.github/workflows/license-generation.yml

name: License Bundle Generation

permissions:
  contents: write
  id-token: write
  actions: write

on:
  workflow_dispatch:
    inputs:
      zowe_version:
        description: Version number of Zowe license bundle
        type: string
        required: true
        default: '2.13.0'
      publish_release:
        description: Should the license bundle be published to libs-release-local
        type: boolean
        required: true
        default: false
      overwrite_release:
        description: Should the license bundle overwrite and replace an existing artifact
        type: boolean
        required: false
        default: false
      release_suffix:
        description: Should the license bundle have a suffix (useful during RC testing)
        type: string
        required: false
        default: ''
      zowe_sources_branch:
        description: The branch of zowe-install-packaging used to determine sources included in the scan
        required: true
        default: 'v2.x/rc'
      dummy_build:
        description: Creates empty zip files, bypassing license scans. For test purposes only.
        required: false
        type: choice
        default: 'false'
        options:
          - 'true'
          - 'false'
      ort_log_level:
        description: Set ORT's Log Level. Defaults to 'warn'
        required: false
        type: choice
        default: 'warn'
        options:
          - 'warn'
          - 'info'
          - 'error'
          - 'debug'

env:
  PUBLISH_RELEASE: ${{ github.event.inputs.publish_release }}
  RELEASE_SUFFIX: ${{ github.event.inputs.release_suffix }}
  REPLACE_EXISTING_RELEASE: ${{ github.event.inputs.replace_release }}
  ZOWE_RELEASE_BRANCH: ${{ github.event.inputs.zowe_sources_branch }}
  PENDING_APPROVAL_REPORT_NAME: dependency_approval_action_aggregates.json
  DEPENDENCY_SCAN_HOME: licenses/dependency-scan
  MARKDOWN_REPORT_NAME: markdown_dependency_report.md
  MARKDOWN_CLI_REPORT: cli_dependency_report.md
  MARKDOWN_VSCODE_REPORT: vscode_dependency_report.md
  MARKDOWN_ZOS_REPORT: zos_dependency_report.md
  NOTICES_AGGREGATE_FILE: notices_aggregate.txt
  NOTICES_CLI_FILE: notices_cli.txt
  NOTICES_VSCODE_FILE: notices_vscode.txt
  NOTICES_ZOS_FILE: notices_zos.txt
  ARTIFACT_PATH: org/zowe/licenses
  ARTIFACT_PATH_SBOM: init_in_step_one
  VERSION: ${{ github.event.inputs.zowe_version }}
  AGG_ARTIFACT_NAME: zowe_licenses_full.zip
  CLI_ARTIFACT_NAME: zowe_licenses_cli.zip
  VSCODE_ARTIFACT_NAME: zowe_licenses_vscode.zip
  ZOS_ARTIFACT_NAME: zowe_licenses_zos.zip
  AGG_SBOM_ARTIFACT_NAME: sbom_aggregate.spdx.yml
  CLI_SBOM_ARTIFACT_NAME: sbom_cli.spdx.yml
  VSCODE_SBOM_ARTIFACT_NAME: sbom_vscode.spdx.yml
  ZOS_SBOM_ARTIFACT_NAME: sbom_zos.spdx.yml
  FILENAME_PATTERN: init_in_step_one
  ARTIFACT_REPO: init_in_step_one
  ARTIFACT_VERSION: init_in_step_one
  ORT_VERSION: 12.0.0
  ORT_LOG_LEVEL: ${{ github.event.inputs.ort_log_level }}

jobs:

  create-licenses:

    runs-on: ubuntu-latest

    container:
      image: zowe-docker-snapshot.jfrog.io/ompzowe/zowecicd-license-base:test-timothy

    steps:
      - name: Update variables if releasing
        run: |
          if [ "$PUBLISH_RELEASE" = true ]; then
              echo "ARTIFACT_REPO=libs-release-local" >> $GITHUB_ENV
              echo "ARTIFACT_VERSION=$VERSION" >> $GITHUB_ENV
              echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}/sbom" >> $GITHUB_ENV
              echo "FILENAME_PATTERN={filename}${{ env.RELEASE_SUFFIX }}{fileext}" >> $GITHUB_ENV
          else
              echo "ARTIFACT_REPO=libs-snapshot-local" >> $GITHUB_ENV
              echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> $GITHUB_ENV
              echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}-SNAPSHOT/sbom" >> $GITHUB_ENV
              echo "FILENAME_PATTERN={filename}-${{ env.VERSION }}-SNAPSHOT{timestamp}{fileext}" >> $GITHUB_ENV
          fi

      - name: Checkout current repo
        uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: '[Zowe Actions] Prepare workflow'
        uses: zowe-actions/shared-actions/prepare-workflow@main

      - name: 'Setup jFrog CLI'
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}

      - name: '[TEST-ONLY] Dummy scan step'
        if: ${{ github.event.inputs.dummy_build == 'true' }}
        working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
        run: |
          mkdir -p zowe_licenses
          mkdir -p zowe_cli_licenses
          mkdir -p zowe_vscode_licenses
          mkdir -p zowe_zos_licenses
          echo "HI" >> dummy.txt
          cp dummy.txt zowe_licenses
          cp dummy.txt zowe_cli_licenses
          cp dummy.txt zowe_vscode_licenses
          cp dummy.txt zowe_zos_licenses

          zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
          zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
          zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
          zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
          echo "" > ${{ env.AGG_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.CLI_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
          echo "" > ${{ env.ZOS_SBOM_ARTIFACT_NAME }}


      - name: Scan Licenses on Branch ${{ env.ZOWE_RELEASE_BRANCH }}
        if: ${{ github.event.inputs.dummy_build == 'false' }}
        env:
          APP_NOTICES_SCAN: true
          APP_LICENSE_SCAN: true
          ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }}
        working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
        run: |
          # Rustup is set to default in the container, but it's not picked up in this run block
          rustup default stable
          npm install -g pnpm@8
          yarn install && yarn build
          node lib/index.js
          cd build
          zip -r logs.zip logs/
          zip -r license_reports.zip license_reports/
          zip -r notice_reports.zip notice_reports/
          cd ..
          mkdir -p zowe_licenses
          mkdir -p zowe_cli_licenses
          mkdir -p zowe_vscode_licenses
          mkdir -p zowe_zos_licenses
          cp ../resources/* zowe_licenses/
          cp ../resources/* zowe_cli_licenses/
          cp ../resources/* zowe_vscode_licenses/
          cp ../resources/* zowe_zos_licenses/

          zip -r logs.zip build/logs/*

          # Aggregate
          cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md
          zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*

          # CLI
          cp build/notice_reports/${{ env.NOTICES_CLI_FILE }} zowe_cli_licenses/zowe_cli_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_CLI_REPORT }} zowe_cli_licenses/zowe_cli_dependency_list.md
          zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*

          # VSCode
          cp build/notice_reports/${{ env.NOTICES_VSCODE_FILE }} zowe_vscode_licenses/zowe_vscode_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_VSCODE_REPORT }} zowe_vscode_licenses/zowe_vscode_dependency_list.md
          zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*

          # z/OS
          cp build/notice_reports/${{ env.NOTICES_ZOS_FILE }} zowe_zos_licenses/zowe_zos_notices.txt
          cp build/license_reports/${{ env.MARKDOWN_ZOS_REPORT }} zowe_zos_licenses/zowe_zos_dependency_list.md
          zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*

          # SBOMs
          cp build/sbom_reports/${{ env.AGG_SBOM_ARTIFACT_NAME }} ${{ env.AGG_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.VSCODE_SBOM_ARTIFACT_NAME }} ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
          cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }}


      - name: Remove existing artifacts
        id: cleanup
        if: ${{ github.event.inputs.publish_release }} && ${{ github.event.inputs.overwrite_release }}
        run: |
          jfrog rt del \
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_ARTIFACT_NAME }}
          jfrog rt del \
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_ARTIFACT_NAME }}
          jfrog rt del\
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.VSCODE_ARTIFACT_NAME }}
          jfrog rt del\
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_ARTIFACT_NAME }}
          jfrog rt del\
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
          jfrog rt del\
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
          jfrog rt del\
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
          jfrog rt del\
            --user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
            --password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
            --url https://zowe.jfrog.io/artifactory \
            ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}

      - name: '[PUBLISH] Fix local git configuration (container+runner UID mismatch)'
        if: ${{ github.event.inputs.publish_release }}
        id: debug-git
        run: |
          git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline

      - name: Publish to Artifactory
        id: publish-license
        timeout-minutes: 10
        uses: zowe-actions/shared-actions/publish@main
        with:
          publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
          publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/
          perform-release: ${{ env.PUBLISH_RELEASE }}
          sigstore-sign-artifacts: true
          artifacts: |
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}

      - name: Publish to Artifactory
        id: publish-sbom
        timeout-minutes: 10
        uses: zowe-actions/shared-actions/publish@main
        with:
          publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
          publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH_SBOM }}/  # version is embedded in the path_sbom var
          perform-release: ${{ env.PUBLISH_RELEASE }}
          sigstore-sign-artifacts: true
          artifacts: |
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}

      - name: Archive Aggregates
        uses: actions/upload-artifact@v4
        if: ${{ always() }}
        with:
          path: |
            ${{ env.DEPENDENCY_SCAN_HOME }}/logs.zip
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}.bundle
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
            ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}.bundle