From 68bb5a0467683ab881ef53bb0efd3e4695050b12 Mon Sep 17 00:00:00 2001
From: Russ Poetker
Date: Mon, 2 Dec 2024 13:32:20 -0500
Subject: [PATCH 1/6] Add create_sbom input to node-build action

---
 .github/actions/node-build/action.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/actions/node-build/action.yml b/.github/actions/node-build/action.yml
index 72dc342..ff10651 100644
--- a/.github/actions/node-build/action.yml
+++ b/.github/actions/node-build/action.yml
@@ -9,10 +9,10 @@ inputs:
 env_path:
 description: 'Path to .env file'
 required: true
- is_dev:
- description: 'Is dev build'
+ create_sbom:
+ description: 'Create SBOM'
 required: false
- default: "false"
+ default: "true"

 runs:
 using: composite
@@ -26,9 +26,12 @@ runs:
 working-directory: ${{ inputs.repository_dir }}
 env:
 ENV_FILE_PATH: ${{ inputs.env_path }}
- IS_DEV: ${{ inputs.is_dev }}
+ CREATE_SBOM: ${{ inputs.create_sbom }}
 run: |
 export $(grep -v '^[#|SIGNING|PASS_CORE_POLICY]' $ENV_FILE_PATH | xargs -d '\n')
 pnpm install --frozen-lockfile
 pnpm run build
+ if [ "CREATE_SBOM" == "true" ]; then
+ pnpm run create_sbom
+ fi
 pnpm run build:docker

From d827a09981bd615f12f29825e1c1999a1ce5a69b Mon Sep 17 00:00:00 2001
From: Russ Poetker
Date: Mon, 2 Dec 2024 14:04:23 -0500
Subject: [PATCH 2/6] Remove is_dev input

It is obsolete
---
 .github/workflows/pass-complete-release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/pass-complete-release.yml b/.github/workflows/pass-complete-release.yml
index 87ad357..5e7bd3f 100644
--- a/.github/workflows/pass-complete-release.yml
+++ b/.github/workflows/pass-complete-release.yml
@@ -200,7 +200,6 @@ jobs:
 with:
 repository_dir: combined/pass-ui
 env_path: ../pass-docker/.env
- is_dev: "true"

 - name: Push Snapshot Docker images to GHCR ~ pass-ui
 if: ${{ ! env.PASS_UI_TAG_EXISTS }}

From 591c46c371ba1e14b9bdff027fee5ff36666422e Mon Sep 17 00:00:00 2001
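Review bot: The new `create_sbom` input is documented only as 'Create SBOM', but it is a string that the action honours only when it equals exactly "true", and its default of "true" turns on an extra build step for every caller that does not set it. A fuller description would spare callers reading the run script, e.g. `description: 'Set to "true" to run "pnpm run create_sbom" after the build, "false" to skip it'`. The `runs:` section that consumes the input continues past this hunk.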
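Review bot: The new guard `if [ "CREATE_SBOM" == "true" ]; then` compares the literal string CREATE_SBOM with "true", so it is always false and `pnpm run create_sbom` never runs regardless of the input; the variable needs a dollar sign: `if [ "$CREATE_SBOM" = "true" ]; then`. Using `=` instead of `==` keeps the test valid under a POSIX shell as well; the step's `shell:` line is outside this hunk, so I cannot tell which shell runs it. The same guard is carried as context in patches 3 and 6, so the `rm -f` they add never runs either until this is fixed.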
From: Russ Poetker
Date: Tue, 3 Dec 2024 10:04:24 -0500
Subject: [PATCH 3/6] Remove sbom before create

---
 .github/actions/node-build/action.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/actions/node-build/action.yml b/.github/actions/node-build/action.yml
index ff10651..a5a5c07 100644
--- a/.github/actions/node-build/action.yml
+++ b/.github/actions/node-build/action.yml
@@ -32,6 +32,7 @@ runs:
 pnpm install --frozen-lockfile
 pnpm run build
 if [ "CREATE_SBOM" == "true" ]; then
+ rm -f *-cyclonedx.json
 pnpm run create_sbom
 fi
 pnpm run build:docker

From 534252ba78c0a71837fcc14b627924a8c005f177 Mon Sep 17 00:00:00 2001
From: Russ Poetker
Date: Tue, 3 Dec 2024 14:55:55 -0500
Subject: [PATCH 4/6] Upload sboms to gh release

---
 .github/workflows/pass-complete-release.yml | 24 +++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pass-complete-release.yml b/.github/workflows/pass-complete-release.yml
index 5e7bd3f..f1b2113 100644
--- a/.github/workflows/pass-complete-release.yml
+++ b/.github/workflows/pass-complete-release.yml
@@ -160,8 +160,24 @@ jobs:
 gh release create "$RELEASE" --repo=eclipse-pass/main --generate-notes
 gh release delete "$RELEASE" --repo=eclipse-pass/pass-core || true
 gh release create "$RELEASE" --repo=eclipse-pass/pass-core --generate-notes
+ cp combined/pass-core/pass-core-main/target/classes/META-INF/sbom/application.cdx.json pass-core-main-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-core pass-core-main-$RELEASE-cyclonedx-sbom.json
 gh release delete "$RELEASE" --repo=eclipse-pass/pass-support || true
 gh release create "$RELEASE" --repo=eclipse-pass/pass-support --generate-notes
+ cp combined/pass-support/pass-data-client/target/classes/META-INF/sbom/application.cdx.json pass-data-client-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support pass-data-client-$RELEASE-cyclonedx-sbom.json
+ cp combined/pass-support/pass-deposit-services/deposit-core/target/classes/META-INF/sbom/application.cdx.json deposit-core-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support deposit-core-$RELEASE-cyclonedx-sbom.json
+ cp combined/pass-support/pass-grant-loader/target/classes/META-INF/sbom/application.cdx.json pass-grant-loader-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support pass-grant-loader-$RELEASE-cyclonedx-sbom.json
+ cp combined/pass-support/pass-journal-loader/pass-journal-loader-nih/target/classes/META-INF/sbom/application.cdx.json pass-journal-loader-nih-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support pass-journal-loader-nih-$RELEASE-cyclonedx-sbom.json
+ cp combined/pass-support/pass-nihms-loader/nihms-data-harvest/target/classes/META-INF/sbom/application.cdx.json nihms-data-harvest-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support nihms-data-harvest-$RELEASE-cyclonedx-sbom.json
+ cp combined/pass-support/pass-nihms-loader/nihms-data-transform-load/target/classes/META-INF/sbom/application.cdx.json nihms-data-transform-load-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support nihms-data-transform-load-$RELEASE-cyclonedx-sbom.json
+ cp combined/pass-support/pass-notification-service/target/classes/META-INF/sbom/application.cdx.json pass-notification-service-$RELEASE-cyclonedx-sbom.json
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-support pass-notification-service-$RELEASE-cyclonedx-sbom.json
 env:
 GITHUB_TOKEN: ${{ secrets.JAVA_RELEASE_PAT }}

@@ -183,7 +199,9 @@ jobs:

 - name: Push Release Docker images to GHCR ~ pass-ui
 if: ${{ ! env.PASS_UI_TAG_EXISTS }}
- run: docker push ghcr.io/eclipse-pass/pass-ui:$RELEASE
+ run: |
+ docker push ghcr.io/eclipse-pass/pass-ui:$RELEASE
+ cp combined/pass-ui/pass-ui-$RELEASE-cyclonedx-sbom.json pass-ui-$RELEASE-cyclonedx-sbom.json

 - name: Set Snapshot/commit ~ pass-ui
 if: ${{ ! env.PASS_UI_TAG_EXISTS }}
@@ -211,7 +229,9 @@ jobs:

 - name: Create GitHub main release ~ pass-ui
 if: ${{ ! env.PASS_UI_TAG_EXISTS }}
- run: gh release create "$RELEASE" --repo=eclipse-pass/pass-ui --generate-notes
+ run: |
+ gh release create "$RELEASE" --repo=eclipse-pass/pass-ui --generate-notes
+ gh release upload "$RELEASE" --repo=eclipse-pass/pass-ui pass-ui-$RELEASE-cyclonedx-sbom.json
 env:
 GITHUB_TOKEN: ${{ secrets.JAVA_RELEASE_PAT }}

From e25cedb3cead030908613f40f2a1814fa6588c0f Mon Sep 17 00:00:00 2001
From: Russ Poetker
Date: Tue, 3 Dec 2024 15:06:46 -0500
Subject: [PATCH 5/6] Add -sbom to maven cyclonedx plugin classifier

---
 pom.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pom.xml b/pom.xml
index f367f04..cf73dd6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -298,6 +298,7 @@ ${project.build.outputDirectory}/META-INF/sbom json application.cdx + cyclonedx-sbom

From b8903921ceb53bc3e178c83c07e6867cd26f0b7e Mon Sep 17 00:00:00 2001
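Review bot: The eight new copy-and-upload pairs differ only in the module directory and the target repo, and every asset name is the module's basename followed by `-$RELEASE-cyclonedx-sbom.json`, so the step is easier to keep correct with a small shell helper and a list of module directories than with sixteen near-identical lines. Quoting `"$RELEASE"` and the paths inside the helper also removes the unquoted expansions in the added `cp` lines. Behaviour is otherwise the same: if the step runs under the default `bash -e`, a missing `application.cdx.json` still fails the step after the releases have been created, but the loop makes it obvious which module is missing. The enclosing `run: |` block begins before this hunk.

```yaml
# … unchanged: gh release create for eclipse-pass/main …
upload_sbom() {  # $1 = repo, $2 = module dir; the asset is named after the module's basename
  local asset="$(basename "$2")-$RELEASE-cyclonedx-sbom.json"
  cp "$2/target/classes/META-INF/sbom/application.cdx.json" "$asset"
  gh release upload "$RELEASE" --repo="eclipse-pass/$1" "$asset"
}
gh release delete "$RELEASE" --repo=eclipse-pass/pass-core || true
gh release create "$RELEASE" --repo=eclipse-pass/pass-core --generate-notes
upload_sbom pass-core combined/pass-core/pass-core-main
gh release delete "$RELEASE" --repo=eclipse-pass/pass-support || true
gh release create "$RELEASE" --repo=eclipse-pass/pass-support --generate-notes
for module in \
  combined/pass-support/pass-data-client \
  combined/pass-support/pass-deposit-services/deposit-core \
  combined/pass-support/pass-grant-loader \
  combined/pass-support/pass-journal-loader/pass-journal-loader-nih \
  combined/pass-support/pass-nihms-loader/nihms-data-harvest \
  combined/pass-support/pass-nihms-loader/nihms-data-transform-load \
  combined/pass-support/pass-notification-service; do
  upload_sbom pass-support "$module"
done
# … unchanged: env / GITHUB_TOKEN …
```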
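Review bot: The added `cp combined/pass-ui/pass-ui-$RELEASE-cyclonedx-sbom.json pass-ui-$RELEASE-cyclonedx-sbom.json` sits in the "Push Release Docker images" step but only stages a file for the release step further down, so a missing SBOM now aborts the image push instead of the release upload that actually needs it. Moving that copy into the release step (the next hunk in this file, right before its `gh release upload`) keeps the push step a single `docker push` as before and fails at the point of use. The file name presumably comes from the `pnpm run create_sbom` script in the node-build action, which is not visible here.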
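Review bot: `gh release create` accepts asset files as positional arguments after the tag, so the new two-line `run: |` block can stay a single command and the asset is attached atomically with the release: `run: gh release create "$RELEASE" --repo=eclipse-pass/pass-ui --generate-notes "pass-ui-$RELEASE-cyclonedx-sbom.json"`. Whichever form is kept, quoting the asset name avoids word splitting on `$RELEASE`, which is quoted everywhere else in the step but not in the file name on the upload line.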
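Review bot: The added `cyclonedx-sbom` classifier presumably renames the BOM artifact that the plugin attaches to the Maven build, but from the visible `META-INF/sbom` output directory and `application.cdx` output name it does not change the path the release workflow copies from (`target/classes/META-INF/sbom/application.cdx.json`); the element names are not recoverable from this rendering, so that is an inference. A one-line comment next to the output name, such as `<!-- pass-complete-release.yml copies META-INF/sbom/application.cdx.json; keep outputName and the workflow in sync -->`, would keep the two from drifting. The surrounding plugin configuration starts and ends outside this hunk.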
From: Russ Poetker
Date: Tue, 3 Dec 2024 15:11:37 -0500
Subject: [PATCH 6/6] Update node-build for new sbom filename

---
 .github/actions/node-build/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/node-build/action.yml b/.github/actions/node-build/action.yml
index a5a5c07..ba0d24c 100644
--- a/.github/actions/node-build/action.yml
+++ b/.github/actions/node-build/action.yml
@@ -32,7 +32,7 @@ runs:
 pnpm install --frozen-lockfile
 pnpm run build
 if [ "CREATE_SBOM" == "true" ]; then
- rm -f *-cyclonedx.json
+ rm -f *-cyclonedx-sbom.json
 pnpm run create_sbom
 fi
 pnpm run build:docker