Add template for running D2D on project build and source archive (#30)

keshav-space · web-flow · commit 2c1b7c220b85 · 2025-12-03T17:26:48.000+04:00
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/.github/workflows/map-deploy-to-develop-template.yml b/.github/workflows/map-deploy-to-develop-template.yml
@@ -0,0 +1,46 @@
+name: Run D2D on build and source archives
+on:
+  workflow_call:
+    inputs:
+      artifact-name:
+        description: "Artifact containing the build archive"
+        required: true
+        type: string
+      steps:
+        description: "Comma separated D2D steps to run"
+        required: false
+        type: string
+      repository:
+        description: "Project's repository. Defaults to workflow's repository."
+        required: false
+        type: string
+
+jobs:
+  run-d2d-pipeline:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ inputs.repository || github.repository }}
+
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs['artifact-name'] }}
+          path: ../scancode-inputs/
+
+      - name: Prepare D2D inputs
+        shell: bash
+        run: |
+          for file in ../scancode-inputs/*; do
+            base=$(basename "$file")
+            mv "$file" "../scancode-inputs/to_$base"
+          done
+          git archive --format=tar.gz -o ../scancode-inputs/from.tar.gz HEAD
+
+      - name: Run D2D pipeline
+        uses: aboutcode-org/scancode-action@beta
+        with:
+          pipelines: ${{ inputs.steps && format('map_deploy_to_develop:%s', inputs.steps) || 'map_deploy_to_develop' }}
+          inputs-path: ../scancode-inputs
diff --git a/.github/workflows/map-source-binary-boolean-py.yml b/.github/workflows/map-source-binary-boolean-py.yml
@@ -0,0 +1,44 @@
+name: Run source to binary mapping on boolean.py
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-python-wheel:
+      name: Build python wheel
+      runs-on: ubuntu-24.04
+  
+      steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: bastikr/boolean.py
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+            python-version: 3.12
+  
+      - name: Install pypa/build and twine
+        run: python -m pip install --user --upgrade build twine packaging pip setuptools
+  
+      - name: Build a binary wheel
+        run: python -m build --wheel --outdir dist/
+  
+      - name: Upload wheel
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheel_archives
+          path: dist/*.whl
+
+  map-source-binary:
+      name: Generate source to binary mapping
+      needs: build-python-wheel
+      uses: ./.github/workflows/map-deploy-to-develop-template.yml
+      with:
+        artifact-name: wheel_archives
+        repository: bastikr/boolean.py
+        steps: "python"
diff --git a/README.md b/README.md
@@ -25,7 +25,8 @@ from your **GitHub Workflows**.
   - [Check for compliance issues](#check-for-compliance-issues)
   - [Define a custom project name](#define-a-custom-project-name)
   - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
-- [Where does the scan results go?](#where-does-the-scan-results-go)
+  - [Run source to binary mapping](#run-source-to-binary-mapping)
+- [Where does the scan results go?](#where-are-the-scan-results)
 
 ## Usage
 
@@ -226,6 +227,26 @@ Activate this behavior by enabling `check-compliance` and setting
     scancodeio-repo-branch: "main"
 ```
 
+### Run source to binary mapping
+
+Use this [workflow template](.github/workflows/map-deploy-to-develop-template.yml) for validating the integrity of open-source binary. It compares a project’s binary to its source code. Workflow will generate mapping between compiled binary and its original source code, which helps in spotting any malicious, unexpected, or otherwise undesirable code that may have made its way into the final binary.
+
+#### To use follow these steps:
+
+1. In your workflow add job to build binary and upload it as a GitHub actions artifact.
+2. Now add a second job to run source binary mapping using [template](.github/workflows/map-deploy-to-develop-template.yml).
+   ```yaml
+     map-source-binary:
+       needs: # Job id from step 1
+       uses: aboutcode-org/scancode-action/.github/workflows/map-deploy-to-develop-template.yml
+       with:
+         artifact-name: # Label of uploaded artifact from step 1
+         steps: "python,java" # Comma separated optional steps. See https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html#map-deploy-to-develop
+   ```
+
+See an end-to-end working example for a python project [here](.github/workflows/map-source-binary-boolean-py.yml)
+
+
 ## Where are the Scan Results?
 
 Upon completion of the workflow, you can **find the scan results** in the dedicated 
