Merge pull request #73 from interlynk-io/feature/modernize-actions

modernize github actions
interlynk-io · Jul 7, 2024 · 7db01d9 · 7db01d9
2 parents 1f00e01 + 00630fb
commit 7db01d9
Show file tree

Hide file tree

Showing 9 changed files with 192 additions and 144 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,8 +1,8 @@
-name: GHCR Publishing
+name: Release | Build GHCR image
 on:
   release:
-    types:
-      - created
+    types: [published]
+  workflow_dispatch:
 
 env:
     REGISTRY: ghcr.io
@@ -38,7 +38,7 @@ jobs:
         uses: docker/build-push-action@v2
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,9 +1,10 @@
-name: releaser
+name: Release | Build Binary
 
 on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
 
 jobs:
   releaser:
@@ -21,6 +22,10 @@ jobs:
           go-version: '>=1.20'
           check-latest: true
           cache: true
+      - name: Download syft binary
+        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+      - name: Run syft
+        run: syft version
       - name: Goreleaser
         uses: goreleaser/goreleaser-action@v4
         with:

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
diff --git a/.github/workflows/sbom_dev.yml b/.github/workflows/sbom_dev.yml
@@ -0,0 +1,74 @@
+name: Dev | Build SBOM
+
+on:
+  push:
+    branches-ignore:
+      - 'main'
+  pull_request:
+    branches-ignore:
+      - 'main'
+  workflow_dispatch:
+
+env:
+    TOOL_NAME: ${{ github.repository }}
+    SUPPLIER_NAME: Interlynk
+    SUPPLIER_URL: https://interlynk.io
+    DEFAULT_TAG: v0.0.1
+    PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk
+    SBOM_TEMP_DIR: $RUNNER_TEMP/sbom
+    SBOM_ENV: development
+    MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+    MS_SBOM_SBOM_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json
+    SBOM_EXCLUDE_DIRS: "**/samples/**"
+
+
+jobs:
+  build-sbom:
+    name: Build SBOM
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3 
+        with:
+            fetch-depth: 0
+
+      - name: Get Tag
+        id: get_tag
+        run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV
+
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'  # Specify the Python version needed
+
+      - name: Checkout Python SBOM tool
+        run: |
+          git clone https://github.com/interlynk-io/pylynk.git ${{ env.PYLYNK_TEMP_DIR }}
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          git fetch --tags
+          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          git checkout $latest_tag
+          echo "Checked out pylynk at tag: $latest_tag"
+  
+      - name: Install Python dependencies
+        run: |
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          pip install -r requirements.txt
+
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          cd ${{ github.workspace }}
+          mkdir -p ${{ env.SBOM_TEMP_DIR}}
+          curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }}
+          chmod +x $RUNNER_TEMP/sbom-tool
+          $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . -pn ${{ env.TOOL_NAME }} -pv ${{ env.LATEST_TAG }} -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.SBOM_EXCLUDE_DIRS }}"
+
+      - name: Upload SBOM 
+        run: |
+          python3 ${{ env.PYLYNK_TEMP_DIR }}/pylynk.py --verbose upload --prod ${{env.TOOL_NAME}} --env ${{ env.SBOM_ENV }} --sbom ${{ env.MS_SBOM_SBOM_PATH }} --token ${{ secrets.INTERLYNK_SECURITY_TOKEN }}
+
diff --git a/.github/workflows/sbom_release.yml b/.github/workflows/sbom_release.yml
@@ -0,0 +1,67 @@
+name: Release | Build SBOM
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  TOOL_NAME: ${{ github.repository }}
+  SUPPLIER_NAME: Interlynk
+  SUPPLIER_URL: https://interlynk.io
+  DEFAULT_TAG: v0.0.1
+  PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk
+  SBOM_TEMP_DIR: $RUNNER_TEMP/sbom
+  SBOM_ENV: default
+  MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+  MS_SBOM_SBOM_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json
+  SBOM_EXCLUDE_DIRS: "**/samples/**"
+
+jobs:
+  build-sbom:
+    name: Build SBOM
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Get Tag
+        id: get_tag
+        run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.x" # Specify the Python version needed
+
+      - name: Checkout Python SBOM tool
+        run: |
+          git clone https://github.com/interlynk-io/pylynk.git ${{ env.PYLYNK_TEMP_DIR }}
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          git fetch --tags
+          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          git checkout $latest_tag
+          echo "Checked out pylynk at tag: $latest_tag"
+
+      - name: Install Python dependencies
+        run: |
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          pip install -r requirements.txt
+
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          cd ${{ github.workspace }}
+          mkdir -p ${{ env.SBOM_TEMP_DIR}}
+          curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }}
+          chmod +x $RUNNER_TEMP/sbom-tool
+          $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . -pn ${{ env.TOOL_NAME }} -pv ${{ env.LATEST_TAG }} -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.SBOM_EXCLUDE_DIRS }}"
+
+      - name: Upload SBOM
+        run: |
+          python3 ${{ env.PYLYNK_TEMP_DIR }}/pylynk.py --verbose upload --prod ${{env.TOOL_NAME}} --env ${{ env.SBOM_ENV }} --sbom ${{ env.MS_SBOM_SBOM_PATH }} --token ${{ secrets.INTERLYNK_SECURITY_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,19 +1,29 @@
-FROM golang:1.20-alpine AS builder
+FROM golang:1.22.2-alpine AS builder
 LABEL org.opencontainers.image.source="https://github.com/interlynk-io/sbomgr"
 
 RUN apk add --no-cache make git
 WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
+
 RUN make ; make build
 
 FROM scratch
 LABEL org.opencontainers.image.source="https://github.com/interlynk-io/sbomgr"
-LABEL org.opencontainers.image.description="SBOM Grep - Search through SBOMs"
+LABEL org.opencontainers.image.description="Search through SBOMs"
 LABEL org.opencontainers.image.licenses=Apache-2.0
 
+COPY --from=builder /bin/sh /bin/grep /bin/busybox /bin/touch /bin/chmod /bin/mkdir /bin/date /bin/cat /bin/
+COPY --from=builder /etc/ssl/certs /etc/ssl/certs
+COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+COPY --from=builder /tmp /tmp
+COPY --from=builder /usr/bin /usr/bin
+
+# Copy our static executable
 COPY --from=builder /app/build/sbomgr /app/sbomgr
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-ENTRYPOINT [ "/app/sbomgr" ]
+# Disable version check
+ENV INTERLYNK_DISABLE_VERSION_CHECK=true
+
+ENTRYPOINT [ "/app/sbomgr" ]
diff --git a/go.mod b/go.mod
@@ -5,15 +5,15 @@ go 1.21
 toolchain go1.21.5
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.8.0
+	github.com/CycloneDX/cyclonedx-go v0.9.0
 	github.com/google/go-github/v52 v52.0.0
 	github.com/google/uuid v1.6.0
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/spdx/tools-golang v0.5.4
-	github.com/spf13/cobra v1.8.0
+	github.com/spdx/tools-golang v0.5.5
+	github.com/spf13/cobra v1.8.1
 	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
-	sigs.k8s.io/release-utils v0.8.1
+	sigs.k8s.io/release-utils v0.8.2
 )
 
 require (
@@ -24,7 +24,7 @@ require (
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
-	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/cloudflare/circl v1.3.9 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -33,9 +33,9 @@ require (
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/oauth2 v0.19.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )