From 831ad6ea309b4deb58123f5cb3407eda69143a47 Mon Sep 17 00:00:00 2001 From: Matthew Watkins Date: Thu, 13 Nov 2025 12:14:08 +0000 Subject: [PATCH] CI: Update CBOM workflow Enumerates local repository information dynamically from the .gitreview file. Also updates all the workflow action calls, and now uses the centralised Maven build action (lfreleng-actions/maven-build-action). Issue-ID: CIMAN-33 Change-Id: I475d85d224556828b59756cebc7075898c5adab7 Signed-off-by: Matthew Watkins --- .github/workflows/gerrit-merge-cbom.yaml | 116 +++++++++++++++++-------------- 1 file changed, 64 insertions(+), 52 deletions(-) diff --git a/.github/workflows/gerrit-merge-cbom.yaml b/.github/workflows/gerrit-merge-cbom.yaml index 31e08941..d7616fd2 100644 --- a/.github/workflows/gerrit-merge-cbom.yaml +++ b/.github/workflows/gerrit-merge-cbom.yaml @@ -60,13 +60,13 @@ jobs: steps: # Harden the runner used by this workflow # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Notify job start # yamllint disable-line rule:line-length - uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8 + uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9 with: host: ${{ vars.GERRIT_SERVER }} username: ${{ vars.GERRIT_SSH_USER }} 
@@ -89,17 +89,36 @@ jobs: steps: # Harden the runner used by this workflow # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit + # yamllint disable-line rule:line-length + - uses: lfreleng-actions/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9 + with: + gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }} + gerrit-url: ${{ vars.GERRIT_URL }} + delay: "0s" + + - name: 'Extract project name from .gitreview' + id: extract-project + run: | + if [ -f .gitreview ]; then + PROJECT_NAME=$(grep '^project=' .gitreview | cut -d'=' -f2 | sed 's/\.git$//' | tr '/' '-') + echo "project-name=${PROJECT_NAME}" >> $GITHUB_OUTPUT + echo "Detected project: ${PROJECT_NAME}" + else + echo "Error: .gitreview file not found" + exit 1 + fi + - name: Load secret from 1Password uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0 with: export-env: true env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - NEXUS_PASSWORD: op://elnqtgip7eqavqvgodjbiiaqd4/ccsdk-apps/password + NEXUS_PASSWORD: op://elnqtgip7eqavqvgodjbiiaqd4/${{ steps.extract-project.outputs.project-name }}/password - name: 'Output SHA1 sum of password' env: 
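Review bot: The project name extracted in the new `extract-project` step is taken verbatim from `.gitreview` in the checked-out change and then used, unvalidated, as the item segment of the `op://elnqtgip7eqavqvgodjbiiaqd4/…/password` reference, so whatever lands in that file selects which item of the vault is read; nothing visible here restricts it to the calling project. An empty or multi-line match (missing `project=` line, or several of them) also passes straight into `$GITHUB_OUTPUT`, which is written unquoted. I would reject anything that is not a single plain item name before it reaches the 1Password step, and, if this workflow receives a Gerrit-supplied project identifier as an input (none is visible in this hunk), compare the two rather than trusting file content alone.

```yaml
      - name: 'Extract project name from .gitreview'
        id: extract-project
        run: |
          if [ ! -f .gitreview ]; then
            echo "Error: .gitreview file not found" >&2
            exit 1
          fi
          PROJECT_NAME=$(grep -m1 '^project=' .gitreview | cut -d'=' -f2- | sed 's/\.git$//' | tr '/' '-')
          # This value selects a 1Password item below: accept only a plain item name
          if ! printf '%s' "${PROJECT_NAME}" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*$'; then
            echo "Error: unexpected project name in .gitreview: '${PROJECT_NAME}'" >&2
            exit 1
          fi
          echo "project-name=${PROJECT_NAME}" >> "${GITHUB_OUTPUT}"
          echo "Detected project: ${PROJECT_NAME}"
```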
@@ -109,57 +128,46 @@ jobs: VALUE_SHA1=$(echo -n "$NEXUS_PASSWORD" | sha1sum | awk '{print $1}') echo "SHA1 sum of NEXUS_PASSWORD is: $VALUE_SHA1" - # yamllint disable-line rule:line-length - - uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9 - with: - gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }} - gerrit-url: ${{ vars.GERRIT_URL }} - delay: "0s" - - - name: 'Setup JDK' - # yamllint disable-line rule:line-length - uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 - with: - java-version: '17' - distribution: 'temurin' - - - name: 'Setup Maven' - # yamllint disable-line rule:line-length - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - java-version: '17' - maven-version: '3.8.2' - - - name: Create Maven global settings.xml + - name: 'Generate Maven global settings' + id: create-settings env: - NEXUS_PASSWORD: $NEXUS_PASSWORD + NEXUS_PASSWORD: ${{ env.NEXUS_PASSWORD }} run: | - cat > global-settings.xml << 'EOF' + # Extract project name from .gitreview file + if [ -f .gitreview ]; then + PROJECT_NAME=$(grep '^project=' .gitreview | cut -d'=' -f2 | sed 's/\.git$//' | tr '/' '-') + echo "Detected project: ${PROJECT_NAME}" + else + echo "Error: .gitreview file not found" + exit 1 + fi + + cat > global-settings.xml << EOF ecomp-releases - cps + ${PROJECT_NAME} ${NEXUS_PASSWORD} ecomp-snapshots - cps + ${PROJECT_NAME} ${NEXUS_PASSWORD} onap-releases - cps + ${PROJECT_NAME} ${NEXUS_PASSWORD} onap-snapshots - cps + ${PROJECT_NAME} ${NEXUS_PASSWORD} nexus3.onap.org:10003 - cps + ${PROJECT_NAME} ${NEXUS_PASSWORD} 
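Review bot: The new `create-settings` step re-parses `.gitreview` with a second copy of the grep/cut/sed/tr pipeline instead of consuming `steps.extract-project.outputs.project-name` from the step added earlier in the same job, so the two derivations can drift and any check applied to the first value is bypassed here. I would drop the `if [ -f .gitreview ]` block from this `run:` and instead add `PROJECT_NAME: ${{ steps.extract-project.outputs.project-name }}` under the step's `env:`, next to `NEXUS_PASSWORD`. Note also that the heredoc changed from `<< 'EOF'` to `<< EOF`, so the shell now substitutes the password verbatim into the XML; the element tags are not visible in this view, but a password containing `&` or `<` would presumably yield malformed settings, which is worth an XML-escape or a Maven-side `${env.NEXUS_PASSWORD}` reference instead.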
@@ -196,28 +204,32 @@ jobs: EOF + { + echo 'settings-content<> $GITHUB_OUTPUT - name: 'Build with Maven' - # When scanning Java code, the build should be completed beforehand - run: | - echo "Maven build starting with global settings" - cat global-settings.xml - mvn -B clean package -DskipTests \ - --global-settings global-settings.xml \ - -Ddocker.push.registry=nexus3.onap.org:10003 \ - -Ddocker.pull.registry=nexus3.onap.org:10003 \ - -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo \ - -Dmaven.repo.local=/tmp/r \ - -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r \ - -Djib.skip=true \ - -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn + # yamllint disable-line rule:line-length + uses: lfreleng-actions/maven-build-action@main + with: + jdk-version: '17' + distribution: 'temurin' + mvn-version: '3.8.2' + mvn-phases: 'clean package' + mvn-params: '-DskipTests -Djib.skip=true' + # yamllint disable-line rule:line-length + mvn-opts: '-Ddocker.push.registry=nexus3.onap.org:10003 -Ddocker.pull.registry=nexus3.onap.org:10003 -Dmaven.repo.local=/tmp/r -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r -DaltDeploymentRepository=staging::default::file:"${GITHUB_WORKSPACE}"/m2repo -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn' + global-settings: | + ${{ steps.create-settings.outputs.settings-content }} + run-jacoco: 'false' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NEXUS_PASSWORD: $NEXUS_PASSWORD - name: 'Create CBOM' # yamllint disable-line rule:line-length - uses: PQCA/cbomkit-action@a13ffe2a31c50dcc222ecc49d79897f5acff6d14 # v2.1.0 + uses: PQCA/cbomkit-action@fe04ae510fe80fcfa7d145859fcba8e5dbd0b649 # v2.1.2 id: cbom env: CBOMKIT_LANGUAGES: java, python # or java or python 
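Review bot: `uses: lfreleng-actions/maven-build-action@main` is the only unpinned action in this workflow, while every other `uses:` in the diff is pinned to a commit SHA with a version comment; this step is also the one handed the Nexus credential (inside `global-settings`) and `GITHUB_TOKEN`, so a push to that branch silently changes what runs with those secrets. Pin it the same way as the rest, e.g. `uses: lfreleng-actions/maven-build-action@<commit-sha> # vX.Y.Z`. Separately, the `settings-content` output now carries the plaintext password through `$GITHUB_OUTPUT`; whether it is masked in logs depends on the 1Password action having registered the value, which this hunk cannot confirm, and the multi-line output uses a fixed delimiter rather than a per-run random one as GitHub recommends. Keeping `${env.NEXUS_PASSWORD}` literal in the generated settings and letting Maven interpolate it would keep the secret out of the step output entirely.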
@@ -225,7 +237,7 @@ jobs: - name: 'Commit changes to new branch' # Allows persisting the CBOMs after job completion and # sharing them with another job in the same workflow. - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: 'CBOM' path: ${{ steps.cbom.outputs.pattern }} @@ -238,7 +250,7 @@ jobs: steps: # Harden the runner used by this workflow # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit @@ -247,7 +259,7 @@ jobs: - name: Report workflow conclusion # yamllint disable-line rule:line-length - uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8 + uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9 with: host: ${{ vars.GERRIT_SERVER }} username: ${{ vars.GERRIT_SSH_USER }} @@ -255,4 +267,4 @@ jobs: known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} - vote-type: ${{ env.WORKFLOW_CONCLUSION }} + vote-type: ${{ env.WORKFLOW_CONCLUSION }} \ No newline at end of file -- 2.16.6