From: Matthew Watkins Date: Mon, 8 Dec 2025 12:05:23 +0000 (+0000) Subject: CI: Update CBOM workflow for IT-28494 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=7c13cb29b55fb71ff17984f5d2741a4dac0a8483;p=ccsdk%2Fsli.git CI: Update CBOM workflow for IT-28494 Issue-ID: CIMAN-33 Change-Id: I485a09741816e32857865140563e22fd7a191f35 Signed-off-by: Matthew Watkins --- diff --git a/.github/workflows/gerrit-merge-cbom.yaml b/.github/workflows/gerrit-merge-cbom.yaml index 48f0cb38c..fb9efb074 100644 --- a/.github/workflows/gerrit-merge-cbom.yaml +++ b/.github/workflows/gerrit-merge-cbom.yaml @@ -13,40 +13,45 @@ on: inputs: GERRIT_BRANCH: description: "Branch that change is against" - required: true + required: false type: string GERRIT_CHANGE_ID: description: "The ID for the change" - required: true + required: false type: string GERRIT_CHANGE_NUMBER: description: "The Gerrit number" - required: true + required: false type: string GERRIT_CHANGE_URL: description: "URL to the change" - required: true + required: false type: string GERRIT_EVENT_TYPE: description: "Type of Gerrit event" - required: true + required: false type: string GERRIT_PATCHSET_NUMBER: description: "The patch number for the change" - required: true + required: false type: string GERRIT_PATCHSET_REVISION: description: "The revision sha" - required: true + required: false type: string GERRIT_PROJECT: description: "Project in Gerrit" - required: true + required: false type: string GERRIT_REFSPEC: description: "Gerrit refspec of change" - required: true + required: false type: string + GERRIT_DISABLED: + description: "Run without Gerrit components" + required: false + default: false + type: boolean permissions: {} @@ -56,18 +61,18 @@ concurrency: jobs: notify: - if: github.event_name == 'workflow_dispatch' + if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true runs-on: ubuntu-latest steps: # Harden the runner used by this workflow # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit - name: Notify job start # yamllint disable-line rule:line-length - uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9 + uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 with: host: ${{ vars.GERRIT_SERVER }} username: ${{ vars.GERRIT_SSH_USER }} @@ -91,7 +96,7 @@ jobs: steps: # Harden the runner used by this workflow # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit @@ -102,8 +107,67 @@ jobs: gerrit-url: ${{ vars.GERRIT_URL }} delay: "0s" + - name: 'Find Python projects' + id: find-python + run: | + # Find all directories containing setup.py or pyproject.toml + PYTHON_DIRS=() + while IFS= read -r file; do + if [ -n "$file" ]; then + dir=$(dirname "$file" | sed 's|^\./||') + PYTHON_DIRS+=("$dir") + fi + done < <(find . -type f \( -name "setup.py" -o -name "pyproject.toml" \)) + + echo "Found ${#PYTHON_DIRS[@]} Python project(s)" + + if [ ${#PYTHON_DIRS[@]} -gt 0 ]; then + echo "has-python=true" >> "$GITHUB_OUTPUT" + echo "Python projects found in:" + printf '%s\n' "${PYTHON_DIRS[@]}" + + # Save directories for iteration + printf '%s\n' "${PYTHON_DIRS[@]}" > /tmp/python_dirs.txt + echo "DEBUG: has-python output set to: true" + else + echo "has-python=false" >> "$GITHUB_OUTPUT" + echo "No Python projects found" + echo "DEBUG: has-python output set to: false" + fi + + - name: 'Check for pom.xml' + id: check-pom-xml + # yamllint disable-line rule:line-length + uses: lfreleng-actions/path-check-action@9606e61c870025bc956e63156d1d55c5df54426c # v0.2.0 + with: + path: 'pom.xml' + + - name: 'Build Python projects' + id: python-build + if: