Update patterns #53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update patterns | |
on: | |
schedule: | |
- cron: '0 0 * * *' # Run daily at midnight UTC | |
workflow_dispatch: # Allow manual trigger | |
jobs: | |
update-owasp-waf: | |
runs-on: ubuntu-latest | |
steps: | |
- name: 🚚 Checkout Repository | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Full history to avoid shallow clone issues | |
- name: ⚙️ Set Up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: 📦 Cache Python Packages | |
id: cache-pip | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cache/pip | |
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | |
restore-keys: | | |
${{ runner.os }}-pip- | |
- name: 📥 Install Dependencies | |
if: steps.cache-pip.outputs.cache-hit != 'true' | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r requirements.txt | |
continue-on-error: false # Fail the workflow if dependencies fail to install | |
- name: 🕷️ Run OWASP Scraper | |
run: | | |
python owasp2json.py | |
continue-on-error: false | |
- name: 🔄 Convert OWASP to Nginx WAF | |
run: | | |
python json2nginx.py | |
continue-on-error: false | |
- name: 🔄 Convert OWASP to Apache WAF | |
run: | | |
python json2apache.py | |
continue-on-error: false | |
- name: 🔄 Convert OWASP to Traefik WAF | |
run: | | |
python json2traefik.py | |
continue-on-error: false | |
- name: 🔄 Convert OWASP to HAProxy WAF | |
run: | | |
python json2haproxy.py | |
continue-on-error: false | |
- name: 🔄 Generate Bad Bot Blockers | |
run: | | |
python badbots.py | |
continue-on-error: false | |
# Ensure conf files are pushed even if no changes detected | |
- name: 🚀 Commit and Push OWASP WAF patterns | |
run: | | |
git config user.name "github-actions[bot]" | |
git config user.email "github-actions[bot]@users.noreply.github.com" | |
git add . | |
git commit -m "Update: [$(date)]" || echo "No changes to commit" | |
git push | |
continue-on-error: true # Continue even if no changes are made | |
- name: 📦 Create Zip Files for Each Web Server | |
run: | | |
mkdir -p zips | |
zip -r zips/nginx_waf.zip waf_patterns/nginx/ | |
zip -r zips/apache_waf.zip waf_patterns/apache/ | |
zip -r zips/traefik_waf.zip waf_patterns/traefik/ | |
zip -r zips/haproxy_waf.zip waf_patterns/haproxy/ | |
- name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist) | |
run: | | |
# Delete the local 'latest' tag | |
if git rev-parse --verify --quiet refs/tags/latest; then | |
git tag -d latest | |
fi | |
# Delete the remote 'latest' tag | |
git push origin :refs/tags/latest || echo "Tag 'latest' does not exist on remote." | |
# Delete the 'latest' release (if it exists) | |
gh release delete latest --yes || echo "Release 'latest' does not exist." | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: 🚀 Create GitHub Release | |
id: create_release | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: latest # Use "latest" as the tag name | |
release_name: Latest Release | |
draft: false | |
prerelease: false | |
- name: 📤 Upload Nginx WAF Zip to Release | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: zips/nginx_waf.zip | |
asset_name: nginx_waf.zip | |
asset_content_type: application/zip | |
- name: 📤 Upload Apache WAF Zip to Release | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: zips/apache_waf.zip | |
asset_name: apache_waf.zip | |
asset_content_type: application/zip | |
- name: 📤 Upload Traefik WAF Zip to Release | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: zips/traefik_waf.zip | |
asset_name: traefik_waf.zip | |
asset_content_type: application/zip | |
- name: 📤 Upload HAProxy WAF Zip to Release | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: zips/haproxy_waf.zip | |
asset_name: haproxy_waf.zip | |
asset_content_type: application/zip | |
- name: 🧹 Cleanup Cache (Optional) | |
run: | | |
rm -rf ~/.cache/pip | |
if: always() # Run this step even if previous steps fail | |
- name: 🚨 Notify on Failure (Optional) | |
if: failure() | |
run: | | |
echo "🚨 Workflow failed! Please investigate." | |
# Slack or email notification logic (add webhook or SMTP integration here). |