diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml
new file mode 100644
index 000000000..0730690a1
--- /dev/null
+++ b/.github/workflows/generate-augmented-sbom.yml
@@ -0,0 +1,63 @@
+name: Augment SBOM
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: "Release version (e.g. 1.35.1)"
+ required: true
+ type: string
+ resource:
+ description: "Resource name (e.g. organization, project, etc.)"
+ required: true
+ type: string
+
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ augment-sbom:
+ runs-on: ubuntu-latest
+
+ env:
+ KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+ KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+ KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+ SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+ with:
+ go-version-file: 'go.mod'
+
+ - name: Get current date
+ id: date
+ run: |
+ echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+ - name: Augment SBOM with Kondukto
+ env:
+ RELEASE_VERSION: ${{ inputs.release_version }}
+ RESOURCE: ${{ inputs.resource }}
+ run: |
+ make augment-sbom
+
+ - name: Generate SSDLC report
+ env:
+ AUTHOR: ${{ github.actor }}
+ VERSION: ${{ inputs.release_version }}
+ AUGMENTED_REPORT: "true"
+ run: ./scripts/gen-ssdlc-report.sh
+
+ - name: Upload augmented SBOM as artifact
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ with:
+ name: augmented_sbom_and_ssdlc_report
+ path: |
+ cfn-resources/${{ inputs.resource }}/compliance/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json
+ cfn-resources/${{ inputs.resource }}/compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md
+ if-no-files-found: error
diff --git a/Makefile b/Makefile
index d9f7414b3..26682a82a 100644
--- a/Makefile
+++ b/Makefile
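Review bot: `permissions: id-token: write` grants every step in the job an OIDC token, but no step in the hunk exchanges one (there is no cloud-login action, and the Kondukto call authenticates with `KONDUKTO_TOKEN`), so unless `gen-ssdlc-report.sh` needs it the line should go, leaving `contents: read` as the only grant. `KONDUKTO_TOKEN` is also set in the job-level `env:`, which exposes it to the checkout and setup-go steps as well; moving it into the `env:` of the "Augment SBOM with Kondukto" step keeps it scoped to the one step that uses it. The artifact path is built from `steps.date.outputs.date`, while `augment-sbom.sh` computes its own `DATE` default when none is passed, so a run crossing midnight names the file differently from the upload path and `if-no-files-found: error` then fails the job; adding `DATE: ${{ steps.date.outputs.date }}` to that step's `env:` makes both sides use the same value. The SSDLC step sets `VERSION` but not `RESOURCE`, yet the upload path expects the report under `cfn-resources/${{ inputs.resource }}/compliance/`; presumably the script derives the resource some other way, but that is worth confirming before relying on `if-no-files-found: error` as the check.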
@@ -69,3 +69,7 @@ gen-sbom-and-ssdlc-report:
 ./scripts/generate-sbom.sh $(RESOURCE) $(VERSION)
 ./scripts/gen-ssdlc-report.sh $(RESOURCE) $(VERSION)
 ./scripts/upload-sbom.sh $(RESOURCE) $(VERSION)
+
+.PHONY: augment-sbom
+augment-sbom:
+ ./scripts/augment-sbom.sh $(RESOURCE) $(VERSION)
diff --git a/scripts/augment-sbom.sh b/scripts/augment-sbom.sh
new file mode 100755
index 000000000..e9f8b88be
--- /dev/null
+++ b/scripts/augment-sbom.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+: "${RESOURCE:?RESOURCE environment variable not set}"
+DATE="${DATE:-$(date +'%Y-%m-%d')}"
+
+echo "Augmenting SBOM..."
+docker run \
+ --pull=always \
+ --platform="linux/amd64" \
+ --rm \
+ -v "${PWD}:/pwd" \
+ -e KONDUKTO_TOKEN \
+ "$SILKBOMB_IMG" \
+ augment \
+ --sbom-in "/pwd/cfn-resources/${RESOURCE}/compliance/v${RELEASE_VERSION}/sbom.json" \
+ --repo "$KONDUKTO_REPO" \
+ --branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64" \
+ --sbom-out "/pwd/cfn-resources/${RESOURCE}/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"
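Review bot: The new `augment-sbom` target passes `$(RESOURCE) $(VERSION)` as positional arguments, but `scripts/augment-sbom.sh` never reads `$1` or `$2`; it requires `RESOURCE` and `RELEASE_VERSION` in the environment, and the workflow invokes `make augment-sbom` with exactly those variables and no `VERSION` at all, so `$(VERSION)` expands to nothing. The dead arguments and the `VERSION`/`RELEASE_VERSION` mismatch with the sibling `gen-sbom-and-ssdlc-report` target will mislead the next caller into thinking `make augment-sbom RESOURCE=x VERSION=y` works. Either drop them, `augment-sbom:` / `	./scripts/augment-sbom.sh`, with a comment `# reads RESOURCE and RELEASE_VERSION from the environment` above the target, or have the script accept the positionals as a fallback so both call styles behave the same.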
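Review bot: Only `RELEASE_VERSION` and `RESOURCE` get a `:?` guard, while `SILKBOMB_IMG`, `KONDUKTO_REPO` and `KONDUKTO_BRANCH_PREFIX` are expanded unguarded inside the `docker run` invocation and `KONDUKTO_TOKEN` is forwarded with `-e KONDUKTO_TOKEN`, which passes nothing when the variable is unset; under `set -u` the first three fail with bash's generic "unbound variable" message, and a missing token only surfaces as an error from inside the image. Guarding all four up front, next to the existing checks, gives every required input the same clear failure mode before any image is pulled. `"$SILKBOMB_IMG"` combined with `--pull=always` also means each run executes whatever the tag currently resolves to; keeping the repository variable in digest form (`<image>@sha256:<digest>`) or verifying the image before use would keep the SBOM tooling itself reproducible.
```shell
: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
: "${RESOURCE:?RESOURCE environment variable not set}"
: "${SILKBOMB_IMG:?SILKBOMB_IMG environment variable not set}"
: "${KONDUKTO_REPO:?KONDUKTO_REPO environment variable not set}"
: "${KONDUKTO_BRANCH_PREFIX:?KONDUKTO_BRANCH_PREFIX environment variable not set}"
: "${KONDUKTO_TOKEN:?KONDUKTO_TOKEN environment variable not set}"
DATE="${DATE:-$(date +'%Y-%m-%d')}"
# … unchanged: echo and docker run …
```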