Update license scans to node20 (#135)

* update license scans to node20 Signed-off-by: MarkAckert <[email protected]> * add log level and publish logs Signed-off-by: MarkAckert <[email protected]> * fix env name, set env in workflow Signed-off-by: MarkAckert <[email protected]> * always publish artifacts to gha Signed-off-by: MarkAckert <[email protected]> * move log level before subcommand Signed-off-by: MarkAckert <[email protected]> * zip logs before copying files; avoid errors preventing logs upload Signed-off-by: MarkAckert <[email protected]> * update node in docker container Signed-off-by: MarkAckert <[email protected]> * remove -j from logs zip Signed-off-by: MarkAckert <[email protected]> * setup larger runner for license build Signed-off-by: MarkAckert <[email protected]> * license macos-12 Signed-off-by: MarkAckert <[email protected]> * try macos-13 again Signed-off-by: MarkAckert <[email protected]> * abandon mac runner, set cpu option (default unknown) Signed-off-by: MarkAckert <[email protected]> * bad text Signed-off-by: MarkAckert <[email protected]> * use docker-release for license dockerfile Signed-off-by: MarkAckert <[email protected]> * downgrade java to 11 in ort dockerfile Signed-off-by: MarkAckert <[email protected]> * fix some scans which weren't working Signed-off-by: MarkAckert <[email protected]> * build ort from source in dockerfile Signed-off-by: MarkAckert <[email protected]> * allow parallel scanning to try and reduce build time Signed-off-by: MarkAckert <[email protected]> * update snyk pipeline to 20 Signed-off-by: MarkAckert <[email protected]> * fix cli scan, default ort yaml mutation (bug) Signed-off-by: MarkAckert <[email protected]> * adjust action library versions, sbom publish in subfolder of zowe distributions Signed-off-by: MarkAckert <[email protected]> * action performance degradation - remove cpu option (default=0) Signed-off-by: MarkAckert <[email protected]> * fix quotes Signed-off-by: MarkAckert <[email protected]> * more action maintenance Signed-off-by: MarkAckert <[email protected]> --------- Signed-off-by: MarkAckert <[email protected]>
zowe · Feb 6, 2024 · 00bf66d · 00bf66d
1 parent c9ae3ac
commit 00bf66d
Show file tree

Hide file tree

Showing 14 changed files with 1,156 additions and 1,358 deletions.
diff --git a/.dockerfiles/ort.Dockerfile b/.dockerfiles/ort.Dockerfile
@@ -4,14 +4,13 @@ FROM debian:bullseye
 #####################################################
 # version the Dockerfile, so we can do release bump
 LABEL version="1.0.0"
-ARG ORT_VERSION=12.0.0
 
 USER root
 
 RUN apt-get update -y && apt-get upgrade -y
 RUN apt-get install -y curl bash python3 zip unzip wget software-properties-common python3-pip git
-RUN curl -sL https://deb.nodesource.com/setup_18.x | bash -
-RUN apt-get update -y && apt-get install -y nodejs openjdk-17-jdk pkg-config
+RUN curl -sL https://deb.nodesource.com/setup_20.x | bash -
+RUN apt-get update -y && apt-get install -y nodejs openjdk-11-jdk pkg-config
 
 RUN	mkdir /report
 RUN mkdir -p /home/build
@@ -50,9 +49,18 @@ RUN rustup install stable && rustup default stable
 RUN cargo install cargo-license
 RUN cargo install get-license-helper
 
-RUN wget  -O ort.zip "https://github.com/oss-review-toolkit/ort/releases/download/$ORT_VERSION/ort-$ORT_VERSION.zip"
-RUN unzip ort.zip
-ENV PATH=/home/build/ort-$ORT_VERSION/bin:$PATH
+ARG ORT_VERSION=15.1.0
+
+RUN git clone https://github.com/oss-review-toolkit/ort
+WORKDIR /home/build/ort
+RUN git checkout "$ORT_VERSION"
+RUN git submodule update --init --recursive
+RUN ./gradlew installDist
+
+## ORT Binary install - requires Java 17+, which causes issues with some of our v2 projects (Java 11)
+# RUN wget  -O ort.zip "https://github.com/oss-review-toolkit/ort/releases/download/$ORT_VERSION/ort-$ORT_VERSION.zip"
+# RUN unzip ort.zip
+ENV PATH=/home/build/ort/cli/build/install/ort/bin:$PATH
 
