diff --git a/.fossa.yml b/.fossa.yml
new file mode 100644
index 00000000..48b84d83
--- /dev/null
+++ b/.fossa.yml
@@ -0,0 +1,25 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_solace-agent-mesh-core-plugins
+ id: SolaceLabs_solace-agent-mesh-core-plugins
+ name: solace-agent-mesh-core-plugins
+ labels:
+ - solaceai
+ - repository
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+ licenseScanPathFilters:
+ exclude:
+ - "./.github"
+
+paths:
+ exclude:
+ - ./.github
+
+telemetry:
+ scope: full
diff --git a/.github/workflows/build-plugin.yaml b/.github/workflows/build-plugin.yaml
index 3d5728e2..a503c4cf 100644
--- a/.github/workflows/build-plugin.yaml
+++ b/.github/workflows/build-plugin.yaml
@@ -10,6 +10,8 @@ on:
 secrets:
 COMMIT_KEY:
 required: true
+ FOSSA_API_KEY:
+ required: true
 workflow_dispatch:
 inputs:
 plugin_directory:
@@ -40,16 +42,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 sparse-checkout: ${{ inputs.plugin_directory }}
+
 - name: Set up Python
- uses: actions/setup-python@v5.5.0
+ uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.12"
 - name: Cache pip
- uses: actions/cache@v3
+ uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
 with:
 path: ~/.cache/pip
 key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
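Review bot: `./.github` is quoted in `licenseScanPathFilters.exclude` but written bare in `paths.exclude` two stanzas below; neither form needs quoting here, so use one form in both places, e.g. `- ./.github`, to keep the root config consistent with the per-plugin ones. The workflows changed in this commit only ever pass `${{ inputs.plugin_directory }}/.fossa.yml` as `fossa.config`, so nothing in this diff references this root file; if it is meant to drive a repository-level scan it presumably runs from elsewhere, which is worth confirming. A whole-repository scan under `SolaceLabs_solace-agent-mesh-core-plugins` would also re-scan every plugin directory that now has its own project id, so either exclude the plugin directories here or document that the overlap is intended.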
@@ -80,3 +83,40 @@ jobs:
 hatch build
 ls dist/*.tar.gz | xargs -n1 hatch run python -m twine check
 ls dist/*.whl | xargs -n1 hatch run python -m twine check
+
+ - name: sca-scan
+ uses: SolaceDev/solace-public-workflows/.github/actions/sca/sca-scan@main
+ with:
+ scanners: "fossa"
+ additional_scan_params: |
+ fossa.branch=${{ github.event.pull_request.number && 'PR' || github.event.repository.default_branch }}
+ fossa.revision=${{ github.event.pull_request.number && github.head_ref || github.sha }}
+ fossa.config=${{ inputs.plugin_directory }}/.fossa.yml
+ fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+
+
+ - name: FOSSA Licensing
+ id: fossa_licensing
+ if: ${{ always() }}
+ uses: SolaceDev/solace-public-workflows/.github/actions/fossa-guard@main
+ with:
+ fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+ fossa_project_id: "${{ github.repository_owner }}_${{ inputs.plugin_directory }}"
+ fossa_branch: ${{ github.event.pull_request.number && 'PR' || github.event.repository.default_branch }}
+ fossa_revision: ${{ github.event.pull_request.number && github.head_ref || github.sha }}
+ fossa_category: licensing
+ fossa_mode: BLOCK
+ block_on: policy_conflict
+
+ - name: FOSSA Security Vulnerabilities
+ id: fossa_vulnerabilities
+ if: ${{ always() }}
+ uses: SolaceDev/solace-public-workflows/.github/actions/fossa-guard@main
+ with:
+ fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+ fossa_project_id: "${{ github.repository_owner }}_${{ inputs.plugin_directory }}"
+ fossa_branch: ${{ github.event.pull_request.number && 'PR' || github.event.repository.default_branch }}
+ fossa_revision: ${{ github.event.pull_request.number && github.head_ref || github.sha }}
+ fossa_category: vulnerability
+ fossa_mode: BLOCK
+ block_on: critical,high
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 5a67d20f..17bd927d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
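Review bot: The three new steps reference `sca/sca-scan@main` and `fossa-guard@main` in SolaceDev/solace-public-workflows by mutable branch, while every other action touched in this commit is pinned to a full commit SHA; both of those steps receive `secrets.FOSSA_API_KEY`, so any change landing on that branch runs in this job with the key available. Pin them the same way, e.g. `uses: SolaceDev/solace-public-workflows/.github/actions/fossa-guard@<commit-sha> # <tag>` (placeholder SHA and tag), and update them through the same pin-bump process as the other actions. The two guard steps use `if: ${{ always() }}`, which also fires when the job is cancelled; `if: ${{ !cancelled() }}` keeps the run-even-if-the-scan-failed behaviour without that. The `id: fossa_licensing` and `id: fossa_vulnerabilities` values are not referenced anywhere in the hunk, which appears to end the file, so they look unused and can be dropped or documented.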
@@ -17,14 +17,14 @@ jobs:
 all_plugins: ${{ steps.format-labels.outputs.all-plugins }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Lable PR based on changes
 id: label-pr
 if: ${{ github.event_name == 'pull_request' }}
- uses: actions/labeler@v5
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 sync-labels: true
@@ -67,3 +67,4 @@ jobs:
 plugin_directory: ${{matrix.plugin_directory}}
 secrets:
 COMMIT_KEY: ${{ secrets.COMMIT_KEY }}
+ FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
diff --git a/sam-bedrock-agent/.fossa.yml b/sam-bedrock-agent/.fossa.yml
new file mode 100644
index 00000000..2c7efee5
--- /dev/null
+++ b/sam-bedrock-agent/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-bedrock-agent
+ id: SolaceLabs_sam-bedrock-agent
+ name: sam-bedrock-agent
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-event-mesh-agent/.fossa.yml b/sam-event-mesh-agent/.fossa.yml
new file mode 100644
index 00000000..e67a0ddf
--- /dev/null
+++ b/sam-event-mesh-agent/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-event-mesh-agent
+ id: SolaceLabs_sam-event-mesh-agent
+ name: sam-event-mesh-agent
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-event-mesh-gateway/.fossa.yml b/sam-event-mesh-gateway/.fossa.yml
new file mode 100644
index 00000000..fa720c87
--- /dev/null
+++ b/sam-event-mesh-gateway/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-event-mesh-gateway
+ id: SolaceLabs_sam-event-mesh-gateway
+ name: sam-event-mesh-gateway
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-event-mesh-tool/.fossa.yml b/sam-event-mesh-tool/.fossa.yml
new file mode 100644
index 00000000..98dc212e
--- /dev/null
+++ b/sam-event-mesh-tool/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-event-mesh-tool
+ id: SolaceLabs_sam-event-mesh-tool
+ name: sam-event-mesh-tool
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-geo-information/.fossa.yml b/sam-geo-information/.fossa.yml
new file mode 100644
index 00000000..6649ef30
--- /dev/null
+++ b/sam-geo-information/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-geo-information
+ id: SolaceLabs_sam-geo-information
+ name: sam-geo-information
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-mermaid/.fossa.yml b/sam-mermaid/.fossa.yml
new file mode 100644
index 00000000..65ff8abf
--- /dev/null
+++ b/sam-mermaid/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-mermaid
+ id: SolaceLabs_sam-mermaid
+ name: sam-mermaid
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-mongodb/.fossa.yml b/sam-mongodb/.fossa.yml
new file mode 100644
index 00000000..475329ce
--- /dev/null
+++ b/sam-mongodb/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-mongodb
+ id: SolaceLabs_sam-mongodb
+ name: sam-mongodb
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-nuclia-tool/.fossa.yml b/sam-nuclia-tool/.fossa.yml
new file mode 100644
index 00000000..78c4e764
--- /dev/null
+++ b/sam-nuclia-tool/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-nuclia-tool
+ id: SolaceLabs_sam-nuclia-tool
+ name: sam-nuclia-tool
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-rag/.fossa.yml b/sam-rag/.fossa.yml
new file mode 100644
index 00000000..f3eb986d
--- /dev/null
+++ b/sam-rag/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-rag
+ id: SolaceLabs_sam-rag
+ name: sam-rag
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-rest-gateway/.fossa.yml b/sam-rest-gateway/.fossa.yml
new file mode 100644
index 00000000..363e1089
--- /dev/null
+++ b/sam-rest-gateway/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-rest-gateway
+ id: SolaceLabs_sam-rest-gateway
+ name: sam-rest-gateway
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-ruleset-lookup-tool/.fossa.yml b/sam-ruleset-lookup-tool/.fossa.yml
new file mode 100644
index 00000000..62df89aa
--- /dev/null
+++ b/sam-ruleset-lookup-tool/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-ruleset-lookup-tool
+ id: SolaceLabs_sam-ruleset-lookup-tool
+ name: sam-ruleset-lookup-tool
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-slack-gateway-adapter/.fossa.yml b/sam-slack-gateway-adapter/.fossa.yml
new file mode 100644
index 00000000..87c53d2d
--- /dev/null
+++ b/sam-slack-gateway-adapter/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-slack-gateway-adapter
+ id: SolaceLabs_sam-slack-gateway-adapter
+ name: sam-slack-gateway-adapter
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-slack/.fossa.yml b/sam-slack/.fossa.yml
new file mode 100644
index 00000000..84002b27
--- /dev/null
+++ b/sam-slack/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-slack
+ id: SolaceLabs_sam-slack
+ name: sam-slack
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-sql-database-tool/.fossa.yml b/sam-sql-database-tool/.fossa.yml
new file mode 100644
index 00000000..c539c66f
--- /dev/null
+++ b/sam-sql-database-tool/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-sql-database-tool
+ id: SolaceLabs_sam-sql-database-tool
+ name: sam-sql-database-tool
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-sql-database/.fossa.yml b/sam-sql-database/.fossa.yml
new file mode 100644
index 00000000..68fb3af0
--- /dev/null
+++ b/sam-sql-database/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-sql-database
+ id: SolaceLabs_sam-sql-database
+ name: sam-sql-database
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full
diff --git a/sam-webhook-gateway/.fossa.yml b/sam-webhook-gateway/.fossa.yml
new file mode 100644
index 00000000..3777599e
--- /dev/null
+++ b/sam-webhook-gateway/.fossa.yml
@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+ locator: SolaceLabs_sam-webhook-gateway
+ id: SolaceLabs_sam-webhook-gateway
+ name: sam-webhook-gateway
+ labels:
+ - solaceai
+ - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+ forceRescans: false
+ scanMethod: CLILicenseScan
+
+telemetry:
+ scope: full