Update Patterns #100
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Patterns | |
| permissions: | |
| contents: write # Commit changes, push updates | |
| statuses: write # Update commit statuses | |
| actions: read # Required for checking out the repository | |
| packages: write # For GitHub Packages (if used) | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' # Daily at midnight UTC | |
| workflow_dispatch: # Manual trigger | |
| jobs: | |
| update-owasp-waf: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: 🚚 Checkout Repository | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 # get full git history | |
| - name: ⚙️ Set Up Python 3.11 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.11' | |
| - name: 📦 Cache pip dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: 📥 Install Dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| - name: 🕷️ Run OWASP Scraper | |
| run: python owasp2json.py | |
| - name: 🔄 Convert OWASP to Nginx WAF | |
| run: python json2nginx.py | |
| - name: 🔄 Convert OWASP to Apache WAF | |
| run: python json2apache.py | |
| - name: 🔄 Convert OWASP to Traefik WAF | |
| run: python json2traefik.py | |
| - name: 🔄 Convert OWASP to HAProxy WAF | |
| run: python json2haproxy.py | |
| - name: 🔄 Generate Bad Bot Blockers (Placeholder - Provide badbots.py) | |
| run: | | |
| # Placeholder: Replace this with your actual badbots.py script. | |
| # Assuming badbots.py generates files in waf_patterns/ | |
| # Example (if badbots.py creates nginx/bots.conf): | |
| # python badbots.py | |
| echo "Placeholder for badbots.py execution" | |
| - name: 🚀 Commit and Push Changes (if any) | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git add . | |
| # Check if there are any changes *before* committing. | |
| if ! git diff --quiet --exit-code; then | |
| git commit -m "Update WAF rules [$(date +'%Y-%m-%d')]" | |
| git push | |
| else | |
| echo "No changes to commit." | |
| fi | |
| continue-on-error: true # Continue even if no changes | |
| - name: 📦 Create Zip Archives | |
| run: | | |
| mkdir -p dist | |
| (cd waf_patterns/nginx && zip -r ../../dist/nginx_waf.zip .) | |
| (cd waf_patterns/apache && zip -r ../../dist/apache_waf.zip .) | |
| (cd waf_patterns/traefik && zip -r ../../dist/traefik_waf.zip .) | |
| (cd waf_patterns/haproxy && zip -r ../../dist/haproxy_waf.zip .) | |
| - name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist) | |
| run: | | |
| gh auth login --with-token <<< "$GITHUB_TOKEN" | |
| # Delete local tag | |
| git tag -d latest || true | |
| # Delete remote tag (force) | |
| git push --delete origin latest || true | |
| # Delete release, --yes for confirmation | |
| gh release delete latest --yes || true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: 🚀 Create GitHub Release (if previous steps succeeded) | |
| if: success() # Only create release if previous steps were successful | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: latest | |
| release_name: Latest Release | |
| draft: false | |
| prerelease: false | |
| - name: 📤 Upload Nginx WAF Zip | |
| if: success() | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: dist/nginx_waf.zip | |
| asset_name: nginx_waf.zip | |
| asset_content_type: application/zip | |
| - name: 📤 Upload Apache WAF Zip | |
| if: success() | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: dist/apache_waf.zip | |
| asset_name: apache_waf.zip | |
| asset_content_type: application/zip | |
| - name: 📤 Upload Traefik WAF Zip | |
| if: success() | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: dist/traefik_waf.zip | |
| asset_name: traefik_waf.zip | |
| asset_content_type: application/zip | |
| - name: 📤 Upload HAProxy WAF Zip | |
| if: success() | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: dist/haproxy_waf.zip | |
| asset_name: haproxy_waf.zip | |
| asset_content_type: application/zip | |
| - name: 🧹 Clean Up (Optional) | |
| if: always() # Run cleanup even on failure | |
| run: rm -rf ~/.cache/pip | |
| - name: 🚨 Notify on Failure (Optional) | |
| if: failure() | |
| run: | | |
| echo "🚨 Workflow failed! Please investigate." | |
| # Example: Send a Slack notification (requires a Slack webhook URL) | |
| # curl -X POST -H 'Content-type: application/json' --data '{"text":"WAF update workflow failed!"}' ${{ secrets.SLACK_WEBHOOK }} |