feat(action): adds directory and action for vendor dir

Adds initial vendor directory for OSCAL content with REV4 and
REV5 NIST 800-53 catalogs and FedRAMP High profiles.
Adds update-vendor.yaml for automated updates of content

Signed-off-by: Jennifer Power <[email protected]>

.github/workflows/update-vendor.yaml

@@ -0,0 +1,55 @@
+name: Update vendored OSCAL content
+
+on: 
+  workflow_dispatch:
+  schedule:
+    # Run weekly at 05:00 on Sunday
+    - cron: "0 5 * * 0"
+
+jobs:
+  update-vendor:
+    name: Update content
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    strategy:
+      matrix:
+        variables:
+          - catalog-source: "https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json"
+            profile-source: "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json"
+            profile-name: "fedramp_rev5_high"
+            catalog-name: "nist_rev5_800_53"
+          - catalog-source: "https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json"
+            profile-source: "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json"
+            profile-name: "fedramp_rev4_high"
+            catalog-name: "nist_rev4_800_53"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+      - name: Install python deps
+        run: pip3 install compliance-trestle==2.3.1
+      - name: Update catalogs
+        run: |
+          rm -rf "catalogs/${{ matrix.variables.catalog-name }}"
+          trestle import -f "${{ matrix.variables.catalog-source }}" -o "${{ matrix.variables.catalog-name }}"
+        working-directory: ./vendor
+      - name: Update profiles
+        run: |
+          rm -rf "profiles/${{ matrix.variables.profile-name }}"
+          trestle import -f "${{ matrix.variables.profile-source }}" -o "${{ matrix.variables.profile-name }}"
+          trestle href --name "${{ matrix.variables.profile-name }}" -hr "trestle://catalogs/${{ matrix.variables.catalog-name }}/catalog.json"
+        working-directory: ./vendor
+      - name: Update content
+        uses: peter-evans/[email protected]
+        with:
+          base: master
+          branch: "vendor-update-${{ github.run_id }}"
+          delete-branch: true
+          commit-message: "Update vendored OSCAL content"
+          add-paths: |
+            vendor/

.gitignore

@@ -79,3 +79,6 @@ ocp4/profiles/test.profile
 # Ignore coverage files
 .coverage
 coverage.xml
+
+# Trestle specfic
+vendor/.trestle/cache

vendor/.trestle/config.ini

@@ -0,0 +1 @@
+# trestle config file

vendor/REAMDE.adoc

@@ -0,0 +1,5 @@
+= Vendor
+
+This vendor directory contains a link:https://ibm.github.io/compliance-trestle/[compliance-trestle] managed workspace to import upstream catalog and profile content into generated link:https://pages.nist.gov/OSCAL-Reference/models/v1.1.1/component-definition/json-outline/[OSCAL Component Definition].
+
+