Add sonatype scan step

finos · Jul 23, 2024 · 084e359 · 084e359
1 parent a4dd426
commit 084e359
Showing 1 changed file with 66 additions and 1 deletion.
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -14,6 +14,11 @@ env:
   scala_212_version: "2.12.18"
   scala_213_version: "2.13.12"
   scala_3_version: "3.3.1"
+  SonatypeUrl: 'https://finos.sonatype.app/platform/'
+  SonatypeAppId: morphir-jvm
+  SonatypeStage: 'build' 
+  SonatypeScanTarget: '.' # depCache/coursier/v1/https/repo1.maven.org/maven2/
+  ExcludeDirectory: " -D fileExcludes='*.class, **/website/, **/docs/, **/.*' "
 
 # cancel older runs of a pull request;
 # this will not cancel anything for normal git pushes
@@ -149,8 +154,68 @@ jobs:
             out/morphir/${{matrix.scala}}/**/native/
           key: ${{ runner.os }}-mill-native-${{matrix.java}}-${{ matrix.scala }}-${{ github.sha }}-${{ hashFiles('out') }}
 
-  cd:    
+  ############### SONATYPE SCAN ###############
+  sonatype-scan:
+    if: always()
     needs: [ci]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Cache scala dependencies
+      uses: coursier/cache-action@v6
+
+    - name: Get OUT cache
+      uses: actions/cache/restore@v4
+      with:
+        path: out/
+        key: ${{ runner.os }}-*
+
+    - name: Copy Cache for SCA Scan
+      run: |
+        mkdir depCache/ #Create local copy of cache for Sonatype Scanner
+        cp -r /home/runner/.cache/coursier/ depCache/
+    # - name: Save resolvedIvyDeps.json
+    #   run: ./mill show __.resolvedIvyDeps > depCache/resolvedIvyDeps.json
+
+    # - name: Upload Dependency Cache (optional)
+    #   uses: actions/upload-artifact@v4
+    #   with:
+    #     name: Dependency Cache
+    #     path: depCache/
+
+    - name: Sonatype Lifecycle SCA Scan
+      uses: sonatype-nexus-community/iq-github-action@main
+      with:
+        username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
+        password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }}
+        serverUrl: ${{ env.SonatypeUrl }}
+        applicationId: ${{ env.SonatypeAppId }}
+        stage: ${{ env.SonatypeStage }}
+        target: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }}
+
+    - name: Retrieve Sonatype SBOM (SPDX)
+      if: always()
+      run: |
+        mkdir reports/
+        iqCredentials="${{ secrets.SONATYPE_SCANNER_USERNAME }}:${{ secrets.SONATYPE_SCANNER_PASSWORD }}"
+        echo 'Get internal app ID for public ID: '$SonatypeAppId
+        res=$(curl -u $iqCredentials --location $SonatypeUrl'api/v2/applications?publicId='$SonatypeAppId)
+        IFS='"' read -a array <<< "$res"
+        echo 'Internal app ID: '${array[5]}
+        internalID=${array[5]}
+        curl -u $iqCredentials --location $SonatypeUrl'api/v2/spdx/'$internalID'/stages/'$SonatypeStage -H 'Accept: application/xml' > reports/$SonatypeAppId.spdx.json
+        echo 'Sonatype SBOM (SPDX): '
+        cat reports/$SonatypeAppId.spdx.json
+        
+    - name: Upload Sonatype SBOM (SPDX)
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ env.SonatypeAppId }} Sonatype SBOM (SPDX) 
+        path: reports/
+  #############################################               
+
+  cd:    
+    needs: [sonatype-scan, ci]
 
     runs-on: ubuntu-latest
     # when in primary repo: all commits to main branch and all additional tags