From: Matthew Watkins
Date: Mon, 8 Dec 2025 12:10:53 +0000 (+0000)
Subject: CI: Update CBOM workflow for IT-28494
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=8ad992a9fe6d7a4f462ca8b1f78900a5d8de62df;p=ccsdk%2Fdistribution.git
CI: Update CBOM workflow for IT-28494
Issue-ID: CIMAN-33
Change-Id: Ib4ee4a01ed49e248e8f7ad09de5d338d68b8f128
Signed-off-by: Matthew Watkins
---
diff --git a/.github/workflows/cbom.yaml b/.github/workflows/cbom.yaml
deleted file mode 100644
index 081f0c7f..00000000
--- a/.github/workflows/cbom.yaml
+++ /dev/null
@@ -1,150 +0,0 @@ ---- -# SPDX-License-Identifier: Apache-2.0 -# SPDX-FileCopyrightText: 2025 The Linux Foundation - -name: '🔑 Generate PQCA CBOM' - -on: - workflow_dispatch: - push: - branches: - - master - -permissions: {} - -concurrency: - group: "${{ github.workflow }}-${{ github.ref }}" - cancel-in-progress: true - -jobs: - cbom-scan: - name: 'Generate PQCA CBOM' - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - timeout-minutes: 45 # Set this timeout value as needed - steps: - - # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit - - - name: 'Checkout repository' - # yamllint disable-line rule:line-length - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: 'Setup JDK' - # yamllint disable-line rule:line-length - uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 - with: - java-version: '17' - distribution: 'temurin' - - - name: 'Setup Maven' - # yamllint disable-line rule:line-length - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - java-version: '17' - maven-version: '3.8.2' - - - name: Create Maven global settings.xml - run: | - cat > global-settings.xml << 'EOF' - - - - ecomp-releases - cps - ${{ secrets.NEXUS_PASSWORD }} - - - ecomp-snapshots - cps - ${{ secrets.NEXUS_PASSWORD }} - - - onap-releases - cps - ${{ secrets.NEXUS_PASSWORD }} - - - onap-snapshots - cps - ${{ secrets.NEXUS_PASSWORD }} - - - nexus3.onap.org:10003 - cps - ${{ secrets.NEXUS_PASSWORD }} - - - - - onap-public - * - https://nexus.onap.org/content/groups/public/ - - - - - onap-nexus - - - onap-public - https://nexus.onap.org/content/groups/public/ - true - true - - - - - onap-public - https://nexus.onap.org/content/groups/public/ - true - true - - - - - - onap-nexus - - - EOF - - - name: 'Build with 
Maven' - # When scanning Java code, the build should be completed beforehand - run: | - echo "Maven build starting with global settings" - cat global-settings.xml - mvn -B clean package -DskipTests \ - --global-settings global-settings.xml \ - -Ddocker.push.registry=nexus3.onap.org:10003 \ - -Ddocker.pull.registry=nexus3.onap.org:10003 \ - -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo \ - -Dmaven.repo.local=/tmp/r \ - -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r \ - -Djib.skip=true \ - -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - - - name: 'Create CBOM' - # yamllint disable-line rule:line-length - uses: PQCA/cbomkit-action@a13ffe2a31c50dcc222ecc49d79897f5acff6d14 # v2.1.0 - id: cbom - env: - CBOMKIT_LANGUAGES: java, python # or java or python - - - name: 'Commit changes to new branch' - # Allows persisting the CBOMs after job completion and - # sharing them with another job in the same workflow. - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: 'CBOM' - path: ${{ steps.cbom.outputs.pattern }} - if-no-files-found: warn diff --git a/.github/workflows/gerrit-merge-cbom.yaml b/.github/workflows/gerrit-merge-cbom.yaml new file mode 100644 index 00000000..fb9efb07 --- /dev/null +++ b/.github/workflows/gerrit-merge-cbom.yaml 
@@ -0,0 +1,343 @@ +--- +# SPDX-License-Identifier: Apache-2.0 +# SPDX-FileCopyrightText: 2025 The Linux Foundation + +name: '🔑 Generate PQCA CBOM' + +on: + push: + branches: + - master + + workflow_dispatch: + inputs: + GERRIT_BRANCH: + description: "Branch that change is against" + required: false + type: string + GERRIT_CHANGE_ID: + description: "The ID for the change" + required: false + type: string + GERRIT_CHANGE_NUMBER: + description: "The Gerrit number" + required: false + type: string + GERRIT_CHANGE_URL: + description: "URL to the change" + required: false + type: string + GERRIT_EVENT_TYPE: + description: "Type of Gerrit event" + required: false + type: string + GERRIT_PATCHSET_NUMBER: + description: "The patch number for the change" + required: false + type: string + GERRIT_PATCHSET_REVISION: + description: "The revision sha" + required: false + type: string + GERRIT_PROJECT: + description: "Project in Gerrit" + required: false + type: string + GERRIT_REFSPEC: + description: "Gerrit refspec of change" + required: false + type: string + GERRIT_DISABLED: + description: "Run without Gerrit components" + required: false + default: false + type: boolean + +permissions: {} + +concurrency: + group: "gerrit-merge-cbom-${{ github.workflow }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}" + cancel-in-progress: true + +jobs: + notify: + if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true + runs-on: ubuntu-latest + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + + - name: Notify job start + # yamllint disable-line rule:line-length + uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 + with: + host: ${{ vars.GERRIT_SERVER }} + username: ${{ vars.GERRIT_SSH_USER }} + key: ${{ secrets.GERRIT_SSH_PRIVKEY }} + 
known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} + gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} + gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} + vote-type: clear + - name: Allow replication + run: sleep 10s + + cbom-create: + name: 'Generate PQCA CBOM' + runs-on: ubuntu-latest + if: always() + needs: [notify] + permissions: + contents: write + pull-requests: write + timeout-minutes: 45 # Set this timeout value as needed + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + + # yamllint disable-line rule:line-length + - uses: lfreleng-actions/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9 + with: + gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }} + gerrit-url: ${{ vars.GERRIT_URL }} + delay: "0s" + + - name: 'Find Python projects' + id: find-python + run: | + # Find all directories containing setup.py or pyproject.toml + PYTHON_DIRS=() + while IFS= read -r file; do + if [ -n "$file" ]; then + dir=$(dirname "$file" | sed 's|^\./||') + PYTHON_DIRS+=("$dir") + fi + done < <(find . 
-type f \( -name "setup.py" -o -name "pyproject.toml" \)) + + echo "Found ${#PYTHON_DIRS[@]} Python project(s)" + + if [ ${#PYTHON_DIRS[@]} -gt 0 ]; then + echo "has-python=true" >> "$GITHUB_OUTPUT" + echo "Python projects found in:" + printf '%s\n' "${PYTHON_DIRS[@]}" + + # Save directories for iteration + printf '%s\n' "${PYTHON_DIRS[@]}" > /tmp/python_dirs.txt + echo "DEBUG: has-python output set to: true" + else + echo "has-python=false" >> "$GITHUB_OUTPUT" + echo "No Python projects found" + echo "DEBUG: has-python output set to: false" + fi + + - name: 'Check for pom.xml' + id: check-pom-xml + # yamllint disable-line rule:line-length + uses: lfreleng-actions/path-check-action@9606e61c870025bc956e63156d1d55c5df54426c # v0.2.0 + with: + path: 'pom.xml' + + - name: 'Build Python projects' + id: python-build + if: steps.find-python.outputs.has-python == 'true' + run: | + # Build each Python project found + while IFS= read -r python_dir; do + echo "Building Python project in: $python_dir" + cd "$GITHUB_WORKSPACE/$python_dir" + + # Determine Python version and build + if [ -f "pyproject.toml" ]; then + echo "Using pyproject.toml build" + python -m pip install --upgrade pip build + python -m build + elif [ -f "setup.py" ]; then + echo "Using setup.py build" + python -m pip install --upgrade pip setuptools wheel + python setup.py sdist bdist_wheel + fi + + cd "$GITHUB_WORKSPACE" + done < /tmp/python_dirs.txt + + - name: 'Extract project name from .gitreview' + id: extract-project + if: steps.check-pom-xml.outputs.exists == 'true' + run: | + if [ -f .gitreview ]; then + PROJECT_NAME=$(grep '^project=' .gitreview | cut -d'=' -f2 | sed 's/\.git$//' | tr '/' '-') + echo "project-name=${PROJECT_NAME}" >> $GITHUB_OUTPUT + echo "Detected project: ${PROJECT_NAME}" + else + echo "Error: .gitreview file not found" + exit 1 + fi + + - name: Load secret from 1Password + if: steps.check-pom-xml.outputs.exists == 'true' + uses: 
1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + NEXUS_PASSWORD: "op://elnqtgip7eqavqvgodjbiiaqd4/${{ steps.extract-project.outputs.project-name }}/password" + + - name: 'Output SHA1 sum of password' + if: steps.check-pom-xml.outputs.exists == 'true' + env: + NEXUS_PASSWORD: $NEXUS_PASSWORD + run: | + # Output SHA1 sum of password + VALUE_SHA1=$(printf '%s' "$NEXUS_PASSWORD" | shasum -a 1 | awk '{print $1}') + echo "SHA1 sum of NEXUS_PASSWORD is: $VALUE_SHA1" + + - name: 'Generate Maven global settings content' + id: create-settings + if: steps.check-pom-xml.outputs.exists == 'true' + env: + NEXUS_PASSWORD: ${{ env.NEXUS_PASSWORD }} + run: | + # Extract project name from .gitreview file + if [ -f .gitreview ]; then + PROJECT_NAME=$(grep '^project=' .gitreview | cut -d'=' -f2 | sed 's/\.git$//' | tr '/' '-') + echo "Detected project: ${PROJECT_NAME}" + else + echo "Error: .gitreview file not found" + exit 1 + fi + + # Generate settings content for maven-build-action + { + echo 'settings-content< + + + ecomp-releases + ${PROJECT_NAME} + ${NEXUS_PASSWORD} + + + ecomp-snapshots + ${PROJECT_NAME} + ${NEXUS_PASSWORD} + + + onap-releases + ${PROJECT_NAME} + ${NEXUS_PASSWORD} + + + onap-snapshots + ${PROJECT_NAME} + ${NEXUS_PASSWORD} + + + nexus3.onap.org:10003 + ${PROJECT_NAME} + ${NEXUS_PASSWORD} + + + + + onap-public + * + https://nexus.onap.org/content/groups/public/ + + + + + onap-nexus + + + onap-public + https://nexus.onap.org/content/groups/public/ + true + true + + + + + onap-public + https://nexus.onap.org/content/groups/public/ + true + true + + + + + + onap-nexus + + + EOF + echo 'SETTINGS_EOF' + } >> $GITHUB_OUTPUT + + - name: 'Build with Maven' + if: steps.check-pom-xml.outputs.exists == 'true' + # yamllint disable-line rule:line-length + uses: lfreleng-actions/maven-build-action@5be56aed8bed4f0bf9d699f2817eaef37c94ac02 # 
v0.2.0 + with: + java-version: | + 17 + 21 + distribution: 'temurin' + mvn-version: '3.9.5' + mvn-phases: 'clean package' + mvn-params: '-DskipTests -Djib.skip=true' + # yamllint disable-line rule:line-length + mvn-opts: '-Ddocker.push.registry=nexus3.onap.org:10003 -Ddocker.pull.registry=nexus3.onap.org:10003 -Dmaven.repo.local=/tmp/r -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn' + global-settings: | + ${{ steps.create-settings.outputs.settings-content }} + run-jacoco: 'false' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: 'Create CBOM' + if: steps.check-pom-xml.outputs.exists == 'true' || steps.find-python.outputs.has-python == 'true' + # yamllint disable-line rule:line-length + uses: PQCA/cbomkit-action@fe04ae510fe80fcfa7d145859fcba8e5dbd0b649 # v2.1.2 + id: cbom + env: + CBOMKIT_LANGUAGES: java, python # or java or python + + - name: 'Commit changes to new branch' + # Allows persisting the CBOMs after job completion and + # sharing them with another job in the same workflow. 
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: 'CBOM' + path: ${{ steps.cbom.outputs.pattern }} + if-no-files-found: warn + + report-status: + if: ${{ always() && github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true }} + needs: [notify, cbom-create] + runs-on: ubuntu-latest + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + + - name: Get workflow conclusion + uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3 + + - name: Report workflow conclusion + # yamllint disable-line rule:line-length + uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 + with: + host: ${{ vars.GERRIT_SERVER }} + username: ${{ vars.GERRIT_SSH_USER }} + key: ${{ secrets.GERRIT_SSH_PRIVKEY }} + known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} + gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} + gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} + vote-type: ${{ env.WORKFLOW_CONCLUSION }}
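Review bot: The 'Output SHA1 sum of password' step in `cbom-create` prints an unsalted SHA-1 of the Nexus credential into the job log, which leaks an offline-crackable fingerprint of the secret — the masking that load-secrets-action registers covers the value itself, not a hash derived from it. Drop the step, or if a presence check is wanted print only the length, `echo "NEXUS_PASSWORD length: ${#NEXUS_PASSWORD}"`; note too that its step-level `env: NEXUS_PASSWORD: $NEXUS_PASSWORD` is a literal string in workflow YAML rather than an expansion, so it presumably overrides the exported value with the text `$NEXUS_PASSWORD` and the printed hash may not even be of the real secret — worth confirming. Separately, the job requests `contents: write` and `pull-requests: write` but no step pushes or comments (the step titled 'Commit changes to new branch' only calls upload-artifact), so `permissions:` / `contents: read` is sufficient and keeps the `GITHUB_TOKEN` handed to maven-build-action read-only. Since `workflow_dispatch` accepts an arbitrary `GERRIT_REFSPEC` and the build (`mvn clean package`, `python -m build`) executes that change's code with the 1Password-loaded `NEXUS_PASSWORD` exported into the job environment, anyone able to dispatch the workflow can run unreviewed code holding the credential; that is presumably acceptable for a merge-time workflow, but a comment on the `workflow_dispatch` trigger stating that assumption would help the next maintainer.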