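---
# Generate an SBOM (CycloneDX JSON + HTML vulnerability report) for the
# MetalK8s ISO.
#
# The ISO and product.txt are fetched from an artifacts server. When the
# `artifacts-url` input is empty, the URL of the current workflow run's
# artifacts is resolved through scality/action-artifacts instead.
#
# NOTE(review): no top-level `permissions:` block is set, so GITHUB_TOKEN
# (handed to generate-job-result below) carries the repository's default
# scopes. Narrow it once the scopes that action actually needs are confirmed.
name: "Generate sbom"

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
    inputs:
      ref:
        description: "the git revision to checkout"
        required: false
        type: string
      artifacts-url:
        description: >-
          URL from which to retrieve an OS image and all metalk8s artifacts
          (defaults to the current workflow run artifacts)
        type: string
        required: false
        default: ""
  workflow_call:
    inputs:
      ref:
        description: "the git revision to checkout"
        default: ${{ github.ref }}
        required: false
        type: string
      artifacts-url:
        description: >-
          URL from which to retrieve an OS image and all metalk8s artifacts
          (defaults to the current workflow run artifacts)
        type: string
        required: false
        default: ""

jobs:
  generate-sbom:
    runs-on: ubuntu-24.04
    env:
      # Scratch area for the downloaded ISO; removed again in "Clean up".
      BASE_PATH: ${{ github.workspace }}/metalk8s_sbom
      # SBOM output directory; everything under `artifacts` is uploaded at the end.
      SBOM_PATH: ${{ github.workspace }}/artifacts/sbom
    steps:
      # Third-party actions are pinned to tags; pinning to a commit SHA would
      # make this job's supply chain immutable.
      - name: Checkout repo
        uses: actions/checkout@v5
        with:
          ref: ${{ inputs.ref }}

      # Free disk space on the hosted runner before downloading the ISO.
      - name: Cleanup some unused resources
        run: |
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/share/dotnet

      # Job-level `env` is exported to every step's shell, so the paths are
      # read as plain variables and quoted instead of being expanded into the
      # script text.
      - name: Create directories
        shell: bash
        run: |
          mkdir -p "$BASE_PATH/iso"
          mkdir -p "$SBOM_PATH"

      # Only needed when the caller did not supply an artifacts URL.
      - name: Get artifacts URL
        if: ${{ ! inputs.artifacts-url }}
        uses: scality/action-artifacts@v4
        id: artifacts
        with:
          method: setup
          url: https://artifacts.scality.net
          user: ${{ secrets.ARTIFACTS_USER }}
          password: ${{ secrets.ARTIFACTS_PASSWORD }}

      # The URL and credentials go through `env` rather than `${{ }}` expansion
      # inside `run:`: `artifacts-url` is caller-controlled, so expanding it
      # into the script would allow shell injection, and secrets expanded
      # into the script would be written verbatim into the generated file.
      - name: Download artifacts
        shell: bash
        env:
          ARTIFACTS_URL: ${{ inputs.artifacts-url || steps.artifacts.outputs.link }}
          ARTIFACTS_USER: ${{ secrets.ARTIFACTS_USER }}
          ARTIFACTS_PASSWORD: ${{ secrets.ARTIFACTS_PASSWORD }}
        run: |
          echo "Downloading metalk8s.iso from $ARTIFACTS_URL"
          curl -sSfL -o "$BASE_PATH/iso/metalk8s.iso" \
            -u "$ARTIFACTS_USER:$ARTIFACTS_PASSWORD" \
            "$ARTIFACTS_URL/metalk8s.iso"

      # Same `env` pattern as the ISO download; product.txt lands in the
      # workspace (the default working directory).
      - name: Retrieve product.txt from artifacts
        shell: bash
        env:
          ARTIFACTS_URL: ${{ inputs.artifacts-url || steps.artifacts.outputs.link }}
          ARTIFACTS_USER: ${{ secrets.ARTIFACTS_USER }}
          ARTIFACTS_PASSWORD: ${{ secrets.ARTIFACTS_PASSWORD }}
        run: |
          curl --fail -LO -u "$ARTIFACTS_USER:$ARTIFACTS_PASSWORD" "$ARTIFACTS_URL/product.txt"

      # product.txt is fetched from a possibly caller-supplied URL, so it is
      # parsed for its VERSION line instead of being sourced as shell code
      # (sourcing would run whatever the file contains with the job's
      # environment, including the artifacts credentials). `head -n 1`
      # also keeps the value to a single line before it reaches GITHUB_ENV.
      - name: Get full MetalK8s version
        shell: bash
        run: |
          version="$(sed -n 's/^VERSION=//p' product.txt | head -n 1 | tr -d "\"'")"
          if [ -z "$version" ]; then
            echo "VERSION not found in product.txt" >&2
            exit 1
          fi
          echo "METALK8S_VERSION=$version" >> "$GITHUB_ENV"

      - name: Generate sbom for extracted ISO
        uses: scality/sbom@v2.1.0
        with:
          target: ${{ env.BASE_PATH }}/iso/metalk8s.iso
          target_type: iso
          output_dir: ${{ env.SBOM_PATH }}
          version: ${{ env.METALK8S_VERSION }}
          vuln: true
          vuln_output_format: cyclonedx-json, html
          merge: true
          merge_hierarchical: true

      # Bundle every generated JSON/HTML report; tar fails if none exist.
      - name: Generate archive
        shell: bash
        run: |
          cd "$SBOM_PATH"
          tar -czf sbom_metalk8s.tar.gz *.json *.html

      # Keep only the archive and the merged HTML vulnerability report so the
      # upload stays small; the ISO scratch copy is dropped as well.
      - name: Clean up
        shell: bash
        run: |
          rm -rf "$BASE_PATH/iso"
          find "$SBOM_PATH" -mindepth 1 \
            -not -name 'sbom_metalk8s.tar.gz' \
            -not -name '*_merged_sbom_vuln.html' \
            -exec rm -rf {} +

      - name: Generate Job result
        if: always()
        uses: ./.github/actions/generate-job-result
        with:
          name: generate-sbom
          ARTIFACTS_USER: ${{ secrets.ARTIFACTS_USER }}
          ARTIFACTS_PASSWORD: ${{ secrets.ARTIFACTS_PASSWORD }}
          GIT_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload artifacts
        if: always()
        uses: scality/action-artifacts@v4
        with:
          method: upload
          url: https://artifacts.scality.net
          user: ${{ secrets.ARTIFACTS_USER }}
          password: ${{ secrets.ARTIFACTS_PASSWORD }}
          source: artifacts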