diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2a3b7b6..d0451e8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,8 @@
-name: Create and publish a docker image to ghcr +name: Release| Build GHCR image on: release: - types: - - created + types: [published] + workflow_dispatch: env: REGISTRY: ghcr.io
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 86a5629..97904d4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,9 +1,10 @@
-name: releaser +name: Release| Build Binary on: push: tags: - 'v*' + workflow_dispatch: jobs: releaser:
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
deleted file mode 100644
index 3351bbb..0000000
--- a/.github/workflows/sbom.yml
+++ /dev/null
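Review bot: The added `workflow_dispatch:` under `on:` in build.yml lets the GHCR publish job run from any ref with no release event behind it, and the release.yml hunk on this same line adds the same trigger to the tag-push release workflow. The remainder of both workflows is outside these hunks, so it is not visible whether the image tag or binary version is derived from `github.event.release` (empty under manual dispatch) or whether a `github.ref_type == 'tag'` guard exists further down. If the later steps assume a release or a tag ref, consider gating the publish step with `if: github.event_name == 'release'`, or declaring a dispatch `inputs.tag` that the workflow checks out and validates before pushing to the registry. Style nit: `Release| Build GHCR image` and `Release| Build Binary` have a space after the bar but not before; `Release | Build GHCR image` reads as intended.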
@@ -1,36 +0,0 @@
-name: Build and Push SBOM to Interlynk - -on: - release: - types: - - created - -jobs: - build-sbom: - name: SBOM build and Push to Platform - runs-on: ubuntu-latest - permissions: - id-token: write - contents: write - steps: - - name: Checkout Repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Download syft binary - run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - name: Run syft - run: syft version - - name: Get Tag - id: get_tag - run: echo "tag=$(git describe --tags HEAD)" > $GITHUB_ENV - - name: Build SBOM - run: | - syft --source-name 'sbomasm' --source-version ${{ env.tag }} --exclude ./public --exclude ./.github -o cyclonedx-json --file sbomasm.cdx.json . - - name: Upload SBOM - run: | - curl -v "https://api.interlynk.io/lynkapi" \ - -H "Authorization: Bearer ${{ secrets.INTERLYNK_SECURITY_TOKEN }}" \ - -F 'operations={"query":"mutation uploadSbom($doc: Upload!, $projectId: ID!) { sbomUpload(input: { doc: $doc, projectId: $projectId }) { errors } }","variables":{"doc":null,"projectId": "${{ vars.INTERLYNK_PRODUCT_ID }}" }}' \ - -F 'map={"0":["variables.doc"]}' \ - -F '0=@"sbomasm.cdx.json";type=application/json'
diff --git a/.github/workflows/sbom_dev.yml b/.github/workflows/sbom_dev.yml
new file mode 100644
index 0000000..f984663
--- /dev/null
+++ b/.github/workflows/sbom_dev.yml
@@ -0,0 +1,74 @@ +name: Dev| Build SBOM + +on: + push: + branches-ignore: + - 'main' + pull_request: + branches-ignore: + - 'main' + workflow_dispatch: + +env: + TOOL_NAME: ${{ github.repository }} + SUPPLIER_NAME: Interlynk + SUPPLIER_URL: https://interlynk.io + DEFAULT_TAG: v0.0.1 + PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk + SBOM_TEMP_DIR: $RUNNER_TEMP/sbom + SBOM_ENV: development + MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 + MS_SBOM_SBOM_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json + SBOM_EXCLUDE_DIRS: "**/samples/**" + + +jobs: + build-sbom: + name: Build SBOM + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Get Tag + id: get_tag + run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV + + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.x' # Specify the Python version needed + + - name: Checkout Python SBOM tool + run: | + git clone https://github.com/interlynk-io/pylynk.git ${{ env.PYLYNK_TEMP_DIR }} + cd ${{ env.PYLYNK_TEMP_DIR }} + git fetch --tags + latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`) + git checkout $latest_tag + echo "Checked out pylynk at tag: $latest_tag" + + - name: Install Python dependencies + run: | + cd ${{ env.PYLYNK_TEMP_DIR }} + pip install -r requirements.txt + + - name: Generate SBOM + shell: bash + run: | + cd ${{ github.workspace }} + mkdir -p ${{ env.SBOM_TEMP_DIR}} + curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }} + chmod +x $RUNNER_TEMP/sbom-tool + $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . 
-pn ${{ env.TOOL_NAME }} -pv ${{ env.LATEST_TAG }} -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.SBOM_EXCLUDE_DIRS }}" + + - name: Upload SBOM + run: | + python3 ${{ env.PYLYNK_TEMP_DIR }}/pylynk.py --verbose upload --prod ${{env.TOOL_NAME}} --env ${{ env.SBOM_ENV }} --sbom ${{ env.MS_SBOM_SBOM_PATH }} --token ${{ secrets.INTERLYNK_SECURITY_TOKEN }} +
diff --git a/.github/workflows/sbom_release.yml b/.github/workflows/sbom_release.yml
new file mode 100644
index 0000000..9693f6e
--- /dev/null
+++ b/.github/workflows/sbom_release.yml
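Review bot: The `build-sbom` job declares `id-token: write` and `contents: write`, but its steps only check out the repository, fetch two tools, generate an SBOM and upload it to an external API with `secrets.INTERLYNK_SECURITY_TOKEN`, so neither write grant is exercised and `contents: read` (dropping `id-token`) would follow least privilege. The Generate SBOM step downloads `MS_SBOM_TOOL_URL`, which points at `releases/latest/download/sbom-tool-linux-x64`, via `curl -Lo` and then `chmod +x` and executes it with no version pin or digest check, and the pylynk step checks out whatever `git rev-list --tags --max-count=1` returns, so the SBOM toolchain that attests to this project is itself an unpinned input; pinning a release tag and comparing `sha256sum` against a recorded digest before the `chmod +x` line would close that. `DEFAULT_TAG: v0.0.1` is defined in `env:` but never read, because the Get Tag step hardcodes `|| echo 'v0.0.1'`; `|| echo "$DEFAULT_TAG"` keeps the two from drifting. All three points apply equally to the sbom_release.yml hunk that follows, which repeats this job verbatim apart from `SBOM_ENV` and the triggers.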
@@ -0,0 +1,70 @@ +name: Release| Build SBOM + +on: + release: + types: [published] + workflow_dispatch: + +env: + TOOL_NAME: ${{ github.repository }} + SUPPLIER_NAME: Interlynk + SUPPLIER_URL: https://interlynk.io + DEFAULT_TAG: v0.0.1 + PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk + SBOM_TEMP_DIR: $RUNNER_TEMP/sbom + SBOM_ENV: production + MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 + MS_SBOM_SBOM_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json + SBOM_EXCLUDE_DIRS: "**/samples/**" + + +jobs: + build-sbom: + name: Build SBOM + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Get Tag + id: get_tag + run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV + + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.x' # Specify the Python version needed + + - name: Checkout Python SBOM tool + run: | + git clone https://github.com/interlynk-io/pylynk.git ${{ env.PYLYNK_TEMP_DIR }} + cd ${{ env.PYLYNK_TEMP_DIR }} + git fetch --tags + latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`) + git checkout $latest_tag + echo "Checked out pylynk at tag: $latest_tag" + + - name: Install Python dependencies + run: | + cd ${{ env.PYLYNK_TEMP_DIR }} + pip install -r requirements.txt + + - name: Generate SBOM + shell: bash + run: | + cd ${{ github.workspace }} + mkdir -p ${{ env.SBOM_TEMP_DIR}} + curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }} + chmod +x $RUNNER_TEMP/sbom-tool + $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . 
-pn ${{ env.TOOL_NAME }} -pv ${{ env.LATEST_TAG }} -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.SBOM_EXCLUDE_DIRS }}" + + - name: Upload SBOM + run: | + python3 ${{ env.PYLYNK_TEMP_DIR }}/pylynk.py --verbose upload --prod ${{env.TOOL_NAME}} --env ${{ env.SBOM_ENV }} --sbom ${{ env.MS_SBOM_SBOM_PATH }} --token ${{ secrets.INTERLYNK_SECURITY_TOKEN }} +
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
deleted file mode 100644
index 5ebe72a..0000000
--- a/.github/workflows/scorecard.yml
+++ /dev/null
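Review bot: With `workflow_dispatch:` sitting next to `release: types: [published]`, a manual run checks out the dispatched ref (typically the default branch) and the Get Tag step labels it via `git describe --tags --abbrev=0`, i.e. the nearest existing tag, so a commit that was never released can be uploaded with `SBOM_ENV: production` while carrying a released version string. For the release event `github.event.release.tag_name` is authoritative and should be preferred over describing the checkout; for manual runs, declare a required `tag` input under `workflow_dispatch` and check that ref out, or skip the job when `github.ref_type != 'tag'`. One line that covers both paths: `run: echo "LATEST_TAG=${{ github.event.release.tag_name || inputs.tag }}" >> $GITHUB_ENV`. Note also that `--abbrev=0` will happily return a tag that is not a `v*` release tag, which the `'v0.0.1'` fallback does not guard against.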
@@ -1,71 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security -on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '24 17 * * 0' - push: - branches: [ "main" ] - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - # Needed to publish results and get a badge (see publish_results below). - id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read - - steps: - - name: "Checkout code" - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 - with: - results_file: results.sarif - results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. 
- # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 - with: - sarif_file: results.sarif
diff --git a/.github/workflows/test-sbom.yml b/.github/workflows/test-sbom.yml
deleted file mode 100644
index 29ff6ae..0000000
--- a/.github/workflows/test-sbom.yml
+++ /dev/null
@@ -1,36 +0,0 @@ -name: Build and Push SBOM to Interlynk - -on: - workflow_dispatch - -jobs: - build-sbom: - name: SBOM build and Push to Platform - runs-on: ubuntu-latest - permissions: - id-token: write - contents: write - steps: - - name: Checkout Repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Download syft binary - run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - name: Run syft - run: syft version - - name: Get Tag - id: get_tag - run: echo "tag=$(git describe --tags HEAD)" > $GITHUB_ENV - - name: Build SBOM - run: | - syft --source-name 'sbomasm' --source-version ${{ env.tag }} --exclude ./public --exclude ./.github -o cyclonedx-json --file sbomasm.cdx.json . - - - name: Clone Python Tool (replace with actual organization and repo) - run: | - git clone https://interlynk-io:${{ secrets.GITHUB_TOKEN }}@github.com/interlynk-io/pylynk - cd pylynk ; pip3 install -r requirement.txt; cp pylynk* /tmp; cp lynkctx.py /tmp; chmod +x /tmp/pylynk*; chmod +x /tmp/lynkctx.py # Navigate into the cloned directory - - - name: Upload SBOM - run: | - python3 /tmp/pylynk.py upload --prod 'sbomasm' --sbom sbomasm.cdx.json --${{ secrets.INTERLYNK_SECURITY_TOKEN }}