From b14c1db23ef1efe7880f6647652b00c058cdbcd6 Mon Sep 17 00:00:00 2001
From: Alexander Plattel
Date: Wed, 23 Oct 2024 12:12:14 -0400
Subject: [PATCH 1/5] Update ci-cd.yml
---
 .github/workflows/ci-cd.yml | 56 ++++++++++++++++++++++++++-----------
 1 file changed, 39 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index b937160..bbcd6fe 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -178,28 +178,50 @@ jobs: # path: depCache/ - name: Sonatype Lifecycle SCA Scan - uses: sonatype-nexus-community/iq-github-action@main + uses: sonatype/actions/evaluate@v1 with: + iq-server-url: ${{ env.SonatypeUrl }} username: ${{ secrets.SONATYPE_SCANNER_USERNAME }} password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }} - serverUrl: ${{ env.SonatypeUrl }} - applicationId: ${{ env.SonatypeAppId }} + application-id: ${{ env.SonatypeAppId }} stage: ${{ env.SonatypeStage }} - target: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} + scan-targets: ${{ env.SonatypeScanTarget }} + module-exclude: ${{ env.ExcludeDirectory }} - - name: Retrieve Sonatype SBOM (SPDX) - if: always() - run: | - mkdir reports/ - iqCredentials="${{ secrets.SONATYPE_SCANNER_USERNAME }}:${{ secrets.SONATYPE_SCANNER_PASSWORD }}" - echo 'Get internal app ID for public ID: '$SonatypeAppId - res=$(curl -u $iqCredentials --location $SonatypeUrl'api/v2/applications?publicId='$SonatypeAppId) - IFS='"' read -a array <<< "$res" - echo 'Internal app ID: '${array[5]} - internalID=${array[5]} - curl -u $iqCredentials --location $SonatypeUrl'api/v2/spdx/'$internalID'/stages/'$SonatypeStage -H 'Accept: application/xml' > reports/$SonatypeAppId.spdx.json - echo 'Sonatype SBOM (SPDX): ' - cat reports/$SonatypeAppId.spdx.json + - name: Save Sonatype SBOM + uses: sonatype/actions/fetch-sbom@v1 + if: ( success() || failure() ) && steps.evaluate.outputs.scan-id + with: + iq-server-url: https://finos.sonatype.app/platform/ + username: ${{ secrets.SONATYPE_SCANNER_USERNAME }} + password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }} + application-id: ${{ env.SonatypeAppId }} + scan-id: ${{ steps.evaluate.outputs.scan-id }} + sbom-standard: spdx + sbom-version: 2.3 + artifact-name: ${{ env.SonatypeAppId }}-bom + # uses: sonatype-nexus-community/iq-github-action@main + # with: + # username: ${{ secrets.SONATYPE_SCANNER_USERNAME }} + # password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }} + # serverUrl: ${{ 
env.SonatypeUrl }} + # applicationId: ${{ env.SonatypeAppId }} + # stage: ${{ env.SonatypeStage }} + # target: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} + + # - name: Retrieve Sonatype SBOM (SPDX) + # if: always() + # run: | + # mkdir reports/ + # iqCredentials="${{ secrets.SONATYPE_SCANNER_USERNAME }}:${{ secrets.SONATYPE_SCANNER_PASSWORD }}" + # echo 'Get internal app ID for public ID: '$SonatypeAppId + # res=$(curl -u $iqCredentials --location $SonatypeUrl'api/v2/applications?publicId='$SonatypeAppId) + # IFS='"' read -a array <<< "$res" + # echo 'Internal app ID: '${array[5]} + # internalID=${array[5]} + # curl -u $iqCredentials --location $SonatypeUrl'api/v2/spdx/'$internalID'/stages/'$SonatypeStage -H 'Accept: application/xml' > reports/$SonatypeAppId.spdx.json + # echo 'Sonatype SBOM (SPDX): ' + # cat reports/$SonatypeAppId.spdx.json - name: Upload Sonatype SBOM (SPDX) if: always()
From 5eaf2560acba77110c8becc45a5c4872808c84ea Mon Sep 17 00:00:00 2001
From: Alexander Plattel
Date: Wed, 23 Oct 2024 12:17:57 -0400
Subject: [PATCH 2/5] Update ci-cd.yml
---
 .github/workflows/ci-cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index bbcd6fe..97ec755 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -151,7 +151,7 @@ jobs:
 ############### SONATYPE SCAN ###############
 sonatype-scan:
- if: github.repository_owner == 'finos'
+ # if: github.repository_owner == 'finos'
 needs: [ci]
 runs-on: ubuntu-latest
 steps:
From 5adf9128a607b1c4c06eb632d09562596ea5714d Mon Sep 17 00:00:00 2001
From: Alexander Plattel
Date: Wed, 23 Oct 2024 12:28:57 -0400
Subject: [PATCH 3/5] Update ci-cd.yml
---
 .github/workflows/ci-cd.yml | 37 +++++--------------------------------
 1 file changed, 5 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 97ec755..08f1263 100644
--- a/.github/workflows/ci-cd.yml
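Review bot: The new Save Sonatype SBOM step is gated on and reads `steps.evaluate.outputs.scan-id`, but no step in this hunk declares `id: evaluate` — the Sonatype Lifecycle SCA Scan step carries only `name`, `uses` and `with` — so the output is empty, the `if` is never true and the SBOM is never fetched. Add `id: evaluate` directly under `- name: Sonatype Lifecycle SCA Scan`. The fetch step also hard-codes `iq-server-url: https://finos.sonatype.app/platform/` while the scan step reads `${{ env.SonatypeUrl }}`; using the env value in both keeps the scanner credentials bound to the single configured endpoint. Both `sonatype/actions/*@v1` references are mutable tags; pinning them to a full commit SHA (tag noted in a trailing comment) gives the job a reproducible supply chain.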
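Review bot: Commenting out `if: github.repository_owner == 'finos'` makes sonatype-scan run in every fork of the repository, where the `SONATYPE_SCANNER_USERNAME`/`PASSWORD` secrets it consumes are empty and the evaluate step can only fail, and because `cd` declares `needs: [sonatype-scan, ci]` that failure also blocks the release job. This reads as a temporary toggle for testing (patch 5/5 puts the line back verbatim); if so, squash the two commits so the guard is never absent in history, and do not leave the commented-out key behind as dead configuration.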
+++ b/.github/workflows/ci-cd.yml
@@ -149,7 +149,9 @@ jobs:
 out/morphir/${{matrix.scala}}/**/native/
 key: ${{ runner.os }}-mill-native-${{matrix.java}}-${{ matrix.scala }}-${{ github.sha }}-${{ hashFiles('out') }}
- ############### SONATYPE SCAN ###############
+ ###########################
+ ## Sonatype SCA Scanning ##
+ ###########################
 sonatype-scan:
 # if: github.repository_owner == 'finos'
 needs: [ci]
@@ -190,7 +192,7 @@ jobs:
 - name: Save Sonatype SBOM
 uses: sonatype/actions/fetch-sbom@v1
- if: ( success() || failure() ) && steps.evaluate.outputs.scan-id
+ if: alway() && steps.evaluate.outputs.scan-id
 with:
 iq-server-url: https://finos.sonatype.app/platform/
 username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
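Review bot: `if: alway() && steps.evaluate.outputs.scan-id` calls a function that does not exist in the GitHub Actions expression language, so the workflow fails validation until patch 4/5 corrects the spelling; the two commits should be squashed. The condition it replaces, `( success() || failure() )`, deliberately left cancelled runs out, whereas `always()` (the form patch 4/5 settles on in the same hunk) runs the fetch on cancellation too; `if: ${{ !cancelled() && steps.evaluate.outputs.scan-id }}` keeps the original semantics, with the `${{ }}` wrapper required because a plain scalar starting with `!` is a YAML tag. Independently of the spelling, as far as this series shows the scan step never gets a matching `id: evaluate`, so the condition evaluates to false either way.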
@@ -200,36 +202,7 @@ jobs:
 sbom-standard: spdx sbom-version: 2.3 artifact-name: ${{ env.SonatypeAppId }}-bom - # uses: sonatype-nexus-community/iq-github-action@main - # with: - # username: ${{ secrets.SONATYPE_SCANNER_USERNAME }} - # password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }} - # serverUrl: ${{ env.SonatypeUrl }} - # applicationId: ${{ env.SonatypeAppId }} - # stage: ${{ env.SonatypeStage }} - # target: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} - - # - name: Retrieve Sonatype SBOM (SPDX) - # if: always() - # run: | - # mkdir reports/ - # iqCredentials="${{ secrets.SONATYPE_SCANNER_USERNAME }}:${{ secrets.SONATYPE_SCANNER_PASSWORD }}" - # echo 'Get internal app ID for public ID: '$SonatypeAppId - # res=$(curl -u $iqCredentials --location $SonatypeUrl'api/v2/applications?publicId='$SonatypeAppId) - # IFS='"' read -a array <<< "$res" - # echo 'Internal app ID: '${array[5]} - # internalID=${array[5]} - # curl -u $iqCredentials --location $SonatypeUrl'api/v2/spdx/'$internalID'/stages/'$SonatypeStage -H 'Accept: application/xml' > reports/$SonatypeAppId.spdx.json - # echo 'Sonatype SBOM (SPDX): ' - # cat reports/$SonatypeAppId.spdx.json - - - name: Upload Sonatype SBOM (SPDX) - if: always() - uses: actions/upload-artifact@v4 - with: - name: ${{ env.SonatypeAppId }} Sonatype SBOM (SPDX) - path: reports/ - ############################################# + cd: needs: [sonatype-scan, ci]
From 5e4c9c39d9f7c38b3073b64fa5ac1aaa075c2d28 Mon Sep 17 00:00:00 2001
From: Alexander Plattel
Date: Wed, 23 Oct 2024 12:50:43 -0400
Subject: [PATCH 4/5] Update ci-cd.yml
---
 .github/workflows/ci-cd.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 08f1263..af14c40 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -192,7 +192,7 @@ jobs:
 - name: Save Sonatype SBOM
 uses: sonatype/actions/fetch-sbom@v1
- if: alway() && steps.evaluate.outputs.scan-id
+ if: always() && steps.evaluate.outputs.scan-id
 with:
 iq-server-url: https://finos.sonatype.app/platform/
 username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
@@ -206,7 +206,6 @@ jobs:
 cd:
 needs: [sonatype-scan, ci]
- runs-on: ubuntu-latest
 # when in primary repo: all commits to main branch and all additional tags
 if: github.repository == 'finos/morphir-jvm' && ( github.ref == 'refs/heads/main' || (github.ref != 'refs/heads/main' && startsWith( github.ref, 'refs/tags/') ) )
From 85c6d4a442974569f6fc6e40533f9712e4395fdd Mon Sep 17 00:00:00 2001
From: Alexander Plattel
Date: Fri, 25 Oct 2024 11:05:37 -0400
Subject: [PATCH 5/5] Update ci-cd.yml
---
 .github/workflows/ci-cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index af14c40..da2157f 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -153,7 +153,7 @@ jobs:
 ## Sonatype SCA Scanning ##
 ###########################
 sonatype-scan:
- # if: github.repository_owner == 'finos'
+ if: github.repository_owner == 'finos'
 needs: [ci]
 runs-on: ubuntu-latest
 steps:
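Review bot: Removing `runs-on: ubuntu-latest` leaves the `cd` job with `needs`, a comment and `if` and no visible runner, and the workflow validator rejects a job without `runs-on`; the hunk's context is too short to tell whether a second `runs-on` further down the job (which would make this the removal of a duplicate key) is what motivates the deletion. If that is the reason, say so in the commit message — all five commits in this series are titled "Update ci-cd.yml", which gives a reviewer nothing to go on. The body of the `cd` job continues outside the hunk.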
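Review bot: Restoring `if: github.repository_owner == 'finos'` gates sonatype-scan on the owner of the repository the workflow runs in, which is still `finos` for a `pull_request` run opened from a fork, while the `SONATYPE_SCANNER_*` secrets the job needs are not handed to fork pull requests; if this workflow is also triggered on pull_request (its `on:` block is outside the diff), the evaluate step would fail for every outside contributor. For that case a tighter guard is `if: github.repository_owner == 'finos' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`. As this commit reverts 2/5 line for line, the pair could be squashed out of the series.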