From: Matthew Watkins
Date: Thu, 13 Nov 2025 12:37:24 +0000 (+0000)
Subject: CI: Add CBOM workflow, add .gitreview, fix broken submodule
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=eda548f15906144078ea0a53886fa2e55db56c79;p=oom%2Fregistrator.git

CI: Add CBOM workflow, add .gitreview, fix broken submodule
Enumerates local repository information dynamically from the .gitreview file. Also updates all the workflow action calls, and now uses the centralised Maven build action (lfreleng-actions/maven-build-action). This repository appears to have some legacy setup problems. The last commit was five years ago.
Issue-ID: CIMAN-33
Change-Id: I47294f4ddf4b01e82b55e7480c8529322d871178
Signed-off-by: Matthew Watkins
---
diff --git a/.github/workflows/gerrit-merge-cbom.yaml b/.github/workflows/gerrit-merge-cbom.yaml
new file mode 100644
index 0000000..539e03e
--- /dev/null
+++ b/.github/workflows/gerrit-merge-cbom.yaml
@@ -0,0 +1,258 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+name: '🔑 Generate PQCA CBOM'
+
+on:
+ push:
+ branches:
+ - master
+
+ workflow_dispatch:
+ inputs:
+ GERRIT_BRANCH:
+ description: "Branch that change is against"
+ required: true
+ type: string
+ GERRIT_CHANGE_ID:
+ description: "The ID for the change"
+ required: true
+ type: string
+ GERRIT_CHANGE_NUMBER:
+ description: "The Gerrit number"
+ required: true
+ type: string
+ GERRIT_CHANGE_URL:
+ description: "URL to the change"
+ required: true
+ type: string
+ GERRIT_EVENT_TYPE:
+ description: "Type of Gerrit event"
+ required: true
+ type: string
+ GERRIT_PATCHSET_NUMBER:
+ description: "The patch number for the change"
+ required: true
+ type: string
+ GERRIT_PATCHSET_REVISION:
+ description: "The revision sha"
+ required: true
+ type: string
+ GERRIT_PROJECT:
+ description: "Project in Gerrit"
+ required: true
+ type: string
+ GERRIT_REFSPEC:
+ description: "Gerrit refspec of change"
+ required: true
+ type: string
+
+permissions: {}
+
+concurrency:
+ group: "gerrit-merge-cbom-${{ github.workflow }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}"
+ cancel-in-progress: true
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: Notify job start
+ # yamllint disable-line rule:line-length
+ uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9
+ with:
+ host: ${{ vars.GERRIT_SERVER }}
+ username: ${{ vars.GERRIT_SSH_USER }}
+ key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+ known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+ gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+ gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+ vote-type: clear
+ - name: Allow replication
+ run: 
sleep 10s + + cbom-create: + name: 'Generate PQCA CBOM' + runs-on: ubuntu-latest + needs: [notify] + permissions: + contents: write + pull-requests: write + timeout-minutes: 45 # Set this timeout value as needed + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + + - name: Load secret from 1Password + uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + NEXUS_PASSWORD: op://elnqtgip7eqavqvgodjbiiaqd4/ccsdk-apps/password + + - name: 'Output SHA1 sum of password' + env: + NEXUS_PASSWORD: $NEXUS_PASSWORD + run: | + # Output SHA1 sum of password + VALUE_SHA1=$(echo -n "$NEXUS_PASSWORD" | sha1sum | awk '{print $1}') + echo "SHA1 sum of NEXUS_PASSWORD is: $VALUE_SHA1" + + # yamllint disable-line rule:line-length + - uses: lfreleng-actions/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9 + with: + gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }} + gerrit-url: ${{ vars.GERRIT_URL }} + delay: "0s" + + - name: 'Setup JDK' + # yamllint disable-line rule:line-length + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 + with: + java-version: '17' + distribution: 'temurin' + + - name: 'Setup Maven' + # yamllint disable-line rule:line-length + uses: s4u/setup-maven-action@6c4e9964d4ecb8f1026310cd8618791fd51a8016 # v1.19.0 + with: + java-version: '17' + maven-version: '3.8.2' + + - name: Create Maven global settings.xml + env: + NEXUS_PASSWORD: $NEXUS_PASSWORD + run: | + cat > global-settings.xml << 'EOF' + + + + ecomp-releases + cps + ${NEXUS_PASSWORD} + + + ecomp-snapshots + cps + ${NEXUS_PASSWORD} + + + onap-releases + cps + ${NEXUS_PASSWORD} + + + onap-snapshots + cps + ${NEXUS_PASSWORD} + + + nexus3.onap.org:10003 + cps + 
${NEXUS_PASSWORD} + + + + + onap-public + * + https://nexus.onap.org/content/groups/public/ + + + + + onap-nexus + + + onap-public + https://nexus.onap.org/content/groups/public/ + true + true + + + + + onap-public + https://nexus.onap.org/content/groups/public/ + true + true + + + + + + onap-nexus + + + EOF + + - name: 'Build with Maven' + # When scanning Java code, the build should be completed beforehand + run: | + echo "Maven build starting with global settings" + cat global-settings.xml + mvn -B clean package -DskipTests \ + --global-settings global-settings.xml \ + -Ddocker.push.registry=nexus3.onap.org:10003 \ + -Ddocker.pull.registry=nexus3.onap.org:10003 \ + -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo \ + -Dmaven.repo.local=/tmp/r \ + -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r \ + -Djib.skip=true \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NEXUS_PASSWORD: $NEXUS_PASSWORD + + - name: 'Create CBOM' + # yamllint disable-line rule:line-length + uses: PQCA/cbomkit-action@fe04ae510fe80fcfa7d145859fcba8e5dbd0b649 # v2.1.2 + id: cbom + env: + CBOMKIT_LANGUAGES: java, python # or java or python + + - name: 'Commit changes to new branch' + # Allows persisting the CBOMs after job completion and + # sharing them with another job in the same workflow. 
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: 'CBOM'
+ path: ${{ steps.cbom.outputs.pattern }}
+ if-no-files-found: warn
+
+ report-status:
+ if: ${{ always() }}
+ needs: [notify, cbom-create]
+ runs-on: ubuntu-latest
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: Get workflow conclusion
+ uses: technote-space/workflow-conclusion-action@v3
+
+ - name: Report workflow conclusion
+ # yamllint disable-line rule:line-length
+ uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9
+ with:
+ host: ${{ vars.GERRIT_SERVER }}
+ username: ${{ vars.GERRIT_SSH_USER }}
+ key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+ known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+ gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+ gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+ vote-type: ${{ env.WORKFLOW_CONCLUSION }}
diff --git a/.gitreview b/.gitreview
new file mode 100644
index 0000000..a822dcf
--- /dev/null
+++ b/.gitreview
@@ -0,0 +1,5 @@
+[gerrit]
+host=gerrit.onap.org
+port=29418
+project=oom/registrator
+defaultbranch=master
diff --git a/src/kube2msb/vendor/golang.org/x/tour b/src/kube2msb/vendor/golang.org/x/tour
deleted file mode 160000
index ced884f..0000000
--- a/src/kube2msb/vendor/golang.org/x/tour
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit ced884f4700c5c9657569036e287a0653481574b
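Review bot: The three step-level `env: NEXUS_PASSWORD: $NEXUS_PASSWORD` entries (on 'Output SHA1 sum of password', 'Create Maven global settings.xml' and 'Build with Maven') set the variable to the literal string `$NEXUS_PASSWORD`, because workflow `env:` values are never shell-expanded, so they shadow the real value the 1Password step exported with `export-env: true`; and because the heredoc is quoted (`<< 'EOF'`), `${NEXUS_PASSWORD}` is written into global-settings.xml verbatim, where Maven does not treat it as an environment lookup. Drop those three `env:` lines (the job-wide export already provides the variable) and write the credential in settings.xml as `${env.NEXUS_PASSWORD}` so Maven resolves it from the environment at run time and the cleartext value never reaches the file that `cat global-settings.xml` prints into the job log. The 'Output SHA1 sum of password' step should be removed outright: as written it hashes the placeholder text, and once the env bug is fixed it would publish an unsalted SHA-1 of a live credential in a public log, which is enough for offline guessing and serves no build purpose. Separately, `technote-space/workflow-conclusion-action@v3` is the only `uses:` in the file pinned to a mutable tag rather than a commit SHA, and `cbom-create` requests `contents: write` and `pull-requests: write` although the step titled 'Commit changes to new branch' only uploads an artifact, so both grants appear unnecessary. The `.gitreview` and submodule-removal hunks on this line raise nothing.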