License Bundle Generation #71
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: License Bundle Generation | |
permissions: | |
contents: read | |
id-token: write | |
on: | |
workflow_dispatch: | |
inputs: | |
zowe_version: | |
description: Version number of Zowe license bundle | |
type: string | |
required: true | |
default: '2.13.0' | |
publish_release: | |
description: Should the license bundle be published to libs-release-local | |
type: boolean | |
required: true | |
default: false | |
overwrite_release: | |
description: Should the license bundle overwrite and replace an existing artifact | |
type: boolean | |
required: false | |
default: false | |
release_suffix: | |
description: Should the license bundle have a suffix (useful during RC testing) | |
type: string | |
required: false | |
default: '' | |
zowe_sources_branch: | |
description: The branch of zowe-install-packaging used to determine sources included in the scan | |
required: true | |
default: 'v2.x/rc' | |
dummy_build: | |
description: Creates empty zip files, bypassing license scans. For test purposes only. | |
required: false | |
type: choice | |
default: 'false' | |
options: | |
- 'true' | |
- 'false' | |
env: | |
PUBLISH_RELEASE: ${{ github.event.inputs.publish_release }} | |
RELEASE_SUFFIX: ${{ github.event.inputs.release_suffix }} | |
REPLACE_EXISTING_RELEASE: ${{ github.event.inputs.replace_release }} | |
ZOWE_RELEASE_BRANCH: ${{ github.event.inputs.zowe_sources_branch }} | |
PENDING_APPROVAL_REPORT_NAME: dependency_approval_action_aggregates.json | |
DEPENDENCY_SCAN_HOME: licenses/dependency-scan | |
MARKDOWN_REPORT_NAME: markdown_dependency_report.md | |
MARKDOWN_CLI_REPORT: cli_dependency_report.md | |
MARKDOWN_ZOS_REPORT: zos_dependency_report.md | |
NOTICES_AGGREGATE_FILE: notices_aggregate.txt | |
NOTICES_CLI_FILE: notices_cli.txt | |
NOTICES_ZOS_FILE: notices_zos.txt | |
ARTIFACT_PATH: org/zowe/licenses | |
VERSION: ${{ github.event.inputs.zowe_version }} | |
AGG_ARTIFACT_NAME: zowe_licenses_full.zip | |
CLI_ARTIFACT_NAME: zowe_licenses_cli.zip | |
ZOS_ARTIFACT_NAME: zowe_licenses_zos.zip | |
AGG_SBOM_ARTIFACT_NAME: sbom_aggregate.spdx.yml | |
CLI_SBOM_ARTIFACT_NAME: sbom_cli.spdx.yml | |
ZOS_SBOM_ARTIFACT_NAME: sbom_zos.spdx.yml | |
FILENAME_PATTERN: init_in_step_one | |
ARTIFACT_REPO: init_in_step_one | |
ARTIFACT_VERSION: init_in_step_one | |
ORT_VERSION: 12.0.0 | |
jobs: | |
create-licenses: | |
runs-on: ubuntu-latest | |
container: | |
image: zowe-docker-snapshot.jfrog.io/ompzowe/zowecicd-license-base:latest | |
steps: | |
- name: Update variables if releasing | |
run: | | |
if [ "$PUBLISH_RELEASE" = true ]; then | |
echo "ARTIFACT_REPO=libs-release-local" >> $GITHUB_ENV | |
echo "ARTIFACT_VERSION=$VERSION" >> $GITHUB_ENV | |
echo "FILENAME_PATTERN={filename}${{ env.RELEASE_SUFFIX }}{fileext}" >> $GITHUB_ENV | |
else | |
echo "ARTIFACT_REPO=libs-snapshot-local" >> $GITHUB_ENV | |
echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> $GITHUB_ENV | |
echo "FILENAME_PATTERN={filename}-${{ env.VERSION }}-SNAPSHOT{timestamp}{fileext}" >> $GITHUB_ENV | |
fi | |
- name: Checkout current repo | |
uses: actions/checkout@v4 | |
- name: Install Cosign | |
uses: sigstore/[email protected] | |
- uses: actions/setup-node@v2 | |
with: | |
node-version: '16' | |
- name: 'Install Ansible' | |
uses: zowe-actions/shared-actions/prepare-workflow@main | |
- name: '[Zowe Actions] Prepare workflow' | |
uses: zowe-actions/shared-actions/prepare-workflow@main | |
- name: 'Setup jFrog CLI' | |
uses: jfrog/setup-jfrog-cli@v2 | |
env: | |
JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }} | |
- name: '[TEST-ONLY] Dummy scan step' | |
if: ${{ github.event.inputs.dummy_build == 'true' }} | |
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }} | |
run: | | |
mkdir -p zowe_licenses | |
mkdir -p zowe_cli_licenses | |
mkdir -p zowe_zos_licenses | |
echo "HI" >> dummy.txt | |
cp dummy.txt zowe_licenses | |
cp dummy.txt zowe_cli_licenses | |
cp dummy.txt zowe_zos_licenses | |
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/* | |
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/* | |
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/* | |
echo "" > ${{ env.AGG_SBOM_ARTIFACT_NAME }} | |
echo "" > ${{ env.ZOS_SBOM_ARTIFACT_NAME }} | |
echo "" > ${{ env.CLI_SBOM_ARTIFACT_NAME }} | |
- name: Scan Licenses on Branch ${{ env.ZOWE_RELEASE_BRANCH }} | |
