From 5cf30d1a6bce3802501453bb8394ca6b139988f9 Mon Sep 17 00:00:00 2001
From: tanya732
Date: Wed, 1 Jul 2026 10:05:29 +0530
Subject: [PATCH 1/9] chore: Migrate RL Scanner to useable actions

---
 .github/actions/rl-scanner/action.yml | 71 ---------------------------
 .github/workflows/release.yml | 2 +
 .github/workflows/rl-scanner.yml | 16 ++++--
 3 files changed, 13 insertions(+), 76 deletions(-)
 delete mode 100644 .github/actions/rl-scanner/action.yml

diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
deleted file mode 100644
index 03c378a..0000000
--- a/.github/actions/rl-scanner/action.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -name: "Reversing Labs Scanner" -description: "Runs the Reversing Labs scanner on a specified artifact." -inputs: - artifact-path: - description: "Path to the artifact to be scanned." - required: true - version: - description: "Version of the artifact." - required: true - -runs: - using: "composite" - steps: - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - - - name: Install Python dependencies - shell: bash - run: | - pip install boto3 requests - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} - aws-region: us-east-1 - mask-aws-account-id: true - - - name: Install RL Wrapper - shell: bash - run: | - pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - - - name: Run RL Scanner - shell: bash - env: - RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} - RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} - SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} - PYTHONUNBUFFERED: 1 - run: | - if [ ! -f "${{ inputs.artifact-path }}" ]; then - echo "Artifact not found: ${{ inputs.artifact-path }}" - exit 1 - fi - - rl-wrapper \ - --artifact "${{ inputs.artifact-path }}" \ - --name "${{ github.event.repository.name }}" \ - --version "${{ inputs.version }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_actions" \ - --suppress_output - - # Check the outcome of the scanner - if [ $? -ne 0 ]; then - echo "RL Scanner failed." - echo "scan-status=failed" >> $GITHUB_ENV - exit 1 - else - echo "RL Scanner passed." - echo "scan-status=success" >> $GITHUB_ENV - fi - -outputs: - scan-status: - description: "The outcome of the scan process." - value: ${{ env.scan-status }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b145ab1..72b267f 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,9 +27,11 @@ jobs: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: uses: ./.github/workflows/java-release.yml diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 3af7aac..8cbc8a6 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -16,12 +16,16 @@ on: required: true SIGNAL_HANDLER_TOKEN: required: true + SIGNAL_HANDLER_DOMAIN: + required: true PRODSEC_TOOLS_USER: required: true PRODSEC_TOOLS_TOKEN: required: true PRODSEC_TOOLS_ARN: required: true + PRODSEC_PYTHON_TOOLS_REPO: + required: true jobs: checkout-build-scan-only: 
@@ -55,17 +59,19 @@ jobs: - name: Run RL Scanner id: rl-scan-conclusion - uses: ./.github/actions/rl-scanner + uses: auth0/devsecops-tooling/.github/actions/rl-scan@main with: - artifact-path: "$(pwd)/${{ inputs.artifact-name }}" - version: "${{ steps.get_version.outputs.version }}" - env: + artifact-name: "${{ github.event.repository.name }}" + artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}" + version: ${{ steps.get_version.outputs.version }} RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} - PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} - name: Output scan result run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV From 766a156ddd4a75930d70b4efae772c5c250b2c4f Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 14:21:05 +0530 Subject: [PATCH 2/9] Testing RL Scanner --- .github/workflows/release.yml | 4 ++++ .github/workflows/rl-scanner.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 72b267f..433883d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,9 @@ name: Create GitHub Release on: + push: + branches: + - chore/migrate-rl-scanner-to-useable-action # TEMPORARY: remove after RL scanner debugging pull_request: types: - closed 
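Review bot: The new `uses: auth0/devsecops-tooling/.github/actions/rl-scan@main` line references a mutable branch, and this step receives every scanner and ProdSec secret plus the AWS role ARN under `with:`, so anyone who can push to that branch changes what runs with those credentials on every release. The file already pins `gradle/actions/setup-gradle` to a full commit SHA with a version comment; do the same here, e.g. `uses: auth0/devsecops-tooling/.github/actions/rl-scan@<commit-sha> # <tag>` (placeholder), and let dependency automation bump it. The same unpinned reference appears again in the inlined release.yml job of patch 4 and in the restored rl-scanner.yml of patch 7. The enclosing `checkout-build-scan-only` job starts outside this hunk.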
@@ -34,6 +37,7 @@ jobs: PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: + if: false # TEMPORARY: disabled during RL scanner debugging — re-enable before merge uses: ./.github/workflows/java-release.yml needs: rl-scanner with: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 8cbc8a6..c491883 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -29,7 +29,7 @@ on: jobs: checkout-build-scan-only: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }} From e9d91769c4bd2b629732955fd495621a89e11935 Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 14:36:39 +0530 Subject: [PATCH 3/9] Testing RL Scanner --- .github/workflows/rl-scanner.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index c491883..050c07d 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -27,6 +27,10 @@ on: PRODSEC_PYTHON_TOOLS_REPO: required: true +permissions: + contents: write + id-token: write # This is required for requesting the JWT + jobs: checkout-build-scan-only: if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) From 4716883f2f29539d31f633acdf8c6b3224654f7a Mon Sep 17 00:00:00 2001 
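Review bot: The added `permissions:` block grants `contents: write` to a job that only checks out, builds and scans; `actions/checkout` needs `contents: read`, and nothing visible in this workflow pushes to the repository, so `contents: read` is the least-privilege value unless the external `rl-scan` action writes back, which this diff does not show. `id-token: write` is the part that OIDC role assumption actually needs and should stay. Because this is a `workflow_call` workflow, the effective permissions are also capped by what the caller grants, so release.yml's own `permissions:` block must include `id-token: write` for the token request to succeed; that block is outside this hunk.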
From: tanya732
Date: Wed, 1 Jul 2026 14:48:38 +0530
Subject: [PATCH 4/9] Testing RL Scanner

---
 .github/workflows/release.yml | 53 +++++++---
 .github/workflows/rl-scanner.yml | 166 ++++++++++++++++---------------
 2 files changed, 125 insertions(+), 94 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 433883d..03fb776 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,19 +22,46 @@ permissions: jobs: rl-scanner: - uses: ./.github/workflows/rl-scanner.yml - with: - java-version: "17" - artifact-name: "auth0-springboot-api.tgz" - secrets: - RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} - RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} - SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} - PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} - PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} - PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} - PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + fetch-depth: 0 + fetch-tags: true + + - name: Set up Java + uses: actions/setup-java@v5 + with: + distribution: temurin + java-version: "17" + + - name: Set up Gradle + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + + - name: Build artifact + run: | + ./gradlew assemble check --continue --console=plain + tar -czvf auth0-springboot-api.tgz * + + - name: Get version + id: get_version + uses: ./.github/actions/get-version + + - name: Run RL Scanner + uses: auth0/devsecops-tooling/.github/actions/rl-scan@main + with: + artifact-name: "${{ github.event.repository.name }}" + artifact-path: "${{ github.workspace }}/auth0-springboot-api.tgz" + version: ${{ steps.get_version.outputs.version }} + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_TOOLS_USER: ${{ 
secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: if: false # TEMPORARY: disabled during RL scanner debugging — re-enable before merge diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 050c07d..73f2404 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
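Review bot: The inlined `rl-scanner` job drops the `id: rl-scan-conclusion` on the scan step and the job-level `outputs.scan-status` that the reusable workflow exposed, so any expression in `release` that reads `needs.rl-scanner.outputs.scan-status` would now evaluate to empty; that consumer is not visible here (and `release` is currently `if: false`), so if it exists add `id: rl-scan-conclusion` to the step and an `outputs:` block to the job. The job's `if:` also admits every `push`, which is only acceptable while the temporary branch trigger exists. The `release` job that follows starts outside this hunk.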
@@ -1,81 +1,85 @@ -name: RL-Secure Workflow - -on: - workflow_call: - inputs: - java-version: - required: true - type: string - artifact-name: - required: true - type: string - secrets: - RLSECURE_LICENSE: - required: true - RLSECURE_SITE_KEY: - required: true - SIGNAL_HANDLER_TOKEN: - required: true - SIGNAL_HANDLER_DOMAIN: - required: true - PRODSEC_TOOLS_USER: - required: true - PRODSEC_TOOLS_TOKEN: - required: true - PRODSEC_TOOLS_ARN: - required: true - PRODSEC_PYTHON_TOOLS_REPO: - required: true - -permissions: - contents: write - id-token: write # This is required for requesting the JWT - -jobs: - checkout-build-scan-only: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) - runs-on: ubuntu-latest - outputs: - scan-status: ${{ steps.rl-scan-conclusion.outcome }} - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Java - uses: actions/setup-java@v5 - with: - distribution: temurin - java-version: ${{ inputs.java-version }} - - - name: Set up Gradle - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - - - name: Test and Assemble with Gradle - run: ./gradlew assemble check --continue --console=plain - - - id: get_version - uses: ./.github/actions/get-version - - - name: Create tgz build artifact - run: | - tar -czvf ${{ inputs.artifact-name }} * - - - name: Run RL Scanner - id: rl-scan-conclusion - uses: auth0/devsecops-tooling/.github/actions/rl-scan@main - with: - artifact-name: "${{ github.event.repository.name }}" - artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}" - version: ${{ steps.get_version.outputs.version }} - RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} - RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} - SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - SIGNAL_HANDLER_DOMAIN: ${{ 
secrets.SIGNAL_HANDLER_DOMAIN }} - PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} - PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} - PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} - PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} - - - name: Output scan result - run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV +# DEPRECATED: RL scanner is now inlined as the `rl-scanner` job in release.yml. +# Kept commented for reference; the reusable-workflow layout caused AWS OIDC +# (sts:AssumeRoleWithWebIdentity) to be rejected by the PRODSEC_TOOLS_ARN trust policy. +# +# name: RL-Secure Workflow +# +# on: +# workflow_call: +# inputs: +# java-version: +# required: true +# type: string +# artifact-name: +# required: true +# type: string +# secrets: +# RLSECURE_LICENSE: +# required: true +# RLSECURE_SITE_KEY: +# required: true +# SIGNAL_HANDLER_TOKEN: +# required: true +# SIGNAL_HANDLER_DOMAIN: +# required: true +# PRODSEC_TOOLS_USER: +# required: true +# PRODSEC_TOOLS_TOKEN: +# required: true +# PRODSEC_TOOLS_ARN: +# required: true +# PRODSEC_PYTHON_TOOLS_REPO: +# required: true +# +# permissions: +# contents: write +# id-token: write # This is required for requesting the JWT +# +# jobs: +# checkout-build-scan-only: +# if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) +# runs-on: ubuntu-latest +# outputs: +# scan-status: ${{ steps.rl-scan-conclusion.outcome }} +# +# steps: +# - name: Checkout code +# uses: actions/checkout@v6 +# +# - name: Set up Java +# uses: actions/setup-java@v5 +# with: +# distribution: temurin +# java-version: ${{ inputs.java-version }} +# +# - name: Set up Gradle +# uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 +# +# - name: Test and Assemble with Gradle +# run: ./gradlew assemble check 
--continue --console=plain +# +# - id: get_version +# uses: ./.github/actions/get-version +# +# - name: Create tgz build artifact +# run: | +# tar -czvf ${{ inputs.artifact-name }} * +# +# - name: Run RL Scanner +# id: rl-scan-conclusion +# uses: auth0/devsecops-tooling/.github/actions/rl-scan@main +# with: +# artifact-name: "${{ github.event.repository.name }}" +# artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}" +# version: ${{ steps.get_version.outputs.version }} +# RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} +# RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} +# SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} +# SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} +# PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} +# PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} +# PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} +# PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} +# +# - name: Output scan result +# run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV From a6244f20fe9637e8226454dfd70a9a5337708958 Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 16:19:04 +0530 Subject: [PATCH 5/9] Testing RL Scanner --- .github/workflows/rl-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 73f2404..b10ebf0 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -1,4 +1,4 @@ -# DEPRECATED: RL scanner is now inlined as the `rl-scanner` job in release.yml. +# DEPRECATED: RL scanner is now inlined as the `rl-scanner` job in release.yml. # Kept commented for reference; the reusable-workflow layout caused AWS OIDC # (sts:AssumeRoleWithWebIdentity) to be rejected by the PRODSEC_TOOLS_ARN trust policy. # From cf89d68051db1de0b652c18830034a73ce62498e Mon Sep 17 00:00:00 2001 
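Review bot: Commenting out the entire workflow leaves a file under .github/workflows with no `on:` or `jobs:` key, which GitHub is likely to surface as an invalid-workflow error in the Actions tab; if the reusable workflow is really retired, delete the file and let git history keep the reference rather than a fully commented copy. The header comment's explanation that the reusable-workflow layout was rejected by the `PRODSEC_TOOLS_ARN` trust policy is useful context and belongs in the commit message or a short comment beside the inlined job in release.yml, not in a dead file.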
From: tanya732
Date: Wed, 1 Jul 2026 16:30:26 +0530
Subject: [PATCH 6/9] chore: re-trigger RL scanner run

From b97b37422e898c5510369e32f7d6e58ad6de16bc Mon Sep 17 00:00:00 2001
From: tanya732
Date: Wed, 1 Jul 2026 16:37:01 +0530
Subject: [PATCH 7/9] chore: switch RL scanner back to reusable workflow

---
 .github/workflows/release.yml | 53 +++-------
 .github/workflows/rl-scanner.yml | 166 +++++++++++++++----------
 2 files changed, 94 insertions(+), 125 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 03fb776..433883d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,46 +22,19 @@ permissions: jobs: rl-scanner: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - fetch-tags: true - - - name: Set up Java - uses: actions/setup-java@v5 - with: - distribution: temurin - java-version: "17" - - - name: Set up Gradle - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - - - name: Build artifact - run: | - ./gradlew assemble check --continue --console=plain - tar -czvf auth0-springboot-api.tgz * - - - name: Get version - id: get_version - uses: ./.github/actions/get-version - - - name: Run RL Scanner - uses: auth0/devsecops-tooling/.github/actions/rl-scan@main - with: - artifact-name: "${{ github.event.repository.name }}" - artifact-path: "${{ github.workspace }}/auth0-springboot-api.tgz" - version: ${{ steps.get_version.outputs.version }} - RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} - RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} - SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} - PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} - PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} - PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} - PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} + uses: ./.github/workflows/rl-scanner.yml + with: + java-version: "17" + artifact-name: "auth0-springboot-api.tgz" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ 
secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: if: false # TEMPORARY: disabled during RL scanner debugging — re-enable before merge diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index b10ebf0..050c07d 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
@@ -1,85 +1,81 @@ -# DEPRECATED: RL scanner is now inlined as the `rl-scanner` job in release.yml. -# Kept commented for reference; the reusable-workflow layout caused AWS OIDC -# (sts:AssumeRoleWithWebIdentity) to be rejected by the PRODSEC_TOOLS_ARN trust policy. -# -# name: RL-Secure Workflow -# -# on: -# workflow_call: -# inputs: -# java-version: -# required: true -# type: string -# artifact-name: -# required: true -# type: string -# secrets: -# RLSECURE_LICENSE: -# required: true -# RLSECURE_SITE_KEY: -# required: true -# SIGNAL_HANDLER_TOKEN: -# required: true -# SIGNAL_HANDLER_DOMAIN: -# required: true -# PRODSEC_TOOLS_USER: -# required: true -# PRODSEC_TOOLS_TOKEN: -# required: true -# PRODSEC_TOOLS_ARN: -# required: true -# PRODSEC_PYTHON_TOOLS_REPO: -# required: true -# -# permissions: -# contents: write -# id-token: write # This is required for requesting the JWT -# -# jobs: -# checkout-build-scan-only: -# if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) -# runs-on: ubuntu-latest -# outputs: -# scan-status: ${{ steps.rl-scan-conclusion.outcome }} -# -# steps: -# - name: Checkout code -# uses: actions/checkout@v6 -# -# - name: Set up Java -# uses: actions/setup-java@v5 -# with: -# distribution: temurin -# java-version: ${{ inputs.java-version }} -# -# - name: Set up Gradle -# uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 -# -# - name: Test and Assemble with Gradle -# run: ./gradlew assemble check --continue --console=plain -# -# - id: get_version -# uses: ./.github/actions/get-version -# -# - name: Create tgz build artifact -# run: | -# tar -czvf ${{ inputs.artifact-name }} * -# -# - name: Run RL Scanner -# id: rl-scan-conclusion -# uses: auth0/devsecops-tooling/.github/actions/rl-scan@main -# with: -# artifact-name: "${{ github.event.repository.name }}" 
-# artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}" -# version: ${{ steps.get_version.outputs.version }} -# RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} -# RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} -# SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} -# SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} -# PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} -# PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} -# PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} -# PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} -# -# - name: Output scan result -# run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV +name: RL-Secure Workflow + +on: + workflow_call: + inputs: + java-version: + required: true + type: string + artifact-name: + required: true + type: string + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + SIGNAL_HANDLER_DOMAIN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true + PRODSEC_PYTHON_TOOLS_REPO: + required: true + +permissions: + contents: write + id-token: write # This is required for requesting the JWT + +jobs: + checkout-build-scan-only: + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} + + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Set up Java + uses: actions/setup-java@v5 + with: + distribution: temurin + java-version: ${{ inputs.java-version }} + + - name: Set up Gradle + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + + - name: Test and Assemble with Gradle + run: 
./gradlew assemble check --continue --console=plain + + - id: get_version + uses: ./.github/actions/get-version + + - name: Create tgz build artifact + run: | + tar -czvf ${{ inputs.artifact-name }} * + + - name: Run RL Scanner + id: rl-scan-conclusion + uses: auth0/devsecops-tooling/.github/actions/rl-scan@main + with: + artifact-name: "${{ github.event.repository.name }}" + artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}" + version: ${{ steps.get_version.outputs.version }} + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV From ced0bdf56abc87c0015f16640c2d6afa63cc9f7b Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 16:42:12 +0530 Subject: [PATCH 8/9] chore: switch RL scanner back to reusable workflow --- .github/workflows/rl-scanner.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 050c07d..c491883 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -27,10 +27,6 @@ on: PRODSEC_PYTHON_TOOLS_REPO: required: true -permissions: - contents: write - id-token: write # This is required for requesting the JWT - jobs: checkout-build-scan-only: if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) 
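Review bot: Restoring the reusable workflow brings back exactly the layout whose header comment, removed in this hunk, said AWS OIDC role assumption was rejected by the `PRODSEC_TOOLS_ARN` trust policy, yet nothing in the diff changes the token the `rl-scan` step presents. The commit message should state what was changed on the AWS side to make this layout work, presumably the role's trust policy now accepting the reusable workflow's token claims; otherwise the next reader has no way to tell whether this revert is a fix or a regression. A one-line comment above `uses: auth0/devsecops-tooling/.github/actions/rl-scan@main` such as `# OIDC: the assumed role's trust policy must accept this reusable workflow's token claims` would keep that dependency visible in the file.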
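Review bot: Removing the `permissions:` block means this called workflow now inherits whatever GITHUB_TOKEN permissions release.yml grants, and the `rl-scan` step's OIDC request to AWS only works if that caller-level block includes `id-token: write`; the caller's block is outside this diff, so confirm it before merging, or keep a minimal block here, `permissions:` with `contents: read` and `id-token: write`, so the requirement is explicit in the workflow that actually needs it. Dropping the `contents: write` that came with the removed block is an improvement for a scan-only job.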
From 04a9d19b0e8a6c978c437d0cbdf7ee2ffabfece5 Mon Sep 17 00:00:00 2001 From: tanya732 Date: Wed, 1 Jul 2026 16:48:25 +0530 Subject: [PATCH 9/9] chore: revert temporary RL scanner debug triggers --- .github/workflows/release.yml | 4 ---- .github/workflows/rl-scanner.yml | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 433883d..72b267f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,6 @@ name: Create GitHub Release on: - push: - branches: - - chore/migrate-rl-scanner-to-useable-action # TEMPORARY: remove after RL scanner debugging pull_request: types: - closed @@ -37,7 +34,6 @@ jobs: PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }} release: - if: false # TEMPORARY: disabled during RL scanner debugging — re-enable before merge uses: ./.github/workflows/java-release.yml needs: rl-scanner with: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index c491883..8cbc8a6 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -29,7 +29,7 @@ on: jobs: checkout-build-scan-only: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }}