Generate and output sbom in GHA (with GHA actions test)

Signed-off-by: Andre Kurait <[email protected]>
opensearch-project · Nov 6, 2024 · 50b028b · 50b028b
1 parent c189ced
commit 50b028b
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 53 deletions.
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -1,10 +1,13 @@
 name: Release drafter
 
 # Push events to every tag not containing "/"
+# on:
+#   push:
+#     tags:
+#       - "*"
 on:
-  push:
-    tags:
-      - "*"
+  pull_request:
+    types: [opened, synchronize, reopened]
 env:
   java-version: '11'
   gradle-version: '8.0.2'
@@ -19,8 +22,8 @@ jobs:
     name: Draft a release
     if: github.repository == 'opensearch-project/opensearch-migrations'
     runs-on: ubuntu-latest
-    outputs:
-      dockerhub-password: ${{ steps.retrieve-values.outputs.dockerhub-password }}
+    # outputs:
+    #   dockerhub-password: ${{ steps.retrieve-values.outputs.dockerhub-password }}
     steps:
       - uses: actions/setup-java@v4
         with:
@@ -33,23 +36,49 @@ jobs:
       - id: get_data
         run: |
           echo "approvers=$(cat .github/CODEOWNERS | grep @ | tr -d '*\n ' | sed 's/@/,/g' | sed 's/,//1')" >> $GITHUB_OUTPUT
-          echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-      - uses: trstringer/manual-approval@v1
-        with:
-          secret: ${{ github.TOKEN }}
-          approvers: ${{ steps.get_data.outputs.approvers }}
-          minimum-approvals: 2
-          issue-title: 'Release opensearch-migrations version ${{ steps.get_data.outputs.version }}'
-          issue-body: "This release requires approval from at least two reviewers. Please approve or deny the release of opensearch-migrations **TAG**: ${{ github.ref_name }}  **COMMIT**: ${{ github.sha }} **VERSION**: ${{ steps.get_data.outputs.version }}. The published TrafficCapture version will be 0.${{ steps.get_data.outputs.version }}."
-          exclude-workflow-initiator-as-approver: true
+          # echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          echo "version=2.0.3" >> $GITHUB_OUTPUT
+      # - uses: trstringer/manual-approval@v1
+      #   with:
+      #     secret: ${{ github.TOKEN }}
+      #     approvers: ${{ steps.get_data.outputs.approvers }}
+      #     minimum-approvals: 2
+      #     issue-title: 'Release opensearch-migrations version ${{ steps.get_data.outputs.version }}'
+      #     issue-body: "This release requires approval from at least two reviewers. Please approve or deny the release of opensearch-migrations **TAG**: ${{ github.ref_name }}  **COMMIT**: ${{ github.sha }} **VERSION**: ${{ steps.get_data.outputs.version }}. The published TrafficCapture version will be 0.${{ steps.get_data.outputs.version }}."
+      #     exclude-workflow-initiator-as-approver: true
       - name: Download Repo Tar
         # Preface Traffic Capture version with 0. to signal interface immaturity
         run: |
           wget https://github.com/opensearch-project/opensearch-migrations/archive/refs/tags/${{ steps.get_data.outputs.version }}.tar.gz -O artifacts.tar.gz
           ./gradlew publishMavenJavaPublicationToMavenRepository -Dbuild.snapshot=false -Dbuild.version=0.${{ steps.get_data.outputs.version }} && tar -C build -cvf traffic-capture-artifacts.tar.gz repository
       - name: Build Docker Images
         run: |
-          ./deployment/cdk/opensearch-service-migration/buildDockerImages.sh
+          ./deployment/cdk/opensearch-service-migration/buildDockerImages.sh -Dbuild.snapshot=false -Dbuild.version=0.${{ steps.get_data.outputs.version }}
+      - name: Generate SBOM for migration_console
+        uses: anchore/sbom-action@v0
+        with:
+          image: migrations/migration_console:latest
+          output: console-sbom.json
+      - name: Generate SBOM for traffic_replayer
+        uses: anchore/sbom-action@v0
+        with:
+          image: migrations/traffic_replayer:latest
+          output: traffic-replayer-sbom-${{ steps.get_data.outputs.version }}.json
+      - name: Generate SBOM for capture_proxy
+        uses: anchore/sbom-action@v0
+        with:
+          image: migrations/capture_proxy:latest
+          output: traffic-capture-proxy-sbom-${{ steps.get_data.outputs.version }}.json
+      - name: Generate SBOM for reindex_from_snapshot
+        uses: anchore/sbom-action@v0
+        with:
+          image: migrations/reindex_from_snapshot:latest
+          output: reindex-from-snapshot-sbom-${{ steps.get_data.outputs.version }}.json
+      - name: Generate SBOM for artifacts
+        uses: anchore/sbom-action@v0
+        with:
+          file: artifacts.tar.gz
+          output: artifacts-sbom.json
       - name: Tag Docker image
         run: |
