-
Notifications
You must be signed in to change notification settings - Fork 4
355 lines (324 loc) · 16.4 KB
/
license-generation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
name: License Bundle Generation
permissions:
contents: write
id-token: write
actions: write
on:
workflow_dispatch:
inputs:
zowe_version:
description: Version number of Zowe license bundle
type: string
required: true
default: '2.13.0'
publish_release:
description: Should the license bundle be published to libs-release-local
type: boolean
required: true
default: false
overwrite_release:
description: Should the license bundle overwrite and replace an existing artifact
type: boolean
required: false
default: false
release_suffix:
description: Should the license bundle have a suffix (useful during RC testing)
type: string
required: false
default: ''
zowe_sources_branch:
description: The branch of zowe-install-packaging used to determine sources included in the scan
required: true
default: 'v2.x/rc'
dummy_build:
description: Creates empty zip files, bypassing license scans. For test purposes only.
required: false
type: choice
default: 'false'
options:
- 'true'
- 'false'
ort_log_level:
description: Set ORT's Log Level. Defaults to 'warn'
required: false
type: choice
default: 'warn'
options:
- 'warn'
- 'info'
- 'error'
- 'debug'
env:
PUBLISH_RELEASE: ${{ github.event.inputs.publish_release }}
RELEASE_SUFFIX: ${{ github.event.inputs.release_suffix }}
REPLACE_EXISTING_RELEASE: ${{ github.event.inputs.replace_release }}
ZOWE_RELEASE_BRANCH: ${{ github.event.inputs.zowe_sources_branch }}
PENDING_APPROVAL_REPORT_NAME: dependency_approval_action_aggregates.json
DEPENDENCY_SCAN_HOME: licenses/dependency-scan
MARKDOWN_REPORT_NAME: markdown_dependency_report.md
MARKDOWN_CLI_REPORT: cli_dependency_report.md
MARKDOWN_VSCODE_REPORT: vscode_dependency_report.md
MARKDOWN_ZOS_REPORT: zos_dependency_report.md
NOTICES_AGGREGATE_FILE: notices_aggregate.txt
NOTICES_CLI_FILE: notices_cli.txt
NOTICES_VSCODE_FILE: notices_vscode.txt
NOTICES_ZOS_FILE: notices_zos.txt
NOTICES_PYTHONSDK_FILE: notices_pythonsdk.txt
ARTIFACT_PATH: org/zowe/licenses
ARTIFACT_PATH_SBOM: init_in_step_one
VERSION: ${{ github.event.inputs.zowe_version }}
AGG_ARTIFACT_NAME: zowe_licenses_full.zip
CLI_ARTIFACT_NAME: zowe_licenses_cli.zip
VSCODE_ARTIFACT_NAME: zowe_licenses_vscode.zip
ZOS_ARTIFACT_NAME: zowe_licenses_zos.zip
PYTHON_ARTIFACT_NAME: zowe_licenses_pythonsdk.zip
AGG_SBOM_ARTIFACT_NAME: sbom_aggregate.spdx.yml
CLI_SBOM_ARTIFACT_NAME: sbom_cli.spdx.yml
VSCODE_SBOM_ARTIFACT_NAME: sbom_vscode.spdx.yml
ZOS_SBOM_ARTIFACT_NAME: sbom_zos.spdx.yml
PYTHON_SBOM_ARTIFACT_NAME: sbom_pythonsdk.spdx.yml
FILENAME_PATTERN: init_in_step_one
ARTIFACT_REPO: init_in_step_one
ARTIFACT_VERSION: init_in_step_one
ORT_VERSION: 12.0.0
ORT_LOG_LEVEL: ${{ github.event.inputs.ort_log_level }}
jobs:
license-runner-tag:
runs-on: ubuntu-latest
outputs:
image_tag: ${{ steps.get-version.outputs.image_tag }}
steps:
- name: Determine which docker image to use
id: get-version
run: |
MAJOR_VERS=$(printf %.1s "${{ github.event.inputs.zowe_version }}")
## all of v3+ uses latest image, which is Java 17. v1 and v2 share J8/J11 image.
if [[ $MAJOR_VERS > 2 ]]; then
echo "image_tag=latest" >> $GITHUB_OUTPUT
else
echo "image_tag=v2-latest" >> $GITHUB_OUTPUT
fi
create-licenses:
runs-on: ubuntu-latest
needs: [license-runner-tag]
container:
image: zowe-docker-release.jfrog.io/ompzowe/zowecicd-license-base:${{ needs.license-runner-tag.outputs.image_tag }}
steps:
- name: Update variables if releasing
run: |
if [ "$PUBLISH_RELEASE" = true ]; then
echo "ARTIFACT_REPO=libs-release-local" >> $GITHUB_ENV
echo "ARTIFACT_VERSION=$VERSION" >> $GITHUB_ENV
echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}/sbom" >> $GITHUB_ENV
echo "FILENAME_PATTERN={filename}${{ env.RELEASE_SUFFIX }}{fileext}" >> $GITHUB_ENV
else
echo "ARTIFACT_REPO=libs-snapshot-local" >> $GITHUB_ENV
echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> $GITHUB_ENV
echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}-SNAPSHOT/sbom" >> $GITHUB_ENV
echo "FILENAME_PATTERN={filename}-${{ env.VERSION }}-SNAPSHOT{timestamp}{fileext}" >> $GITHUB_ENV
fi
- name: Checkout current repo
uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: '[Zowe Actions] Prepare workflow'
uses: zowe-actions/shared-actions/prepare-workflow@main
- name: 'Setup jFrog CLI'
uses: jfrog/setup-jfrog-cli@v4
env:
JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}
- name: '[TEST-ONLY] Dummy scan step'
if: ${{ github.event.inputs.dummy_build == 'true' }}
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
mkdir -p zowe_licenses
mkdir -p zowe_cli_licenses
mkdir -p zowe_vscode_licenses
mkdir -p zowe_zos_licenses
mkdir -p zowe_pythonsdk_licenses
echo "HI" >> dummy.txt
cp dummy.txt zowe_licenses
cp dummy.txt zowe_cli_licenses
cp dummy.txt zowe_vscode_licenses
cp dummy.txt zowe_zos_licenses
cp dummy.txt zowe_pythonsdk_licenses
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
zip -j ${{ env.PYTHON_ARTIFACT_NAME }} zowe_pythonsdk_licenses/*
echo "" > ${{ env.AGG_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.CLI_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
echo "" > ${{ env.PYTHON_SBOM_ARTIFACT_NAME }}
- name: Scan Licenses on Branch ${{ env.ZOWE_RELEASE_BRANCH }}
if: ${{ github.event.inputs.dummy_build == 'false' }}
env:
APP_NOTICES_SCAN: true
APP_LICENSE_SCAN: true
ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }}
working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
run: |
# Rustup is set to default in the container, but it's not picked up in this run block
rustup default stable
npm install -g pnpm@8
yarn install && yarn build
node lib/index.js
cd build
zip -r logs.zip logs/
zip -r license_reports.zip license_reports/
zip -r notice_reports.zip notice_reports/
cd ..