steps.find-python.outputs.has-python == 'true' + run: | + # Build each Python project found + while IFS= read -r python_dir; do + echo "Building Python project in: $python_dir" + cd "$GITHUB_WORKSPACE/$python_dir" + + # Determine Python version and build + if [ -f "pyproject.toml" ]; then + echo "Using pyproject.toml build" + python -m pip install --upgrade pip build + python -m build + elif [ -f "setup.py" ]; then + echo "Using setup.py build" + python -m pip install --upgrade pip setuptools wheel + python setup.py sdist bdist_wheel + fi + + cd "$GITHUB_WORKSPACE" + done < /tmp/python_dirs.txt + - name: 'Extract project name from .gitreview' id: extract-project + if: steps.check-pom-xml.outputs.exists == 'true' run: | if [ -f .gitreview ]; then PROJECT_NAME=$(grep '^project=' .gitreview | cut -d'=' -f2 | sed 's/\.git$//' | tr '/' '-') @@ -115,23 +179,26 @@ jobs: fi - name: Load secret from 1Password + if: steps.check-pom-xml.outputs.exists == 'true' uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0 with: export-env: true env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - NEXUS_PASSWORD: op://elnqtgip7eqavqvgodjbiiaqd4/${{ steps.extract-project.outputs.project-name }}/password + NEXUS_PASSWORD: "op://elnqtgip7eqavqvgodjbiiaqd4/${{ steps.extract-project.outputs.project-name }}/password" - name: 'Output SHA1 sum of password' + if: steps.check-pom-xml.outputs.exists == 'true' env: NEXUS_PASSWORD: $NEXUS_PASSWORD run: | # Output SHA1 sum of password - VALUE_SHA1=$(echo -n "$NEXUS_PASSWORD" | sha1sum | awk '{print $1}') + VALUE_SHA1=$(printf '%s' "$NEXUS_PASSWORD" | shasum -a 1 | awk '{print $1}') echo "SHA1 sum of NEXUS_PASSWORD is: $VALUE_SHA1" - - name: 'Generate Maven global settings' + - name: 'Generate Maven global settings content' id: create-settings + if: steps.check-pom-xml.outputs.exists == 'true' env: NEXUS_PASSWORD: ${{ env.NEXUS_PASSWORD }} run: | @@ -144,7 +211,10 @@ jobs: exit 1 fi - cat > global-settings.xml << EOF + # Generate settings content for maven-build-action + { + echo 'settings-content< @@ -206,17 +276,15 @@ jobs: EOF - { - echo 'settings-content<> $GITHUB_OUTPUT - name: 'Build with Maven' + if: steps.check-pom-xml.outputs.exists == 'true' # yamllint disable-line rule:line-length - uses: lfreleng-actions/maven-build-action@main + uses: lfreleng-actions/maven-build-action@5be56aed8bed4f0bf9d699f2817eaef37c94ac02 # v0.2.0 with: - jdk-version: | + java-version: | 17 21 distribution: 'temurin' @@ -232,6 +300,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: 'Create CBOM' + if: steps.check-pom-xml.outputs.exists == 'true' || steps.find-python.outputs.has-python == 'true' # yamllint disable-line rule:line-length uses: PQCA/cbomkit-action@fe04ae510fe80fcfa7d145859fcba8e5dbd0b649 # v2.1.2 id: cbom @@ -248,22 +317,22 @@ jobs: if-no-files-found: warn report-status: - if: ${{ always() && github.event_name == 'workflow_dispatch' }} + if: ${{ always() && github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true }} needs: [notify, cbom-create] runs-on: ubuntu-latest steps: # Harden the runner used by this workflow # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit - name: Get workflow conclusion - uses: technote-space/workflow-conclusion-action@v3 + uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3 - name: Report workflow conclusion # yamllint disable-line rule:line-length - uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9 + uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 with: host: ${{ vars.GERRIT_SERVER }} username: ${{ vars.GERRIT_SSH_USER }}