Skip to content

License Bundle Generation #139

License Bundle Generation

License Bundle Generation #139

name: License Bundle Generation
permissions:
contents: write
id-token: write
actions: write
on:
workflow_dispatch:
inputs:
zowe_version:
description: Version number of Zowe license bundle
type: string
required: true
default: '2.13.0'
publish_release:
description: Should the license bundle be published to libs-release-local
type: boolean
required: true
default: false
overwrite_release:
description: Should the license bundle overwrite and replace an existing artifact
type: boolean
required: false
default: false
release_suffix:
description: Should the license bundle have a suffix (useful during RC testing)
type: string
required: false
default: ''
zowe_sources_branch:
description: The branch of zowe-install-packaging used to determine sources included in the scan
required: true
default: 'v2.x/rc'
dummy_build:
description: Creates empty zip files, bypassing license scans. For test purposes only.
required: false
type: choice
default: 'false'
options:
- 'true'
- 'false'
ort_log_level:
description: Set ORT's Log Level. Defaults to 'warn'
required: false
type: choice
default: 'warn'
options:
- 'warn'
- 'info'
- 'error'
- 'debug'
env:
PUBLISH_RELEASE: ${{ github.event.inputs.publish_release }}
RELEASE_SUFFIX: ${{ github.event.inputs.release_suffix }}
REPLACE_EXISTING_RELEASE: ${{ github.event.inputs.replace_release }}
ZOWE_RELEASE_BRANCH: ${{ github.event.inputs.zowe_sources_branch }}
PENDING_APPROVAL_REPORT_NAME: dependency_approval_action_aggregates.json
DEPENDENCY_SCAN_HOME: licenses/dependency-scan
MARKDOWN_REPORT_NAME: markdown_dependency_report.md
MARKDOWN_CLI_REPORT: cli_dependency_report.md
MARKDOWN_VSCODE_REPORT: vscode_dependency_report.md
MARKDOWN_ZOS_REPORT: zos_dependency_report.md
NOTICES_AGGREGATE_FILE: notices_aggregate.txt
NOTICES_CLI_FILE: notices_cli.txt
NOTICES_VSCODE_FILE: notices_vscode.txt
NOTICES_ZOS_FILE: notices_zos.txt
ARTIFACT_PATH: org/zowe/licenses
ARTIFACT_PATH_SBOM: init_in_step_one
VERSION: ${{ github.event.inputs.zowe_version }}
AGG_ARTIFACT_NAME: zowe_licenses_full.zip
CLI_ARTIFACT_NAME: zowe_licenses_cli.zip
VSCODE_ARTIFACT_NAME: zowe_licenses_vscode.zip
ZOS_ARTIFACT_NAME: zowe_licenses_zos.zip
AGG_SBOM_ARTIFACT_NAME: sbom_aggregate.spdx.yml
CLI_SBOM_ARTIFACT_NAME: sbom_cli.spdx.yml
VSCODE_SBOM_ARTIFACT_NAME: sbom_vscode.spdx.yml
ZOS_SBOM_ARTIFACT_NAME: sbom_zos.spdx.yml
FILENAME_PATTERN: init_in_step_one
ARTIFACT_REPO: init_in_step_one
ARTIFACT_VERSION: init_in_step_one
ORT_VERSION: 12.0.0
ORT_LOG_LEVEL: ${{ github.event.inputs.ort_log_level }}
jobs:
create-licenses:
runs-on: ubuntu-latest
container:
image: zowe-docker-release.jfrog.io/ompzowe/zowecicd-license-base:latest
steps:
- name: Update variables if releasing
run: |
if [ "$PUBLISH_RELEASE" = true ]; then
echo "ARTIFACT_REPO=libs-release-local" >> $GITHUB_ENV
echo "ARTIFACT_VERSION=$VERSION" >> $GITHUB_ENV
echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}/sbom" >> $GITHUB_ENV
echo "FILENAME_PATTERN={filename}${{ env.RELEASE_SUFFIX }}{fileext}" >> $GITHUB_ENV
else
echo "ARTIFACT_REPO=libs-snapshot-local" >> $GITHUB_ENV
echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> $GITHUB_ENV
echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}-SNAPSHOT/sbom" >> $GITHUB_ENV
echo "FILENAME_PATTERN={filename}-${{ env.VERSION }}-SNAPSHOT{timestamp}{fileext}" >> $GITHUB_ENV
fi
- name: Checkout current repo
uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: '[Zowe Actions] Prepare workflow'
uses: zowe-actions/shared-actions/prepare-workflow@main
- name: 'Setup jFrog CLI'
uses: jfrog/setup-jfrog-cli@v4
env:
JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}
- name: '[TEST-ONLY] Dummy scan step'
if: ${{ github.event.inputs.dummy_build == 'true' }}
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