mkdir -p zowe_licenses
mkdir -p zowe_cli_licenses
mkdir -p zowe_vscode_licenses
mkdir -p zowe_zos_licenses
mkdir -p zowe_pythonsdk_licenses
cp ../resources/* zowe_licenses/
cp ../resources/* zowe_cli_licenses/
cp ../resources/* zowe_vscode_licenses/
cp ../resources/* zowe_zos_licenses/
cp ../resources/* zowe_pythonsdk_licenses/
zip -r logs.zip build/logs/*
# Aggregate
cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt
cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md
zip -j ${{ env.AGG_ARTIFACT_NAME }} zowe_licenses/*
# CLI
cp build/notice_reports/${{ env.NOTICES_CLI_FILE }} zowe_cli_licenses/zowe_cli_notices.txt
cp build/license_reports/${{ env.MARKDOWN_CLI_REPORT }} zowe_cli_licenses/zowe_cli_dependency_list.md
zip -j ${{ env.CLI_ARTIFACT_NAME }} zowe_cli_licenses/*
# VSCode
cp build/notice_reports/${{ env.NOTICES_VSCODE_FILE }} zowe_vscode_licenses/zowe_vscode_notices.txt
cp build/license_reports/${{ env.MARKDOWN_VSCODE_REPORT }} zowe_vscode_licenses/zowe_vscode_dependency_list.md
zip -j ${{ env.VSCODE_ARTIFACT_NAME }} zowe_vscode_licenses/*
# z/OS
cp build/notice_reports/${{ env.NOTICES_ZOS_FILE }} zowe_zos_licenses/zowe_zos_notices.txt
cp build/license_reports/${{ env.MARKDOWN_ZOS_REPORT }} zowe_zos_licenses/zowe_zos_dependency_list.md
zip -j ${{ env.ZOS_ARTIFACT_NAME }} zowe_zos_licenses/*
# Python
cp build/notice_reports/${{ env.NOTICES_PYTHONSDK_FILE }} zowe_pythonsdk_licenses/zowe_pythonsdk_notices.txt
zip -j ${{ env.PYTHON_ARTIFACT_NAME }} zowe_pythonsdk_licenses/*
# SBOMs
cp build/sbom_reports/${{ env.AGG_SBOM_ARTIFACT_NAME }} ${{ env.AGG_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.VSCODE_SBOM_ARTIFACT_NAME }} ${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
cp build/sbom_reports/${{ env.PYTHON_SBOM_ARTIFACT_NAME }} ${{ env.PYTHON_SBOM_ARTIFACT_NAME }}
- name: Remove existing artifacts
id: cleanup
if: ${{ github.event.inputs.publish_release }} && ${{ github.event.inputs.overwrite_release }}
run: |
jfrog rt del \
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_ARTIFACT_NAME }}
jfrog rt del \
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.VSCODE_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.PYTHON_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
jfrog rt del\
--user ${{ secrets.ZOWE_JFROG_ELEVATED_USER }} \
--password ${{secrets.ZOWE_JFROG_ELEVATED_KEY }} \
--url https://zowe.jfrog.io/artifactory \
${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}
- name: '[PUBLISH] Fix local git configuration (container+runner UID mismatch)'
if: ${{ github.event.inputs.publish_release }}
id: debug-git
run: |
git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline
- name: Publish to Artifactory
id: publish-license
timeout-minutes: 10
uses: zowe-actions/shared-actions/publish@main
with:
publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH }}/${{ env.ARTIFACT_VERSION }}/
perform-release: ${{ env.PUBLISH_RELEASE }}
sigstore-sign-artifacts: true
artifacts: |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_ARTIFACT_NAME }}
- name: Publish to Artifactory
id: publish-sbom
timeout-minutes: 10
uses: zowe-actions/shared-actions/publish@main
with:
publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH_SBOM }}/ # version is embedded in the path_sbom var
perform-release: ${{ env.PUBLISH_RELEASE }}
sigstore-sign-artifacts: true
artifacts: |
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}
- name: Archive Aggregates
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
path: |
${{ env.DEPENDENCY_SCAN_HOME }}/logs.zip
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.VSCODE_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}.bundle
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}
${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.PYTHON_SBOM_ARTIFACT_NAME }}.bundle