From: ModeSevenIndustrialSolutions Date: Fri, 26 Sep 2025 11:38:59 +0000 (+0100) Subject: CI: Add gerrit-merge-cbom.yaml workflow X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;p=ccsdk%2Fapps.git CI: Add gerrit-merge-cbom.yaml workflow Issue-ID: CIMAN-33 Change-Id: Idb98a3036497db360a9264765e5df5a6adc6e231 Signed-off-by: ModeSevenIndustrialSolutions --- diff --git a/.github/workflows/gerrit-merge-cbom.yaml b/.github/workflows/gerrit-merge-cbom.yaml new file mode 100644 index 00000000..31e08941 --- /dev/null +++ b/.github/workflows/gerrit-merge-cbom.yaml 
@@ -0,0 +1,258 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+name: '🔑 Generate PQCA CBOM'
+
+on:
+ push:
+ branches:
+ - master
+
+ workflow_dispatch:
+ inputs:
+ GERRIT_BRANCH:
+ description: "Branch that change is against"
+ required: true
+ type: string
+ GERRIT_CHANGE_ID:
+ description: "The ID for the change"
+ required: true
+ type: string
+ GERRIT_CHANGE_NUMBER:
+ description: "The Gerrit number"
+ required: true
+ type: string
+ GERRIT_CHANGE_URL:
+ description: "URL to the change"
+ required: true
+ type: string
+ GERRIT_EVENT_TYPE:
+ description: "Type of Gerrit event"
+ required: true
+ type: string
+ GERRIT_PATCHSET_NUMBER:
+ description: "The patch number for the change"
+ required: true
+ type: string
+ GERRIT_PATCHSET_REVISION:
+ description: "The revision sha"
+ required: true
+ type: string
+ GERRIT_PROJECT:
+ description: "Project in Gerrit"
+ required: true
+ type: string
+ GERRIT_REFSPEC:
+ description: "Gerrit refspec of change"
+ required: true
+ type: string
+
+permissions: {}
+
+concurrency:
+ group: "gerrit-merge-cbom-${{ github.workflow }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}"
+ cancel-in-progress: true
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
+ - name: Notify job start
+ # yamllint disable-line rule:line-length
+ uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
+ with:
+ host: ${{ vars.GERRIT_SERVER }}
+ username: ${{ vars.GERRIT_SSH_USER }}
+ key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+ known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+ gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+ gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+ vote-type: clear
+ - name: Allow replication
+ run: sleep 10s
+
+ cbom-create:
+ name: 'Generate PQCA CBOM'
+ runs-on: ubuntu-latest
+ needs: [notify]
+ permissions:
+ contents: write
+ pull-requests: write
+ timeout-minutes: 45 # Set this timeout value as needed
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
+ - name: Load secret from 1Password
+ uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0
+ with:
+ export-env: true
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+ NEXUS_PASSWORD: op://elnqtgip7eqavqvgodjbiiaqd4/ccsdk-apps/password
+
+ - name: 'Output SHA1 sum of password'
+ env:
+ NEXUS_PASSWORD: $NEXUS_PASSWORD
+ run: |
+ # Output SHA1 sum of password
+ VALUE_SHA1=$(echo -n "$NEXUS_PASSWORD" | sha1sum | awk '{print $1}')
+ echo "SHA1 sum of NEXUS_PASSWORD is: $VALUE_SHA1"
+
+ # yamllint disable-line rule:line-length
+ - uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
+ with:
+ gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
+ gerrit-url: ${{ vars.GERRIT_URL }}
+ delay: "0s"
+
+ - name: 'Setup JDK'
+ # yamllint disable-line rule:line-length
+ uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - name: 'Setup Maven'
+ # yamllint disable-line rule:line-length
+ uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0
+ with:
+ java-version: '17'
+ maven-version: '3.8.2'
+
+ - name: Create Maven global settings.xml
+ env:
+ NEXUS_PASSWORD: $NEXUS_PASSWORD
+ run: |
+ cat > global-settings.xml << 'EOF'
+
+
+
+ ecomp-releases
+ cps
+ ${NEXUS_PASSWORD}
+
+
+ ecomp-snapshots
+ cps
+ ${NEXUS_PASSWORD}
+
+
+ onap-releases
+ cps
+ ${NEXUS_PASSWORD}
+
+
+ onap-snapshots
+ cps
+ ${NEXUS_PASSWORD}
+
+
+ nexus3.onap.org:10003
+ cps
+ ${NEXUS_PASSWORD}
+
+
+
+
onap-public
+ *
+ https://nexus.onap.org/content/groups/public/
+
+
+
+
+ onap-nexus
+
+
+ onap-public
+ https://nexus.onap.org/content/groups/public/
+ true
+ true
+
+
+
+
+ onap-public
+ https://nexus.onap.org/content/groups/public/
+ true
+ true
+
+
+
+
+
+ onap-nexus
+
+
+ EOF
+
+ - name: 'Build with Maven'
+ # When scanning Java code, the build should be completed beforehand
+ run: |
+ echo "Maven build starting with global settings"
+ cat global-settings.xml
+ mvn -B clean package -DskipTests \
+ --global-settings global-settings.xml \
+ -Ddocker.push.registry=nexus3.onap.org:10003 \
+ -Ddocker.pull.registry=nexus3.onap.org:10003 \
+ -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo \
+ -Dmaven.repo.local=/tmp/r \
+ -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r \
+ -Djib.skip=true \
+ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NEXUS_PASSWORD: $NEXUS_PASSWORD
+
+ - name: 'Create CBOM'
+ # yamllint disable-line rule:line-length
+ uses: PQCA/cbomkit-action@a13ffe2a31c50dcc222ecc49d79897f5acff6d14 # v2.1.0
+ id: cbom
+ env:
+ CBOMKIT_LANGUAGES: java, python # or java or python
+
+ - name: 'Commit changes to new branch'
+ # Allows persisting the CBOMs after job completion and
+ # sharing them with another job in the same workflow.
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: 'CBOM'
+ path: ${{ steps.cbom.outputs.pattern }}
+ if-no-files-found: warn
+
+ report-status:
+ if: ${{ always() }}
+ needs: [notify, cbom-create]
+ runs-on: ubuntu-latest
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
+ - name: Get workflow conclusion
+ uses: technote-space/workflow-conclusion-action@v3
+
+ - name: Report workflow conclusion
+ # yamllint disable-line rule:line-length
+ uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
+ with:
+ host: ${{ vars.GERRIT_SERVER }}
+ username: ${{ vars.GERRIT_SSH_USER }}
+ key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+ known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+ gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+ gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+ vote-type: ${{ env.WORKFLOW_CONCLUSION }}
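Review bot: The 'Output SHA1 sum of password' step in cbom-create writes an unsalted SHA-1 of the Nexus credential into the job log, and a fast hash of a secret in a workflow log (public for this project, as far as I can tell) is an offline-cracking target, so the step should be deleted rather than kept as a diagnostic; note too that the step-level `NEXUS_PASSWORD: $NEXUS_PASSWORD` is not shell-expanded by the runner, so it likely shadows the value exported by load-secrets-action with that literal string, which is why the same override on the settings.xml and Maven steps should also go and `export-env: true` be relied on instead. The cbom-create job declares `contents: write` and `pull-requests: write` but only builds and calls upload-artifact (the step named 'Commit changes to new branch' does not commit), while checking out a refspec taken from `workflow_dispatch` inputs with `GITHUB_TOKEN` and the Nexus password in the environment; `permissions:` / `contents: read` is enough and limits what a malicious patchset's Maven plugins can do with the token. `cat global-settings.xml` in the build step is unnecessary output; the quoted `'EOF'` heredoc means it only prints the placeholder today, but it would print the credential the moment someone unquotes the delimiter. Finally, `technote-space/workflow-conclusion-action@v3` in report-status is the only action not pinned to a commit SHA; pin it like the others (`uses: technote-space/workflow-conclusion-action@<full-commit-sha> # v3`) so a moved tag cannot change the code that runs in the same job as the Gerrit SSH key.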