Generate SBOMs for a release #43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Generate SBOMs for a release | |
on: | |
workflow_dispatch: | |
inputs: | |
#checkov:skip=CKV_GHA_7:This is a false positive | |
release: | |
description: 'SecObserve release (without the v)' | |
required: true | |
permissions: read-all | |
jobs: | |
generate_sboms: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 | |
with: | |
node-version: 20 | |
- | |
name: Checkout | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
ref: 'v${{ github.event.inputs.release }}' | |
- | |
name: Install programs | |
env: | |
CDXGEN_VERSION: 10.9.4 | |
SBOM_UTILITY_VERSION: 0.16.0 | |
CYCLONE_DX_CLI_VERSION: 0.25.1 | |
run: | | |
npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION" | |
cd /usr/local/bin | |
wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf - | |
wget --no-verbose https://github.com/CycloneDX/cyclonedx-cli/releases/download/v"$CYCLONE_DX_CLI_VERSION"/cyclonedx-linux-x64 | |
cp cyclonedx-linux-x64 /usr/local/bin/cyclonedx | |
chmod +x /usr/local/bin/cyclonedx | |
- | |
name: Generate SBOM for backend application | |
env: | |
VERSION: ${{ github.event.inputs.release }} | |
FETCH_LICENSE: 1 | |
working-directory: ./sbom | |
run: | | |
mv ../backend/poetry_requirements.txt ../backend/poetry_requirements.sic | |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json | |
cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json | |
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_backend_application.json \ | |
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json | |
sbom-utility validate --input-file sbom_backend_application_"$VERSION".json | |
rm sbom_backend_application.json | |
mv ../backend/poetry_requirements.sic ../backend/poetry_requirements.txt | |
- | |
name: Generate SBOM for frontend application | |
env: | |
VERSION: ${{ github.event.inputs.release }} | |
working-directory: ./sbom | |
run: | | |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json | |
cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json | |
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_frontend_application.json \ | |
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json | |
sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json | |
rm sbom_frontend_application.json | |
- | |
name: Generate SBOM for backend container | |
env: | |
VERSION: ${{ github.event.inputs.release }} | |
working-directory: ./sbom | |
run: | | |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json | |
cdxgen maibornwolff/secobserve-backend:$VERSION --type container --exclude-type python --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_backend_container.json | |
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_backend_container.json \ | |
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json | |
sbom-utility validate --input-file sbom_backend_container_"$VERSION".json | |
rm sbom_backend_container.json | |
- | |
name: Generate SBOM for frontend container | |
env: | |
VERSION: ${{ github.event.inputs.release }} | |
working-directory: ./sbom | |
run: | | |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json | |
cdxgen maibornwolff/secobserve-frontend:$VERSION --type container --exclude-type npm --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_frontend_container.json | |
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_frontend_container.json \ | |
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json | |
sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json | |
rm sbom_frontend_container.json | |
- | |
name: Merge SBOMs | |
env: | |
VERSION: ${{ github.event.inputs.release }} | |
working-directory: ./sbom | |
run: | | |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_complete.json | |
cyclonedx merge --hierarchical --name "SecObserve" --version "$VERSION" --input-files sbom_backend_application_"$VERSION".json sbom_frontend_application_"$VERSION".json sbom_backend_container_"$VERSION".json sbom_frontend_container_"$VERSION".json --output-format json \ | |
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json | |
sbom-utility validate --input-file sbom_"$VERSION".json | |
- | |
name: Commit SBOMs | |
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5 | |
with: | |
skip_fetch: true | |
create_branch: true | |
commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}" | |
branch: "chore/sboms_release_${{ github.event.inputs.release }}" | |
file_pattern: "sbom/sbom*.json" |