feature/143-aai-eft Generate and merge SBOMs (squash later)

puzzle · Oct 24, 2024 · 8e97873 · 8e97873
1 parent 240de8c
commit 8e97873
Showing 1 changed file with 89 additions and 92 deletions.
diff --git a/.github/workflows/release-docker-image.yml b/.github/workflows/release-docker-image.yml
@@ -2,99 +2,99 @@ name: Release Docker Image
 
 on:
   push:
-#    tags:
-#      - '[0-9]+.[0-9]+.[0-9]+.[a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9]'
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+.[a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9][a-fA-F0-9]'
 
 jobs:
-#  create-release:
-#    runs-on: ubuntu-24.04
-#    permissions:
-#      packages: write
-#      id-token: write
-#      contents: write
-#      attestations: write
-#    steps:
-#      - name: Checkout
-#        uses: actions/checkout@v4
-#        with:
-#          ref: ${{ github.sha }}
-#
-#      - name: Set up JDK 21
-#        uses: actions/setup-java@v4
-#        with:
-#          java-version: 21
-#          distribution: 'temurin'
-#
-#      - name: Store semver version from POM
-#        run: echo "SEMVER_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout | cut -d '-' -f 1)" >> $GITHUB_ENV
-#
-#      - name: Store short commit hash
-#        run: echo "SHORT_COMMIT_HASH=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
-#
-#      - name: Assert semver version matches version in pom
-#        run: |
-#          semver_version_from_tag=$(echo ${{ github.ref_name }} | cut -d "." -f 1-3)
-#          if [[ "$semver_version_from_tag" != ${{ env.SEMVER_VERSION }} ]]; then
-#            echo "Warning: Canceling workflow because semver version from tag didn't match semver version in pom"
-#            exit 1
-#          fi
-#
-#      - name: Assert short commit hash is correct
-#        run: |
-#          hash_from_tag=$(echo ${{ github.ref_name }} | cut -d "." -f 4)
-#          if [[ "$hash_from_tag" != ${{ env.SHORT_COMMIT_HASH }} ]]; then
-#            echo "Warning: Canceling workflow because short commit hash from tag didn't match short commit hash of tagged commit"
-#            exit 1
-#          fi
-#
-#      - name: Build and test jar
-#        run: mvn clean package
-#
-#      - name: Create release
-#        env:
-#          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-#          RELEASE_TAG: ${{ env.SEMVER_VERSION }}.${{ env.SHORT_COMMIT_HASH }}
-#        run: gh release create ${{ env.RELEASE_TAG }} --title ${{ github.event.repository.name }} --verify-tag
-#
-#      - name: Login to GHCR
-#        uses: docker/login-action@v3
-#        with:
-#          registry: ghcr.io
-#          username: ${{ github.actor }}
-#          password: ${{ secrets.GITHUB_TOKEN }}
-#
-#      - name: Build and push application Docker image
-#        id: push-app
-#        uses: docker/build-push-action@v6
-#        with:
-#          context: .
-#          push: true
-#          tags: ghcr.io/${{ github.repository }}:${{ env.SEMVER_VERSION }}.${{ env.SHORT_COMMIT_HASH }}
-#
-#      - name: Build and push Shibboleth Docker image
-#        id: push-shibboleth
-#        uses: docker/build-push-action@v6
-#        with:
-#            context: ./shibboleth
-#            push: true
-#            tags: ghcr.io/${{ github.repository }}:${{ env.SEMVER_VERSION }}.${{ env.SHORT_COMMIT_HASH }}
-#
-#      - name: Generate artifact attestation for application
-#        uses: actions/attest-build-provenance@v1
-#        with:
-#          subject-name: ghcr.io/${{ github.repository }}
-#          subject-digest: ${{ steps.push-app.outputs.digest }}
-#          push-to-registry: true
-#
-#      - name: Generate artifact attestation for Shibboleth
-#        uses: actions/attest-build-provenance@v1
-#        with:
-#          subject-name: ghcr.io/${{ github.repository }}
-#          subject-digest: ${{ steps.push-shibboleth.outputs.digest }}
-#          push-to-registry: true
+  create-release:
+    runs-on: ubuntu-24.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: write
+      attestations: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }}
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+
+      - name: Store semver version from POM
+        run: echo "SEMVER_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout | cut -d '-' -f 1)" >> $GITHUB_ENV
+
+      - name: Store short commit hash
+        run: echo "SHORT_COMMIT_HASH=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
+
+      - name: Assert semver version matches version in pom
+        run: |
+          semver_version_from_tag=$(echo ${{ github.ref_name }} | cut -d "." -f 1-3)
+          if [[ "$semver_version_from_tag" != ${{ env.SEMVER_VERSION }} ]]; then
+            echo "Warning: Canceling workflow because semver version from tag didn't match semver version in pom"
+            exit 1
+          fi
+
+      - name: Assert short commit hash is correct
+        run: |
+          hash_from_tag=$(echo ${{ github.ref_name }} | cut -d "." -f 4)
+          if [[ "$hash_from_tag" != ${{ env.SHORT_COMMIT_HASH }} ]]; then
+            echo "Warning: Canceling workflow because short commit hash from tag didn't match short commit hash of tagged commit"
+            exit 1
+          fi
+
+      - name: Build and test jar
+        run: mvn clean package
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ env.SEMVER_VERSION }}.${{ env.SHORT_COMMIT_HASH }}
+        run: gh release create ${{ env.RELEASE_TAG }} --title ${{ github.event.repository.name }} --verify-tag
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push application Docker image
+        id: push-app
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ghcr.io/${{ github.repository }}:${{ env.SEMVER_VERSION }}.${{ env.SHORT_COMMIT_HASH }}
+
+      - name: Build and push Shibboleth Docker image
+        id: push-shibboleth
+        uses: docker/build-push-action@v6
+        with:
+            context: ./shibboleth
+            push: true
+            tags: ghcr.io/${{ github.repository }}:${{ env.SEMVER_VERSION }}.${{ env.SHORT_COMMIT_HASH }}
+
+      - name: Generate artifact attestation for application
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push-app.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate artifact attestation for Shibboleth
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push-shibboleth.outputs.digest }}
+          push-to-registry: true
 
   generate-and-push-sbom:
-#    needs: create-release
+    needs: create-release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
@@ -134,9 +134,6 @@ jobs:
       - name: Merge SBOMs
         run: /opt/hostedtoolcache/CycloneDX/cyclonedx-cli/v0.27.1/linux-x64/cyclonedx-linux-x64 merge --input-files application-image.xml shibboleth-image.xml target/bom.xml --output-file sbom.xml
 
-      - name: Debug 2
-        run: cat sbom.xml
-
       - name: Get semver version from pom and store major and minor version as deptrack version
         run: echo "DEPTRACK_PROJECT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout | cut -d '-' -f 1 | cut -d '.' -f 1-2).x" >> $GITHUB_ENV