add workflow sync-oscal-cac

[huiwangredhat]

This workflow aims to sync OSCAL content updates to CAC content.

1. OSCAL content PR merge will trigger this workflow
2. It will detect the updated OSCAL files(catalogs, profiles and component-definition)
3. It calls the CLI of complyscribe to sync the updates to CAC content of the controls and product profiles
4. It will create a PR to CAC content, e.g., Auto-generated PR from OSCAL 33

[marcusburghardt]

I have some minor comments in the workflow. Also, reviewing the changes in https://github.com/ComplianceAsCode/content/pull/13617/files I noticed the proposed PR is removing more content than expected from control files. For example, it was removing all "unselected" rules. This seems unrelated to this PR, but worth to investigate the transformation commands. Any thoughts @RichardXuan ?

[marcusburghardt]

Since we know the branch name, we could filter by the exact name and avoid the loop below. WDYT?

[huiwangredhat]

Updated.

[marcusburghardt]

The task is opening a PR in CaC/content, based on a existing PR in oscal-content. But the title, as I interpreted, suggests a PR will be opened in oscal-content. Maybe we could slightly update the title. WDYT?

[marcusburghardt]

Thanks for the nice work on this workflow @huiwangredhat. It is a new process, so some changes are expected over time as it gets more use and we start getting more feedback. This good base will help us to quickly adapt whenever necessary.

[huiwangredhat]

I have some minor comments in the workflow. Also, reviewing the changes in https://github.com/ComplianceAsCode/content/pull/13617/files I noticed the proposed PR is removing more content than expected from control files. For example, it was removing all "unselected" rules. This seems unrelated to this PR, but worth to investigate the transformation commands. Any thoughts @RichardXuan ?

@marcusburghardt, Thank you for your reminder. In the beginning, I thought this maybe caused by the inconsistent data between oscal-content and cac content. You know, after we synced CAC to OSCAL on 20250617, OSCAL content hasn't synced the CAC updates. If the data is inconsistent, it could be updated on the other side if we run the sync CLI. So I run sync-cac-oscal to make sure the data is consistent, then run the sync-oscal-cac to confirm this issue first. I found it is trying to remove some rules/vars.
steps:

• git clone cac master and checkout a new branch
• git clone oscal-content and checkout a new branch
• run sync-cac-content to make sure the data consistent
  poetry run complyscribe sync-cac-content catalog --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --cac-policy-id anssi --oscal-catalog anssi
poetry run complyscribe sync-cac-content profile --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --cac-policy-id anssi --oscal-catalog anssi --product rhel10
poetry run complyscribe sync-cac-content component-definition --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --component-definition-type software --cac-profile anssi_bp28_high --oscal-profile rhel10-anssi-high --product rhel10
poetry run complyscribe sync-cac-content component-definition --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --component-definition-type validation --cac-profile anssi_bp28_high --oscal-profile rhel10-anssi-high --product rhel10
• run sync-oscal-content, it shouldn't update anything --- It removed some rules as the PR
  poetry run complyscribe sync-oscal-content component-definition --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --product rhel10 --oscal-profile rhel10-anssi-high
• update oscal content
• run sync-oscal-content, cac content should be updated correctly

@marcusburghardt @AlexXuan233 I would like to file an issue to check/fix it. Due to it's out of the CI, so I will merge this PR first. WDYT?

[AlexXuan233]

I have some minor comments in the workflow. Also, reviewing the changes in https://github.com/ComplianceAsCode/content/pull/13617/files I noticed the proposed PR is removing more content than expected from control files. For example, it was removing all "unselected" rules. This seems unrelated to this PR, but worth to investigate the transformation commands. Any thoughts @RichardXuan ?

@marcusburghardt I will fix this. Let me create an jira issue for record. WDYT

[AlexXuan233]

I have some minor comments in the workflow. Also, reviewing the changes in https://github.com/ComplianceAsCode/content/pull/13617/files I noticed the proposed PR is removing more content than expected from control files. For example, it was removing all "unselected" rules. This seems unrelated to this PR, but worth to investigate the transformation commands. Any thoughts @RichardXuan ?

@marcusburghardt, Thank you for your reminder. In the beginning, I thought this maybe caused by the inconsistent data between oscal-content and cac content. You know, after we synced CAC to OSCAL on 20250617, OSCAL content hasn't synced the CAC updates. If the data is inconsistent, it could be updated on the other side if we run the sync CLI. So I run sync-cac-oscal to make sure the data is consistent, then run the sync-oscal-cac to confirm this issue first. I found it is trying to remove some rules/vars. steps:

• git clone cac master and checkout a new branch
• git clone oscal-content and checkout a new branch
• run sync-cac-content to make sure the data consistent
  poetry run complyscribe sync-cac-content catalog --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --cac-policy-id anssi --oscal-catalog anssi
poetry run complyscribe sync-cac-content profile --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --cac-policy-id anssi --oscal-catalog anssi --product rhel10
poetry run complyscribe sync-cac-content component-definition --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --component-definition-type software --cac-profile anssi_bp28_high --oscal-profile rhel10-anssi-high --product rhel10
poetry run complyscribe sync-cac-content component-definition --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --component-definition-type validation --cac-profile anssi_bp28_high --oscal-profile rhel10-anssi-high --product rhel10
• run sync-oscal-content, it shouldn't update anything --- It removed some rules as the PR
  poetry run complyscribe sync-oscal-content component-definition --repo-path /Users/huiwang/issue-569/test/oscal-content --committer-email test@redhat.com --committer-name test --branch test_transfer_cli --cac-content-root /Users/huiwang/issue-743/cac-content --product rhel10 --oscal-profile rhel10-anssi-high
• update oscal content
• run sync-oscal-content, cac content should be updated correctly

@marcusburghardt @AlexXuan233 I would like to file an issue to check/fix it. Due to it's out of the CI, so I will merge this PR first. WDYT?

Agreed.