From 613dbb7900ab27f0e73c6681b9b6c921fd190c89 Mon Sep 17 00:00:00 2001 From: Matthew Watkins Date: Thu, 13 Nov 2025 12:19:57 +0000 Subject: [PATCH] CI: Update CBOM workflow Enumerates local repository information dynamically from the .gitreview file. Also updates all the workflow action calls, and now uses the centralised Maven build action (lfreleng-actions/maven-build-action). Issue-ID: CIMAN-33 Change-Id: I277112c8e56c83eca5cb1ef83b3f2f47a5705207 Signed-off-by: Matthew Watkins --- .github/workflows/cbom.yaml | 150 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 .github/workflows/cbom.yaml diff --git a/.github/workflows/cbom.yaml b/.github/workflows/cbom.yaml new file mode 100644 index 00000000..081f0c7f --- /dev/null +++ b/.github/workflows/cbom.yaml 
@@ -0,0 +1,150 @@ +--- +# SPDX-License-Identifier: Apache-2.0 +# SPDX-FileCopyrightText: 2025 The Linux Foundation + +name: '🔑 Generate PQCA CBOM' + +on: + workflow_dispatch: + push: + branches: + - master + +permissions: {} + +concurrency: + group: "${{ github.workflow }}-${{ github.ref }}" + cancel-in-progress: true + +jobs: + cbom-scan: + name: 'Generate PQCA CBOM' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + timeout-minutes: 45 # Set this timeout value as needed + steps: + + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + with: + egress-policy: audit + + - name: 'Checkout repository' + # yamllint disable-line rule:line-length + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: 'Setup JDK' + # yamllint disable-line rule:line-length + uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 + with: + java-version: '17' + distribution: 'temurin' + + - name: 'Setup Maven' + # yamllint disable-line rule:line-length + uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 + with: + java-version: '17' + maven-version: '3.8.2' + + - name: Create Maven global settings.xml + run: | + cat > global-settings.xml << 'EOF' + + + + ecomp-releases + cps + ${{ secrets.NEXUS_PASSWORD }} + + + ecomp-snapshots + cps + ${{ secrets.NEXUS_PASSWORD }} + + + onap-releases + cps + ${{ secrets.NEXUS_PASSWORD }} + + + onap-snapshots + cps + ${{ secrets.NEXUS_PASSWORD }} + + + nexus3.onap.org:10003 + cps + ${{ secrets.NEXUS_PASSWORD }} + + + + + onap-public + * + https://nexus.onap.org/content/groups/public/ + + + + + onap-nexus + + + onap-public + https://nexus.onap.org/content/groups/public/ + true + true + + + + + onap-public + https://nexus.onap.org/content/groups/public/ + true + true + + + + + + onap-nexus + + + EOF + + - name: 'Build with 
Maven' + # When scanning Java code, the build should be completed beforehand + run: | + echo "Maven build starting with global settings" + cat global-settings.xml + mvn -B clean package -DskipTests \ + --global-settings global-settings.xml \ + -Ddocker.push.registry=nexus3.onap.org:10003 \ + -Ddocker.pull.registry=nexus3.onap.org:10003 \ + -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo \ + -Dmaven.repo.local=/tmp/r \ + -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r \ + -Djib.skip=true \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} + + - name: 'Create CBOM' + # yamllint disable-line rule:line-length + uses: PQCA/cbomkit-action@a13ffe2a31c50dcc222ecc49d79897f5acff6d14 # v2.1.0 + id: cbom + env: + CBOMKIT_LANGUAGES: java, python # or java or python + + - name: 'Commit changes to new branch' + # Allows persisting the CBOMs after job completion and + # sharing them with another job in the same workflow. + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: 'CBOM' + path: ${{ steps.cbom.outputs.pattern }} + if-no-files-found: warn -- 2.16.6
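Review bot: The job grants `contents: write` and `pull-requests: write`, yet no step in the hunk commits, pushes or opens a pull request — the step named 'Commit changes to new branch' only runs actions/upload-artifact — so the token is over-privileged and the step name is misleading; `contents: read` (needed by actions/checkout) with `pull-requests: write` dropped, and the step renamed to `'Upload CBOM artifact'`, matches what the code does. The 'Create Maven global settings.xml' step also inlines `${{ secrets.NEXUS_PASSWORD }}` five times into a file written to the workspace, which the build step then prints with `cat global-settings.xml`, relying on log masking to keep it out of the job log; since the build step already exports `NEXUS_PASSWORD` in `env:`, the settings file can reference `${env.NEXUS_PASSWORD}` instead and the `cat` line can be removed. Separately, the commit message describes reading `.gitreview` and calling `lfreleng-actions/maven-build-action`, but this hunk does neither (it pins `s4u/setup-maven-action` and runs an inline `mvn` command), so either the description or the workflow appears out of date. The settings.xml element names around the credential values did not survive in this rendering of the hunk, so only the values themselves could be reviewed.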