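# Name of the GitHub Action workflow
name: FOSSA License Compliance and Security Check

# Permissions needed for this workflow.
# id-token: write lets the aws-actions steps authenticate via OIDC;
# packages: read lets Maven resolve snapshots from GitHub Packages.
permissions:
  contents: read
  id-token: write
  packages: read

# Event triggers for the workflow
on:
  workflow_dispatch: # Run this action manually from the GitHub Actions tab
  release:
    types: [published] # Run this action when a release is published

# Define the jobs in the workflow
jobs:
  fossa-scan:
    # Specifies the type of runner to use
    runs-on: ubuntu-latest
    env:
      # Local directory the attribution report is written to and uploaded from.
      FOSSA_REPORT_DIR: /home/runner/fossa_reports
    # Sequence of steps that make up a single job
    steps:
      # Checkout the code to the GitHub runner
      - name: Checkout Code
        uses: actions/checkout@v5

      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '17'

      # Look for dependencies in Maven (GitHub Packages; snapshots only, releases disabled)
      - name: maven-settings-xml-action
        uses: whelk-io/maven-settings-xml-action@v22
        with:
          repositories: |
            [
              {
                "id": "liquibase",
                "url": "https://maven.pkg.github.com/liquibase/liquibase",
                "releases": {
                  "enabled": "false"
                },
                "snapshots": {
                  "enabled": "true",
                  "updatePolicy": "always"
                }
              }
            ]
          servers: |
            [
              {
                "id": "liquibase",
                "username": "liquibot",
                "password": "${{ secrets.GITHUB_TOKEN }}"
              }
            ]

      - name: Install Maven dependencies (excluding test scope)
        run: mvn clean install -DskipTests

      - name: Configure AWS credentials for vault access
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ secrets.LIQUIBASE_VAULT_OIDC_ROLE_ARN }}
          aws-region: us-east-1

      # Exports each key of the vault secret as an environment variable for the
      # rest of the job (FOSSA_API_KEY and AWS_PROD_GITHUB_OIDC_ROLE_ARN_BUILD_LOGIC
      # are read below). The leading comma requests no env-var prefix.
      - name: Get secrets from vault
        id: vault-secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            ,/vault/liquibase
          parse-json-secrets: true

      # NOTE(review): "@main" is a mutable ref on a third-party action; pinning
      # to a release tag or commit SHA keeps an upstream change from altering
      # this job unnoticed.
      - name: run FOSSA CLI
        uses: fossas/fossa-action@main
        with:
          api-key: ${{ env.FOSSA_API_KEY }}
          branch: ${{ github.ref }}

      - name: Get the commit sha
        id: get_commit_sha_oss
        run: |
          commit_sha_lb=$(git rev-parse HEAD)
          echo "commit_sha_lb=${commit_sha_lb}" >> "$GITHUB_OUTPUT"

      # From the curl commands below we output the FOSSA report with the headers we need.
      # Following this documentation: https://docs.fossa.com/docs/download-fossa-project-attribution-reports
      # Values reach the script through the process environment instead of ${{ }}
      # interpolation, so the API key is never spliced into the script text and
      # shell quoting stays safe. --fail makes a non-2xx API response fail the
      # step instead of writing an error body into the CSV.
      - name: Set the dependency metadata information
        env:
          COMMIT_SHA: ${{ steps.get_commit_sha_oss.outputs.commit_sha_lb }}
        run: |
          mkdir -p "$FOSSA_REPORT_DIR"
          # Configure which columns the attribution (BOM) report contains.
          curl --fail --silent --show-error --location --request PUT \
            'https://app.fossa.com/api/projects/git+github.com/liquibase/liquibase' \
            --header "Authorization: Bearer ${FOSSA_API_KEY}" \
            --header 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'bom_column_settings%5B%5D=Title' \
            --data-urlencode 'bom_column_settings%5B%5D=Version' \
            --data-urlencode 'bom_column_settings%5B%5D=Authors' \
            --data-urlencode 'bom_column_settings%5B%5D=DeclaredLicense' \
            --data-urlencode 'bom_column_settings%5B%5D=PackageHomepage'
          # Download the CSV attribution report for the scanned revision.
          curl --fail --silent --show-error --location \
            "https://app.fossa.com/api/revisions/git%2Bgithub.com%2Fliquibase%2Fliquibase%24${COMMIT_SHA}/attribution/download?format=CSV&includeDeepDependencies=true&download=true" \
            --header "Authorization: Bearer ${FOSSA_API_KEY}" \
            -o "${FOSSA_REPORT_DIR}/liquibase.csv"

      # Upload to build page for the team to check the csv file contents.
      - name: Upload to build page
        uses: actions/upload-artifact@v5
        with:
          name: fossa-reports
          path: ${{ env.FOSSA_REPORT_DIR }}/liquibase.csv

      # The vault secrets exported above remain in the job environment, so the
      # vault role does not need to be assumed a second time before this step.
      - name: Configure AWS credentials for prod account access
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ env.AWS_PROD_GITHUB_OIDC_ROLE_ARN_BUILD_LOGIC }}
          aws-region: us-east-1

      # Upload report to S3. Runs even if an earlier step failed; the copy itself
      # fails when the report was never produced.
      - name: Upload report to S3
        if: always()
        run: aws s3 cp "${FOSSA_REPORT_DIR}/liquibase.csv" s3://liquibaseorg-origin/fossa_reports_liquibase/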