DRIVERS-3110 Follow up for Kondukto migration (#74)

Author: blink1073

README.md

@@ -258,17 +258,10 @@ filename along with the resulting location in the bucket is printed.
 ## Create Release Branch
 
 Use this action to create a release branch and populate it with metadata.
-It will create a new Silk Asset Group, update the SBOM-lite file,
-update the ``SILK_ASSET_GROUP`` and ``EVERGREEN_PROJECT`` env variables
+It will update ``EVERGREEN_PROJECT`` env variable
 in the release workflow file, bump the version to a
 prerelease version, and push the changes.
 
-> [!Note]
-> You will need to wait overnight before making a release on
-> the new branch to allow Silk to be populated, so it is recommended to
-> make a minor/major release prior to creating a release branch, or create the
-> release branch at least one day before a planned release.
-
 ```yaml
 - name: Setup
   uses: mongodb-labs/drivers-github-tools/setup@v2

create-branch/action.yml

@@ -23,15 +23,15 @@ inputs:
   release_workflow_path:
     description: The path to the release workflow file
     default: .github/workflows/release.yml
-  sbom_file_path:
-    description: The path of the sbom-lite file
-    default: sbom.json
-  silk_group_prefix:
-    description: The prefix to use for the silk asset group, defaults to the repo name
   artifactory_image:
     description: Image to use for artifactory
     default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
-
+  # Unused inputs, to be removed in V3.
+  sbom_file_path:
+      description: The path of the sbom-lite file
+      default: sbom.json
+  silk_group_prefix:
+    description: The prefix to use for the silk asset group, defaults to the repo name
 runs:
   using: composite
   steps:
@@ -43,7 +43,6 @@ runs:
         SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
         RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
         EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
-        SILK_PREFIX: ${{ inputs.silk_group_prefix }}
         ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
       run: ${{ github.action_path }}/create-branch.sh
     - uses: mongodb-labs/drivers-github-tools/bump-version@v2

create-branch/create-branch.sh

@@ -9,66 +9,7 @@ git ls-remote --exit-code --heads https://github.com/${OWNER_REPO}.git refs/head
 git fetch origin $BRANCH || true
 git checkout $BRANCH
 
-echo "Get silk creds."
-# shellcheck disable=SC2046
-export $(grep -v '^#' $SILKBOMB_ENVFILE | xargs -0)
-
-echo "Get a silk token."
-SILK_JWT_TOKEN=$(curl -s -X POST "https://silkapi.us1.app.silk.security/api/v1/authenticate" \
-  -H "accept: application/json" -H "Content-Type: application/json" \
-  -d '{ "client_id": "'${SILK_CLIENT_ID}'", "client_secret": "'${SILK_CLIENT_SECRET}'" }' \
-  | jq -r '.token')
-
-echo "Get the silk asset group prefix."
-if [ -z "${SILK_PREFIX:-}" ]; then
-  REPO="${OWNER_REPO##*/}"
-  SILK_PREFIX=${REPO}
-fi
-SILK_GROUP="${SILK_PREFIX}-${BRANCH}"
-
-echo "Create the silk asset group."
-json_payload=$(cat <<EOF
-{
-    "active": true,
-    "name": "${SILK_GROUP}",
-    "code_repo_url": "https://github.com/${OWNER_REPO}",
-    "branch": "${BRANCH}",
-    "metadata": {
-        "sbom_lite_path": "${SBOM_FILE_PATH}"
-    },
-    "file_paths": [],
-    "asset_id": "$SILK_GROUP"
-}
-EOF
-)
-curl -X 'POST' \
-  'https://silkapi.us1.app.silk.security/api/v1/raw/asset_group' \
-  -H "accept: application/json" -H "Authorization: ${SILK_JWT_TOKEN}" \
-  -H 'Content-Type: application/json' \
-  -d "$json_payload"
-
-echo "SILK_ASSET_GROUP=$SILK_GROUP" >> $GITHUB_STEP_SUMMARY
-
-echo "Create a temp sbom."
-TMP_SBOM=sbom-for-${BRANCH}.json
-podman run --platform="linux/amd64" --rm -v "$(pwd)":/pwd \
-  ${ARTIFACTORY_IMAGE}/silkbomb:1.0 \
-  update --sbom-out /pwd/${TMP_SBOM}
-
-echo "Get the new timestamp and serial number."
-set -x
-SERIAL=$(jq -r '.serialNumber' ${TMP_SBOM})
-TIMESTAMP=$(jq -r '.metadata.timestamp' ${TMP_SBOM})
-rm ${TMP_SBOM}
-
-cat ${SBOM_FILE_PATH}
-echo "Replace the values in the existing sbom."
