From 01e48d429a04cde7eb49925ab69b572be9ac9a09 Mon Sep 17 00:00:00 2001
From: Evan Fetsko
Date: Tue, 18 Feb 2025 15:45:13 -0500
Subject: [PATCH 1/9] silkbomb 2.0 updates

---
sbom/action.yml | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/sbom/action.yml b/sbom/action.yml
index efc5d40..21d46cf 100644
--- a/sbom/action.yml
+++ b/sbom/action.yml
@@ -1,25 +1,37 @@ -name: Download the Augmented SBOM -description: Downloads the Augmented SBOM for the project +name: Augment the SBOM +description: Augments the SBOM for the project inputs: + # no longer used silk_asset_group: description: The Silk Asset Group for the Project - required: true + required: false + sbom_in: + description: The name of the input sbom file. + default: sbom.json sbom_file_name: description: The name of the augmented sbom file. default: cyclonedx.sbom.json + kondukto_sub_project: + description: The Kondukto sub-project name (appended to the branch name) + required: false artifactory_image: description: Image to use for artifactory - default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 + default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 runs: using: composite steps: - - name: Download the Augmented SBOM file to the release assets and s3 assets folders + - name: Augments the SBOM file and writes it to the release assets and s3 assets folders shell: bash run: | set -eux + if [ -n "${{ inputs.kondukto_sub_project }}" ]; then + KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${{ inputs.kondukto_sub_project }}" + else + KONDUKTO_BRANCH="${GITHUB_REF_NAME}" + fi podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ --env-file=${SILKBOMB_ENVFILE} \ ${{ inputs.artifactory_image }} \ - download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json + augment --sbom-in /pwd/${{ inputs.sbom_in }} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${{ inputs.sbom_file_name }} \ No newline at end of file From 3c6989799f9fb8a1ec303e89f1b799e037e34b09 Mon Sep 17 00:00:00 2001 
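Review bot: The new `artifactory_image` default ends in the mutable tag `silkbomb:2.0`, so the tool that produces the SBOM published with each release can change underneath this action without any change in this repository; pin the default to an immutable reference such as `silkbomb:2.0@sha256:<digest-placeholder>` (digest taken from the registry) and bump it deliberately. The value given to `--branch` is derived from `GITHUB_REF_NAME`, which is the branch or tag that triggered the workflow and is `<pr-number>/merge` on pull_request events, so a comment above the `if` should state which events this action is meant for, e.g. `# GITHUB_REF_NAME is the release branch/tag; on pull_request events it is '<n>/merge'.` The `${{ inputs.kondukto_sub_project }}` expression is expanded directly into the `run:` script in the `if` test and the assignment; routing inputs through `env:` (as a later patch in this series does) keeps caller-controlled values from being parsed as shell syntax.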
From: Evan Fetsko Date: Tue, 18 Feb 2025 15:51:57 -0500 Subject: [PATCH 2/9] sbom_in_path for clarity --- sbom/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sbom/action.yml b/sbom/action.yml index 21d46cf..c6930ec 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -5,8 +5,8 @@ inputs: silk_asset_group: description: The Silk Asset Group for the Project required: false - sbom_in: - description: The name of the input sbom file. + sbom_in_path: + description: The path of the input sbom file. default: sbom.json sbom_file_name: description: The name of the augmented sbom file. @@ -33,5 +33,5 @@ runs: podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ --env-file=${SILKBOMB_ENVFILE} \ ${{ inputs.artifactory_image }} \ - augment --sbom-in /pwd/${{ inputs.sbom_in }} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json + augment --sbom-in /pwd/${{ inputs.sbom_in_path }} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${{ inputs.sbom_file_name }} \ No newline at end of file From 58700f3054b47b1ba69bca6225886900eeb872e4 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 08:49:10 -0600 Subject: [PATCH 3/9] Add KONDUKTO_TOKEN usage --- sbom/action.yml | 10 +++++----- setup/setup.sh | 8 ++++++++ 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/sbom/action.yml b/sbom/action.yml index c6930ec..4de386a 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -1,10 +1,6 @@ name: Augment the SBOM description: Augments the SBOM for the project inputs: - # no longer used - silk_asset_group: - description: The Silk Asset Group for the Project - required: false sbom_in_path: description: The path of the input sbom file. default: sbom.json 
@@ -17,6 +13,10 @@ inputs: artifactory_image: description: Image to use for artifactory default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 + # no longer used + silk_asset_group: + description: The Silk Asset Group for the Project + required: false runs: using: composite @@ -31,7 +31,7 @@ runs: KONDUKTO_BRANCH="${GITHUB_REF_NAME}" fi podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ - --env-file=${SILKBOMB_ENVFILE} \ + --env-file=${KONDUKTO_ENVFILE} \ ${{ inputs.artifactory_image }} \ augment --sbom-in /pwd/${{ inputs.sbom_in_path }} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${{ inputs.sbom_file_name }} \ No newline at end of file diff --git a/setup/setup.sh b/setup/setup.sh index e95cb69..20cecb4 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -34,6 +34,13 @@ SILK_CLIENT_SECRET=${SILKBOMB_KEY} EOF fi +if [ -n "${KONDUKTO_TOKEN:-}" ]; then + echo "Setting up envfile for Kondukto" + KONDUKTO_ENVFILE=/tmp/kondukto-envfile + cat << EOF > $KONDUKTO_ENVFILE +KONDUKTO_TOKEN=${KONDUKTO_TOKEN} +EOF + echo "Set up output directories" export RELEASE_ASSETS=/tmp/release-assets mkdir $RELEASE_ASSETS @@ -48,6 +55,7 @@ GPG_KEY_ID=$GPG_KEY_ID GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} +KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS From 18df4cde11485ced8291b47f90b66f3a17988b87 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 08:51:24 -0600 Subject: [PATCH 4/9] syntax --- setup/setup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/setup.sh b/setup/setup.sh index 20cecb4..7cc98d0 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
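Review bot: `--env-file=${KONDUKTO_ENVFILE}` has no guard for the case where setup never created the file; setup.sh in this same patch writes `KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-}` into what appears to be the exported environment, so without a `KONDUKTO_TOKEN` podman receives `--env-file=` and the step fails with an error that does not name the missing secret. A check before the `podman run` gives a direct message: `if [ -z "${KONDUKTO_ENVFILE:-}" ]; then echo "KONDUKTO_TOKEN was not configured by the setup action" >&2; exit 1; fi`. The step body begins outside this hunk.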
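Review bot: The Kondukto token is written in plaintext to `/tmp/kondukto-envfile` under the process's default umask, which normally leaves the file readable by every user on the runner; on a self-hosted or shared runner that exposes the secret to other processes and jobs. Create the file with owner-only permissions before writing, e.g. `install -m 600 /dev/null "$KONDUKTO_ENVFILE"` followed by the existing heredoc redirected to the quoted `> "$KONDUKTO_ENVFILE"`, and delete it at the end of the job where runners are not ephemeral. The `if [ -n "${KONDUKTO_TOKEN:-}" ]` block is not closed in this hunk (the `fi` arrives in the next patch), and the same permissions observation applies to the SILKBOMB envfile written just above it, which this hunk does not touch.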
@@ -40,6 +40,7 @@ if [ -n "${KONDUKTO_TOKEN:-}" ]; then cat << EOF > $KONDUKTO_ENVFILE KONDUKTO_TOKEN=${KONDUKTO_TOKEN} EOF +fi echo "Set up output directories" export RELEASE_ASSETS=/tmp/release-assets From d7d93c6cc281d5601fa5d5455f014d852c6d7e9a Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 09:25:36 -0600 Subject: [PATCH 5/9] use branch --- full-report/action.yml | 2 +- python/post-publish/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/full-report/action.yml b/full-report/action.yml index 4a5840b..1b215fb 100644 --- a/full-report/action.yml +++ b/full-report/action.yml @@ -41,7 +41,7 @@ runs: - name: Generate SBOM File # not all packages have third party dependencies, and so not all packages integrate with silk. if: ${{ inputs.silk_asset_group }} - uses: mongodb-labs/drivers-github-tools/sbom@v2 + uses: blink1073/drivers-github-tools/sbom@fetsko/gha-sbom-action-silkbomb-2.0 with: silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index 2563a58..061525a 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -58,7 +58,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: mongodb-labs/drivers-github-tools/full-report@v2 + - uses: blink1073/drivers-github-tools/full-report@fetsko/gha-sbom-action-silkbomb-2.0 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }} From f479bd80babf56d3ff058156dbcabd28e5437488 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 09:33:21 -0600 Subject: [PATCH 6/9] debug --- sbom/action.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/sbom/action.yml b/sbom/action.yml index 4de386a..ad21107 100644 --- a/sbom/action.yml +++ b/sbom/action.yml 
@@ -23,15 +23,22 @@ runs: steps: - name: Augments the SBOM file and writes it to the release assets and s3 assets folders shell: bash + env: + SBOM_IN_PATH: ${{ inputs.sbom_in_path }} + KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }} + ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} + SBOM_FILE_NAME: ${{ inputs.sbom_file_name }} run: | set -eux - if [ -n "${{ inputs.kondukto_sub_project }}" ]; then - KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${{ inputs.kondukto_sub_project }}" + if [ -n "${KONDUKTO_SUB_PROJECT}" ]; then + KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${KONDUKTO_SUB_PROJECT}" else KONDUKTO_BRANCH="${GITHUB_REF_NAME}" fi + echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ --env-file=${KONDUKTO_ENVFILE} \ - ${{ inputs.artifactory_image }} \ - augment --sbom-in /pwd/${{ inputs.sbom_in_path }} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json - cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${{ inputs.sbom_file_name }} \ No newline at end of file + ${ARTIFACTORY_IMAGE} \ + augment --sbom-in /pwd/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json + cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME} + echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done." \ No newline at end of file From 1d41cab5f5214f94745c57d990861e292809f986 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 09:48:58 -0600 Subject: [PATCH 7/9] fix handling of input file --- sbom/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbom/action.yml b/sbom/action.yml index ad21107..5634ecb 100644 --- a/sbom/action.yml +++ b/sbom/action.yml 
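Review bot: Passing the four inputs through `env:` instead of expanding `${{ inputs.* }}` inside `run:` is what stops caller-supplied values from being interpreted as shell syntax, but nothing in the step says so and the next edit could reintroduce the expansion; add a comment above `env:` such as `# Inputs are passed as environment variables rather than expanded in run: so their contents are never parsed as shell code.` The `-it` flags on `podman run` request a TTY that a GitHub Actions step does not have; as far as I know podman only warns in that case, but the flags serve no purpose in a non-interactive step and can be dropped. The mount and image arguments stay unquoted (`-v ${RELEASE_ASSETS}:/pwd`, `${ARTIFACTORY_IMAGE}`); quoting them costs nothing and keeps the command intact if either value ever contains whitespace.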
@@ -36,9 +36,9 @@ runs: KONDUKTO_BRANCH="${GITHUB_REF_NAME}" fi echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ + podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ARTIFACTORY_IMAGE} \ - augment --sbom-in /pwd/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json + augment --sbom-in /repo/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME} echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done." \ No newline at end of file From 380ca5b3a2da428495b967038fbb520e6b56066e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 10:30:30 -0600 Subject: [PATCH 8/9] clean up handling of silk --- README.md | 4 ++-- full-report/action.yml | 11 ++++++++++- python/post-publish/action.yml | 11 ++++++++++- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 816d1d8..61ccf6b 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`. - name: Create SBOM uses: mongodb-labs/drivers-github-tools/sbom@v2 with: - silk_asset_group: mongodb-python-driver + sbom_in_path: sbom.json ``` ### Code Scanning Alerts @@ -228,7 +228,7 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo with: product_name: winkerberos release_version: ${{ inputs.version }} - silk_asset_group: winkerberos + sbom_in_path: sbom.json dist_filenames: dist/* ``` diff --git a/full-report/action.yml b/full-report/action.yml index 1b215fb..16de7b3 100644 --- a/full-report/action.yml +++ b/full-report/action.yml 
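Review bot: `-v $(pwd):/repo` mounts the whole checkout read-write, while the only use of it on the new side is `--sbom-in /repo/${SBOM_IN_PATH}`; mount it read-only and quote the path, `-v "$(pwd)":/repo:ro \`, so a fault in the container image cannot alter repository contents that later steps publish. With the input now resolved under `/repo`, `sbom_in_path` is effectively relative to the repository root, which the input's description (`The path of the input sbom file.`) should state. The step body begins outside this hunk.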
@@ -9,9 +9,16 @@ inputs: required: true sarif_report_target_ref: description: The git ref (usually the target release branch) to pull sarif reports from. + sbom_in_path: + description: The path of the input sbom file. + default: sbom.json + kondukto_sub_project: + description: The Kondukto sub-project name (appended to the branch name) + required: false sbom_file_name: description: The name of the augmented sbom file. default: cyclonedx.sbom.json + # No longer used. silk_asset_group: description: The Silk Asset Group for the Project third_party_dependency_tool: @@ -40,11 +47,13 @@ runs: token: ${{ inputs.token }} - name: Generate SBOM File # not all packages have third party dependencies, and so not all packages integrate with silk. - if: ${{ inputs.silk_asset_group }} + if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} uses: blink1073/drivers-github-tools/sbom@fetsko/gha-sbom-action-silkbomb-2.0 with: silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} + kondukto_sub_project: ${{ inputs.kondukto_sub_project }} + sbom_in_path: ${{ inputs.sbom_in_path }} - name: Generate Sarif File uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 with: diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index 061525a..df3894a 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -14,9 +14,16 @@ inputs: product_name: description: The name of the product required: true + sbom_in_path: + description: The path of the input sbom file. + default: sbom.json + kondukto_sub_project: + description: The Kondukto sub-project name (appended to the branch name) + required: false + # No longer used. silk_asset_group: description: The Silk Asset Group for the Project - required: true + required: false evergreen_project: description: The evergreen project name. required: true 
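Review bot: `if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}` can no longer be false, because `sbom_in_path` is given `default: sbom.json` in the hunk above, so the comment saying not every package integrates is now wrong and every caller runs the SBOM step whether or not it has a `KONDUKTO_TOKEN` and an input SBOM. If the step should stay optional, drop the default and let an empty `sbom_in_path` disable it, or key the condition on something callers must set explicitly. Separately, write the condition as one expression, `if: ${{ inputs.silk_asset_group || inputs.sbom_in_path }}`, rather than two `${{ }}` blocks joined by a literal `||`; I am not certain the mixed form is evaluated the way the author intends. The same input and default are added to python/post-publish in the following hunk.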
@@ -64,6 +71,8 @@ runs: release_version: ${{ inputs.version }} sarif_report_target_ref: ${{ inputs.version }} dist_filenames: dist/* + kondukto_sub_project: ${{ inputs.kondukto_sub_project }} + sbom_in_path: ${{ inputs.sbom_in_path }} silk_asset_group: ${{ inputs.silk_asset_group }} evergreen_project: ${{ inputs.evergreen_project }} evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }} From d6693fb478e4d16153ebca4118e6ec08c08b54d1 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 11:12:19 -0600 Subject: [PATCH 9/9] revert to upstream --- full-report/action.yml | 2 +- python/post-publish/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/full-report/action.yml b/full-report/action.yml index 16de7b3..ddce9c9 100644 --- a/full-report/action.yml +++ b/full-report/action.yml @@ -48,7 +48,7 @@ runs: - name: Generate SBOM File # not all packages have third party dependencies, and so not all packages integrate with silk. if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} - uses: blink1073/drivers-github-tools/sbom@fetsko/gha-sbom-action-silkbomb-2.0 + uses: mongodb-labs/drivers-github-tools/sbom@v2 with: silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index df3894a..2585ea6 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -65,7 +65,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: blink1073/drivers-github-tools/full-report@fetsko/gha-sbom-action-silkbomb-2.0 + - uses: mongodb-labs/drivers-github-tools/full-report@v2 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }}
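Review bot: Reverting to `mongodb-labs/drivers-github-tools/full-report@v2` here (and `sbom@v2` in the hunk above) ships the behaviour change of this series — the sbom action no longer downloads an SBOM but augments an existing one and now needs a `KONDUKTO_TOKEN` plus a file at `sbom_in_path` — under the same major tag existing callers already reference; assuming `v2` is a moving tag, those callers pick up the new requirements without changing anything on their side. If that is intended, the README section changed earlier in this series should describe the new prerequisites; otherwise the change belongs under a new major tag. The `uses:` lines are the only changed lines in these two hunks.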