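---
# Generates a CycloneDX SBOM for the Ruby (bundler) and JavaScript (yarn)
# dependencies of the hitobito core checkout, merges both documents into one
# and pushes the result to a Dependency-Track instance. The SBOM files are
# also kept as a workflow artifact so a failed upload can still be inspected.
name: Generate and push an SBOM dependency list

on:
  push:
    # Only when tagging a new version which will be deployed
    tags:
      - '*'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing below writes to the repository,
# checkout and submodule init only need read access.
permissions:
  contents: read

jobs:
  generate-and-push-sbom:
    # NOTE(review): GitHub has been retiring the ubuntu-20.04 hosted image;
    # confirm it is still available before relying on this job.
    runs-on: 'ubuntu-20.04'
    env:
      # Environment values are always strings in Actions; quoted so no YAML
      # loader turns it into a boolean.
      HEADLESS: 'true'
      RAILS_DB_ADAPTER: mysql2
      RAILS_DB_HOST: 127.0.0.1
      RAILS_DB_PORT: '33066'
      # Throwaway credentials for the ephemeral service container below;
      # they never leave the runner.
      RAILS_DB_USERNAME: hitobito
      RAILS_DB_PASSWORD: hitobito
      RAILS_DB_NAME: hitobito_test
      RAILS_TEST_DB_NAME: hitobito_test
    services:
      mysql:
        image: 'mysql:5.7'
        env:
          MYSQL_USER: 'hitobito'
          MYSQL_PASSWORD: 'hitobito'
          MYSQL_DATABASE: 'hitobito_test'
          MYSQL_ROOT_PASSWORD: 'root'
        ports:
          - '33066:3306'
        options: >-
          --health-cmd "mysqladmin ping"
          --health-interval 10s
          --health-timeout 10s
          --health-retries 10
      memcached:
        image: 'memcached'
        ports:
          - '11211:11211'
    steps:
      # NOTE(review): third-party actions are referenced by mutable tags
      # (@v3, @v1, @v2). Pinning each `uses:` to a full commit SHA
      # (`actions/checkout@<full-sha>  # v3`) protects the SBOM pipeline
      # itself against a compromised or retagged action.
      - name: 'Checkout composition repository'
        uses: actions/checkout@v3
      - name: 'Checkout hitobito core submodule and wagon submodules'
        run: git submodule update --init --recursive
      - name: 'Set up Ruby'
        env:
          ImageOS: ubuntu20
        uses: ruby/setup-ruby@v1
        with:
          working-directory: hitobito
      - name: 'Set up Node'
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: 'Setup OS'
        run: |
          sudo apt-get -qq update
          # -y: there is no tty to answer apt's confirmation prompt in CI.
          sudo apt-get install -y sphinxsearch
          echo "ruby version: $(ruby -v)"
          echo "node version: $(node -v)"
          echo "yarn version: $(yarn -v)"
      - name: 'Copy Wagonfile.ci'
        working-directory: hitobito
        run: |
          cp -v Wagonfile.ci Wagonfile
      # The backup copy is hashed for the cache key because `bundle install`
      # below may rewrite Gemfile.lock itself.
      - name: 'Create cache key'
        working-directory: hitobito
        run: cp Gemfile.lock Gemfile.lock.backup
      - uses: actions/cache@v3
        with:
          path: hitobito/vendor/bundle
          key: ${{ runner.os }}-ruby-bundle-${{ hashFiles('**/Gemfile.lock.backup') }}
          restore-keys: |
            ${{ runner.os }}-ruby-bundle-
      # NOTE(review): the workflow_dispatch trigger above declares no inputs,
      # so `inputs.wagon_dependency_repository` appears to be empty on every
      # run and this step never executes. Either declare the input or drop
      # the step.
      - uses: actions/cache@v3
        if: ${{ inputs.wagon_dependency_repository != '' }}
        with:
          path: ${{ inputs.wagon_dependency_repository }}/vendor/bundle
          key: ${{ runner.os }}-ruby-bundle-${{ hashFiles('**/Gemfile.lock.backup') }}
          restore-keys: |
            ${{ runner.os }}-ruby-bundle-
      # Commented out for now because we would have to loop over all used wagons doing this
      # - uses: actions/cache@v3
      #   with:
      #     path: ${{ env.WAGON_NAME }}/vendor/bundle
      #     key: ${{ runner.os }}-ruby-bundle-${{ hashFiles('**/Gemfile.lock.backup') }}
      #     restore-keys: |
      #       ${{ runner.os }}-ruby-bundle-
      - name: 'Bundle install core'
        working-directory: hitobito
        run: |
          bundle install --jobs 4 --retry 3 --path vendor/bundle
      - name: 'Make changes to Gemfile.lock transparent'
        working-directory: hitobito
        run: |
          git diff Gemfile.lock || true
      # - name: 'Bundle install wagons'
      #   run: |
      #     hitobito_dir=$(realpath ./)
      #     for d in $hitobito_dir/../hitobito_*; do
      #       cd $d
      #       cp -v $hitobito_dir/Gemfile.lock ./
      #       bundle install --jobs 4 --retry 3 --path vendor/bundle
      #     done
      - uses: actions/cache@v3
        with:
          path: hitobito/node_modules
          key: ${{ runner.os }}-node_modules-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-node_modules-
      - name: 'Yarn install'
        working-directory: hitobito
        run: |
          yarn install --frozen-lockfile
      # NOTE(review): this deletes the directories the two cache steps above
      # save in their post-job phase (hitobito/vendor/bundle and
      # hitobito/node_modules), so those caches are presumably never
      # populated — confirm whether that is intended.
      - name: 'Remove installed dependency code, because lockfiles in there would yield false positives with cdxgen. We are only interested in our own lockfiles.'
        working-directory: hitobito
        run: |
          rm -rf vendor
          rm -rf node_modules
      # The SBOM generator is part of the supply chain it documents: an
      # unpinned `npm install -g` fetches whatever the registry serves at
      # run time. TODO(review): pin it (`@appthreat/cdxgen@<version>`) and
      # install once instead of once per SBOM type.
      - name: 'Install cdxgen'
        run: |
          npm install -g @appthreat/cdxgen
      - name: 'Generate SBOM for ruby dependencies'
        working-directory: hitobito
        env:
          SCAN_DEBUG_MODE: debug
        run: |
          cdxgen -o ./sbom-ruby.xml -t ruby .
      - name: 'Generate SBOM for npm dependencies'
        working-directory: hitobito
        run: |
          cdxgen -o ./sbom-npm.xml -t npm .
      # TODO(review): the merge tool image is unpinned (implicit :latest);
      # pin it to a tag or digest (`cyclonedx/cyclonedx-cli@<digest>`).
      - name: 'Merge frontend and backend SBOMs'
        working-directory: hitobito
        run: |
          docker run --rm -v "$(pwd)":/data cyclonedx/cyclonedx-cli merge \
            --input-files data/sbom-ruby.xml data/sbom-npm.xml \
            --output-file data/sbom.xml
      # Secrets and the tag name are handed to the script through `env:`
      # rather than expanded with `${{ }}` inside `run:`, so their contents
      # are never spliced into the shell source text. No `--verbose`: it
      # would print the request headers, X-Api-Key included, into the job
      # log. `--fail` makes a rejected upload (e.g. 401/403) fail the step
      # instead of passing silently.
      - name: 'Push merged SBOM to dependency track'
        env:
          PROJECT_NAME: hitobito-die-mitte
          PROJECT_VERSION: ${{ github.ref_name }}
          DEPENDENCY_TRACK_URL: ${{ secrets.DEPENDENCY_TRACK_URL }}
          DEPENDENCY_TRACK_API_KEY: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
        working-directory: hitobito
        run: |
          curl -sS --fail --location --request POST "${DEPENDENCY_TRACK_URL}/api/v1/bom" \
            --header "X-Api-Key: ${DEPENDENCY_TRACK_API_KEY}" \
            --header "Content-Type: multipart/form-data" \
            --form "autoCreate=true" \
            --form "projectName=${PROJECT_NAME:-$GITHUB_REPOSITORY}" \
            --form "projectVersion=${PROJECT_VERSION:-$GITHUB_REF}" \
            --form "bom=@sbom.xml"
      # NOTE(review): upload-artifact@v2 is a deprecated major version;
      # consider moving to a supported one once its output naming has been
      # checked against anything that consumes the 'sboms' artifact.
      - uses: actions/upload-artifact@v2
        if: always()
        with:
          name: sboms
          path: |
            ./hitobito/sbom-npm.xml
            ./hitobito/sbom-ruby.xml
            ./hitobito/sbom.xml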