4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -173,7 +173,7 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`.
- name: Create SBOM
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: mongodb-python-driver
sbom_in_path: sbom.json
```

### Code Scanning Alerts
Expand Down Expand Up @@ -228,7 +228,7 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo
with:
product_name: winkerberos
release_version: ${{ inputs.version }}
silk_asset_group: winkerberos
sbom_in_path: sbom.json
dist_filenames: dist/*
```

11 changes: 10 additions & 1 deletion full-report/action.yml
Expand Up @@ -9,9 +9,16 @@ inputs:
required: true
sarif_report_target_ref:
description: The git ref (usually the target release branch) to pull sarif reports from.
sbom_in_path:
description: The path of the input sbom file.
default: sbom.json
kondukto_sub_project:
description: The Kondukto sub-project name (appended to the branch name)
required: false
sbom_file_name:
description: The name of the augmented sbom file.
default: cyclonedx.sbom.json
# No longer used.
silk_asset_group:
description: The Silk Asset Group for the Project
third_party_dependency_tool:
Expand Down Expand Up @@ -40,11 +47,13 @@ runs:
token: ${{ inputs.token }}
- name: Generate SBOM File
# not all packages have third party dependencies, and so not all packages integrate with silk.
if: ${{ inputs.silk_asset_group }}
if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: ${{ inputs.silk_asset_group }}
sbom_file_name: ${{ inputs.sbom_file_name }}
kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
sbom_in_path: ${{ inputs.sbom_in_path }}
- name: Generate Sarif File
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
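Review bot: The new guard on the `Generate SBOM File` step, `if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}`, splices two expression blocks into one interpolated string rather than evaluating a single boolean, and because `sbom_in_path` now defaults to `sbom.json` the right-hand side is never empty, so the step appears to run for every package while the comment above it still says packages without third-party dependencies are skipped. If the step is now meant to run unconditionally, drop the `if:` line and the stale comment; if some packages should still be skipped, the condition needs to be one expression over an input that is actually empty for them, e.g. `if: ${{ inputs.sbom_in_path != '' }}` with the default removed, which also applies to the matching input in python/post-publish/action.yml. Either way the comment should be updated to name the condition actually in effect. The enclosing `runs:` block starts and ends outside the hunk.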
11 changes: 10 additions & 1 deletion python/post-publish/action.yml
Expand Up @@ -14,9 +14,16 @@ inputs:
product_name:
description: The name of the product
required: true
sbom_in_path:
description: The path of the input sbom file.
default: sbom.json
kondukto_sub_project:
description: The Kondukto sub-project name (appended to the branch name)
required: false
# No longer used.
silk_asset_group:
description: The Silk Asset Group for the Project
required: true
required: false
evergreen_project:
description: The evergreen project name.
required: true
Expand Down Expand Up @@ -64,6 +71,8 @@ runs:
release_version: ${{ inputs.version }}
sarif_report_target_ref: ${{ inputs.version }}
dist_filenames: dist/*
kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
sbom_in_path: ${{ inputs.sbom_in_path }}
silk_asset_group: ${{ inputs.silk_asset_group }}
evergreen_project: ${{ inputs.evergreen_project }}
evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}
43 changes: 31 additions & 12 deletions sbom/action.yml
@@ -1,25 +1,44 @@
name: Download the Augmented SBOM
description: Downloads the Augmented SBOM for the project
name: Augment the SBOM
description: Augments the SBOM for the project
inputs:
silk_asset_group:
description: The Silk Asset Group for the Project
required: true
sbom_in_path:
description: The path of the input sbom file.
default: sbom.json
sbom_file_name:
description: The name of the augmented sbom file.
default: cyclonedx.sbom.json
kondukto_sub_project:
description: The Kondukto sub-project name (appended to the branch name)
required: false
artifactory_image:
description: Image to use for artifactory
default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
# no longer used
silk_asset_group:
description: The Silk Asset Group for the Project
required: false

runs:
using: composite
steps:
- name: Download the Augmented SBOM file to the release assets and s3 assets folders
- name: Augments the SBOM file and writes it to the release assets and s3 assets folders
shell: bash
env:
SBOM_IN_PATH: ${{ inputs.sbom_in_path }}
KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }}
ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
run: |
set -eux
podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \
--env-file=${SILKBOMB_ENVFILE} \
${{ inputs.artifactory_image }} \
download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json
cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${{ inputs.sbom_file_name }}
if [ -n "${KONDUKTO_SUB_PROJECT}" ]; then
KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${KONDUKTO_SUB_PROJECT}"
else
KONDUKTO_BRANCH="${GITHUB_REF_NAME}"
fi
echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
--env-file=${KONDUKTO_ENVFILE} \
${ARTIFACTORY_IMAGE} \
augment --sbom-in /repo/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME}
echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done."
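Review bot: The new `podman run` and `cp` lines at the end of the `run:` script expand `$(pwd)`, `${RELEASE_ASSETS}`, `${SBOM_IN_PATH}`, `${KONDUKTO_BRANCH}` and `${SBOM_FILE_NAME}` unquoted, so a workspace path, input path or branch name containing whitespace or glob characters is word-split before it reaches the container, and `set -u` does not catch this because the variables are set. `--env-file=${KONDUKTO_ENVFILE}` has the same quoting gap and additionally receives an empty path when setup.sh ran without `KONDUKTO_TOKEN` (it exports `KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-}`), which then fails inside podman with an unhelpful message rather than at the point the secret is missing, so a `:?` guard at the top of the script makes that failure explicit. The new `artifactory_image` default `silkbomb:2.0` is a mutable tag, so what the augment step runs depends on where that tag points at run time; pinning to an `@sha256:` digest (value to be taken from the registry) would make the SBOM tooling itself reproducible. The rewritten lines follow; the branch-selection block is unchanged.
```yaml
      run: |
        set -eux
        : "${KONDUKTO_ENVFILE:?KONDUKTO_TOKEN was not provided to setup; cannot augment the SBOM}"
        # … unchanged: KONDUKTO_BRANCH selection and "Generating SBOM file" echo …
        podman run --platform="linux/amd64" -it --rm -v "${RELEASE_ASSETS}:/pwd" -v "$(pwd):/repo" \
          --env-file="${KONDUKTO_ENVFILE}" \
          "${ARTIFACTORY_IMAGE}" \
          augment --sbom-in "/repo/${SBOM_IN_PATH}" --repo "${GITHUB_REPOSITORY}" --branch "${KONDUKTO_BRANCH}" --sbom-out /pwd/cyclonedx.sbom.json
        cp "${RELEASE_ASSETS}/cyclonedx.sbom.json" "${S3_ASSETS}/${SBOM_FILE_NAME}"
        # … unchanged: completion echo …
```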
9 changes: 9 additions & 0 deletions setup/setup.sh
Expand Up @@ -34,6 +34,14 @@ SILK_CLIENT_SECRET=${SILKBOMB_KEY}
EOF
fi

if [ -n "${KONDUKTO_TOKEN:-}" ]; then
echo "Setting up envfile for Kondukto"
KONDUKTO_ENVFILE=/tmp/kondukto-envfile
cat << EOF > $KONDUKTO_ENVFILE
KONDUKTO_TOKEN=${KONDUKTO_TOKEN}
EOF
fi

echo "Set up output directories"
export RELEASE_ASSETS=/tmp/release-assets
mkdir $RELEASE_ASSETS
Expand All @@ -48,6 +56,7 @@ GPG_KEY_ID=$GPG_KEY_ID
GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}
GARASIGN_ENVFILE=$GARASIGN_ENVFILE
SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}
KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-}
ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
RELEASE_ASSETS=$RELEASE_ASSETS
S3_ASSETS=$S3_ASSETS
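Review bot: The new Kondukto block writes the token to the fixed path `/tmp/kondukto-envfile` with whatever umask the script inherits, so on a shared or self-hosted runner the file is likely created readable by other local users for as long as it exists; the Silkbomb block just above it (`SILK_CLIENT_SECRET=${SILKBOMB_KEY}`) has the same shape, so this matches the file's existing style but is worth tightening while the pattern is being extended. Wrapping the write in a subshell with a restrictive umask keeps the rest of the script's directory creation untouched: `(umask 077; cat << EOF > "$KONDUKTO_ENVFILE"` … `EOF` … `)`, or at minimum `chmod 600 "$KONDUKTO_ENVFILE"` immediately after the heredoc. The second hunk adds `KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-}` inside a heredoc whose opening and closing delimiters are outside the hunk, so that export block could not be reviewed in full here.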