files.
+# It takes a version number as an argument and updates the version in the specified files.
+# Usage: ./repository_bumper.sh
+
+# Global variables
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+LOG_FILE="${DIR}/tools/repository_bumper_$(date +"%Y-%m-%d_%H-%M-%S-%3N").log"
+VERSION=""
+STAGE=""
+FILES_EDITED=()
+FILES_EXCLUDED='--exclude="repository_bumper_*.log" --exclude="CHANGELOG.md" --exclude="repository_bumper.sh" --exclude="*_bumper_repository.yml"'
+
+get_old_version_and_stage() {
+ local VERSION_FILE="${DIR}/VERSION.json"
+
+ OLD_VERSION=$(jq -r '.version' "${VERSION_FILE}")
+ OLD_STAGE=$(jq -r '.stage' "${VERSION_FILE}")
+ echo "Old version: ${OLD_VERSION}" | tee -a "${LOG_FILE}"
+ echo "Old stage: ${OLD_STAGE}" | tee -a "${LOG_FILE}"
+}
+
+grep_command() {
+ # This function is used to search for a specific string in the specified directory.
+ # It takes two arguments: the string to search for and the directory to search in.
+ # Usage: grep_command
+ eval grep -Rl "${1}" "${2}" --exclude-dir=".git" $FILES_EXCLUDED "${3}"
+}
+
+update_version_in_files() {
+
+ local OLD_MAYOR="$(echo "${OLD_VERSION}" | cut -d '.' -f 1)"
+ local OLD_MINOR="$(echo "${OLD_VERSION}" | cut -d '.' -f 2)"
+ local OLD_PATCH="$(echo "${OLD_VERSION}" | cut -d '.' -f 3)"
+ local NEW_MAYOR="$(echo "${VERSION}" | cut -d '.' -f 1)"
+ local NEW_MINOR="$(echo "${VERSION}" | cut -d '.' -f 2)"
+ local NEW_PATCH="$(echo "${VERSION}" | cut -d '.' -f 3)"
+ m_m_p_files=( $(grep_command "${OLD_MAYOR}\.${OLD_MINOR}\.${OLD_PATCH}" "${DIR}") )
+ for file in "${m_m_p_files[@]}"; do
+ sed -i "s/\bv${OLD_MAYOR}\.${OLD_MINOR}\.${OLD_PATCH}\b/v${NEW_MAYOR}\.${NEW_MINOR}\.${NEW_PATCH}/g; s/\b${OLD_MAYOR}\.${OLD_MINOR}\.${OLD_PATCH}/${NEW_MAYOR}\.${NEW_MINOR}\.${NEW_PATCH}/g" "${file}"
+ if [[ $(git diff --name-only "${file}") ]]; then
+ FILES_EDITED+=("${file}")
+ fi
+ done
+ m_m_files=( $(grep_command "${OLD_MAYOR}\.${OLD_MINOR}" "${DIR}") )
+ for file in "${m_m_files[@]}"; do
+ sed -i -E "/[0-9]+\.[0-9]+\.[0-9]+/! s/(^|[^0-9.])(${OLD_MAYOR}\.${OLD_MINOR})([^0-9.]|$)/\1${NEW_MAYOR}.${NEW_MINOR}\3/g" "$file"
+ if [[ $(git diff --name-only "${file}") ]]; then
+ FILES_EDITED+=("${file}")
+ fi
+ done
+ m_x_files=( $(grep_command "${OLD_MAYOR}\.x" "${DIR}" | grep -v "${DIR}/kitchen/README.md") )
+ for file in "${m_x_files[@]}"; do
+ sed -i "s/\b${OLD_MAYOR}\.x\b/${NEW_MAYOR}\.x/g" "${file}"
+ if [[ $(git diff --name-only "${file}") ]]; then
+ FILES_EDITED+=("${file}")
+ fi
+ done
+ if ! sed -i "/^All notable changes to this project will be documented in this file.$/a \\\n## [${VERSION}]\\n\\n### Added\\n\\n- None\\n\\n### Changed\\n\\n- None\\n\\n### Fixed\\n\\n- None\\n\\n### Deleted\\n\\n- None" "${DIR}/CHANGELOG.md"; then
+ echo "Error: Failed to update CHANGELOG.md" | tee -a "${LOG_FILE}"
+ fi
+ if [[ $(git diff --name-only "${DIR}/CHANGELOG.md") ]]; then
+ FILES_EDITED+=("${DIR}/CHANGELOG.md")
+ fi
+
+}
+
+update_stage_in_files() {
+ local OLD_STAGE="$(echo "${OLD_STAGE}")"
+ sed -i "s/${OLD_STAGE}/${STAGE}/g" "${DIR}/VERSION.json"
+ if [[ $(git diff --name-only "${DIR}/VERSION.json") ]]; then
+ FILES_EDITED+=("${DIR}/VERSION.json")
+ fi
+}
+
+update_docker_images_tag() {
+ local NEW_TAG="$1"
+ local DOCKERFILES=( $(grep_command -E "wazuh/wazuh-[a-zA-Z0-9._-]*" "${DIR}") )
+ for file in "${DOCKERFILES[@]}"; do
+ sed -i -E "s/(wazuh\/wazuh-[a-zA-Z0-9._-]*):[a-zA-Z0-9._-]+/\1:${NEW_TAG}/g" "${file}"
+ if [[ $(git diff --name-only "${file}") ]]; then
+ FILES_EDITED+=("${file}")
+ fi
+ done
+}
+
+main() {
+
+ echo "Starting repository version bumping process..." | tee -a "${LOG_FILE}"
+ echo "Log file: ${LOG_FILE}"
+ # Parse arguments
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ --version)
+ VERSION="$2"
+ shift 2
+ ;;
+ --stage)
+ STAGE="$2"
+ shift 2
+ ;;
+ --tag)
+ TAG="$2"
+ shift 2
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ exit 1
+ ;;
+ esac
+ done
+
+ # Validate arguments
+ if [[ -z "${VERSION}" ]]; then
+ echo "Error: --version argument is required." | tee -a "${LOG_FILE}"
+ exit 1
+ fi
+
+ if [[ -z "${STAGE}" ]]; then
+ echo "Error: --stage argument is required." | tee -a "${LOG_FILE}"
+ exit 1
+ fi
+
+ # Validate if version is in the correct format
+ if ! [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Error: Version must be in the format X.Y.Z (e.g., 1.2.3)." | tee -a "${LOG_FILE}"
+ exit 1
+ fi
+
+ # Validate if stage is in the correct format
+ STAGE=$(echo "${STAGE}" | tr '[:upper:]' '[:lower:]')
+ if ! [[ "${STAGE}" =~ ^(alpha[0-9]*|beta[0-9]*|rc[0-9]*|stable)$ ]]; then
+ echo "Error: Stage must be one of the following examples: alpha1, beta1, rc1, stable." | tee -a "${LOG_FILE}"
+ exit 1
+ fi
+
+ # Validate if tag is true or false
+ if [[ -n "$TAG" && ! "$TAG" =~ ^(true|false)$ ]]; then
+ echo "Error: --tag must be either true or false." | tee -a "${LOG_FILE}"
+ exit 1
+ fi
+
+ # Get old version and stage
+ get_old_version_and_stage
+
+ if [[ "${OLD_VERSION}" == "${VERSION}" && "${OLD_STAGE}" == "${STAGE}" ]]; then
+ echo "Version and stage are already up to date." | tee -a "${LOG_FILE}"
+ echo "No changes needed." | tee -a "${LOG_FILE}"
+ exit 0
+ fi
+ if [[ "${OLD_VERSION}" != "${VERSION}" ]]; then
+ echo "Updating version from ${OLD_VERSION} to ${VERSION}" | tee -a "${LOG_FILE}"
+ update_version_in_files "${VERSION}"
+ fi
+ if [[ "${OLD_STAGE}" != "${STAGE}" ]]; then
+ echo "Updating stage from ${OLD_STAGE} to ${STAGE}" | tee -a "${LOG_FILE}"
+ update_stage_in_files "${STAGE}"
+ fi
+
+ # Update Docker images tag if tag is true
+ if [[ "${TAG}" == "true" ]]; then
+ echo "Updating Docker images tag to ${VERSION}-${STAGE}" | tee -a "${LOG_FILE}"
+ update_docker_images_tag "${VERSION}-${STAGE}"
+ fi
+
+ echo "The following files were edited:" | tee -a "${LOG_FILE}"
+ for file in $(printf "%s\n" "${FILES_EDITED[@]}" | sort -u); do
+ echo "${file}" | tee -a "${LOG_FILE}"
+ done
+
+ echo "Version and stage updated successfully." | tee -a "${LOG_FILE}"
+}
+
+# Call the main method with all arguments
+main "$@"
diff --git a/wazuh/wazuh_managers/wazuh_conf/master.conf b/wazuh/wazuh_managers/wazuh_conf/master.conf
index 947c584..8ccd33d 100644
--- a/wazuh/wazuh_managers/wazuh_conf/master.conf
+++ b/wazuh/wazuh_managers/wazuh_conf/master.conf
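Review bot: `grep_command` runs its arguments through `eval`, so the search pattern — built from `OLD_VERSION`, which `get_old_version_and_stage` reads from VERSION.json with no format check — is re-parsed by the shell: a crafted VERSION.json in the checked-out branch would execute commands under whatever identity runs the script (in this PR, the CI user that later signs and pushes), and even in the benign case `eval` strips the `\.` escapes so `4\.12\.0` is searched as `4.12.0`, and the `-E` pattern in `update_docker_images_tag` is exposed to glob expansion. `eval` is only there to word-split the `FILES_EXCLUDED` string; making it an array and forwarding `"$@"` keeps both call shapes (`grep_command PATTERN DIR` and `grep_command -E PATTERN DIR`) working, as below. `get_old_version_and_stage` should also apply the same `^[0-9]+\.[0-9]+\.[0-9]+$` and stage regexes that `main` already applies to the new values and `exit 1` on mismatch, since `jq -r` yields the string `null` for a missing key and `update_stage_in_files` interpolates `OLD_STAGE` unescaped into a `sed` expression. Consider `set -euo pipefail` at the top as well; a failed `jq` or `git diff` is otherwise silent.
```bash
FILES_EXCLUDED=(--exclude="repository_bumper_*.log" --exclude="CHANGELOG.md" --exclude="repository_bumper.sh" --exclude="*_bumper_repository.yml")

grep_command() {
    # Usage: grep_command [grep-options...] PATTERN DIRECTORY
    # No eval: every argument reaches grep as one word, so a pattern built
    # from VERSION.json is never re-parsed as shell and escapes survive.
    grep -Rl --exclude-dir=".git" "${FILES_EXCLUDED[@]}" "$@"
}
```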
@@ -272,6 +272,9 @@ etc/lists/audit-keys etc/lists/amazon/aws-sources etc/lists/amazon/aws-eventnames + etc/lists/malicious-ioc/malicious-ip + etc/lists/malicious-ioc/malicious-domains + etc/lists/malicious-ioc/malware-hashes etc/decoders diff --git a/wazuh/wazuh_managers/wazuh_conf/worker.conf b/wazuh/wazuh_managers/wazuh_conf/worker.conf index f55b8d6..ddb0b31 100644 --- a/wazuh/wazuh_managers/wazuh_conf/worker.conf +++ b/wazuh/wazuh_managers/wazuh_conf/worker.conf @@ -272,6 +272,9 @@ etc/lists/audit-keys etc/lists/amazon/aws-sources etc/lists/amazon/aws-eventnames + etc/lists/malicious-ioc/malicious-ip + etc/lists/malicious-ioc/malicious-domains + etc/lists/malicious-ioc/malware-hashes etc/decoders