Upload to GitHub api #201

Merged
merged 5 commits into from Mar 18, 2022

kzantow
Contributor

@kzantow kzantow commented Feb 17, 2022

This implements #190 - uploading to a dependency snapshot API. Syft has added support for exporting this format; this action fills in the missing pieces relating to the commit and job, and also automatically uploads this if the dependency-snapshot option is provided. It is possible to test this PR directly if the snapshot API is enabled, using something like:

```yaml
- uses: kzantow-anchore/sbom-action@upload-to-github-api
  with:
    path: .
    dependency-snapshot: true
```

As part of this work, it was necessary to run against Syft changes that were not in a release, so a syft-version flag has been added, which, if it matches a repository download URL, allows running from a specific repo/branch. This happens to also fix #126.

@kzantow kzantow linked an issue Feb 18, 2022 that may be closed by this pull request
const repo =
/https:..github.com.([-\w]+).([-\w]+).archive.refs.heads.([-\w]+).zip/;

export async function downloadSyftFromZip(url: string): Promise<string> {
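
Review bot: the `repo` pattern uses a bare `.` for every separator and has no `^` or `$` anchors, so it also matches strings that are not a github.com branch archive URL: any character can stand in for the `/` and `.` positions, and the match may sit anywhere inside a longer string. Because this pattern sits beside `downloadSyftFromZip(url)`, escape the literal characters and anchor it, for example `/^https:\/\/github\.com\/([-\w]+)\/([-\w]+)\/archive\/refs\/heads\/([-\w]+)\.zip$/`, or parse the value as a URL and compare the hostname exactly.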
Contributor Author


Might want to remove this; it is useful for testing something in a Syft PR
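
The PR description says a syft-version value that matches a repository download URL is run from that repo/branch. As an added example (not code from this pull request), the TypeScript below compares the quoted pattern with a strict parser for that URL shape; `toUrl`, `parseBranchArchiveUrl`, `ArchiveRef` and every sample input are hypothetical and constructed here.

```typescript
// Added example, not code from this pull request; all names are hypothetical.

// The pattern as quoted in the review snippet: bare "." separators, no anchors.
const loosePattern =
  /https:..github.com.([-\w]+).([-\w]+).archive.refs.heads.([-\w]+).zip/;

interface ArchiveRef {
  owner: string;
  repo: string;
  branch: string;
}

function toUrl(input: string): URL | null {
  try {
    return new URL(input);
  } catch {
    return null; // not an absolute URL, e.g. a plain version string
  }
}

// Accept only https://github.com/<owner>/<repo>/archive/refs/heads/<branch>.zip
function parseBranchArchiveUrl(input: string): ArchiveRef | null {
  const u = toUrl(input);
  if (u === null) return null;
  // Exact scheme and host; no port, credentials, query or fragment.
  if (u.protocol !== "https:" || u.hostname !== "github.com") return null;
  if (u.port || u.username || u.password || u.search || u.hash) return null;
  // Escaped, anchored path check with the same [-\w]+ name class.
  const m = /^\/([-\w]+)\/([-\w]+)\/archive\/refs\/heads\/([-\w]+)\.zip$/.exec(u.pathname);
  if (m === null) return null;
  return { owner: m[1], repo: m[2], branch: m[3] };
}

// Constructed inputs (not taken from the page).
const samples: string[] = [
  "https://github.com/anchore/syft/archive/refs/heads/main.zip",
  "https://github-com.example.invalid/archive/refs/heads/main.zip",
  "https://example.invalid/?u=https://github.com/o/r/archive/refs/heads/b.zip",
  "v0.0.0",
];

for (const s of samples) {
  const strict = parseBranchArchiveUrl(s) ? "strict: accept" : "strict: reject";
  console.log(loosePattern.test(s) ? "loose: match   " : "loose: no match", strict, s);
}
```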

@kzantow kzantow marked this pull request as ready for review March 16, 2022 18:04
@kzantow kzantow requested a review from a team March 16, 2022 18:05
Signed-off-by: Keith Zantow <kzantow@gmail.com>
action.yml (outdated, resolved)
src/github/SyftGithubAction.ts (outdated, resolved)
src/github/GithubClient.ts (resolved)
tests/integration/GitHubSnapshot.test.ts (outdated, resolved)
tests/integration/GitHubSnapshot.test.ts (resolved)
Contributor

@luhring luhring left a comment


Cool!

@kzantow kzantow merged commit 8162166 into anchore:main Mar 18, 2022
@kzantow kzantow deleted the upload-to-github-api branch March 18, 2022 16:59

Successfully merging this pull request may close these issues.

Support GitHub API integration
allow to specify which version of Syft they want to use
2 participants