Merge branch 'sbom' into javi-gcp-images-sbom

Author: javihernandez

.github/actions/shared-steps/action.yml

@@ -393,6 +393,26 @@ runs:
         # Install ansible
         sudo ${{ env.runner_os == 'ubuntu' && 'apt-get' || 'dnf -q' }} -y install ansible
 
+    - name: Clone SBOM tools
+      shell: bash
+      run: |
+        rm -rf sbom-tools
+        git clone --depth=1 https://github.com/javihernandez/cloud-images-sbom-tools.git sbom-tools
+
+    - name: Set up Python and install generator deps
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+        cache: 'pip'
+        cache-dependency-path: sbom-tools/requirements.txt
+
+    - name: Create venv and install
+      shell: bash
+      run: |
+        python -m venv .venv-sbom
+        . .venv-sbom/bin/activate
+        pip install -r sbom-tools/requirements.txt
+
     - name: Initialize packer
       shell: bash
       run: sudo /usr/bin/packer init -upgrade .
@@ -419,66 +439,66 @@ runs:
         echo "IMAGE_NAME=$(basename ${image_file})" >> $GITHUB_ENV
 
         # don't fail if this doesn't exist, we may not always generate it
-        sudo mv repo-metadata-*.txt $(basename ${image_file}).repo-metadata.txt || true
-
-    - id: 'google-auth-dev-images'
-      if: env.IMAGE_TYPE == 'gcp'
-      uses: 'google-github-actions/auth@v2'
-      with:
-        workload_identity_provider: 'projects/443728870479/locations/global/workloadIdentityPools/github-actions/providers/github'
-        service_account: 'github-actions-cloud-images@almalinux-dev-images-469421.iam.gserviceaccount.com'
-    
-    - name: 'Set up Google Cloud SDK'
-      if: env.IMAGE_TYPE == 'gcp'
-      uses: 'google-github-actions/[email protected]'
-
-    - name: 'Upload output to GCP storage bucket'
-      if: env.IMAGE_TYPE == 'gcp'
-      shell: bash
-      run: gcloud storage cp ${{ env.IMAGE_FILE }} gs://almalinux-images-dev/almalinux-${version_major}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}-v$(date +'%Y%m%d')/root.tar.gz
-
-    - name: Clone gce_image_publish repo
-      if: env.IMAGE_TYPE == 'gcp'
-      uses: actions/checkout@v5
-      with:
-        path: compute-image-tools
-        repository: GoogleCloudPlatform/compute-image-tools
-        ref: "20250916.00"
-
-    - name: Build gce_image_publish tool
-      if: env.IMAGE_TYPE == 'gcp'
-      shell: bash
-      run: |
-        # we need golang
-        case ${{ env.runner_os }} in
-          ubuntu)
-            sudo apt update
-            sudo apt-get -y install golang-go
-            ;;
-          rhel)
-            sudo dnf -y -q install golang
-            ;;
-        esac
-        # print golang version for reference
-        go version
-        # Build gce_image_publish tool
-        cd compute-image-tools/cli_tools/gce_image_publish
-        go mod tidy
-        go install
-
-    - name: Create test image on GCP
-      if: env.IMAGE_TYPE == 'gcp'
-      shell: bash
-      run: |
-        /home/$USER/go/bin/gce_image_publish \
-          -var:environment=test \
-          -skip_confirmation \
-          -rollout_rate=0 \
-          -publish_project="almalinux-dev-images-469421" \
-          -work_project="almalinux-dev-images-469421" \
-          -replace \
-          -source_gcs_path="gs://almalinux-images-dev/" \
-          vm-scripts/gcp/almalinux_${version_major}${{ inputs.arch == 'aarch64' && '_arm64' || '' }}.publish.json
+        # sudo mv repo-metadata-*.txt $(basename ${image_file}).repo-metadata.txt || true
+
+    #- id: 'google-auth-dev-images'
+    #  if: env.IMAGE_TYPE == 'gcp'
+    #  uses: 'google-github-actions/auth@v2'
+    #  with:
+    #    workload_identity_provider: 'projects/443728870479/locations/global/workloadIdentityPools/github-actions/providers/github'
+    #    service_account: 'github-actions-cloud-images@almalinux-dev-images-469421.iam.gserviceaccount.com'
+    #
+    #- name: 'Set up Google Cloud SDK'
+    #  if: env.IMAGE_TYPE == 'gcp'
+    #  uses: 'google-github-actions/[email protected]'
+
+    #- name: 'Upload output to GCP storage bucket'
+    #  if: env.IMAGE_TYPE == 'gcp'
+    #  shell: bash
+    #  run: gcloud storage cp ${{ env.IMAGE_FILE }} gs://almalinux-images-dev/almalinux-${version_major}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}-v$(date +'%Y%m%d')/root.tar.gz
+
+    #- name: Clone gce_image_publish repo
+    #  if: env.IMAGE_TYPE == 'gcp'
+    #  uses: actions/checkout@v5
+    #  with:
+    #    path: compute-image-tools
+    #    repository: GoogleCloudPlatform/compute-image-tools
+    #    ref: "20250916.00"
+
+    #- name: Build gce_image_publish tool
+    #  if: env.IMAGE_TYPE == 'gcp'
+    #  shell: bash
+    #  run: |
+    #    # we need golang
+    #    case ${{ env.runner_os }} in
+    #      ubuntu)
+    #        sudo apt update
+    #        sudo apt-get -y install golang-go
+    #        ;;
+    #      rhel)
+    #        sudo dnf -y -q install golang
+    #        ;;
+    #    esac
+    #    # print golang version for reference
+    #    go version
+    #    # Build gce_image_publish tool
+    #    cd compute-image-tools/cli_tools/gce_image_publish
+    #    go mod tidy
+    #    go install
+
+    #- name: Create test image on GCP
+    #  if: env.IMAGE_TYPE == 'gcp'
+    #  shell: bash
+    #  run: |
+    #    /home/$USER/go/bin/gce_image_publish \
+    #      -var:environment=test \
+    #      -skip_confirmation \
+    #      -rollout_rate=0 \
+    #      -publish_project="almalinux-dev-images-469421" \
+    #      -work_project="almalinux-dev-images-469421" \
+    #      -replace \
+    #      -source_gcs_path="gs://almalinux-images-dev/" \
+    #      vm-scripts/gcp/almalinux_${version_major}${{ inputs.arch == 'aarch64' && '_arm64' || '' }}.publish.json
 