-cat <<< "$(jq --indent 4 '.serialNumber = "'${SERIAL}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
-cat <<< "$(jq --indent 4 '.metadata.timestamp = "'${TIMESTAMP}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
-cat ${SBOM_FILE_PATH}
-
-echo "Update the workflow with the silk asset group and evergreen project."
-sed -i 's/SILK_ASSET_GROUP:.*/SILK_ASSET_GROUP: '${SILK_GROUP}'/' ${RELEASE_WORKFLOW_PATH}
+echo "Update the workflow with the new evergreen project."
 sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH}
 
 echo "Add the changed files."

full-report/action.yml

@@ -18,9 +18,6 @@ inputs:
   sbom_file_name:
     description: The name of the augmented sbom file.
     default: cyclonedx.sbom.json
-  # No longer used.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
   third_party_dependency_tool:
     description: The name of the tool used to track 3rd party dependencies.
     default: Silk
@@ -34,6 +31,9 @@ inputs:
     description: The distribution filename or glob pattern
   token:
     description: The GitHub access token
+  # No longer used, to be removed in V3.
+  silk_asset_group:
+    description: The Silk Asset Group for the Project
 
 runs:
   using: composite

golang/publish/action.yml

@@ -7,9 +7,6 @@ inputs:
   prev_version:
     description: The previous version
     required: true
-  silk_asset_group:
-    description: The Silk Asset Group
-    required: true
   evergreen_project:
     description: The evergreen project name.
     required: true
@@ -18,6 +15,11 @@ inputs:
     default: "true"
   token:
     description: The GitHub token
+  # No longer used, to be removed in V3.
+  silk_asset_group:
+    description: The Silk Asset Group for the Project
+    required: false
+
 runs:
   using: composite
   steps:
@@ -30,7 +32,7 @@ runs:
       with:
         product_name: mongo-go-driver
         release_version: ${{ inputs.version }}
-        silk_asset_group: ${{ inputs.silk_asset_group }}
+        sbom_in_file: sbom.json
         evergreen_project: ${{ inputs.evergreen_project }}
         evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}
         security_report_location: ${{ env.SECURITY_REPORT_URL }}

python/post-publish/action.yml

@@ -20,10 +20,6 @@ inputs:
   kondukto_sub_project:
     description: The Kondukto sub-project name (appended to the branch name)
     required: false
-  # No longer used.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
-    required: false
   evergreen_project:
     description: The evergreen project name.
     required: true
@@ -41,6 +37,10 @@ inputs:
   dry_run:
     description: Whether this is a dry run
     required: true
+  # No longer used, to be removed in V3.
+  silk_asset_group:
+    description: The Silk Asset Group for the Project
+    required: false
 
 runs:
   using: composite

sbom/action.yml

@@ -13,7 +13,7 @@ inputs:
   artifactory_image:
     description: Image to use for artifactory
     default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
-  # no longer used
+  # No longer used, to be removed in V3.
   silk_asset_group:
     description: The Silk Asset Group for the Project
     required: false
@@ -29,13 +29,19 @@ runs:
         ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
         SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
       run: |
-        set -eux
+        set -eu
         if [ -n "${KONDUKTO_SUB_PROJECT}" ]; then
           KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${KONDUKTO_SUB_PROJECT}"
         else
           KONDUKTO_BRANCH="${GITHUB_REF_NAME}"
         fi
         echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
+        echo "Updating SBOM file..."
+        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+          --env-file=${KONDUKTO_ENVFILE} \
+          ${ARTIFACTORY_IMAGE} \
+          update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number
+        echo "Augumenting SBOM file..."
         podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
           --env-file=${KONDUKTO_ENVFILE} \
           ${ARTIFACTORY_IMAGE} \