generate-sbom #482
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create SBOM for the release | |
# Inherited variables: | |
# github.event.client_payload.agentSpec - Current YAML Label | |
# github.event.client_payload.ReleaseID - Current release ID | |
# github.event.client_payload.imageVersion - AzDO image version "major.minor" | |
# github.event.client_payload.ReleaseBranchName - Necessary to identify workflow run | |
# | |
# Current SYFT tool issues: | |
# macOS (major): prompt privilegies that blocking process indefinetely (https://github.com/anchore/syft/issues/1367) | |
on: | |
repository_dispatch: | |
types: [generate-sbom] | |
defaults: | |
run: | |
shell: pwsh | |
jobs: | |
#Checking current release for SBOM | |
sbom-check: | |
outputs: | |
check_status: ${{ steps.check.outputs.status }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check release for ${{ github.event.client_payload.ReleaseBranchName }} | |
id: check | |
shell: pwsh | |
run: | | |
$apiUrl = "https://api.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}" | |
$response = Invoke-RestMethod -Uri $apiUrl -Method Get -SkipHttpErrorCheck | |
if ($response.message -ilike "Not Found") { | |
echo "status=release_not_found" >> $env:GITHUB_OUTPUT | |
Write-Error "Release ${{ github.event.client_payload.ReleaseID }} wasn't found" | |
exit 1 | |
} | |
foreach ($asset in $response.assets) { | |
if ($asset.name -like '*sbom*') { | |
echo "status=sbom_exists" >> $env:GITHUB_OUTPUT | |
return "Release ${{ github.event.client_payload.ReleaseID }} already contains a SBOM" | |
} | |
} | |
Write-Host "Release has been found, SBOM is not attached, starting generation." | |
echo "status=okay" >> $env:GITHUB_OUTPUT | |
#Generating SBOM | |
building-sbom: | |
needs: sbom-check | |
if: ${{ needs.sbom-check.outputs.check_status == 'okay' }} | |
runs-on: ${{ github.event.client_payload.agentSpec }} | |
steps: | |
- name: Available image version check for ${{ github.event.client_payload.ReleaseBranchName }} | |
run: | | |
$imageVersionComponents = $env:ImageVersion.Split('.') | |
$imageMajorVersion = $imageVersionComponents[0] | |
$imageMinorVersion = $imageVersionComponents[1] | |
if ("$imageMajorVersion.$imageMinorVersion" -ne '${{ github.event.client_payload.imageVersion }}') { | |
throw "Current runner $imageMajorVersion.$imageMinorVersion image version doesn't match ${{ github.event.client_payload.imageVersion }}." | |
} | |
- name: Install SYFT tool on Windows | |
if: ${{ runner.os == 'Windows' }} | |
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b D:/syft | |
- name: Install SYFT tool on Ubuntu or macOS | |
if: ${{ runner.os != 'Windows' }} | |
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v0.100.0 | |
#Running section. | |
- name: Run SYFT on Windows | |
if: ${{ runner.os == 'Windows' }} | |
run: D:/syft/syft dir:C:/ -vv -o spdx-json=sbom.json | |
- name: Run SYFT on Ubuntu | |
if: ${{ runner.os == 'Linux' }} | |
run: syft dir:/ -vv -o spdx-json=sbom.json | |
- name: Run SYFT on macOS | |
if: ${{ runner.os == 'macOS' }} | |
run: sudo syft dir:/ -vv -o spdx-json=sbom.json --exclude ./Users --exclude ./System/Volumes --exclude ./private | |
shell: bash | |
#Preparing artifact (raw SBOM.json is too big) | |
- name: Compress SBOM file | |
run: Compress-Archive sbom.json sbom.json.zip | |
#Upload artifact action | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-${{ github.event.client_payload.agentSpec }}-${{ github.event.client_payload.imageVersion }} | |
path: sbom.json.zip | |
if-no-files-found: warn | |
#Upload release asset action | |
#Might be changed to softprops/action-gh-release after additional check | |
- name: Upload release asset | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: "https://uploads.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}/assets{?name,label}" | |
asset_path: ./sbom.json.zip | |
asset_name: sbom.${{ github.event.client_payload.agentSpec }}.json.zip | |
asset_content_type: application/zip |