chore(ci): update to silkbomb 2.0 (#2375)

wratner · web-flow · commit aba4ba16ae83 · 2025-02-21T15:51:13.000+01:00
diff --git a/.evergreen.yml b/.evergreen.yml
@@ -3780,6 +3780,23 @@ functions:
   # - signature_tag (either 'signed' or 'unsigned')
   ###
   add_crypt_shared_and_sbom:
+    - command: ec2.assume_role
+      display_name: Assume IAM role with permissions to pull Kondukto API token
+      params:
+        role_arn: ${kondukto_role_arn}
+    - command: shell.exec
+      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
+      params:
+        silent: true
+        shell: bash
+        working_dir: src
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+        script: |
+          set -e
+          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
+          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+          # set the KONDUKTO_TOKEN environment variable
+          echo "KONDUKTO_TOKEN=$kondukto_token" > /tmp/kondukto_credentials.env
     - command: subprocess.exec
       params:
         working_dir: src
@@ -3791,9 +3808,7 @@ functions:
           ARTIFACTORY_USERNAME: ${artifactory_username}
           ARTIFACTORY_PASSWORD: ${artifactory_password}
           # for Silk SBOM integration
-          SILK_ASSET_GROUP: mongosh-${executable_os_id}
-          SILK_CLIENT_ID: ${silk_client_id}
-          SILK_CLIENT_SECRET: ${silk_client_secret}
+          KONDUKTO_BRANCH: ${branch_name}_${executable_os_id}
   create_static_analysis_report:
     - command: s3.get
       params:
diff --git a/.evergreen/download-crypt-shared-and-generate-sbom.sh b/.evergreen/download-crypt-shared-and-generate-sbom.sh
@@ -11,21 +11,15 @@ cat dist/.purls.txt
 
 set +x
 echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin
-cat << EOF > silkbomb.env
-SILK_CLIENT_ID=${SILK_CLIENT_ID}
-SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
-EOF
 set -x
 
 trap_handler() {
-  rm -f silkbomb.env
+  rm -f /tmp/kondukto_credentials.env
 }
 trap trap_handler ERR EXIT
 
-docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
-docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
+docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
+docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update \
   --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json
-docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
-  --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json
-docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
-  --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json
+docker run --env-file /tmp/kondukto_credentials.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 augment \
+  --repo mongodb-js/mongosh --branch ${KONDUKTO_BRANCH} --sbom-in /pwd/dist/.sbom-lite.json --sbom-out /pwd/dist/.sbom.json
