otel migration (#81) #283
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
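---
# Generate SBOM
#
# Builds the conda package from the `conda-build` recipe directory, installs
# it into a fresh environment from a local channel, exports that environment's
# package inventory into `sbom/`, and uploads the directory as an artifact on
# tag pushes, releases and manual runs.
#
# NOTE(review): the page this listing was taken from carried a warning that
# the file contains hidden or bidirectional Unicode text. Inspect the
# committed file in an editor that reveals such characters before trusting
# what is rendered.
#
# NOTE(review): every `uses:` below references a mutable tag. Pin each action
# to a full commit SHA (keeping the tag in a trailing comment) so a retagged
# release cannot change what runs alongside the channel tokens.
name: Generate SBOM

# NOTE(review): a push to any branch runs this job with both channel tokens
# available. Consider narrowing `branches` or moving the tokens behind a
# protected environment if not every pusher should be able to use them.
on:
  push:
    branches:
      - "**"
    tags:
      - "v*"
  release:
    types: [published]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  conda-sbom-generator:
    name: Conda SBOM Generator
    runs-on: ubuntu-latest
    defaults:
      run:
        # Login shell so the conda profile hooks are loaded; -e aborts the
        # step on the first failing command.
        shell: bash -el {0}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history and tags are fetched.
          fetch-depth: 0
          # No later step pushes or fetches, so do not leave the token in
          # .git/config where the recipe's build scripts could read it.
          persist-credentials: false

      # Secrets are handed to scripts through `env:` instead of being
      # expanded into the script text with ${{ }}: the value is then never
      # parsed as shell source and is not written into the generated script
      # file on the runner.
      - name: Check required secrets
        env:
          ANACONDA_CLOUD_CHANNEL_TOKEN: ${{ secrets.ANACONDA_ORG_ANACONDA_CLOUD_CHANNEL_TOKEN }}
          ANACONDA_CONNECTOR_TOKEN: ${{ secrets.ANACONDA_CONNECTOR_TOKEN }}
        run: |
          if [ -z "${ANACONDA_CLOUD_CHANNEL_TOKEN}" ]; then
            echo "::error::The ANACONDA_ORG_ANACONDA_CLOUD_CHANNEL_TOKEN secret is not set."
            exit 1
          fi
          if [ -z "${ANACONDA_CONNECTOR_TOKEN}" ]; then
            echo "::error::The ANACONDA_CONNECTOR_TOKEN secret is not set."
            exit 1
          fi

      - name: Setup Miniconda
        uses: conda-incubator/setup-miniconda@v3
        with:
          auto-activate-base: true
          python-version: "3.11"
          use-mamba: true
          conda-solver: libmamba

      - name: Install conda-build tooling
        run: |
          conda install -n base -y conda-build conda-index

      # `conda config --add channels` persists these URLs, token included, in
      # the runner's conda configuration for the rest of the job.
      - name: Configure private conda channels
        env:
          ANACONDA_CLOUD_CHANNEL_TOKEN: ${{ secrets.ANACONDA_ORG_ANACONDA_CLOUD_CHANNEL_TOKEN }}
          ANACONDA_CONNECTOR_TOKEN: ${{ secrets.ANACONDA_CONNECTOR_TOKEN }}
        run: |
          conda config --add channels conda-forge
          conda config --add channels datalayer
          conda config --add channels "https://conda.anaconda.org/t/${ANACONDA_CLOUD_CHANNEL_TOKEN}/anaconda-cloud"
          conda config --add channels "https://conda.anaconda.org/t/${ANACONDA_CLOUD_CHANNEL_TOKEN}/anaconda-cloud/label/dev"
          conda config --add channels "https://conda.anaconda.org/t/${ANACONDA_CONNECTOR_TOKEN}/anaconda-connector"

      # Precedence: release tag, then pushed tag, then the v0.0.0 fallback.
      # The release tag name is user-controlled text, so it reaches the
      # script as an environment variable rather than through ${{ }}
      # expansion, which would paste it into the shell source.
      - name: Set recipe version variables
        env:
          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
            TAG="${RELEASE_TAG_NAME}"
          elif [[ "${GITHUB_REF_TYPE}" == "tag" && -n "${GITHUB_REF_NAME}" ]]; then
            TAG="${GITHUB_REF_NAME}"
          else
            TAG="v0.0.0"
          fi
          echo "Using GIT_DESCRIBE_TAG=${TAG}"
          echo "GIT_DESCRIBE_TAG=${TAG}" >> "$GITHUB_ENV"

      - name: Build conda package
        env:
          ANACONDA_CLOUD_CHANNEL_TOKEN: ${{ secrets.ANACONDA_ORG_ANACONDA_CLOUD_CHANNEL_TOKEN }}
          ANACONDA_CONNECTOR_TOKEN: ${{ secrets.ANACONDA_CONNECTOR_TOKEN }}
        run: |
          echo "Building with GIT_DESCRIBE_TAG=${GIT_DESCRIBE_TAG}"
          mkdir -p build/conda
          # The final argument is the recipe directory.
          conda build \
            -c defaults \
            -c conda-forge \
            -c datalayer \
            -c "https://conda.anaconda.org/t/${ANACONDA_CLOUD_CHANNEL_TOKEN}/anaconda-cloud" \
            -c "https://conda.anaconda.org/t/${ANACONDA_CLOUD_CHANNEL_TOKEN}/anaconda-cloud/label/dev" \
            -c "https://conda.anaconda.org/t/${ANACONDA_CONNECTOR_TOKEN}/anaconda-connector" \
            --output-folder build/conda \
            conda-build

      - name: Create environment from built package
        env:
          ANACONDA_CLOUD_CHANNEL_TOKEN: ${{ secrets.ANACONDA_ORG_ANACONDA_CLOUD_CHANNEL_TOKEN }}
          ANACONDA_CONNECTOR_TOKEN: ${{ secrets.ANACONDA_CONNECTOR_TOKEN }}
        run: |
          PACKAGE_PATH=$(find build/conda -type f \( -name "*.conda" -o -name "*.tar.bz2" \) | head -n 1)
          if [ -z "$PACKAGE_PATH" ]; then
            echo "::error::No built conda package found in build/conda"
            exit 1
          fi
          echo "Using package: $PACKAGE_PATH"
          # Install from a local channel so conda resolves and installs transitive run dependencies.
          conda index build/conda
          # --override-channels ignores the configured channel list, so every
          # channel is listed again here, local build output first.
          conda create -y -n sbom-anaconda-mcp \
            --override-channels \
            -c "file://${GITHUB_WORKSPACE}/build/conda" \
            -c defaults \
            -c conda-forge \
            -c datalayer \
            -c "https://conda.anaconda.org/t/${ANACONDA_CLOUD_CHANNEL_TOKEN}/anaconda-cloud" \
            -c "https://conda.anaconda.org/t/${ANACONDA_CLOUD_CHANNEL_TOKEN}/anaconda-cloud/label/dev" \
            -c "https://conda.anaconda.org/t/${ANACONDA_CONNECTOR_TOKEN}/anaconda-connector" \
            anaconda-mcp

      - name: Export dependency inventory (SBOM inputs)
        run: |
          mkdir -p sbom
          source "$(conda info --base)/etc/profile.d/conda.sh"
          conda activate sbom-anaconda-mcp
          conda list --json > sbom/conda-packages.json
          conda list --explicit > sbom/conda-packages-explicit.txt
          conda env export --no-builds > sbom/environment.yml
          echo "Generated SBOM files:"
          ls -lh sbom/

      # The environment was created from token-bearing channel URLs. Whether
      # conda strips the token from each of the three exports is not visible
      # from this workflow, so fail closed before anything is printed or
      # uploaded if a token value appears in them.
      - name: Verify SBOM files contain no channel tokens
        env:
          ANACONDA_CLOUD_CHANNEL_TOKEN: ${{ secrets.ANACONDA_ORG_ANACONDA_CLOUD_CHANNEL_TOKEN }}
          ANACONDA_CONNECTOR_TOKEN: ${{ secrets.ANACONDA_CONNECTOR_TOKEN }}
        run: |
          for token in "${ANACONDA_CLOUD_CHANNEL_TOKEN}" "${ANACONDA_CONNECTOR_TOKEN}"; do
            if [ -n "${token}" ] && grep -rqF -- "${token}" sbom/; then
              echo "::error::A channel token was found in the SBOM output; refusing to publish it."
              exit 1
            fi
          done

      # Prints the full inventory into the job log, which is readable by
      # anyone who can view the workflow run.
      - name: Show SBOM artifacts to upload
        run: |
          echo "SBOM artifact files:"
          find sbom -maxdepth 1 -type f -print0 | xargs -0 ls -lh
          echo
          echo "SBOM artifact contents:"
          for file in sbom/*; do
            if [ -f "$file" ]; then
              echo "========================================"
              echo "FILE: $file"
              echo "----------------------------------------"
              cat "$file"
              echo
            fi
          done

      # Skipped for plain branch pushes; runs for tag pushes, releases and
      # manual dispatches.
      # NOTE(review): on a manual run from a branch whose name contains "/",
      # github.ref_name would put a slash in the artifact name - confirm the
      # upload action accepts that.
      - name: Upload SBOM artifact
        if: ${{ github.event_name != 'push' || startsWith(github.ref, 'refs/tags/') }}
        uses: actions/upload-artifact@v4
        with:
          name: conda-sbom-${{ github.ref_name || github.sha }}
          path: sbom/
          retention-days: 30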