From aba4ba16ae83b84b2a2c2a718a1cf4ba567314a0 Mon Sep 17 00:00:00 2001 From: Will Ratner <4613914+wratner@users.noreply.github.com> Date: Fri, 21 Feb 2025 09:51:13 -0500 Subject: [PATCH] chore(ci): update to silkbomb 2.0 (#2375) --- .evergreen.yml | 21 ++++++++++++++++--- ...download-crypt-shared-and-generate-sbom.sh | 16 +++++--------- 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/.evergreen.yml b/.evergreen.yml index d5c5657a94..8f6cd45894 100644 --- a/.evergreen.yml +++ b/.evergreen.yml @@ -3780,6 +3780,23 @@ functions: # - signature_tag (either 'signed' or 'unsigned') ### add_crypt_shared_and_sbom: + - command: ec2.assume_role + display_name: Assume IAM role with permissions to pull Kondukto API token + params: + role_arn: ${kondukto_role_arn} + - command: shell.exec + display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file + params: + silent: true + shell: bash + working_dir: src + include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] + script: | + set -e + # use AWS CLI to get the Kondukto API token from AWS Secrets Manager + kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) + # set the KONDUKTO_TOKEN environment variable + echo "KONDUKTO_TOKEN=$kondukto_token" > /tmp/kondukto_credentials.env - command: subprocess.exec params: working_dir: src @@ -3791,9 +3808,7 @@ functions: ARTIFACTORY_USERNAME: ${artifactory_username} ARTIFACTORY_PASSWORD: ${artifactory_password} # for Silk SBOM integration - SILK_ASSET_GROUP: mongosh-${executable_os_id} - SILK_CLIENT_ID: ${silk_client_id} - SILK_CLIENT_SECRET: ${silk_client_secret} + KONDUKTO_BRANCH: ${branch_name}_${executable_os_id} create_static_analysis_report: - command: s3.get params: diff --git a/.evergreen/download-crypt-shared-and-generate-sbom.sh b/.evergreen/download-crypt-shared-and-generate-sbom.sh index 71b24f9380..a74d52f321 100755 
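Review bot: The token file written by the new shell.exec step, `echo "KONDUKTO_TOKEN=$kondukto_token" > /tmp/kondukto_credentials.env`, is created with the step's default umask in a shared /tmp path, so under the usual 022 umask the secret is world-readable from this step until the download script's trap removes it. Restricting the mode at creation is a one-line change: add `umask 077` to the script before the `echo` line (or pre-create the file with `install -m 600 /dev/null /tmp/kondukto_credentials.env`). Because the cleanup lives in a different file and a later step, a failure between this step and the following subprocess.exec would presumably leave the file behind; removing any existing copy at the start of this script would also prevent a stale token from being reused. The `### add_crypt_shared_and_sbom:` parameter list just above the hunk may warrant a new entry for the `kondukto_role_arn` expansion this step now requires, though most of that list is outside the hunk.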
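Review bot: The context comment directly above the new `KONDUKTO_BRANCH: ${branch_name}_${executable_os_id}` entry still reads `# for Silk SBOM integration`, but the removed SILK_* variables were the last thing it described, so the comment is stale after this change. Suggest `# for Kondukto SBOM integration (branch name used by silkbomb augment)`. It would also help a reader of this env block to note in the same comment that the Kondukto token is deliberately not passed here but is read by the script from /tmp/kondukto_credentials.env, since otherwise the absence of a token variable looks like an omission.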
--- a/.evergreen/download-crypt-shared-and-generate-sbom.sh +++ b/.evergreen/download-crypt-shared-and-generate-sbom.sh @@ -11,21 +11,15 @@ cat dist/.purls.txt set +x echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin -cat << EOF > silkbomb.env -SILK_CLIENT_ID=${SILK_CLIENT_ID} -SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET} -EOF set -x trap_handler() { - rm -f silkbomb.env + rm -f /tmp/kondukto_credentials.env } trap trap_handler ERR EXIT -docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 -docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \ +docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 +docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update \ --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json -docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \ - --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json -docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \ - --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json +docker run --env-file /tmp/kondukto_credentials.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 augment \ + --repo mongodb-js/mongosh --branch ${KONDUKTO_BRANCH} --sbom-in /pwd/dist/.sbom-lite.json --sbom-out /pwd/dist/.sbom.json
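Review bot: In the new `augment` invocation `${KONDUKTO_BRANCH}` is expanded unquoted, so a branch name containing whitespace or glob characters would be word-split by the shell before it reaches silkbomb; write it `--branch "${KONDUKTO_BRANCH}"`, matching how `${ARTIFACTORY_USERNAME}` is quoted earlier in the same file. The script now also consumes and deletes `/tmp/kondukto_credentials.env`, a file created by a separate Evergreen step; `docker run --env-file` will fail if it is missing, but an explicit check such as `[ -r /tmp/kondukto_credentials.env ] || { echo "kondukto credentials file missing" >&2; exit 1; }` before the `docker pull` gives a clearer failure and documents the cross-step dependency. Since the trap only removes the file on ERR/EXIT of this script, the token remains on disk for the whole `update` and `augment` run, which is one more reason the file should be created with restrictive permissions by the step that writes it.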