AIRS: Adding python sdk for management api #3079
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Deploy Preview" | |
| on: | |
| pull_request_target: | |
| branches: [ master ] | |
| permissions: {} | |
| concurrency: | |
| group: preview-${{ github.event.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| precheck: | |
| if: ${{ github.repository == 'PaloAltoNetworks/pan.dev' }} | |
| name: Precheck | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| is-org-member-result: ${{ steps.is-org-member.outputs.is-org-member-result }} | |
| steps: | |
| - name: Check if PR head is trusted | |
| id: is-org-member | |
| run: | | |
| if [[ "$PR_AUTHOR" == "create-pr-on-fork-for-pan-dev[bot]" ]]; then | |
| echo "is-org-member-result=true" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| if [[ "$PR_AUTHOR" == "dependabot[bot]" ]]; then | |
| echo "is-org-member-result=false" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| if [[ "$HEAD_REPO" != "$BASE_REPO" ]]; then | |
| echo "is-org-member-result=false" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| status=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $GH_TOKEN" \ | |
| "https://api.github.com/orgs/PaloAltoNetworks/members/$PR_AUTHOR") | |
| if [[ "$status" == "204" ]]; then | |
| echo "is-org-member-result=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "is-org-member-result=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.READ_ORG_PAT }} | |
| PR_AUTHOR: ${{ github.event.pull_request.user.login }} | |
| HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }} | |
| BASE_REPO: ${{ github.repository }} | |
| analyze: | |
| if: github.repository == 'PaloAltoNetworks/pan.dev' && needs.precheck.outputs.is-org-member-result == 'true' | |
| name: Analyze | |
| needs: precheck | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| language: [ 'javascript' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-extended | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| analyze_unsafe: | |
| if: github.repository == 'PaloAltoNetworks/pan.dev' && needs.precheck.outputs.is-org-member-result == 'false' | |
| name: Analyze Unsafe | |
| needs: precheck | |
| runs-on: ubuntu-latest | |
| environment: default | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| language: [ 'javascript' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-extended | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| build: | |
| name: Build | |
| needs: [analyze, analyze_unsafe] | |
| if: | | |
| github.repository == 'PaloAltoNetworks/pan.dev' && | |
| !failure() && !cancelled() && | |
| (success('analyze') || success('analyze_unsafe')) | |
| runs-on: pan-dev-runner-xl | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| - name: Setup node | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: '20' | |
| cache: 'yarn' | |
| - name: Get yarn cache | |
| id: yarn-cache | |
| run: echo "YARN_CACHE_DIR=$(yarn cache dir)" >> "${GITHUB_OUTPUT}" | |
| - name: Install dependencies | |
| run: yarn --prefer-offline --frozen-lockfile --ignore-scripts | |
| - name: Include netsec | |
| if: contains(github.event.pull_request.labels.*.name, 'netsec') | |
| run: | | |
| echo "Including 'netsec' in build..." | |
| if [[ -n "$PRODUCTS_INCLUDE" ]]; then | |
| echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw-bpa,email-dlp,dlp,prisma-airs" >> $GITHUB_ENV | |
| else | |
| echo "PRODUCTS_INCLUDE=cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw-bpa,email-dlp,dlp,prisma-airs" >> $GITHUB_ENV | |
| fi | |
| - name: Include cloud | |
| if: contains(github.event.pull_request.labels.*.name, 'cloud') | |
| run: | | |
| echo "Including 'cloud' in build..." | |
| if [[ -n "$PRODUCTS_INCLUDE" ]]; then | |
| echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,prisma-cloud,compute" >> $GITHUB_ENV | |
| else | |
| echo "PRODUCTS_INCLUDE=prisma-cloud,compute" >> $GITHUB_ENV | |
| fi | |
| - name: Include sase | |
| if: contains(github.event.pull_request.labels.*.name, 'sase') | |
| run: | | |
| echo "Including 'sase' in build..." | |
| if [[ -n "$PRODUCTS_INCLUDE" ]]; then | |
| echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,sase,access,sdwan,scm" >> $GITHUB_ENV | |
| else | |
| echo "PRODUCTS_INCLUDE=sase,access,sdwan,scm" >> $GITHUB_ENV | |
| fi | |
| - name: Include contributing | |
