PYTHON-5141 Update SBOM usage for Kondukto (#73)

Co-authored-by: Steven Silvester <[email protected]>

Author: fetsko

README.md

@@ -173,7 +173,7 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`.
 - name: Create SBOM
   uses: mongodb-labs/drivers-github-tools/sbom@v2
   with:
-    silk_asset_group: mongodb-python-driver
+    sbom_in_path: sbom.json
 ```
 
 ### Code Scanning Alerts
@@ -228,7 +228,7 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo
   with:
     product_name: winkerberos
     release_version: ${{ inputs.version }}
-    silk_asset_group: winkerberos
+    sbom_in_path: sbom.json
     dist_filenames: dist/*
 ```
 

full-report/action.yml

@@ -9,9 +9,16 @@ inputs:
     required: true
   sarif_report_target_ref:
     description: The git ref (usually the target release branch) to pull sarif reports from.
+  sbom_in_path:
+    description: The path of the input sbom file.
+    default: sbom.json
+  kondukto_sub_project:
+    description: The Kondukto sub-project name (appended to the branch name)
+    required: false
   sbom_file_name:
     description: The name of the augmented sbom file.
     default: cyclonedx.sbom.json
+  # No longer used.
   silk_asset_group:
     description: The Silk Asset Group for the Project
   third_party_dependency_tool:
@@ -40,11 +47,13 @@ runs:
         token: ${{ inputs.token }}
     - name: Generate SBOM File
       # not all packages have third party dependencies, and so not all packages integrate with silk.
-      if: ${{ inputs.silk_asset_group }}
+      if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
       uses: mongodb-labs/drivers-github-tools/sbom@v2
       with:
         silk_asset_group: ${{ inputs.silk_asset_group }}
         sbom_file_name: ${{ inputs.sbom_file_name }}
+        kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
+        sbom_in_path: ${{ inputs.sbom_in_path }}
     - name: Generate Sarif File
       uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
       with:

python/post-publish/action.yml

@@ -14,9 +14,16 @@ inputs:
   product_name:
     description: The name of the product
     required: true
+  sbom_in_path:
+    description: The path of the input sbom file.
+    default: sbom.json
+  kondukto_sub_project:
+    description: The Kondukto sub-project name (appended to the branch name)
+    required: false
+  # No longer used.
   silk_asset_group:
     description: The Silk Asset Group for the Project
-    required: true
+    required: false
   evergreen_project:
     description: The evergreen project name.
     required: true
@@ -64,6 +71,8 @@ runs:
         release_version: ${{ inputs.version }}
         sarif_report_target_ref: ${{ inputs.version }}
         dist_filenames: dist/*
+        kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
+        sbom_in_path: ${{ inputs.sbom_in_path }}
         silk_asset_group: ${{ inputs.silk_asset_group }}
         evergreen_project: ${{ inputs.evergreen_project }}
         evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}

sbom/action.yml

@@ -1,25 +1,44 @@
-name: Download the Augmented SBOM
-description: Downloads the Augmented SBOM for the project
+name: Augment the SBOM
+description: Augments the SBOM for the project
 inputs:
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
-    required: true
+  sbom_in_path:
+    description: The path of the input sbom file.
+    default: sbom.json
   sbom_file_name:
     description: The name of the augmented sbom file.
     default: cyclonedx.sbom.json
+  kondukto_sub_project:
+    description: The Kondukto sub-project name (appended to the branch name)
+    required: false
   artifactory_image:
     description: Image to use for artifactory
-    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
+    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
+  # no longer used
+  silk_asset_group:
+    description: The Silk Asset Group for the Project
+    required: false
 
 runs:
   using: composite
   steps:
-    - name: Download the Augmented SBOM file to the release assets and s3 assets folders
+    - name: Augments the SBOM file and writes it to the release assets and s3 assets folders
       shell: bash
+      env:
+        SBOM_IN_PATH: ${{ inputs.sbom_in_path }}
+        KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }}
+        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
+        SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
       run: |
         set -eux
-        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \
-          --env-file=${SILKBOMB_ENVFILE} \
-          ${{ inputs.artifactory_image }} \
-          download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json
-        cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${{ inputs.sbom_file_name }}
+        if [ -n "${KONDUKTO_SUB_PROJECT}" ]; then
+          KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${KONDUKTO_SUB_PROJECT}"
+        else
+          KONDUKTO_BRANCH="${GITHUB_REF_NAME}"
+        fi
+        echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
+        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+          --env-file=${KONDUKTO_ENVFILE} \
+          ${ARTIFACTORY_IMAGE} \
+          augment --sbom-in /repo/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
+        cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME}
+        echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done."

setup/setup.sh

@@ -34,6 +34,14 @@ SILK_CLIENT_SECRET=${SILKBOMB_KEY}
 EOF
 fi
 
+if [ -n "${KONDUKTO_TOKEN:-}" ]; then
+  echo "Setting up envfile for Kondukto"
+  KONDUKTO_ENVFILE=/tmp/kondukto-envfile
+  cat << EOF > $KONDUKTO_ENVFILE
+KONDUKTO_TOKEN=${KONDUKTO_TOKEN}
+EOF
+fi
+
 echo "Set up output directories"
 export RELEASE_ASSETS=/tmp/release-assets
 mkdir $RELEASE_ASSETS
@@ -48,6 +56,7 @@ GPG_KEY_ID=$GPG_KEY_ID
 GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}
 GARASIGN_ENVFILE=$GARASIGN_ENVFILE
 SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}
+KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-}
 ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS