-
Notifications
You must be signed in to change notification settings - Fork 1
128 lines (117 loc) · 5.24 KB
/
generate-sboms.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
name: Generate SBOMs for all projects
# TODO: add trigger to run after we have published a release
# TODO: use GitHub's dependency submission API to submit the SBOMs to GitHub's dependency graph:
# https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
on:
workflow_dispatch:
jobs:
generate-sbom:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4
- name: setup java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
cache: 'gradle'
- name: generate a cyclonedx sbom for each project
run: >
./gradlew clean
core-api-library:library:cyclonedxBom
health-api-library:library:cyclonedxBom
bank-api-library:library:cyclonedxBom
health-sdk:sdk:cyclonedxBom
capture-sdk:sdk:cyclonedxBom
capture-sdk:default-network:cyclonedxBom
bank-sdk:sdk:cyclonedxBom
-PcreateSBOM=true
- name: validate cyclonedx sboms
shell: bash
run: |
curl -Lo cyclonedx https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.25.0/cyclonedx-linux-x64
chmod +x cyclonedx
./cyclonedx validate --input-file core-api-library/library/build/reports/gini-internal-core-api-lib-sbom.json
./cyclonedx validate --input-file health-api-library/library/build/reports/gini-health-api-lib-sbom.json
./cyclonedx validate --input-file bank-api-library/library/build/reports/gini-bank-api-lib-sbom.json
./cyclonedx validate --input-file health-sdk/sdk/build/reports/gini-health-sdk-sbom.json
./cyclonedx validate --input-file capture-sdk/sdk/build/reports/gini-capture-sdk-sbom.json
./cyclonedx validate --input-file capture-sdk/default-network/build/reports/gini-capture-sdk-default-network-sbom.json
./cyclonedx validate --input-file bank-sdk/sdk/build/reports/gini-bank-sdk-sbom.json
- name: zip the cyclonedx sboms
run: >
zip -rj sbom-jsons.zip
core-api-library/library/build/reports/gini-internal-core-api-lib-sbom.json
health-api-library/library/build/reports/gini-health-api-lib-sbom.json
bank-api-library/library/build/reports/gini-bank-api-lib-sbom.json
health-sdk/sdk/build/reports/gini-health-sdk-sbom.json
capture-sdk/sdk/build/reports/gini-capture-sdk-sbom.json
capture-sdk/default-network/build/reports/gini-capture-sdk-default-network-sbom.json
bank-sdk/sdk/build/reports/gini-bank-sdk-sbom.json
- name: archive the cyclonedx sboms
uses: actions/upload-artifact@v4
with:
name: CycloneDX SBOM JSONs
path: sbom-jsons.zip
# Step 2: Loop over each SBOM file and submit it
- name: Submit SBOMs to GitHub Dependency Graph
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_PASSWORD }}
run: |
sha=$(git rev-parse HEAD)
timestamp=$(date +%s)
correlatorName="${timestamp}_${GITHUB_WORKFLOW}"
json_sboms=(
"core-api-library/library/build/reports/gini-internal-core-api-lib-sbom.json"
"health-api-library/library/build/reports/gini-health-api-lib-sbom.json"
"bank-api-library/library/build/reports/gini-bank-api-lib-sbom.json"
"health-sdk/sdk/build/reports/gini-health-sdk-sbom.json"
"capture-sdk/sdk/build/reports/gini-capture-sdk-sbom.json"
"capture-sdk/default-network/build/reports/gini-capture-sdk-default-network-sbom.json"
"bank-sdk/sdk/build/reports/gini-bank-sdk-sbom.json"
)
echo "Submitting $sbom to GitHub Dependency Graph ${GITHUB_RUN_ID}"
manifests_json=""
for sbom in "${json_sboms[@]}"; do
sbom_name=$(basename "$sbom")
manifests_json+=$'
"'"$sbom_name"'": {
"name": "'"$sbom_name"'",
"file": {
"source_location": "'"$sbom"'"
}
},'
done
manifests_json="${manifests_json%?${manifests_json##*,}}"
payload=$(cat <<EOF
{
"version": 5,
"sha": "$sha",
"ref": "refs/heads/${GITHUB_REF#refs/heads/}",
"job": {
"correlator": "$correlatorName",
"id": "${GITHUB_RUN_ID}"
},
"detector": {
"name": "CycloneDX",
"version": "1.4",
"url": "https://cyclonedx.org"
},
"scanned": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"manifests": {
$manifests_json
}
}
EOF
)
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GITHUB_TOKEN" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/dependency-graph/snapshots \
-d "$payload"
# Step 3: Confirm Submission
- name: Confirm SBOM Submission
run: echo "SBOM submitted successfully"