From bf6648e7f16b970bf4b57a97c816dfeea40d8c29 Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 16:28:52 +0530 Subject: [PATCH 1/3] chore: Migrate RL Scanner to useable actions --- .github/actions/rl-scanner/action.yml | 71 --------------------------- .github/workflows/release.yml | 6 +++ .github/workflows/rl-scanner.yml | 23 ++++++--- 3 files changed, 21 insertions(+), 79 deletions(-) delete mode 100644 .github/actions/rl-scanner/action.yml diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml deleted file mode 100644 index 03c378a0c..000000000 --- a/.github/actions/rl-scanner/action.yml +++ /dev/null @@ -1,71 +0,0 @@ -name: "Reversing Labs Scanner" -description: "Runs the Reversing Labs scanner on a specified artifact." -inputs: - artifact-path: - description: "Path to the artifact to be scanned." - required: true - version: - description: "Version of the artifact." - required: true - -runs: - using: "composite" - steps: - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - - - name: Install Python dependencies - shell: bash - run: | - pip install boto3 requests - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} - aws-region: us-east-1 - mask-aws-account-id: true - - - name: Install RL Wrapper - shell: bash - run: | - pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - - - name: Run RL Scanner - shell: bash - env: - RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} - RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} - SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} - PYTHONUNBUFFERED: 1 - run: | - if [ ! -f "${{ inputs.artifact-path }}" ]; then - echo "Artifact not found: ${{ inputs.artifact-path }}" - exit 1 - fi - - rl-wrapper \ - --artifact "${{ inputs.artifact-path }}" \ - --name "${{ github.event.repository.name }}" \ - --version "${{ inputs.version }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_actions" \ - --suppress_output - - # Check the outcome of the scanner - if [ $? -ne 0 ]; then - echo "RL Scanner failed." - echo "scan-status=failed" >> $GITHUB_ENV - exit 1 - else - echo "RL Scanner passed." - echo "scan-status=success" >> $GITHUB_ENV - fi - -outputs: - scan-status: - description: "The outcome of the scan process." - value: ${{ env.scan-status }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5bab2bc72..a95b557dd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,9 @@ name: Create GitHub Release on: + push: + branches: + - chore/migrate-rl-scanner-to-useable-action # TEMPORARY: remove after RL scanner debugging pull_request: types: - closed @@ -24,10 +27,13 @@ jobs: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: + if: false # TEMPORARY: disabled during RL scanner debugging — re-enable after uses: ./.github/workflows/java-release.yml needs: rl-scanner with: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 7d38a0ab0..387df41d7 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -16,18 +16,23 @@ on: required: true SIGNAL_HANDLER_TOKEN: required: true + SIGNAL_HANDLER_DOMAIN: + required: true PRODSEC_TOOLS_USER: required: true PRODSEC_TOOLS_TOKEN: required: true PRODSEC_TOOLS_ARN: required: true + PRODSEC_PYTHON_TOOLS_REPO: + required: true jobs: checkout-build-scan-only: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) # TEMPORARY: 'push' added for RL scanner debugging + runs-on: ubuntu-latest outputs: - scan-status: ${{ steps.rl-scan-conclusion.outcome }} + scan-status: ${{ steps.rl-scan-conclusion.outputs.scan-status }} steps: - name: Checkout code @@ -54,17 +59,19 @@ jobs: - name: Run RL Scanner id: rl-scan-conclusion - uses: ./.github/actions/rl-scanner + uses: auth0/devsecops-tooling/.github/actions/rl-scan@main with: - artifact-path: "$(pwd)/${{ inputs.artifact-name }}" - version: "${{ steps.get_version.outputs.version }}" - env: + artifact-name: ${{ github.event.repository.name }} + artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}" + version: ${{ steps.get_version.outputs.version }} RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} - PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} - name: Output scan result - run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV + run: echo "scan-status=${{ steps.rl-scan-conclusion.outputs.scan-status }}" >> $GITHUB_ENV From d71f75be43628558ec8748cff2a8dec11f7fe02b Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 16:55:04 +0530 Subject: [PATCH 2/3] chore: Migrate RL Scanner to useable actions --- .github/workflows/release.yml | 4 ---- .github/workflows/rl-scanner.yml | 3 +-- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a95b557dd..aa337cebd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,6 @@ name: Create GitHub Release on: - push: - branches: - - chore/migrate-rl-scanner-to-useable-action # TEMPORARY: remove after RL scanner debugging pull_request: types: - closed @@ -33,7 +30,6 @@ jobs: PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: - if: false # TEMPORARY: disabled during RL scanner debugging — re-enable after uses: ./.github/workflows/java-release.yml needs: rl-scanner with: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 387df41d7..2abc5e83d 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -28,8 +28,7 @@ on: required: true jobs: checkout-build-scan-only: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) # TEMPORARY: 'push' added for RL scanner debugging - + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outputs.scan-status }} From ff7723430808c81ecf64e1a5f2fbd1179c78aed7 Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 17:01:04 +0530 Subject: [PATCH 3/3] Update jackson to 2.21.4 --- build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 7c52f7506..c413cb153 100644 --- a/build.gradle +++ b/build.gradle @@ -22,9 +22,9 @@ logger.lifecycle("Using version ${version} for ${name} group $group") dependencies { // Core dependencies api 'com.squareup.okhttp3:okhttp:5.2.1' - api 'com.fasterxml.jackson.core:jackson-databind:2.21.2' - api 'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.21.2' - api 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.2' + api 'com.fasterxml.jackson.core:jackson-databind:2.21.4' + api 'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.21.4' + api 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.4' // Dependencies for legacy management code from auth0-real implementation 'com.squareup.okhttp3:logging-interceptor:5.2.1'