chore: Onboard Silkbomb in the CI (#3374)

* generate purls

* check purls

* run acceptance test only after check-purls

* gen-purls before checking

* generate sbom script

* make target check purls

* upload sbom to kondukto and release artifacts

* remove comment

* double quotes shellcheck

* move gen purls to script

* update purls.txt on dependabot PRs

Author: oarbusi

.github/workflows/code-health.yml

@@ -88,8 +88,15 @@ jobs:
           echo "::error::Files were changed during build (see build log). If this was triggered from a fork, you will need to update your branch."
           cat doc.repo.patch
           exit 1
+  check-purls:
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Check PURLs
+        run: make gen-purls check-purls
   call-acceptance-tests-workflow:
-    needs: [build, lint, shellcheck, unit-test, generate-doc-check]
+    needs: [build, lint, shellcheck, unit-test, generate-doc-check, check-purls]
     secrets: inherit
     uses: ./.github/workflows/acceptance-tests.yml
     with:

.github/workflows/dependabot-update-purls.yml

@@ -0,0 +1,23 @@
+name: Update PURLs list for dependabot prs
+
+on:
+  pull_request
+
+permissions:
+  pull-requests: write
+  contents: write
+  repository-projects: read
+jobs:
+  update-purls:
+    name: Update PURLs
+    if: github.actor == 'dependabot[bot]'
+    uses: ./.github/workflows/run-script-and-commit.yml
+    with:
+      script_call: 'make gen-purls'
+      file_to_commit: 'compliance/purls.txt'
+      commit_message: 'chore: update purls.txt'
+    secrets:
+      apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
+      remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}  
+      gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
+      passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }}

.github/workflows/release.yml

@@ -153,6 +153,36 @@ jobs:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  compliance:
+    runs-on: ubuntu-latest
+    needs: [ release-config, release ]
+    if: >-
+      !cancelled()
+      && needs.release.result == 'success'
+      && needs.release-config.outputs.is_official_release == 'true'
+    env:
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ inputs.version_number }}
+      - name: Generate SBOM
+        run: make generate-sbom
+      - name: Upload SBOM to Kondukto
+        run: make upload-sbom
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: Upload SBOM as release asset
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
+        with:
+          files: compliance/sbom.json
+          tag_name: ${{ inputs.version_number }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   jira-release-version:
     needs: [ release-config, release ]
     # if release job is skipped, cancelled, or failed we do not run this job

.gitignore

@@ -9,6 +9,7 @@ bin
 *.mdc
 __debug_*
 *~
+compliance/sbom.json
 
 #used for schema code generation but is not commited to avoid constant updates
 tools/codegen/open-api-spec.yml

Makefile

@@ -221,3 +221,19 @@ change-lines:
 	sed 's/${find}/${new}/' "${filename}" > "file.tmp"
 	mv file.tmp ${filename}
 	goimports -w ${filename}
+
+.PHONY: gen-purls
+gen-purls: # Generate purls on linux os
+	./scripts/generate-purls.sh
+
+.PHONY: check-purls
+check-purls: ## Check purls
+	./scripts/check-purls.sh
+
+.PHONY: generate-sbom
+generate-sbom: ## Generate SBOM
+	./scripts/generate-sbom.sh
+
+.PHONY: upload-sbom
+upload-sbom: ## Upload SBOM
+	./scripts/upload-sbom.sh

