feature: initial commit for all new image changes
This commit is contained in:
@@ -0,0 +1,92 @@
|
||||
name: Create SBOM for the release
|
||||
# Inherited variables:
|
||||
# github.event.client_payload.agentSpec - Current YAML Label
|
||||
# github.event.client_payload.ReleaseID - Current release ID
|
||||
# github.event.client_payload.imageVersion - AzDO image version "major.minor"
|
||||
# github.event.client_payload.ReleaseBranchName - Necessary to identify workflow run
|
||||
#
|
||||
# Current SYFT tool issues:
|
||||
# macOS (major): prompt privilegies that blocking process indefinetely (https://github.com/anchore/syft/issues/1367)
|
||||
on:
|
||||
repository_dispatch:
|
||||
types: [generate-sbom]
|
||||
defaults:
|
||||
run:
|
||||
shell: pwsh
|
||||
jobs:
|
||||
#Checking current release for SBOM
|
||||
sbom-check:
|
||||
outputs:
|
||||
check_status: ${{ steps.check.outputs.status }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check release for ${{ github.event.client_payload.ReleaseBranchName }}
|
||||
id: check
|
||||
shell: pwsh
|
||||
run: |
|
||||
$apiUrl = "https://api.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}"
|
||||
$response = Invoke-RestMethod -Uri $apiUrl -Method Get -SkipHttpErrorCheck
|
||||
if ($response.message -ilike "Not Found") {
|
||||
echo "status=release_not_found" >> $env:GITHUB_OUTPUT
|
||||
Write-Error "Release ${{ github.event.client_payload.ReleaseID }} wasn't found"
|
||||
exit 1
|
||||
}
|
||||
foreach ($asset in $response.assets) {
|
||||
if ($asset.name -like '*sbom*') {
|
||||
echo "status=sbom_exists" >> $env:GITHUB_OUTPUT
|
||||
return "Release ${{ github.event.client_payload.ReleaseID }} already contains a SBOM"
|
||||
}
|
||||
}
|
||||
Write-Host "Release has been found, SBOM is not attached, starting generation."
|
||||
echo "status=okay" >> $env:GITHUB_OUTPUT
|
||||
#Generating SBOM
|
||||
building-sbom:
|
||||
needs: sbom-check
|
||||
if: ${{ needs.sbom-check.outputs.check_status == 'okay' }}
|
||||
runs-on: ${{ github.event.client_payload.agentSpec }}
|
||||
steps:
|
||||
- name: Available image version check for ${{ github.event.client_payload.ReleaseBranchName }}
|
||||
run: |
|
||||
$imageVersionComponents = $env:ImageVersion.Split('.')
|
||||
$imageMajorVersion = $imageVersionComponents[0]
|
||||
$imageMinorVersion = $imageVersionComponents[1]
|
||||
if ("$imageMajorVersion.$imageMinorVersion" -ne '${{ github.event.client_payload.imageVersion }}') {
|
||||
throw "Current runner $imageMajorVersion.$imageMinorVersion image version doesn't match ${{ github.event.client_payload.imageVersion }}."
|
||||
}
|
||||
- name: Install SYFT tool on Windows
|
||||
if: ${{ runner.os == 'Windows' }}
|
||||
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b D:/syft
|
||||
- name: Install SYFT tool on Ubuntu or macOS
|
||||
if: ${{ runner.os != 'Windows' }}
|
||||
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v0.100.0
|
||||
#Running section.
|
||||
- name: Run SYFT on Windows
|
||||
if: ${{ runner.os == 'Windows' }}
|
||||
run: D:/syft/syft dir:C:/ -vv -o spdx-json=sbom.json
|
||||
- name: Run SYFT on Ubuntu
|
||||
if: ${{ runner.os == 'Linux' }}
|
||||
run: syft dir:/ -vv -o spdx-json=sbom.json
|
||||
- name: Run SYFT on macOS
|
||||
if: ${{ runner.os == 'macOS' }}
|
||||
run: sudo syft dir:/ -vv -o spdx-json=sbom.json --exclude ./Users --exclude ./System/Volumes --exclude ./private
|
||||
shell: bash
|
||||
#Preparing artifact (raw SBOM.json is too big)
|
||||
- name: Compress SBOM file
|
||||
run: Compress-Archive sbom.json sbom.json.zip
|
||||
#Upload artifact action
|
||||
- uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: sbom-${{ github.event.client_payload.agentSpec }}-${{ github.event.client_payload.imageVersion }}
|
||||
path: sbom.json.zip
|
||||
if-no-files-found: warn
|
||||
#Upload release asset action
|
||||
#Might be changed to softprops/action-gh-release after additional check
|
||||
- name: Upload release asset
|
||||
uses: actions/upload-release-asset@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
upload_url: "https://uploads.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}/assets{?name,label}"
|
||||
asset_path: ./sbom.json.zip
|
||||
asset_name: sbom.${{ github.event.client_payload.agentSpec }}.json.zip
|
||||
asset_content_type: application/zip
|
||||
Reference in New Issue
Block a user