Skip to content

Docs 7072 security posture #2024

Docs 7072 security posture

Docs 7072 security posture #2024

Workflow file for this run

name: "Deploy Preview"
on:
pull_request_target:
branches: [ master ]
jobs:
precheck:
name: Precheck
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
outputs:
is-org-member-result: ${{ steps.is-org-member.outputs.is-org-member-result }}
steps:
- name: Check if actor is org member
id: is-org-member
run: |
if [[ "${{ github.actor }}" == "create-pr-on-fork-for-pan-dev[bot]" ]]; then
echo "is-org-member-result=null" >> "$GITHUB_OUTPUT"
else
echo "is-org-member-result=$(gh api -X GET orgs/PaloAltoNetworks/memberships/${{ github.actor }} | jq -r .message)" >> "$GITHUB_OUTPUT"
fi
env:
GH_TOKEN: ${{ secrets.READ_ORG_PAT }}
analyze:
if: github.repository_owner == 'PaloAltoNetworks' && needs.precheck.outputs.is-org-member-result == 'null'
name: Analyze
needs: precheck
runs-on: pan-dev-runner
permissions:
contents: read
security-events: write
strategy:
fail-fast: true
matrix:
language: [ 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
analyze_unsafe:
if: github.repository_owner == 'PaloAltoNetworks' && needs.precheck.outputs.is-org-member-result != 'null'
name: Analyze Unsafe
needs: precheck
runs-on: pan-dev-runner
environment: default
permissions:
contents: read
security-events: write
strategy:
fail-fast: true
matrix:
language: [ 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
build:
name: Build
needs: [analyze, analyze_unsafe]
if: |
!failure() && !cancelled() &&
(success('analyze') || success('analyze_unsafe'))
runs-on: pan-dev-runner-xl
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'yarn'
- name: Get yarn cache
id: yarn-cache
run: echo "YARN_CACHE_DIR=$(yarn cache dir)" >> "${GITHUB_OUTPUT}"
# - name: Cache dependencies
# uses: actions/cache@v4
# with:
# path: ${{ steps.yarn-cache.outputs.YARN_CACHE_DIR }}
# key: ${{ runner.os }}-pandev-${{ hashFiles('**/yarn.lock') }}
# restore-keys: |
# ${{ runner.os }}-pandev-
# - name: Cache docusaurus build
# uses: actions/cache@v4
# with:
# path: node_modules/.cache/webpack
# key: ${{ runner.os }}-pandev-pr-${{ github.event.number }}-${{ hashFiles('**/yarn.lock') }}
# restore-keys: |
# ${{ runner.os }}-pandev-pr-${{ github.event.number }}-
- name: Install dependencies
run: yarn --prefer-offline
- name: Include netsec
if: contains(github.event.pull_request.labels.*.name, 'netsec')
run: |
echo "Including 'netsec' in build..."
if [[ -n "$PRODUCTS_INCLUDE" ]]; then
echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw-bpa,email-dlp,dlp,ai-runtime-security" >> $GITHUB_ENV
else
echo "PRODUCTS_INCLUDE=cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw-bpa,email-dlp,dlp,ai-runtime-security" >> $GITHUB_ENV
fi
- name: Include cloud
if: contains(github.event.pull_request.labels.*.name, 'cloud')
run: |
echo "Including 'cloud' in build..."
if [[ -n "$PRODUCTS_INCLUDE" ]]; then
echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,prisma-cloud,compute" >> $GITHUB_ENV
else
echo "PRODUCTS_INCLUDE=prisma-cloud,compute" >> $GITHUB_ENV
fi
- name: Include sase
if: contains(github.event.pull_request.labels.*.name, 'sase')
run: |
echo "Including 'sase' in build..."
if [[ -n "$PRODUCTS_INCLUDE" ]]; then
echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,sase,access,sdwan,scm" >> $GITHUB_ENV
else
echo "PRODUCTS_INCLUDE=sase,access,sdwan,scm" >> $GITHUB_ENV
fi
- name: Include contributing
if: contains(github.event.pull_request.labels.*.name, 'contributing')
run: |
echo "Including 'contributing' in build..."
if [[ -n "$PRODUCTS_INCLUDE" ]]; then
echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,contributing" >> $GITHUB_ENV
else
echo "PRODUCTS_INCLUDE=contributing" >> $GITHUB_ENV
fi
- name: Output final PRODUCTS_INCLUDE
run: |
echo "Building the following products: $PRODUCTS_INCLUDE"
- name: Build site
run: yarn build-github
- name: Zip build directory
run: |
if [ -d "build" ]; then
BUILD_DIR="build"
elif [ -d "websites/pan-dev/build" ]; then
BUILD_DIR="websites/pan-dev/build"
else
echo "Error: 'build' directory not found in current directory or in websites/pan-dev/"
exit 1
fi
echo "Build directory found at: $BUILD_DIR"
zip -r build.zip "$BUILD_DIR"
- uses: actions/upload-artifact@v4
with:
name: build
path: build.zip
deploy:
name: Deploy
needs: build
if: ${{ !failure() && !cancelled() }}
runs-on: pan-dev-runner-lg
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'yarn'
- uses: actions/download-artifact@v4
with:
name: build
- name: Unzip build artifact
run: |
unzip build.zip
if [ -d "build" ]; then
DEPLOY_DIR="."
elif [ -d "websites/pan-dev/build" ]; then
DEPLOY_DIR="websites/pan-dev"
else
echo "Error: 'build' directory not found in current directory or in websites/pan-dev/"
exit 1
fi
echo "Deploy directory found at: $DEPLOY_DIR"
echo "DEPLOY_DIR=$DEPLOY_DIR" >> $GITHUB_ENV
- name: Deploy to Firebase
id: deploy_preview
uses: FirebaseExtended/action-hosting-deploy@120e124148ab7016bec2374e5050f15051255ba2 # v0.7.1
with:
repoToken: '${{ secrets.GITHUB_TOKEN }}'
firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_PAN_DEV_F1B58 }}'
projectId: pan-dev-f1b58
expires: 30d
channelId: 'pr${{ github.event.number }}'
entryPoint: ${{ env.DEPLOY_DIR }}
env:
FIREBASE_CLI_PREVIEWS: hostingchannels