compliance/purls.txt

@@ -0,0 +1,107 @@
+pkg:golang/cloud.google.com/go/compute/[email protected]
+pkg:golang/cloud.google.com/go/[email protected]
+pkg:golang/cloud.google.com/go/[email protected]
+pkg:golang/cloud.google.com/[email protected]
+pkg:golang/github.com/Masterminds/[email protected]
+pkg:golang/github.com/Masterminds/semver/[email protected]
+pkg:golang/github.com/Masterminds/sprig/[email protected]
+pkg:golang/github.com/agext/[email protected]
+pkg:golang/github.com/apparentlymart/[email protected]
+pkg:golang/github.com/apparentlymart/go-textseg/[email protected]
+pkg:golang/github.com/armon/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/bgentry/[email protected]
+pkg:golang/github.com/bgentry/[email protected]
+pkg:golang/github.com/evanphx/json-patch/[email protected]
+pkg:golang/github.com/fatih/[email protected]
+pkg:golang/github.com/felixge/[email protected]
+pkg:golang/github.com/go-logr/[email protected]
+pkg:golang/github.com/go-logr/[email protected]
+pkg:golang/github.com/golang/[email protected]
+pkg:golang/github.com/golang/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/googleapis/[email protected]
+pkg:golang/github.com/googleapis/gax-go/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/hcl/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/terraform-plugin-sdk/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/huandu/[email protected]
+pkg:golang/github.com/imdario/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/klauspost/[email protected]
+pkg:golang/github.com/mattn/[email protected]
+pkg:golang/github.com/mattn/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mitchellh/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb/[email protected]
+pkg:golang/github.com/oklog/[email protected]
+pkg:golang/github.com/posener/[email protected]
+pkg:golang/github.com/shopspring/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/tidwall/[email protected]
+pkg:golang/github.com/tidwall/[email protected]
+pkg:golang/github.com/tidwall/[email protected]
+pkg:golang/github.com/tidwall/[email protected]
+pkg:golang/github.com/ulikunitz/[email protected]
+pkg:golang/github.com/vmihailenco/msgpack/[email protected]
+pkg:golang/github.com/vmihailenco/[email protected]+incompatible
+pkg:golang/github.com/vmihailenco/tagparser/[email protected]
+pkg:golang/github.com/wI2L/[email protected]
+pkg:golang/github.com/zclconf/[email protected]
+pkg:golang/github.com/zclconf/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/[email protected]
+pkg:golang/go.opentelemetry.io/auto/[email protected]
+pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]
+pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
+pkg:golang/go.opentelemetry.io/otel/[email protected]
+pkg:golang/go.opentelemetry.io/otel/[email protected]
+pkg:golang/go.opentelemetry.io/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/google.golang.org/genproto/googleapis/[email protected]
+pkg:golang/google.golang.org/genproto/googleapis/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/google.golang.org/[email protected]

scripts/check-purls.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! git diff --quiet --exit-code compliance/purls.txt; then
+    echo "compliance/purls.txt is out of date. Please run 'make gen-purls' and commit the result."
+    git --no-pager diff compliance/purls.txt
+    exit 1
+fi

scripts/generate-purls.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+: "${LINKER_FLAGS:=}"
+
+echo "==> Generating purls"
+
+# Define output and temp files
+OUT_DIR="compliance"
+LINUX_BIN="${OUT_DIR}/bin-linux"
+DARWIN_BIN="${OUT_DIR}/bin-darwin"
+WIN_BIN="${OUT_DIR}/bin-win.exe"
+PURL_LINUX="${OUT_DIR}/purls-linux.txt"
+PURL_DARWIN="${OUT_DIR}/purls-darwin.txt"
+PURL_WIN="${OUT_DIR}/purls-win.txt"
+PURL_ALL="${OUT_DIR}/purls.txt"
+
+# Build and extract for Linux
+GOOS=linux GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${LINUX_BIN}"
+go version -m "${LINUX_BIN}" | awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | LC_ALL=C sort > "${PURL_LINUX}"
+
+# Build and extract for Darwin
+GOOS=darwin GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${DARWIN_BIN}"
+go version -m "${DARWIN_BIN}" | awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | LC_ALL=C sort > "${PURL_DARWIN}"
+
+# Build and extract for Windows
+GOOS=windows GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${WIN_BIN}"
+go version -m "${WIN_BIN}" | awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | LC_ALL=C sort > "${PURL_WIN}"
+
+# Combine, sort, and deduplicate
+cat "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}" | LC_ALL=C sort | uniq > "${PURL_ALL}"
+
+# Clean up temp files
+rm -f "${LINUX_BIN}" "${DARWIN_BIN}" "${WIN_BIN}" "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}"

scripts/generate-sbom.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Generating SBOM..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  "$SILKBOMB_IMG" \
+  update \
+  --purls /pwd/compliance/purls.txt \
+  --sbom-out /pwd/compliance/sbom.json

scripts/upload-sbom.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Uploading SBOMs..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  -e KONDUKTO_TOKEN \
+  "$SILKBOMB_IMG" \
+  upload \
+  --sbom-in /pwd/compliance/sbom.json \
+  --repo "$KONDUKTO_REPO"  \
+  --branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64"