 WORKDIR /home/build
 

diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -11,10 +11,10 @@ jobs:
   cleanup-artifactory:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: 'Setup jFrog CLI'
-        uses: jfrog/setup-jfrog-cli@v2
+        uses: jfrog/setup-jfrog-cli@v4
         # env:
         #   JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}
 
@@ -45,7 +45,7 @@ jobs:
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Cleanup ${{ matrix.servers.name }}
         run: |
@@ -69,7 +69,7 @@ jobs:
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Cleanup ${{ matrix.servers.name }}
         run: |

diff --git a/.github/workflows/license-generation.yml b/.github/workflows/license-generation.yml
@@ -40,6 +40,16 @@ on:
         options:
           - 'true'
           - 'false'
+      ort_log_level:
+        description: Set ORT's Log Level. Defaults to 'warn'
+        required: false
+        type: choice
+        default: 'warn'
+        options:
+          - 'warn'
+          - 'info'
+          - 'error'
+          - 'debug'
 
 env:
   PUBLISH_RELEASE:  ${{ github.event.inputs.publish_release }}
@@ -55,6 +65,7 @@ env:
   NOTICES_CLI_FILE: notices_cli.txt
   NOTICES_ZOS_FILE: notices_zos.txt
   ARTIFACT_PATH: org/zowe/licenses
+  ARTIFACT_PATH_SBOM: init_in_step_one
   VERSION: ${{ github.event.inputs.zowe_version }}
   AGG_ARTIFACT_NAME: zowe_licenses_full.zip
   CLI_ARTIFACT_NAME: zowe_licenses_cli.zip
@@ -66,6 +77,7 @@ env:
   ARTIFACT_REPO: init_in_step_one
   ARTIFACT_VERSION: init_in_step_one
   ORT_VERSION: 12.0.0
+  ORT_LOG_LEVEL: ${{ github.event.inputs.ort_log_level }}
 
 jobs:
 
@@ -74,35 +86,35 @@ jobs:
     runs-on: ubuntu-latest
 
     container:
-      image: zowe-docker-snapshot.jfrog.io/ompzowe/zowecicd-license-base:latest
+      image: zowe-docker-release.jfrog.io/ompzowe/zowecicd-license-base:latest
 
     steps:
-
       - name: Update variables if releasing
         run: | 
           if [ "$PUBLISH_RELEASE" = true ]; then
               echo "ARTIFACT_REPO=libs-release-local" >> $GITHUB_ENV
               echo "ARTIFACT_VERSION=$VERSION" >> $GITHUB_ENV
+              echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}/sbom" >> $GITHUB_ENV
               echo "FILENAME_PATTERN={filename}${{ env.RELEASE_SUFFIX }}{fileext}" >> $GITHUB_ENV
           else
               echo "ARTIFACT_REPO=libs-snapshot-local" >> $GITHUB_ENV
               echo "ARTIFACT_VERSION=$VERSION-SNAPSHOT" >> $GITHUB_ENV
+              echo "ARTIFACT_PATH_SBOM=org/zowe/${{ env.VERSION }}-SNAPSHOT/sbom" >> $GITHUB_ENV
               echo "FILENAME_PATTERN={filename}-${{ env.VERSION }}-SNAPSHOT{timestamp}{fileext}" >> $GITHUB_ENV
           fi
     
       - name: Checkout current repo
         uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
-          node-version: '16'
-      - name: 'Install Ansible'
-        uses: zowe-actions/shared-actions/prepare-workflow@main
+          node-version: '20'
+
       - name: '[Zowe Actions] Prepare workflow'
         uses: zowe-actions/shared-actions/prepare-workflow@main
 
       - name: 'Setup jFrog CLI'
-        uses: jfrog/setup-jfrog-cli@v2
+        uses: jfrog/setup-jfrog-cli@v4
         env:
           JF_ENV_1: ${{ secrets.JF_ARTIFACTORY_TOKEN }}
 
