From cedc1426bdf898e6cd0ccba131ec4fd368898538 Mon Sep 17 00:00:00 2001
From: Yoan Moscatelli
Date: Tue, 19 Mar 2024 16:35:40 +0100
Subject: [PATCH] :sparkles: add sbom generation
---
 .github/workflows/generate-sbom.yaml | 71 ++++++++++++++++++++++++++++
 .github/workflows/nightly.yaml | 6 +++
 .github/workflows/promote.yaml | 7 +++
 3 files changed, 84 insertions(+)
 create mode 100644 .github/workflows/generate-sbom.yaml
diff --git a/.github/workflows/generate-sbom.yaml b/.github/workflows/generate-sbom.yaml
new file mode 100644
index 0000000000..399f86194c
--- /dev/null
+++ b/.github/workflows/generate-sbom.yaml
@@ -0,0 +1,71 @@
+name: "Generate sbom"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: "the git revision to checkout"
+        default: ${{ github.ref }}
+        required: false
+        type: string
+
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Cleanup some unused ressources
+        run: |-
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+
+      - name: Create directories
+        shell: bash
+        run: |
+          mkdir -p metalk8s_sbom/repo
+          mkdir -p metalk8s_sbom/sbom
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+          path: metalk8s_sbom/repo/metalk8s
+
+      - name: Scan metalk8s repository
+        uses: scality/sbom@v1
+        with:
+          repo: metalk8s
+          input_path: metalk8s_sbom/repo/metalk8s
+          output_path: metalk8s_sbom/sbom
+
+      - name: Generate archive
+        shell: bash
+        run: |
+          cd metalk8s_sbom/sbom
+          tar -czf sbom_metalk8s.tar.gz *.json
+
+      - name: Clean up
+        shell: bash
+        run: |
+          rm -rf metalk8s_sbom/repo
+          rm -f metalk8s_sbom/sbom/*.json
+
+      - name: Upload SBOM to artifacts
+        uses: scality/action-artifacts@v4
+        with:
+          method: upload
+          url: https://artifacts.scality.net
+          user: ${{ secrets.artifacts_user }}
+          password: ${{ secrets.artifacts_password }}
+          source: metalk8s_sbom/
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Generate Job result
+        if: always()
+        uses: ./.github/actions/generate-job-result
+        with:
+          name: generate-sbom
+          ARTIFACTS_USER: ${{ secrets.ARTIFACTS_USER }}
+          ARTIFACTS_PASSWORD: ${{ secrets.ARTIFACTS_PASSWORD }}
+          GIT_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 827f8e9e3e..cea7549d5f 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -205,6 +205,10 @@ jobs:
       nodes-count: 2
       k8s-conformance: true
 
+  generate-sbom:
+    uses: ./.github/workflows/generate-sbom.yaml
+    secrets: inherit
+
   write-final-failed-status:
     runs-on: ubuntu-22.04
     needs:
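Review bot: The third-party steps that run with the artifacts credentials in scope — `uses: scality/sbom@v1` and `uses: scality/action-artifacts@v4` (and `actions/checkout@v4`) — are pinned to mutable tags, so whoever can move those tags can execute code that sees `secrets.artifacts_user`/`secrets.artifacts_password` and `GITHUB_TOKEN`; pin each to a full commit SHA and keep the tag in a comment, e.g. `uses: scality/sbom@<full-commit-sha> # v1`. The file also declares no `permissions:` block, so the token runs with the repository's default scope; add `permissions:` / `  contents: read` at the top of the workflow (the local `generate-job-result` action receives the token as `GIT_ACCESS_TOKEN`, so check whether it needs anything beyond read before narrowing). The SBOM archive is uploaded without any signature or attestation, so a downstream consumer cannot tell whether `sbom_metalk8s.tar.gz` really came from this workflow or was altered on the artifacts server; consider signing or attesting it before the upload step. Minor: `ressources` → `resources` in the first step name, and the same secrets are referenced as `artifacts_user` in one step and `ARTIFACTS_USER` in another — a single spelling would be easier to audit.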
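Review bot: `secrets: inherit` on the new `generate-sbom` call exposes every repository and organisation secret to the called workflow, while generate-sbom.yaml only uses the artifacts user/password pair plus `GITHUB_TOKEN`. Passing just those keeps a compromise of the SBOM tooling from reaching unrelated secrets: replace the line with `secrets:` / `  artifacts_user: ${{ secrets.ARTIFACTS_USER }}` / `  artifacts_password: ${{ secrets.ARTIFACTS_PASSWORD }}`, and declare both under `on.workflow_call.secrets` in generate-sbom.yaml. The existing `build` call in promote.yaml uses `secrets: inherit` as well, so this follows the project's current convention rather than introducing the pattern, but a new call is the cheapest place to start tightening it.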
@@ -213,6 +217,7 @@ jobs:
       - install
       - bootstrap-restore
       - k8s-conformance
+      - generate-sbom
     if: failure()
     steps:
       - name: Checkout
@@ -240,6 +245,7 @@ jobs:
       - install
       - bootstrap-restore
       - k8s-conformance
+      - generate-sbom
     if: success()
     steps:
       - name: Checkout
diff --git a/.github/workflows/promote.yaml b/.github/workflows/promote.yaml
index 2904aae55a..a958ebe0df 100644
--- a/.github/workflows/promote.yaml
+++ b/.github/workflows/promote.yaml
@@ -10,9 +10,16 @@ jobs:
     uses: ./.github/workflows/build.yaml
     secrets: inherit
 
+  generate-sbom:
+    needs:
+      - build
+    uses: ./.github/workflows/generate-sbom.yaml
+    secrets: inherit
+
   promote-artifacts:
     needs:
       - build
+      - generate-sbom
     runs-on: ubuntu-20.04
     outputs:
       artifact-link: ${{ steps.promote.outputs.link }}
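Review bot: The promoted artifact and its SBOM are not tied together in the promote.yaml hunk: `generate-sbom` is ordered after `build` via `needs` but consumes nothing from it, and generate-sbom.yaml scans a fresh checkout of `github.ref` (its `ref` input is left at the default here), so the SBOM describes the source tree at promotion time rather than the thing `build` produced; if `build` can be run against a different revision the two diverge silently. If build.yaml exposes the revision or artifact link it built from, pass it to the call as `with:` / `  ref: ${{ needs.build.outputs.<revision-output> }}` and record the artifact link next to the SBOM; otherwise add a comment on the job stating that the SBOM is derived from the source checkout, not from the promoted artifact. Gating `promote-artifacts` on `generate-sbom` is the right direction — a promotion now fails when no SBOM could be produced.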