     # - name: 'Run Google cloud-image-testing tests (basic suite)'
     #   if: env.IMAGE_TYPE == 'gcp' && inputs.run_test == 'true'
@@ -492,6 +512,21 @@ runs:
     #       -images 'projects/almalinux-dev-images-469421/global/images/family/almalinux-${{ env.version_major }}${{ inputs.arch == 'aarch64' && '-arm64' || '' }}' \
     #       -parallel_stagger 10s -parallel_count 20
 
+    # TODO
+    - name: Generate SBOM
+      shell: bash
+      run: |
+        . ./.venv-sbom/bin/activate
+        mkdir -p sbom
+        shopt -s nullglob
+        for f in sbom-data/sbom-data*.json; do
+          base=$(basename "$f" .json)
+          python3 sbom-tools/sbom_generator.py "${base}" "$f" "${base}.spdx.json" -v
+        done
+
+    # - name: Setup tmate session
+    #   uses: mxschmitt/action-tmate@v3
+
     - name: Test ${{ inputs.type }} ${{ inputs.variant }} image
       # Skip testing for vagrant_virtualbox on GH runner because 'vugrant up' fails to connect to the newly created VM via ssh:
       # kex_exchange_identification: read: Connection reset by peer

ansible/roles/cleanup_vm/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 cleanup_ssh_host_keys: true
+collect_sbom_data: true

ansible/roles/cleanup_vm/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Include sbom_data role for SBOM data collection
+  include_role:
+    name: sbom_data
+  when: collect_sbom_data | bool
+
 - name: Remove older versions kernel and other packages
   ansible.builtin.command: dnf -y remove --oldinstallonly
   register: removeoldoutput

ansible/roles/sbom_data/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Copy SBOM data collector into the system
+  ansible.builtin.copy:
+    src: "{{ playbook_dir }}/../sbom-tools/sbom_data_collector.py"
+    dest: /dev/shm/sbom_data_collector.py
+  
+- name: Collect SBOM data from the system
+  ansible.builtin.shell: python3 /dev/shm/sbom_data_collector.py -o /dev/shm/sbom-data.json -v
+  register: sbom_data_collector
+  
+- name: Write repo metadata for SBOMs to artifact file
+  ansible.builtin.fetch:
+    src: /dev/shm/sbom-data.json
+    dest: "{{ playbook_dir }}/../sbom-data/sbom-data-{{ packer_build_name }}.json"
+    flat: true
+  become: false