@@ -134,6 +146,8 @@ jobs:
           ZOWE_MANIFEST_BRANCH: ${{ env.ZOWE_RELEASE_BRANCH }}
         working-directory: ${{ env.DEPENDENCY_SCAN_HOME }}
         run: |
+          # Rustup is set to default in the container, but it's not picked up in this run block
+          rustup default stable  
           yarn install && yarn build
           node lib/index.js
           cd build
@@ -148,6 +162,8 @@ jobs:
           cp ../resources/* zowe_cli_licenses/
           cp ../resources/* zowe_zos_licenses/
 
+          zip -r logs.zip build/logs/*
+     
           # Aggregate
           cp build/notice_reports/${{ env.NOTICES_AGGREGATE_FILE }} zowe_licenses/zowe_full_notices.txt
           cp build/license_reports/${{ env.MARKDOWN_REPORT_NAME }} zowe_licenses/zowe_full_dependency_list.md
@@ -167,6 +183,8 @@ jobs:
           cp build/sbom_reports/${{ env.CLI_SBOM_ARTIFACT_NAME }} ${{ env.CLI_SBOM_ARTIFACT_NAME }}
           cp build/sbom_reports/${{ env.ZOS_SBOM_ARTIFACT_NAME }} ${{ env.ZOS_SBOM_ARTIFACT_NAME }}
 
+
+
       - name: Remove existing artifacts
         id: cleanup
         if: ${{ github.event.inputs.publish_release }} && ${{ github.event.inputs.overwrite_release }}
@@ -209,7 +227,7 @@ jobs:
           git config --global --add safe.directory /__w/zowe-dependency-scan-pipeline/zowe-dependency-scan-pipeline
 
       - name: Publish to Artifactory
-        id: publish
+        id: publish-license
         timeout-minutes: 10
         uses: zowe-actions/shared-actions/publish@main
         with:
@@ -221,14 +239,27 @@ jobs:
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}  
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_ARTIFACT_NAME }}
+
+      - name: Publish to Artifactory
+        id: publish-sbom
+        timeout-minutes: 10
+        uses: zowe-actions/shared-actions/publish@main
+        with:
+          publish-target-file-pattern: ${{ env.FILENAME_PATTERN }}
+          publish-target-path-pattern: ${{ env.ARTIFACT_REPO }}/${{ env.ARTIFACT_PATH_SBOM }}/  # version is embedded in the path_sbom var
+          perform-release: ${{ env.PUBLISH_RELEASE }}
+          sigstore-sign-artifacts: true
+          artifacts: |
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_SBOM_ARTIFACT_NAME }}
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_SBOM_ARTIFACT_NAME }}
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.ZOS_SBOM_ARTIFACT_NAME }}
 
       - name: Archive Aggregates  
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
+        if: ${{ always() }}
         with:
           path: |
+            ${{ env.DEPENDENCY_SCAN_HOME }}/logs.zip
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.AGG_ARTIFACT_NAME }}.bundle
             ${{ env.DEPENDENCY_SCAN_HOME }}/${{ env.CLI_ARTIFACT_NAME }}  

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -99,13 +99,13 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           repository: zowe/${{ matrix.repository }}
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
-          node-version: '14'
+          node-version: '20'
 
       - name: Run npm install
         continue-on-error: true
@@ -146,7 +146,7 @@ jobs:
           command: ${{ env.SNYK_SCAN_COMMAND }}
           args: --sarif-file-output=${{ env.SCAN_REPORT_DIR }}/snyk.sarif --all-projects
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v3
         with:
           name: snyk-report
           path: .snyk-reports/
@@ -164,13 +164,13 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           repository: zowe/${{ matrix.repository }}
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
-          node-version: '14'
+          node-version: '18'
 
       - name: Run npm install
         continue-on-error: true
@@ -211,7 +211,7 @@ jobs:
           command: ${{ env.SNYK_SCAN_COMMAND }}
           args: --sarif-file-output=${{ env.SCAN_REPORT_DIR }}/snyk.sarif --all-projects
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v3
         with:
           name: snyk-report
           path: .snyk-reports/
@@ -222,12 +222,12 @@ jobs:
       - snyk-gradle
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           repository: zowe/security-reports
           token: ${{ secrets.ZOWE_ROBOT_TOKEN }}
 
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v3
         with:
           name: snyk-report
           path: Snyk/