| if: contains(github.event.pull_request.labels.*.name, 'contributing') | |
| run: | | |
| echo "Including 'contributing' in build..." | |
| if [[ -n "$PRODUCTS_INCLUDE" ]]; then | |
| echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,contributing" >> $GITHUB_ENV | |
| else | |
| echo "PRODUCTS_INCLUDE=contributing" >> $GITHUB_ENV | |
| fi | |
| - name: Include dependencies | |
| if: contains(github.event.pull_request.labels.*.name, 'dependencies') | |
| run: | | |
| echo "Including 'dependencies' in build..." | |
| if [[ -n "$PRODUCTS_INCLUDE" ]]; then | |
| echo "PRODUCTS_INCLUDE=$PRODUCTS_INCLUDE,contributing" >> $GITHUB_ENV | |
| else | |
| echo "PRODUCTS_INCLUDE=contributing" >> $GITHUB_ENV | |
| fi | |
| - name: Output final PRODUCTS_INCLUDE | |
| run: | | |
| echo "Building the following products: $PRODUCTS_INCLUDE" | |
| # needed for fetching Hashicorp blog feed | |
| - name: Cache Playwright | |
| id: playwright-cache | |
| uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: | | |
| ~/.cache/ms-playwright | |
| key: ${{ runner.os }}-playwright-${{ hashFiles('package.json') }} | |
| - name: Install Playwright | |
| if: steps.playwright-cache.outputs.cache-hit != 'true' | |
| run: | | |
| npx playwright install chromium | |
| npx playwright install-deps chromium | |
| - name: Build site | |
| run: FEED_SOFT_FAIL=1 FEED_DEBUG=1 yarn build-github | |
| - name: Verify build did not modify critical files | |
| run: | | |
| git diff --exit-code -- \ | |
| firebase.json .firebaserc package.json yarn.lock docusaurus.config.ts \ | |
| 'scripts/**' '.github/**' 'src/theme/**' 'plugin-sitemap-coveo/**' | |
| - name: Zip build directory | |
| run: | | |
| if [ -d "build" ]; then | |
| BUILD_DIR="build" | |
| elif [ -d "websites/pan-dev/build" ]; then | |
| BUILD_DIR="websites/pan-dev/build" | |
| else | |
| echo "Error: 'build' directory not found in current directory or in websites/pan-dev/" | |
| exit 1 | |
| fi | |
| echo "Build directory found at: $BUILD_DIR" | |
| rm -f build.zip | |
| zip -r build.zip "$BUILD_DIR" | |
| - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: build | |
| path: build.zip | |
| deploy: | |
| name: Deploy | |
| needs: build | |
| if: ${{ github.repository == 'PaloAltoNetworks/pan.dev' && !failure() && !cancelled() }} | |
| runs-on: pan-dev-runner-lg | |
| environment: preview | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| checks: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: '20' | |
| cache: 'yarn' | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: build | |
| - name: Unzip build artifact | |
| run: | | |
| unzip -n build.zip 'build/*' || unzip -n build.zip 'websites/pan-dev/build/*' | |
| if [ -d "build" ]; then | |
| DEPLOY_DIR="." | |
| elif [ -d "websites/pan-dev/build" ]; then | |
| DEPLOY_DIR="websites/pan-dev" | |
| else | |
| echo "Error: 'build' directory not found in current directory or in websites/pan-dev/" | |
| exit 1 | |
| fi | |
| echo "Deploy directory found at: $DEPLOY_DIR" | |
| echo "DEPLOY_DIR=$DEPLOY_DIR" >> $GITHUB_ENV | |
| - name: Authenticate to Google Cloud | |
| id: auth | |
| uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 | |
| with: | |
| workload_identity_provider: ${{ secrets.WIF_PROVIDER }} | |
| service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }} | |
| export_environment_variables: false | |
| - name: Mask sensitive values in logs | |
| run: | | |
| echo "::add-mask::${{ steps.auth.outputs.credentials_file_path }}" | |
| echo "::add-mask::${{ secrets.GCP_PROJECT_NUMBER }}" | |
| - name: Read GCP credentials | |
| id: creds | |
| run: | | |
| creds=$(cat "${{ steps.auth.outputs.credentials_file_path }}") | |
| echo "::add-mask::$creds" | |
| echo "sa_key=$creds" >> "$GITHUB_OUTPUT" | |
| - name: Deploy to Firebase | |
| id: deploy_preview | |
| uses: FirebaseExtended/action-hosting-deploy@e2eda2e106cfa35cdbcf4ac9ddaf6c4756df2c8c # v0.10.0 | |
| with: | |
| repoToken: '${{ secrets.GITHUB_TOKEN }}' | |
| firebaseServiceAccount: "${{ steps.creds.outputs.sa_key }}" | |
| projectId: ${{ secrets.FIREBASE_PROJECT_ID }} | |
| expires: 7d | |
| channelId: 'pr${{ github.event.number }}' | |
| totalPreviewChannelLimit: 25 | |
| entryPoint: ${{ env.DEPLOY_DIR }} | |
| env: | |
| FIREBASE_CLI_PREVIEWS: hostingchannels | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |