Add better github actions

interlynk-io · Jul 6, 2024 · 6a9dbe0 · 6a9dbe0
1 parent 634b36d
commit 6a9dbe0
Show file tree

Hide file tree

Showing 7 changed files with 384 additions and 118 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,8 +1,8 @@
-name: Create and publish a docker image to ghcr
+name: Release | Build GHCR image
 on:
   release:
-    types:
-      - created
+    types: [published]
+  workflow_dispatch:
 
 env:
     REGISTRY: ghcr.io
@@ -41,4 +41,4 @@ jobs:
           platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,9 +1,10 @@
-name: releaser
+name: Release | Build Binary
 
 on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
 
 jobs:
   releaser:
@@ -12,10 +13,10 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3 
         with:
           fetch-depth: 0
-      - run: git fetch --force --tags
+      - run: git fetch --force --tags 
       - uses: actions/setup-go@v3
         with:
           go-version: '>=1.20'
@@ -28,10 +29,10 @@ jobs:
       - name: Goreleaser
         uses: goreleaser/goreleaser-action@v4
         with:
-          install-only: true
+          install-only: true 
       - run: go version
-      - run: goreleaser -v
+      - run: goreleaser -v 
       - name: Releaser
-        run: make release
+        run: make release 
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
diff --git a/.github/workflows/sbom_dev.yml b/.github/workflows/sbom_dev.yml
@@ -0,0 +1,74 @@
+name: Dev | Build SBOM
+
+on:
+  push:
+    branches-ignore:
+      - 'main'
+  pull_request:
+    branches-ignore:
+      - 'main'
+  workflow_dispatch:
+
+env:
+    TOOL_NAME: ${{ github.repository }}
+    SUPPLIER_NAME: Interlynk
+    SUPPLIER_URL: https://interlynk.io
+    DEFAULT_TAG: v0.0.1
+    PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk
+    SBOM_TEMP_DIR: $RUNNER_TEMP/sbom
+    SBOM_ENV: development
+    MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+    MS_SBOM_SBOM_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json
+    SBOM_EXCLUDE_DIRS: "**/samples/**"
+
+
+jobs:
+  build-sbom:
+    name: Build SBOM
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3 
+        with:
+            fetch-depth: 0
+
+      - name: Get Tag
+        id: get_tag
+        run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV
+
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'  # Specify the Python version needed
+
+      - name: Checkout Python SBOM tool
+        run: |
+          git clone https://github.com/interlynk-io/pylynk.git ${{ env.PYLYNK_TEMP_DIR }}
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          git fetch --tags
+          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          git checkout $latest_tag
+          echo "Checked out pylynk at tag: $latest_tag"
+  
+      - name: Install Python dependencies
+        run: |
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          pip install -r requirements.txt
+
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          cd ${{ github.workspace }}
+          mkdir -p ${{ env.SBOM_TEMP_DIR}}
+          curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }}
+          chmod +x $RUNNER_TEMP/sbom-tool
+          $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . -pn ${{ env.TOOL_NAME }} -pv ${{ env.LATEST_TAG }} -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.SBOM_EXCLUDE_DIRS }}"
+
+      - name: Upload SBOM 
+        run: |
+          python3 ${{ env.PYLYNK_TEMP_DIR }}/pylynk.py --verbose upload --prod ${{env.TOOL_NAME}} --env ${{ env.SBOM_ENV }} --sbom ${{ env.MS_SBOM_SBOM_PATH }} --token ${{ secrets.INTERLYNK_SECURITY_TOKEN }}
+
diff --git a/.github/workflows/sbom_release.yml b/.github/workflows/sbom_release.yml
@@ -0,0 +1,67 @@
+name: Release | Build SBOM
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  TOOL_NAME: ${{ github.repository }}
+  SUPPLIER_NAME: Interlynk
+  SUPPLIER_URL: https://interlynk.io
+  DEFAULT_TAG: v0.0.1
+  PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk
+  SBOM_TEMP_DIR: $RUNNER_TEMP/sbom
+  SBOM_ENV: default
+  MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+  MS_SBOM_SBOM_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json
+  SBOM_EXCLUDE_DIRS: "**/samples/**"
+
+jobs:
+  build-sbom:
+    name: Build SBOM
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Get Tag
+        id: get_tag
+        run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.x" # Specify the Python version needed
+
+      - name: Checkout Python SBOM tool
+        run: |
+          git clone https://github.com/interlynk-io/pylynk.git ${{ env.PYLYNK_TEMP_DIR }}
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          git fetch --tags
+          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          git checkout $latest_tag
+          echo "Checked out pylynk at tag: $latest_tag"
+
+      - name: Install Python dependencies
+        run: |
+          cd ${{ env.PYLYNK_TEMP_DIR }}
+          pip install -r requirements.txt
+
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          cd ${{ github.workspace }}
+          mkdir -p ${{ env.SBOM_TEMP_DIR}}
+          curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }}
+          chmod +x $RUNNER_TEMP/sbom-tool
+          $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . -pn ${{ env.TOOL_NAME }} -pv ${{ env.LATEST_TAG }} -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.SBOM_EXCLUDE_DIRS }}"
+
+      - name: Upload SBOM
+        run: |
+          python3 ${{ env.PYLYNK_TEMP_DIR }}/pylynk.py --verbose upload --prod ${{env.TOOL_NAME}} --env ${{ env.SBOM_ENV }} --sbom ${{ env.MS_SBOM_SBOM_PATH }} --token ${{ secrets.INTERLYNK_SECURITY_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml