From: Matthew Watkins Date: Mon, 8 Dec 2025 12:02:30 +0000 (+0000) Subject: CI: Update CBOM workflow for IT-28494 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F87%2F142687%2F2;p=ccsdk%2Fapps.git CI: Update CBOM workflow for IT-28494 Issue-ID: CIMAN-33 Change-Id: I5b32655979bc496f16f219b9349244717cdc1361 Signed-off-by: Matthew Watkins
---
diff --git a/.github/workflows/gerrit-merge-cbom.yaml b/.github/workflows/gerrit-merge-cbom.yaml
index d7616fd2..96c58e8c 100644
--- a/.github/workflows/gerrit-merge-cbom.yaml
+++ b/.github/workflows/gerrit-merge-cbom.yaml
@@ -13,40 +13,45 @@ on:
 inputs:
 GERRIT_BRANCH:
 description: "Branch that change is against"
- required: true
+ required: false
 type: string
 GERRIT_CHANGE_ID:
 description: "The ID for the change"
- required: true
+ required: false
 type: string
 GERRIT_CHANGE_NUMBER:
 description: "The Gerrit number"
- required: true
+ required: false
 type: string
 GERRIT_CHANGE_URL:
 description: "URL to the change"
- required: true
+ required: false
 type: string
 GERRIT_EVENT_TYPE:
 description: "Type of Gerrit event"
- required: true
+ required: false
 type: string
 GERRIT_PATCHSET_NUMBER:
 description: "The patch number for the change"
- required: true
+ required: false
 type: string
 GERRIT_PATCHSET_REVISION:
 description: "The revision sha"
- required: true
+ required: false
 type: string
 GERRIT_PROJECT:
 description: "Project in Gerrit"
- required: true
+ required: false
 type: string
 GERRIT_REFSPEC:
 description: "Gerrit refspec of change"
- required: true
+ required: false
 type: string
+ GERRIT_DISABLED:
+ description: "Run without Gerrit components"
+ required: false
+ default: false
+ type: boolean
 permissions: {}
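Review bot: With every GERRIT_* input now `required: false` and no `default`, a manual dispatch that leaves GERRIT_DISABLED at its default `false` but omits the change inputs still passes the `inputs.GERRIT_DISABLED != true` gates added in the notify hunk (@@ -56) and the report-status hunk (@@ -244), so gerrit-review-action is invoked with empty gerrit-change-number and gerrit-patchset-number. Either gate on the values themselves, e.g. `if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true && inputs.GERRIT_CHANGE_NUMBER != ''`, or state the contract in the new input's description, e.g. `description: "Run without Gerrit components (set true when the GERRIT_* inputs are not supplied)"`. The trigger key that owns this `inputs:` block is above the hunk, so whether the same inputs also serve a workflow_call trigger is not visible here.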
@@ -56,17 +61,18 @@ concurrency:
 jobs:
 notify:
+ if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true
 runs-on: ubuntu-latest
 steps:
 # Harden the runner used by this workflow
 # yamllint disable-line rule:line-length
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
 with:
 egress-policy: audit
 - name: Notify job start
 # yamllint disable-line rule:line-length
- uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9
+ uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0
 with:
 host: ${{ vars.GERRIT_SERVER }}
 username: ${{ vars.GERRIT_SSH_USER }}
@@ -81,6 +87,7 @@ jobs:
 cbom-create:
 name: 'Generate PQCA CBOM'
 runs-on: ubuntu-latest
+ if: always()
 needs: [notify]
 permissions:
 contents: write
@@ -89,7 +96,7 @@ jobs:
 steps:
 # Harden the runner used by this workflow
 # yamllint disable-line rule:line-length
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
 with:
 egress-policy: audit
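Review bot: `if: always()` on cbom-create (hunk @@ -81) makes the job run even when the workflow run is cancelled, which is broader than what is needed to run after a skipped notify job; the recommended form is `if: ${{ !cancelled() }}`, which still runs when notify is skipped or fails but honours cancellation. This matters a little more here because the job holds `contents: write`. The harden-runner and gerrit-review-action pin updates in the other two hunks look fine, since full-SHA pins with version comments are kept.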
@@ -100,8 +107,67 @@ jobs: gerrit-url: ${{ vars.GERRIT_URL }} delay: "0s" + - name: 'Find Python projects' + id: find-python + run: | + # Find all directories containing setup.py or pyproject.toml + PYTHON_DIRS=() + while IFS= read -r file; do + if [ -n "$file" ]; then + dir=$(dirname "$file" | sed 's|^\./||') + PYTHON_DIRS+=("$dir") + fi + done < <(find . -type f \( -name "setup.py" -o -name "pyproject.toml" \)) + + echo "Found ${#PYTHON_DIRS[@]} Python project(s)" + + if [ ${#PYTHON_DIRS[@]} -gt 0 ]; then + echo "has-python=true" >> "$GITHUB_OUTPUT" + echo "Python projects found in:" + printf '%s\n' "${PYTHON_DIRS[@]}" + + # Save directories for iteration + printf '%s\n' "${PYTHON_DIRS[@]}" > /tmp/python_dirs.txt + echo "DEBUG: has-python output set to: true" + else + echo "has-python=false" >> "$GITHUB_OUTPUT" + echo "No Python projects found" + echo "DEBUG: has-python output set to: false" + fi + + - name: 'Check for pom.xml' + id: check-pom-xml + # yamllint disable-line rule:line-length + uses: lfreleng-actions/path-check-action@9606e61c870025bc956e63156d1d55c5df54426c # v0.2.0 + with: + path: 'pom.xml' + + - name: 'Build Python projects' + id: python-build + if: steps.find-python.outputs.has-python == 'true' + run: | + # Build each Python project found + while IFS= read -r python_dir; do + echo "Building Python project in: $python_dir" + cd "$GITHUB_WORKSPACE/$python_dir" + + # Determine Python version and build + if [ -f "pyproject.toml" ]; then + echo "Using pyproject.toml build" + python -m pip install --upgrade pip build + python -m build + elif [ -f "setup.py" ]; then + echo "Using setup.py build" + python -m pip install --upgrade pip setuptools wheel + python setup.py sdist bdist_wheel + fi + + cd "$GITHUB_WORKSPACE" + done < /tmp/python_dirs.txt + - name: 'Extract project name from .gitreview' id: extract-project + if: steps.check-pom-xml.outputs.exists == 'true' run: | if [ -f .gitreview ]; then PROJECT_NAME=$(grep '^project=' .gitreview | cut -d'=' 
-f2 | sed 's/\.git$//' | tr '/' '-') @@ -113,23 +179,26 @@ jobs: fi - name: Load secret from 1Password + if: steps.check-pom-xml.outputs.exists == 'true' uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0 with: export-env: true env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - NEXUS_PASSWORD: op://elnqtgip7eqavqvgodjbiiaqd4/${{ steps.extract-project.outputs.project-name }}/password + NEXUS_PASSWORD: "op://elnqtgip7eqavqvgodjbiiaqd4/${{ steps.extract-project.outputs.project-name }}/password" - name: 'Output SHA1 sum of password' + if: steps.check-pom-xml.outputs.exists == 'true' env: NEXUS_PASSWORD: $NEXUS_PASSWORD run: | # Output SHA1 sum of password - VALUE_SHA1=$(echo -n "$NEXUS_PASSWORD" | sha1sum | awk '{print $1}') + VALUE_SHA1=$(printf '%s' "$NEXUS_PASSWORD" | shasum -a 1 | awk '{print $1}') echo "SHA1 sum of NEXUS_PASSWORD is: $VALUE_SHA1" - - name: 'Generate Maven global settings' + - name: 'Generate Maven global settings content' id: create-settings + if: steps.check-pom-xml.outputs.exists == 'true' env: NEXUS_PASSWORD: ${{ env.NEXUS_PASSWORD }} run: | @@ -141,8 +210,11 @@ jobs: echo "Error: .gitreview file not found" exit 1 fi - - cat > global-settings.xml << EOF + + # Generate settings content for maven-build-action + { + echo 'settings-content< 
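Review bot: The new 'Build Python projects' step installs `pip`, `build`, `setuptools` and `wheel` unpinned from the package index while every action in this workflow is pinned to a full SHA, so these build inputs are the one part of a job holding `contents: write` that is not reproducible; pin them, e.g. `python -m pip install --upgrade 'pip==<pinned-version>' 'build==<pinned-version>'` with the placeholders filled from the project's chosen versions. The `elif` branch still runs `python setup.py sdist bdist_wheel`, which current setuptools deprecates; `python -m build` handles setup.py-only projects as well, so both branches can collapse to a single `python -m build` call. The 'Find Python projects' step searches the whole checkout without excluding `.git` or test fixtures, so a `tests/…/setup.py` would be built as a project; adding `-not -path './.git/*'` to the `find` narrows that. No `setup-python` step is visible in this hunk, so the interpreter used is presumably the runner default; confirm that is intended. The hunk's last step ('Extract project name from .gitreview') is split across the line boundary above.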
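Review bot: The rewritten line `VALUE_SHA1=$(printf '%s' "$NEXUS_PASSWORD" | shasum -a 1 | awk '{print $1}')` (hunk @@ -113) still writes an unsalted SHA-1 of the Nexus credential into the job log; secret masking covers the value, not a digest of it, and a digest in a log is a fixed reference that can be compared against guesses offline, which is a poor trade for a presence check. If the intent is only to confirm the secret loaded, `if [ -z "$NEXUS_PASSWORD" ]; then echo "NEXUS_PASSWORD is empty"; exit 1; fi` followed by `echo "NEXUS_PASSWORD is set"` gives the same signal without emitting a digest. Separately, the step-level `env: NEXUS_PASSWORD: $NEXUS_PASSWORD` (unchanged context) appears to be a literal string at the YAML level rather than an expression, so what gets hashed may be the text `$NEXUS_PASSWORD` and not the secret; the following step's `${{ env.NEXUS_PASSWORD }}` is the form that resolves the exported value — worth confirming before relying on this output.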
@@ -204,21 +276,22 @@ jobs: EOF - { - echo 'settings-content<> $GITHUB_OUTPUT - name: 'Build with Maven' + if: steps.check-pom-xml.outputs.exists == 'true' + continue-on-error: true # yamllint disable-line rule:line-length - uses: lfreleng-actions/maven-build-action@main + uses: lfreleng-actions/maven-build-action@5be56aed8bed4f0bf9d699f2817eaef37c94ac02 # v0.2.0 with: - jdk-version: '17' + java-version: | + 17 + 21 distribution: 'temurin' - mvn-version: '3.8.2' + mvn-version: '3.9.5' mvn-phases: 'clean package' - mvn-params: '-DskipTests -Djib.skip=true' + mvn-params: '-DskipTests -Djib.skip=true --fail-at-end' # yamllint disable-line rule:line-length mvn-opts: '-Ddocker.push.registry=nexus3.onap.org:10003 -Ddocker.pull.registry=nexus3.onap.org:10003 -Dmaven.repo.local=/tmp/r -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn' global-settings: | @@ -228,6 +301,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: 'Create CBOM' + if: steps.check-pom-xml.outputs.exists == 'true' || steps.find-python.outputs.has-python == 'true' # yamllint disable-line rule:line-length uses: PQCA/cbomkit-action@fe04ae510fe80fcfa7d145859fcba8e5dbd0b649 # v2.1.2 id: cbom 
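Review bot: `continue-on-error: true` on 'Build with Maven' (hunk @@ -204) makes the job, and therefore the conclusion that report-status sends back to Gerrit, succeed even when the Maven build fails, and the CBOM is then produced from a partially built tree; `--fail-at-end` compounds this because later modules are attempted after an earlier failure. If the goal is to always attempt the CBOM, give the step `id: maven-build` and add a final step `if: steps.maven-build.outcome == 'failure'` whose `run: exit 1` fails the job, so the Gerrit vote still reflects the build result. Pinning maven-build-action to a full SHA instead of `@main` is a good fix for the floating-ref exposure the old line had. The start of this hunk, around the `settings-content` heredoc, appears garbled in this rendering and is not reviewed.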
@@ -244,22 +318,22 @@ jobs:
 if-no-files-found: warn
 report-status:
- if: ${{ always() }}
+ if: ${{ always() && github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true }}
 needs: [notify, cbom-create]
 runs-on: ubuntu-latest
 steps:
 # Harden the runner used by this workflow
 # yamllint disable-line rule:line-length
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
 with:
 egress-policy: audit
 - name: Get workflow conclusion
- uses: technote-space/workflow-conclusion-action@v3
+ uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
 - name: Report workflow conclusion
 # yamllint disable-line rule:line-length
- uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9
+ uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0
 with:
 host: ${{ vars.GERRIT_SERVER }}
 username: ${{ vars.GERRIT_SSH_USER }}
@@ -267,4 +341,4 @@ jobs:
 known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
 gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
 gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
- vote-type: ${{ env.WORKFLOW_CONCLUSION }}
\ No newline at end of file
+ vote-type: ${{ env.WORKFLOW_CONCLUSION }}
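Review bot: The report step's `vote-type: ${{ env.WORKFLOW_CONCLUSION }}` (hunk @@ -267) depends on the conclusion action exporting an environment variable, and hunk @@ -244 swaps `technote-space/workflow-conclusion-action@v3` for `im-open/workflow-conclusion` pinned at v2.2.3; confirm the replacement still sets `WORKFLOW_CONCLUSION` in the environment rather than only as a step output, and if it is output-only give the step `id: conclusion` and use `vote-type: ${{ steps.conclusion.outputs.<output-name> }}` with the name from that action's documentation. Pinning the conclusion action to a full SHA removes the floating `@v3` tag, which is the right direction for an action that feeds the Gerrit vote. Note that with `continue-on-error: true` on the Maven step in hunk @@ -204, the conclusion this job reports can be success even when the build failed.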