           docker tag migrations/migration_console:latest opensearchstaging/opensearch-migrations-console:${{ steps.get_data.outputs.version }}
@@ -60,40 +89,40 @@ jobs:
           docker tag migrations/capture_proxy:latest opensearchstaging/opensearch-migrations-traffic-capture-proxy:latest
           docker tag migrations/reindex_from_snapshot:latest opensearchstaging/opensearch-migrations-reindex-from-snapshot:${{ steps.get_data.outputs.version }}
           docker tag migrations/reindex_from_snapshot:latest opensearchstaging/opensearch-migrations-reindex-from-snapshot:latest
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.MIGRATIONS_DOCKER_ROLE }}
-          aws-region: us-east-1
-      - name: Retrieve Values
-        id: retrieve-values
-        run: |
-          DOCKERHUB_PASSWORD=`aws secretsmanager get-secret-value --secret-id jenkins-staging-dockerhub-credential --query SecretString --output text`
-          echo "::add-mask::$DOCKERHUB_PASSWORD"
-          echo "dockerhub-password=$DOCKERHUB_PASSWORD" >> $GITHUB_OUTPUT
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.MIGRATIONS_DOCKER_USERNAME }}
-          password: ${{ steps.retrieve-values.outputs.dockerhub-password }}
-      - name: Push Docker image to Docker Hub
-        run: |
-          docker push opensearchstaging/opensearch-migrations-console:${{ steps.get_data.outputs.version }}
-          docker push opensearchstaging/opensearch-migrations-console:latest
-          docker push opensearchstaging/opensearch-migrations-traffic-replayer:${{ steps.get_data.outputs.version }}
-          docker push opensearchstaging/opensearch-migrations-traffic-replayer:latest
-          docker push opensearchstaging/opensearch-migrations-traffic-capture-proxy:${{ steps.get_data.outputs.version }}
-          docker push opensearchstaging/opensearch-migrations-traffic-capture-proxy:latest
-          docker push opensearchstaging/opensearch-migrations-reindex-from-snapshot:${{ steps.get_data.outputs.version }}
-          docker push opensearchstaging/opensearch-migrations-reindex-from-snapshot:latest
-      - name: Logout to DockerHub
-        if: always()
-        run: docker logout
-      - name: Draft a release
-        uses: softprops/action-gh-release@v2
-        with:
-          draft: true
-          generate_release_notes: true
-          files: |
-            artifacts.tar.gz
-            traffic-capture-artifacts.tar.gz
+      # - name: Configure AWS Credentials
+      #   uses: aws-actions/configure-aws-credentials@v4
+      #   with:
+      #     role-to-assume: ${{ secrets.MIGRATIONS_DOCKER_ROLE }}
+      #     aws-region: us-east-1
+      # - name: Retrieve Values
+      #   id: retrieve-values
+      #   run: |
+      #     DOCKERHUB_PASSWORD=`aws secretsmanager get-secret-value --secret-id jenkins-staging-dockerhub-credential --query SecretString --output text`
+      #     echo "::add-mask::$DOCKERHUB_PASSWORD"
+      #     echo "dockerhub-password=$DOCKERHUB_PASSWORD" >> $GITHUB_OUTPUT
+      # - name: Login to DockerHub
+      #   uses: docker/login-action@v1
+      #   with:
+      #     username: ${{ secrets.MIGRATIONS_DOCKER_USERNAME }}
+      #     password: ${{ steps.retrieve-values.outputs.dockerhub-password }}
+      # - name: Push Docker image to Docker Hub
+      #   run: |
+      #     docker push opensearchstaging/opensearch-migrations-console:${{ steps.get_data.outputs.version }}
+      #     docker push opensearchstaging/opensearch-migrations-console:latest
+      #     docker push opensearchstaging/opensearch-migrations-traffic-replayer:${{ steps.get_data.outputs.version }}
+      #     docker push opensearchstaging/opensearch-migrations-traffic-replayer:latest
+      #     docker push opensearchstaging/opensearch-migrations-traffic-capture-proxy:${{ steps.get_data.outputs.version }}
+      #     docker push opensearchstaging/opensearch-migrations-traffic-capture-proxy:latest
+      #     docker push opensearchstaging/opensearch-migrations-reindex-from-snapshot:${{ steps.get_data.outputs.version }}
+      #     docker push opensearchstaging/opensearch-migrations-reindex-from-snapshot:latest
+      # - name: Logout to DockerHub
+      #   if: always()
+      #   run: docker logout
+      # - name: Draft a release
+      #   uses: softprops/action-gh-release@v2
+      #   with:
+      #     draft: true
+      #     generate_release_notes: true
+      #     files: |
+      #       artifacts.tar.gz
+      #       traffic-capture-artifacts.tar.gz
diff --git a/deployment/cdk/opensearch-service-migration/buildDockerImages.sh b/deployment/cdk/opensearch-service-migration/buildDockerImages.sh
@@ -6,4 +6,4 @@ script_dir_abs_path=$(dirname "$script_abs_path")
 cd "$script_dir_abs_path" || exit
 
 cd ../../.. || exit
-./gradlew :buildDockerImages -x test
+./gradlew :buildDockerImages -x test "$@"