License Bundle Generation #148
# Display name of the workflow in the Actions UI.
name: License Bundle Generation

# Scopes granted to GITHUB_TOKEN. Declared at workflow level, so every job
# in this file receives all three.
# NOTE(review): id-token: write allows a job to request an OIDC token; the
# publish steps set sigstore-sign-artifacts: true, which presumably relies on
# it. Whether contents: write and actions: write are needed is not visible
# from this file; confirm against the shared actions and narrow per job.
permissions:
  actions: write
  contents: write
  id-token: write
# Manual trigger only: every run is started by someone allowed to dispatch
# workflows, and all inputs below are supplied by that person.
on:
  workflow_dispatch:
    inputs:
      # Free-form string; consumed as VERSION and used to pick the container
      # image tag in the first job.
      zowe_version:
        description: Version number of Zowe license bundle
        type: string
        required: true
        default: '3.0.0'
      # Selects the release repository instead of the snapshot repository.
      publish_release:
        description: Should the license bundle be published to libs-release-local
        type: boolean
        required: true
        default: false
      # Gates deletion of previously published artifacts.
      overwrite_release:
        description: Should the license bundle overwrite and replace an existing artifact
        type: boolean
        required: false
        default: false
      # Free-form string that ends up in the published file name pattern.
      release_suffix:
        description: Should the license bundle have a suffix (useful during RC testing)
        type: string
        required: false
        default: ''
      # No explicit type is declared for this input.
      zowe_sources_branch:
        description: The branch of zowe-install-packaging used to determine sources included in the scan
        required: true
        default: 'v3.x/rc'
      # String choice, not a boolean: the steps compare against 'true'/'false'.
      dummy_build:
        description: Creates empty zip files, bypassing license scans. For test purposes only.
        required: false
        type: choice
        default: 'false'
        options:
          - 'true'
          - 'false'
      ort_log_level:
        description: "Set ORT's Log Level. Defaults to 'warn'"
        required: false
        type: choice
        default: 'warn'
        options:
          - 'warn'
          - 'info'
          - 'error'
          - 'debug'
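# Workflow-level environment, visible to every step of every job.
# Values taken from github.event.inputs.* are caller-supplied strings; steps
# should read them as shell variables ("$VERSION") rather than re-expanding
# them with ${{ }} inside a run script.
env:
  PUBLISH_RELEASE: ${{ github.event.inputs.publish_release }}
  RELEASE_SUFFIX: ${{ github.event.inputs.release_suffix }}
  # Fixed: the declared input is overwrite_release. The previous reference,
  # inputs.replace_release, names no input and always expanded to an empty
  # string.
  REPLACE_EXISTING_RELEASE: ${{ github.event.inputs.overwrite_release }}
  ZOWE_RELEASE_BRANCH: ${{ github.event.inputs.zowe_sources_branch }}
  VERSION: ${{ github.event.inputs.zowe_version }}
  ORT_LOG_LEVEL: ${{ github.event.inputs.ort_log_level }}
  ORT_VERSION: '12.0.0'

  # Scan working directory and report file names.
  DEPENDENCY_SCAN_HOME: licenses/dependency-scan
  PENDING_APPROVAL_REPORT_NAME: dependency_approval_action_aggregates.json
  MARKDOWN_REPORT_NAME: markdown_dependency_report.md
  MARKDOWN_CLI_REPORT: cli_dependency_report.md
  MARKDOWN_VSCODE_REPORT: vscode_dependency_report.md
  MARKDOWN_ZOS_REPORT: zos_dependency_report.md
  NOTICES_AGGREGATE_FILE: notices_aggregate.txt
  NOTICES_CLI_FILE: notices_cli.txt
  NOTICES_VSCODE_FILE: notices_vscode.txt
  NOTICES_ZOS_FILE: notices_zos.txt
  NOTICES_PYTHONSDK_FILE: notices_pythonsdk.txt

  # Names of the license bundles and SBOM files that get published.
  AGG_ARTIFACT_NAME: zowe_licenses_full.zip
  CLI_ARTIFACT_NAME: zowe_licenses_cli.zip
  VSCODE_ARTIFACT_NAME: zowe_licenses_vscode.zip
  ZOS_ARTIFACT_NAME: zowe_licenses_zos.zip
  PYTHON_ARTIFACT_NAME: zowe_licenses_pythonsdk.zip
  AGG_SBOM_ARTIFACT_NAME: sbom_aggregate.spdx.yml
  CLI_SBOM_ARTIFACT_NAME: sbom_cli.spdx.yml
  VSCODE_SBOM_ARTIFACT_NAME: sbom_vscode.spdx.yml
  ZOS_SBOM_ARTIFACT_NAME: sbom_zos.spdx.yml
  PYTHON_SBOM_ARTIFACT_NAME: sbom_pythonsdk.spdx.yml

  # Publish destination. The init_in_step_one values are placeholders that
  # the "Update variables if releasing" step overwrites through GITHUB_ENV.
  ARTIFACT_PATH: org/zowe/licenses
  ARTIFACT_PATH_SBOM: init_in_step_one
  FILENAME_PATTERN: init_in_step_one
  ARTIFACT_REPO: init_in_step_one
  ARTIFACT_VERSION: init_in_step_one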
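jobs:
  # Picks the tag of the scan container image from the requested Zowe version.
  license-runner-tag:
    runs-on: ubuntu-latest
    # This job only runs a shell snippet and writes a step output, so it does
    # not need any of the workflow-level token scopes.
    permissions: {}
    outputs:
      image_tag: ${{ steps.get-version.outputs.image_tag }}
    steps:
      - name: Determine which docker image to use
        id: get-version
        env:
          # The caller-supplied input reaches the script as an environment
          # variable. Expanding ${{ github.event.inputs.* }} inside the script
          # text would let the input's content be parsed as shell.
          ZOWE_VERSION: ${{ github.event.inputs.zowe_version }}
        run: |
          MAJOR_VERS=$(printf %.1s "$ZOWE_VERSION")
          ## all of v3+ uses latest image, which is Java 17. v1 and v2 share J8/J11 image.
          # Note: this is a string comparison on the first character only.
          if [[ $MAJOR_VERS > 2 ]]; then
            echo "image_tag=latest" >> "$GITHUB_OUTPUT"
          else
            echo "image_tag=v2-latest" >> "$GITHUB_OUTPUT"
          fi

  # Runs the license scan (or a dummy build), then publishes and archives
  # the bundles and SBOMs.
  create-licenses:
    runs-on: ubuntu-latest
    needs: [license-runner-tag]
    container:
      # NOTE(review): both possible tags (latest, v2-latest) are mutable, so
      # the image that handles the publish credentials can change between
      # runs; consider referencing the image by digest.
      image: zowe-docker-release.jfrog.io/ompzowe/zowecicd-license-base:${{ needs.license-runner-tag.outputs.image_tag }}
    steps:
      - name: Update variables if releasing
        # VERSION, RELEASE_SUFFIX and PUBLISH_RELEASE are workflow-level env
        # values derived from caller inputs. They are read as shell variables
        # here instead of being expanded with ${{ env.* }} into the script.
        run: |
          if [ "$PUBLISH_RELEASE" = true ]; then
            echo "ARTIFACT_REPO=libs-release-local" >> "$GITHUB_ENV"
            echo "ARTIFACT_VERSION=$VERSION" >> "$GITHUB_ENV"
            echo "ARTIFACT_PATH_SBOM=org/zowe/${VERSION}/sbom" >> "$GITHUB_ENV"
            echo "FILENAME_PATTERN={filename}${RELEASE_SUFFIX}{fileext}" >> "$GITHUB_ENV"
          else
            echo "ARTIFACT_REPO=libs-snapshot-local" >> "$GITHUB_ENV"
            echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> "$GITHUB_ENV"
            echo "ARTIFACT_PATH_SBOM=org/zowe/${VERSION}-SNAPSHOT/sbom" >> "$GITHUB_ENV"
            echo "FILENAME_PATTERN={filename}-${VERSION}-SNAPSHOT{timestamp}{fileext}" >> "$GITHUB_ENV"
          fi

      - name: Checkout current repo
        uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: '[Zowe Actions] Prepare workflow'
        # NOTE(review): @main is a branch ref. Pin to a full commit SHA so the
        # code that runs with this job's token cannot change without review.
        uses: zowe-actions/shared-actions/prepare-workflow@main

      - name: 'Setup jFrog CLI'
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}

      - name: '[TEST-ONLY] Dummy scan step'
        if: ${{ github.event.inputs.dummy_build == 'true' }}
        working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
        # Produces placeholder bundles and empty SBOM files so the publish
        # steps can be exercised without running a scan.
        run: |
          mkdir -p zowe_licenses
          mkdir -p zowe_cli_licenses
          mkdir -p zowe_vscode_licenses
          mkdir -p zowe_zos_licenses
          mkdir -p zowe_pythonsdk_licenses
          echo "HI" >> dummy.txt
          cp dummy.txt zowe_licenses
          cp dummy.txt zowe_cli_licenses
          cp dummy.txt zowe_vscode_licenses
          cp dummy.txt zowe_zos_licenses
          cp dummy.txt zowe_pythonsdk_licenses
          zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
          zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
          zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
          zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
          zip -j ${{ env.PYTHON_ARTIFACT_NAME }} zowe_pythonsdk_licenses/*
          echo "" > ${{ env.AGG_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.CLI_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.PYTHON_SBOM_ARTIFACT_NAME }}

      - name: Scan Licenses on Branch ${{ env.ZOWE_RELEASE_BRANCH }}
        if: ${{ github.event.inputs.dummy_build == 'false' }}
        env:
          APP_NOTICES_SCAN: 'true'
          APP_LICENSE_SCAN: 'true'
          ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }}
        working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
        # The ${{ env.* }} expansions in this script are fixed file names
        # from the workflow-level env block, not caller input.
        run: |
          # Rustup is set to default in the container, but it's not picked up in this run block
          rustup default stable
          npm install -g pnpm@8
          yarn install && yarn build
          node lib/index.js
          cd build
          zip -r logs.zip logs/
          zip -r license_reports.zip license_reports/
          zip -r notice_reports.zip notice_reports/
          cd ..
          mkdir -p zowe_licenses
          mkdir -p zowe_cli_licenses
          mkdir -p zowe_vscode_licenses
          mkdir -p zowe_zos_licenses
          mkdir -p zowe_pythonsdk_licenses
          cp ../resources/* zowe_licenses/
          cp ../resources/* zowe_cli_licenses/
          cp ../resources/* zowe_vscode_licenses/
          cp ../resources/* zowe_zos_licenses/
          cp ../resources/* zowe_pythonsdk_licenses/
          zip -r logs.zip build/logs/*
          # Aggregate
          cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md
          zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
          # CLI
          cp build/notice_reports/${{ env.NOTICES_CLI_FILE }} zowe_cli_licenses/zowe_cli_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_CLI_REPORT }} zowe_cli_licenses/zowe_cli_dependency_list.md
          zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
          # VSCode
          cp build/notice_reports/${{ env.NOTICES_VSCODE_FILE }} zowe_vscode_licenses/zowe_vscode_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_VSCODE_REPORT }} zowe_vscode_licenses/zowe_vscode_dependency_list.md
          zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
          # z/OS
          cp build/notice_reports/${{ env.NOTICES_ZOS_FILE }} zowe_zos_licenses/zowe_zos_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_ZOS_REPORT }} zowe_zos_licenses/zowe_zos_dependency_list.md
          zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
          # Python
          cp build/notice_reports/${{ env.NOTICES_PYTHONSDK_FILE }} zowe_pythonsdk_licenses/zowe_pythonsdk_notices.txt
          zip -j ${{ env.PYTHON_ARTIFACT_NAME }} zowe_pythonsdk_licenses/*
          # SBOMs
          cp build/sbom_reports/${{ env.AGG_SBOM_ARTIFACT_NAME }} ${{ env.AGG_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.VSCODE_SBOM_ARTIFACT_NAME }} ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.PYTHON_SBOM_ARTIFACT_NAME }} ${{ env.PYTHON_SBOM_ARTIFACT_NAME }}

      - name: Remove existing artifacts
        id: cleanup
        # Fixed: the condition used to be two ${{ }} expressions joined by a
        # literal " && ". That renders to a non-empty string such as
        # "false && false", which is always truthy, so this destructive step
        # ran on every dispatch. github.event.inputs values are strings, so
        # each one is compared with 'true' inside a single expression.
        if: ${{ github.event.inputs.publish_release == 'true' && github.event.inputs.overwrite_release == 'true' }}
        env:
          # Elevated credentials are handed to the script as environment
          # variables and quoted at use, rather than being pasted into the
          # script text by ${{ secrets.* }}.
          JFROG_USER: ${{ secrets.ZOWE_JFROG_ELEVATED_USER }}
          JFROG_KEY: ${{ secrets.ZOWE_JFROG_ELEVATED_KEY }}
        # ARTIFACT_REPO and ARTIFACT_VERSION were exported through GITHUB_ENV
        # by the first step; the *_ARTIFACT_NAME values and ARTIFACT_PATH come
        # from the workflow-level env block.
        # NOTE(review): the SBOM files are published under ARTIFACT_PATH_SBOM
        # but are deleted here under ARTIFACT_PATH/ARTIFACT_VERSION, exactly
        # as the original commands did. Confirm which path is intended.
        run: |
          for artifact in \
            "$AGG_ARTIFACT_NAME" \
            "$CLI_ARTIFACT_NAME" \
            "$VSCODE_ARTIFACT_NAME" \
            "$ZOS_ARTIFACT_NAME" \
            "$PYTHON_ARTIFACT_NAME" \
            "$AGG_SBOM_ARTIFACT_NAME" \
            "$CLI_SBOM_ARTIFACT_NAME" \
            "$VSCODE_SBOM_ARTIFACT_NAME" \
            "$ZOS_SBOM_ARTIFACT_NAME" \
            "$PYTHON_SBOM_ARTIFACT_NAME"
          do
            jfrog rt del \
              --user "$JFROG_USER" \
              --password "$JFROG_KEY" \
              --url https://zowe.jfrog.io/artifactory \
              "$ARTIFACT_REPO/$ARTIFACT_PATH/$ARTIFACT_VERSION/$artifact"
          done

      - name: '[PUBLISH] Fix local git configuration (container+runner UID mismatch)'
        # NOTE(review): github.event.inputs.publish_release is the string
        # 'true' or 'false', and any non-empty string is truthy, so this
        # condition never skips the step. It is left unchanged because the
        # publish steps below run on every dispatch and may depend on this
        # git setting; confirm before tightening it to == 'true'.
        if: ${{ github.event.inputs.publish_release }}
        id: debug-git
        run: |
          git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline

      - name: Publish to Artifactory
        id: publish-license
        timeout-minutes: 10
        # NOTE(review): @main is a branch ref on the action that publishes and
        # signs the release artifacts; pin it to a full commit SHA.
        uses: zowe-actions/shared-actions/publish@main
        with:
          publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
          publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/
          perform-release: ${{ env.PUBLISH_RELEASE }}
          sigstore-sign-artifacts: true
          artifacts: |
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_ARTIFACT_NAME }}

      - name: Publish to Artifactory
        id: publish-sbom
        timeout-minutes: 10
        # NOTE(review): same branch ref as the step above; pin it to a full
        # commit SHA.
        uses: zowe-actions/shared-actions/publish@main
        with:
          publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
          publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH_SBOM }}/  # version is embedded in the path_sbom var
          perform-release: ${{ env.PUBLISH_RELEASE }}
          sigstore-sign-artifacts: true
          artifacts: |
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}

      - name: Archive Aggregates
        uses: actions/upload-artifact@v4
        # Runs even when an earlier step failed, so logs.zip is kept for
        # diagnosis.
        if: ${{ always() }}
        with:
          # Each artifact is listed together with a <name>.bundle file;
          # presumably these are the signature bundles written by the publish
          # steps (sigstore-sign-artifacts: true). Confirm against the action.
          path: |
            ${{ env.DEPENDENCY_SCAN_HOME }}/logs.zip
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}.bundle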