mkdir -p zowe_licenses
mkdir -p zowe_cli_licenses
mkdir -p zowe_vscode_licenses
mkdir -p zowe_zos_licenses
echo "HI" >> dummy.txt
cp dummy.txt zowe_licenses
cp dummy.txt zowe_cli_licenses
cp dummy.txt zowe_vscode_licenses
cp dummy.txt zowe_zos_licenses
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
echo "" > ${{ env.AGG_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.CLI_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: Scan Licenses on Branch ${{ env.ZOWE_RELEASE_BRANCH }}
if: ${{ github.event.inputs.dummy_build == 'false' }}
env:
APP_NOTICES_SCAN: true
APP_LICENSE_SCAN: true
ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }}
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
# Rustup is set to default in the container, but it's not picked up in this run block
rustup default stable
npm install -g pnpm@8
yarn install && yarn build
node lib/index.js
cd build
zip -r logs.zip logs/
zip -r license_reports.zip license_reports/
zip -r notice_reports.zip notice_reports/
cd ..
mkdir -p zowe_licenses
mkdir -p zowe_cli_licenses
mkdir -p zowe_vscode_licenses
mkdir -p zowe_zos_licenses
cp ../resources/* zowe_licenses/
cp ../resources/* zowe_cli_licenses/
cp ../resources/* zowe_vscode_licenses/
cp ../resources/* zowe_zos_licenses/
zip -r logs.zip build/logs/*
# Aggregate
cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt
cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
# CLI
cp build/notice_reports/${{ env.NOTICES_CLI_FILE }} zowe_cli_licenses/zowe_cli_notices.txt
cp build/license_reports/${{ env.MARKDOWN_CLI_REPORT }} zowe_cli_licenses/zowe_cli_dependency_list.md
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
# VSCode
cp build/notice_reports/${{ env.NOTICES_VSCODE_FILE }} zowe_vscode_licenses/zowe_vscode_notices.txt
cp build/license_reports/${{ env.MARKDOWN_VSCODE_REPORT }} zowe_vscode_licenses/zowe_vscode_dependency_list.md
zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
# z/OS
cp build/notice_reports/${{ env.NOTICES_ZOS_FILE }} zowe_zos_licenses/zowe_zos_notices.txt
cp build/license_reports/${{ env.MARKDOWN_ZOS_REPORT }} zowe_zos_licenses/zowe_zos_dependency_list.md
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
# SBOMs
cp build/sbom_reports/${{ env.AGG_SBOM_ARTIFACT_NAME }} ${{ env.AGG_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.VSCODE_SBOM_ARTIFACT_NAME }} ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: Remove existing artifacts
id: cleanup
if: ${{ github.event.inputs.publish_release }} && ${{ github.event.inputs.overwrite_release }}
run: |
jfrog rt del \
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_ARTIFACT_NAME }}
jfrog rt del \
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.VSCODE_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: '[PUBLISH] Fix local git configuration (container+runner UID mismatch)'
if: ${{ github.event.inputs.publish_release }}
id: debug-git
run: |
git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline
- name: Publish to Artifactory
id: publish-license
timeout-minutes: 10
uses: zowe-actions/shared-actions/publish@main
with:
publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/
perform-release: ${{ env.PUBLISH_RELEASE }}
sigstore-sign-artifacts: true
artifacts: |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
- name: Publish to Artifactory
id: publish-sbom
timeout-minutes: 10
uses: zowe-actions/shared-actions/publish@main
with:
publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH_SBOM }}/ # version is embedded in the path_sbom var
perform-release: ${{ env.PUBLISH_RELEASE }}
sigstore-sign-artifacts: true
artifacts: |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: Archive Aggregates
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
path: |
${{ env.DEPENDENCY_SCAN_HOME }}/logs.zip
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}.bundle