workflows: debos: Generate SBOM of rootfs with syft #160
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build debos recipe | |
| on: | |
| # run on pull requests to the main branch | |
| pull_request: | |
| branches: [main] | |
| # run on pushes to the main branch | |
| push: | |
| branches: [main] | |
| # run daily at 8:30am | |
| schedule: | |
| - cron: '30 8 * * *' | |
| # allow manual runs | |
| workflow_dispatch: | |
| # only need permission to read repository; implicitely set all other | |
| # permissions to none | |
| permissions: | |
| contents: read | |
| env: | |
| # github runs are only unique per repository and may also be re-run; create a | |
| # build id for the current run | |
| BUILD_ID: ${{ github.repository }}-${{ github.run_id }}-${{ github.run_attempt }} | |
| FILESERVER_URL: https://quic-yocto-fileserver-1029608027416.us-central1.run.app | |
| # cancel in progress builds for this workflow triggered by the same ref | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-debos: | |
| name: Build and upload debos recipes | |
| runs-on: [self-hosted, arm64, debbuilder] | |
| container: | |
| image: debian:trixie | |
| volumes: | |
| - /srv/gh-runners/quic-yocto/builds:/fileserver-builds | |
| - /srv/gh-runners/quic-yocto/downloads:/fileserver-downloads | |
| options: --privileged | |
| steps: | |
| # make sure we have latest packages first, to get latest fixes and to | |
| # avoid an automated update while we're building | |
| - name: Update OS packages | |
| run: | | |
| set -ux | |
| apt update | |
| apt -y upgrade | |
| apt -y full-upgrade | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Copy Linux deb and U-Boot for RB1 from fileserver space for downloads | |
| run: | | |
| set -ux | |
| mkdir -v debos-recipes/local-debs | |
| dir="/fileserver-downloads/qcom-deb-images" | |
| # copy linux-image but not the -dbg e.g. | |
| # linux-image-6.15.0-..._6.15.0...-1_arm64.deb but not | |
| # linux-image-6.15.0-...-dbg_6.15.0...-1_arm64.deb | |
| find "${dir}/linux-deb-latest/" \ | |
| -name linux-image\*.deb \ | |
| -not -name linux-image\*-dbg_\*.deb \ | |
| -exec cp -av '{}' debos-recipes/local-debs/ \; | |
| # copy U-Boot RB1 binary | |
| cp -av "${dir}/u-boot-rb1-latest/rb1-boot.img" . | |
| # mtools is needed for the flash recipe | |
| - name: Install debos and dependencies of the recipes | |
| run: apt -y install debos mtools | |
| - name: Build rootfs with debos | |
| run: | | |
| set -ux | |
| debos -t xfcedesktop:false -t localdebs:local-debs/ \ | |
| debos-recipes/qualcomm-linux-debian-rootfs.yaml | |
| - name: Upload artifacts to fileserver space for downloads | |
| run: | | |
| set -ux | |
| # create a directory for the current run | |
| dir="/fileserver-downloads/${BUILD_ID}" | |
| mkdir -vp "${dir}" | |
| # copy output files | |
| cp -av rootfs.tar.gz "${dir}" | |
| syft: | |
| name: Run Syft on rootfs | |
| # nowadays also available on arm64; set x86 for predictability | |
| runs-on: [self-hosted, x86] | |
| needs: build-debos | |
| container: | |
| image: debian:trixie | |
| volumes: | |
| - /srv/gh-runners/quic-yocto/builds:/fileserver-builds | |
| - /srv/gh-runners/quic-yocto/downloads:/fileserver-downloads | |
| steps: | |
| # make sure we have latest packages first, to get latest fixes and to | |
| # avoid an automated update while we're building | |
| - name: Update OS packages | |
| run: | | |
| set -ux | |
| apt update | |
| apt -y upgrade | |
| apt -y full-upgrade | |
| - name: Retrieve rootfs from fileserver | |
| run: cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz . | |
| - name: Unpack rootfs | |
| run: mkdir -v rootfs && tar -C rootfs -xvf rootfs.tar.gz | |
| # this is the upstream provided script; Syft is not packaged in Debian; | |
| # it's also available as a container image, but with a similar if not | |
| # worse consumption model | |
| - name: Install Syft | |
| run: | | |
| set -ux | |
| apt -y install curl | |
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh | |
| - name: Generate SBOMs with Syft | |
| run: | | |
| set -ux | |
| # TODO should probably restrict catalogers a bit as the rootfs is | |
| # built entirely from deb packages | |
| bin/syft --version | |
| SYFT_FORMAT_JSON_PRETTY=true bin/syft -v \ | |
| -o cyclonedx-json=rootfs-sbom.cyclonedx.json \ | |
| -o spdx-json=rootfs-sbom.spdx.json \ | |
| -o syft-json=rootfs-sbom.syft.json \ | |
| -o syft-text=rootfs-sbom.syft.txt \ | |
| -o syft-table \ | |
| --parallelism `nproc` \ | |
| --source-name qualcomm-linux-debian-rootfs \ | |
| --source-version "${BUILD_ID}" \ | |
| -v \ | |
| scan rootfs | |
| # compress SBOMs | |
| gzip rootfs-sbom* | |
| - name: Upload SBOMs to fileserver space for builds | |
| run: | | |
| # curl will be used to talk to fileserver; should be installed by | |
| # default | |
| apt -y install curl | |
| # copy SBOMs to fileserver space for builds | |
| cp -av rootfs-sbom*.gz "/fileserver-builds/${BUILD_ID}" | |
| # instruct fileserver to publish this directory | |
| url="${FILESERVER_URL}/${BUILD_ID}/" | |
| curl -X POST -H 'Accept: text/event-stream' "${url}" | |