if: ${{ github.event.inputs.dummy_build == 'false' }} | |
env: | |
APP_NOTICES_SCAN: true | |
APP_LICENSE_SCAN: true | |
ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }} | |
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }} | |
run: | | |
yarn install && yarn build | |
node lib/index.js | |
cd build | |
zip -r logs.zip logs/ | |
zip -r license_reports.zip license_reports/ | |
zip -r notice_reports.zip notice_reports/ | |
cd .. | |
mkdir -p zowe_licenses | |
mkdir -p zowe_cli_licenses | |
mkdir -p zowe_zos_licenses | |
cp ../resources/* zowe_licenses/ | |
cp ../resources/* zowe_cli_licenses/ | |
cp ../resources/* zowe_zos_licenses/ | |
# Aggregate | |
cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt | |
cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md | |
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/* | |
# CLI | |
cp build/notice_reports/${{ env.NOTICES_CLI_FILE }} zowe_cli_licenses/zowe_cli_notices.txt | |
cp build/license_reports/${{ env.MARKDOWN_CLI_REPORT }} zowe_cli_licenses/zowe_cli_dependency_list.md | |
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/* | |
# z/OS | |
cp build/notice_reports/${{ env.NOTICES_ZOS_FILE }} zowe_zos_licenses/zowe_zos_notices.txt | |
cp build/license_reports/${{ env.MARKDOWN_ZOS_REPORT }} zowe_zos_licenses/zowe_zos_dependency_list.md | |
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/* | |
# SBOMs | |
cp build/sbom_reports/${{ env.AGG_SBOM_ARTIFACT_NAME }} ${{ env.AGG_SBOM_ARTIFACT_NAME }} | |
cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }} | |
cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }} | |
- name: Cosign experiments | |
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }} | |
run: | | |
cosign sign-blob ${{ env.AGG_SBOM_ARTIFACT_NAME }} --bundle ${{ env.AGG_SBOM_ARTIFACT_NAME }}.bundle | |
- name: Archive Aggregates | |
uses: actions/upload-artifact@v3 | |
with: | |
path: | | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }} | |
- name: Remove existing artifacts | |
id: cleanup | |
if: ${{ github.event.inputs.publish_release }} && ${{ github.event.inputs.overwrite_release }} | |
run: | | |
jfrog rt del \ | |
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \ | |
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \ | |
--url https://zowe.jfrog.io/artifactory \ | |
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_ARTIFACT_NAME }} | |
jfrog rt del \ | |
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \ | |
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \ | |
--url https://zowe.jfrog.io/artifactory \ | |
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_ARTIFACT_NAME }} | |
jfrog rt del\ | |
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \ | |
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \ | |
--url https://zowe.jfrog.io/artifactory \ | |
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_ARTIFACT_NAME }} | |
jfrog rt del\ | |
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \ | |
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \ | |
--url https://zowe.jfrog.io/artifactory \ | |
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_SBOM_ARTIFACT_NAME }} | |
jfrog rt del\ | |
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \ | |
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \ | |
--url https://zowe.jfrog.io/artifactory \ | |
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_SBOM_ARTIFACT_NAME }} | |
jfrog rt del\ | |
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \ | |
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \ | |
--url https://zowe.jfrog.io/artifactory \ | |
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }} | |
- name: '[PUBLISH] Fix local git configuration (container+runner UID mismatch)' | |
if: ${{ github.event.inputs.publish_release }} | |
id: debug-git | |
run: | | |
git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline | |
- name: Publish to Artifactory | |
id: publish | |
timeout-minutes: 10 | |
uses: zowe-actions/shared-actions/publish@main | |
with: | |
publish-target-file-pattern: ${{ env.FILENAME_PATTERN }} | |
publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/ | |
perform-release: ${{ env.PUBLISH_RELEASE }} | |
artifacts: | | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }} | |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }} |