-
Notifications
You must be signed in to change notification settings - Fork 4
247 lines (221 loc) · 10.7 KB
/
license-generation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
name: License Bundle Generation
permissions: read-all
on:
workflow_dispatch:
inputs:
zowe_version:
description: Version number of Zowe license bundle
type: string
required: true
default: '2.13.0'
publish_release:
description: Should the license bundle be published to libs-release-local
type: boolean
required: true
default: false
overwrite_release:
description: Should the license bundle overwrite and replace an existing artifact
type: boolean
required: false
default: false
release_suffix:
description: Should the license bundle have a suffix (useful during RC testing)
type: string
required: false
default: ''
zowe_sources_branch:
description: The branch of zowe-install-packaging used to determine sources included in the scan
required: true
default: 'v2.x/rc'
dummy_build:
description: Creates empty zip files, bypassing license scans. For test purposes only.
required: false
type: choice
default: 'false'
options:
- 'true'
- 'false'
env:
PUBLISH_RELEASE: ${{ github.event.inputs.publish_release }}
RELEASE_SUFFIX: ${{ github.event.inputs.release_suffix }}
REPLACE_EXISTING_RELEASE: ${{ github.event.inputs.replace_release }}
ZOWE_RELEASE_BRANCH: ${{ github.event.inputs.zowe_sources_branch }}
PENDING_APPROVAL_REPORT_NAME: dependency_approval_action_aggregates.json
DEPENDENCY_SCAN_HOME: licenses/dependency-scan
MARKDOWN_REPORT_NAME: markdown_dependency_report.md
MARKDOWN_CLI_REPORT: cli_dependency_report.md
MARKDOWN_ZOS_REPORT: zos_dependency_report.md
NOTICES_AGGREGATE_FILE: notices_aggregate.txt
NOTICES_CLI_FILE: notices_cli.txt
NOTICES_ZOS_FILE: notices_zos.txt
ARTIFACT_PATH: org/zowe/licenses
VERSION: ${{ github.event.inputs.zowe_version }}
AGG_ARTIFACT_NAME: zowe_licenses_full.zip
CLI_ARTIFACT_NAME: zowe_licenses_cli.zip
ZOS_ARTIFACT_NAME: zowe_licenses_zos.zip
AGG_SBOM_ARTIFACT_NAME: sbom_aggregate.spdx.yml
CLI_SBOM_ARTIFACT_NAME: sbom_cli.spdx.yml
ZOS_SBOM_ARTIFACT_NAME: sbom_zos.spdx.yml
FILENAME_PATTERN: init_in_step_one
ARTIFACT_REPO: init_in_step_one
ARTIFACT_VERSION: init_in_step_one
ORT_VERSION: 12.0.0
jobs:
create-licenses:
runs-on: ubuntu-latest
container:
image: zowe-docker-snapshot.jfrog.io/ompzowe/license-scan-build:v2x
steps:
- name: Update variables if releasing
run: |
if [ "$PUBLISH_RELEASE" = true ]; then
echo "ARTIFACT_REPO=libs-release-local" >> $GITHUB_ENV
echo "ARTIFACT_VERSION=$VERSION" >> $GITHUB_ENV
echo "FILENAME_PATTERN={filename}${{ env.RELEASE_SUFFIX }}{fileext}" >> $GITHUB_ENV
else
echo "ARTIFACT_REPO=libs-snapshot-local" >> $GITHUB_ENV
echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> $GITHUB_ENV
echo "FILENAME_PATTERN={filename}-${{ env.VERSION }}-SNAPSHOT{timestamp}{fileext}" >> $GITHUB_ENV
fi
- name: Checkout current repo
uses: actions/checkout@v4
- name: Install ORT
run: |
curl "https://github.com/oss-review-toolkit/ort/releases/download/${{ env.ORT_VERSION }}/ort-${{ env.ORT_VERSION }}.zip" -o ort.zip
unzip ort.zip
echo `pwd`/ort-${{ env.ORT_VERSION }}/bin >> $GITHUB_PATH
- name: Install Cosign
uses: sigstore/[email protected]
- uses: actions/setup-node@v2
with:
node-version: '16'
- name: 'Install Ansible'
uses: zowe-actions/shared-actions/prepare-workflow@main
- name: '[Zowe Actions] Prepare workflow'
uses: zowe-actions/shared-actions/prepare-workflow@main
- name: 'Setup jFrog CLI'
uses: jfrog/setup-jfrog-cli@v2
env:
JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}
- name: '[TEST-ONLY] Dummy scan step'
if: ${{ github.event.inputs.dummy_build == 'true' }}
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
mkdir -p zowe_licenses
mkdir -p zowe_cli_licenses
mkdir -p zowe_zos_licenses
echo "HI" >> dummy.txt
cp dummy.txt zowe_licenses
cp dummy.txt zowe_cli_licenses
cp dummy.txt zowe_zos_licenses
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
echo "" > ${{ env.AGG_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.CLI_SBOM_ARTIFACT_NAME }}
- name: Scan Licenses on Branch ${{ env.ZOWE_RELEASE_BRANCH }}
if: ${{ github.event.inputs.dummy_build == 'false' }}
env:
APP_NOTICES_SCAN: true
APP_LICENSE_SCAN: true
ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }}
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
yarn install && yarn build
node lib/index.js
cd build
zip -r logs.zip logs/
zip -r license_reports.zip license_reports/
zip -r notice_reports.zip notice_reports/
cd ..
mkdir -p zowe_licenses
mkdir -p zowe_cli_licenses
mkdir -p zowe_zos_licenses
cp ../resources/* zowe_licenses/
cp ../resources/* zowe_cli_licenses/
cp ../resources/* zowe_zos_licenses/
# Aggregate
cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt
cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
# CLI
cp build/notice_reports/${{ env.NOTICES_CLI_FILE }} zowe_cli_licenses/zowe_cli_notices.txt
cp build/license_reports/${{ env.MARKDOWN_CLI_REPORT }} zowe_cli_licenses/zowe_cli_dependency_list.md
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
# z/OS
cp build/notice_reports/${{ env.NOTICES_ZOS_FILE }} zowe_zos_licenses/zowe_zos_notices.txt
cp build/license_reports/${{ env.MARKDOWN_ZOS_REPORT }} zowe_zos_licenses/zowe_zos_dependency_list.md
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
# SBOMs
cp build/sbom_reports/${{ env.AGG_SBOM_ARTIFACT_NAME }} ${{ env.AGG_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: Cosign experiments
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
cosign sign-blob ${{ env.AGG_SBOM_ARTIFACT_NAME }} --bundle ${{ env.AGG_SBOM_ARTIFACT_NAME }}.bundle --oidc-provider=github-actions
- name: Archive Aggregates
uses: actions/upload-artifact@v3
with:
path: |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: Remove existing artifacts
id: cleanup
if: ${{ github.event.inputs.publish_release }} && ${{ github.event.inputs.overwrite_release }}
run: |
jfrog rt del \
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_ARTIFACT_NAME }}
jfrog rt del \
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
- name: '[PUBLISH] Fix local git configuration (container+runner UID mismatch)'
if: ${{ github.event.inputs.publish_release }}
id: debug-git
run: |
git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline
- name: Publish to Artifactory
id: publish
timeout-minutes: 10
uses: zowe-actions/shared-actions/publish@main
with:
publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/
perform-release: ${{ env.PUBLISH_RELEASE }}
artifacts: |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}