diff --git a/authorized-pub/action.yml b/authorized-pub/action.yml
index 7bcf677..1eefa32 100644
--- a/authorized-pub/action.yml
+++ b/authorized-pub/action.yml
@@ -22,7 +22,7 @@ runs:
 run: |
 export GH_TOKEN=${{ inputs.token }}
 NAME=$(gh api users/${{ github.actor }} --jq '.name')
- export REPORT=$S3_ASSETS/authorized_publication.txt
+ export REPORT=$S3_ASSETS/authorized-publication.txt
 echo "Product: ${{ inputs.product_name }}" > $REPORT
 echo "Version: ${{ inputs.release_version }}" >> $REPORT
 echo "Releaser: $NAME" >> $REPORT
diff --git a/compliance-report/action.yml b/compliance-report/action.yml
new file mode 100644
index 0000000..8ce938c
--- /dev/null
+++ b/compliance-report/action.yml
@@ -0,0 +1,28 @@
+name: Generate a compliance report
+description: Generates the compliance report in the S3_ASSETS folder
+inputs:
+ token:
+ description: The GitHub token for the action
+ required: true
+ sbom_name:
+ description: The name of the SBOM file in the S3 bucket
+ default: cyclonedx.sbom.json
+ sarif_name:
+ description: The name of the SARIF file in the S3 bucket
+ default: code-scanning-alerts.json
+ authorized_pub_name:
+ description: The name of the Authorized Publication file in the S3 bucket
+ default: authorized-publication.txt
+runs:
+ using: composite
+ steps:
+ - name: Generate Compliance Report
+ shell: bash
+ run: |
+ set -eux
+ export GH_TOKEN=${{ inputs.token }}
+ export RELEASE_CREATOR=$(gh api users/${{ github.actor }} --jq '.name')
+ export SBOM_NAME=${{ inputs.sbom_name }}
+ export SARIF_NAME=${{ inputs.sarif_name }}
+ export AUTHORIZED_PUB_NAME=${{ inputs.authorized_pub_name }}
+ bash ${{ github.action_path }}/generate.sh
diff --git a/compliance-report/generate.sh b/compliance-report/generate.sh
new file mode 100644
index 0000000..bd638b8
--- /dev/null
+++ b/compliance-report/generate.sh
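Review bot: The `run:` block of the new "Generate Compliance Report" step splices `${{ inputs.sbom_name }}`, `${{ inputs.sarif_name }}` and `${{ inputs.authorized_pub_name }}` directly into the script text, so a caller passing a value like `x; curl ...` executes it in this step with the GitHub token in scope; because the expansion happens before bash sees the script, no quoting inside the script can prevent it. With `set -x` the expanded `export GH_TOKEN=...` line is also echoed to the job log, which relies entirely on the runner's secret masking having registered that value. Pass the token and the three names through the step's `env:` instead and let generate.sh read them from the environment; the token then never appears in a traced command line and the inputs are plain strings.
```yaml
    - name: Generate Compliance Report
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.token }}
        SBOM_NAME: ${{ inputs.sbom_name }}
        SARIF_NAME: ${{ inputs.sarif_name }}
        AUTHORIZED_PUB_NAME: ${{ inputs.authorized_pub_name }}
      run: |
        set -eux
        RELEASE_CREATOR=$(gh api "users/${{ github.actor }}" --jq '.name')
        export RELEASE_CREATOR
        bash "${{ github.action_path }}/generate.sh"
```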
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -eux
+
+cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md
+Release Creator
+${RELEASE_CREATOR}
+
+Tool used to track third party vulnerabilities
+Silk
+
+Third-Party Dependency Information
+See ${SBOM_NAME}
+
+Static Analysis Findings
+See ${SARIF_NAME}
+
+Signature Information
+See ${AUTHORIZED_PUB_NAME}
+
+Known Vulnerabilities
+Any vulnerabilities that may be shown in the files referenced above have been reviewed and accepted by the appropriate approvers.
+EOF
diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml
index 06c20bd..171451b 100644
--- a/gpg-sign/action.yml
+++ b/gpg-sign/action.yml
@@ -11,6 +11,16 @@ inputs:
 runs:
 using: composite
 steps:
+ - name: Get the list of filenames as a space-separated string
+ shell: bash
+ id: filenames
+ run: |
+ set -eux
+ export FILENAMES=${{inputs.filenames}}
+ if [[ $FILENAMES =~ '*' ]]; then
+ FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')
+ fi
+ echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT
 - name: "Create detached signature for file"
 shell: bash
 run: |
@@ -25,4 +35,6 @@ runs:
 - name: "Move the signature files to the release directory"
 shell: bash
 run: |
- for filename in ${{ inputs.filenames }}; do mv $(unknown).sig $RELEASE_ASSETS; done
+ set -eux
+ export FILENAMES=${{steps.filenames.outputs.names}}
+ for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done
diff --git a/python/publish/action.yml b/python/publish/action.yml
index e3725a2..9d5a196 100644
--- a/python/publish/action.yml
+++ b/python/publish/action.yml
@@ -51,8 +51,11 @@ runs:
 - name: Generate Sarif Report
 uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
 with:
- output-file: sarif-report.json
 ref: ${{ inputs.version }}
+ - name: Generate Compliance Report
+ uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+ with:
+ token: ${{ inputs.token }}
 - name: Run publish script
 shell: bash
 run: ${{github.action_path}}/publish.sh
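Review bot: The report is written with `>>`, so a re-run of the action in the same workspace appends a second copy of every section to `ssdlc_compliance_report.md`, and the three `See ${...}` lines name artifacts without checking that they exist in `${S3_ASSETS}` — a release whose SBOM or SARIF step silently produced nothing would still get a report stating they are there. Switch to `>` and fail the step before writing when a referenced file is missing or empty; note that in the python/publish flow `code-scanning-alerts.json` is only moved into `$S3_ASSETS` by publish.sh after this step, so that staging would have to move ahead of the report for such a check to pass. The "Known Vulnerabilities" sentence asserts review and acceptance unconditionally on every run; consider driving that line from an explicit approver input rather than hard-coding it.
```bash
# … unchanged: shebang, set -eux …
for artifact in "${SBOM_NAME}" "${SARIF_NAME}" "${AUTHORIZED_PUB_NAME}"; do
  [ -s "${S3_ASSETS}/${artifact}" ] || { echo "missing ${artifact} in ${S3_ASSETS}" >&2; exit 1; }
done

cat << EOF > "${S3_ASSETS}/ssdlc_compliance_report.md"
# … unchanged: report body …
EOF
```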
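Review bot: `export FILENAMES=${{inputs.filenames}}` expands the caller-supplied input into the script source before bash runs it, so a value containing `;` or `$(...)` executes as part of this step rather than being treated as a list of names. Move the input onto the step as `env:` / `  FILENAMES: ${{ inputs.filenames }}` and delete the `export` line; the rest of the script already reads `$FILENAMES` from the environment. The glob branch then builds the list by parsing `ls` output, and the `names=` output is word-split by the consumer anyway, so filenames containing whitespace cannot work through this step — worth stating in the `filenames` input description, whose definition is outside this hunk. `[[ $FILENAMES == *'*'* ]]` says "contains an asterisk" more directly than the `=~ '*'` regex form.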
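Review bot: `export FILENAMES=${{steps.filenames.outputs.names}}` pastes the step output — which deliberately carries literal double quotes so the pasted text becomes a quoted shell assignment — into the script source, so a filename containing `"` or `$(` breaks the step or injects into it. Read the output through `env:` (`FILENAMES: ${{ steps.filenames.outputs.names }}`) and strip the wrapping quotes in the script: `for filename in ${FILENAMES//\"/}; do mv "${filename}.sig" "$RELEASE_ASSETS"; done`. The `mv` operand is not legible in this rendering, so I am assuming it names `${filename}.sig`; quoting it and `$RELEASE_ASSETS` is worth doing regardless, and names with spaces remain unsupported because the list is still split on whitespace.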
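Review bot: Dropping `output-file: sarif-report.json` leaves three places silently agreeing on `code-scanning-alerts.json` — the export action's default, the compliance-report action's `sarif_name` default, and the `mv` in publish.sh — so a default change in either `@v2` action would desynchronise them without any step failing. Pin the name here explicitly: `output-file: code-scanning-alerts.json` on the export step and `sarif_name: code-scanning-alerts.json` on the new report step. Note also that the report is generated before "Run publish script", which is the step that moves `code-scanning-alerts.json` and copies the `.sig` files into `$S3_ASSETS`, so the report is written while those artifacts are not yet in the folder it describes.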
diff --git a/python/publish/publish.sh b/python/publish/publish.sh index 5e11673..7f2cc60 100755 --- a/python/publish/publish.sh +++ b/python/publish/publish.sh @@ -2,7 +2,8 @@ set -eux -mv sarif-report.json $S3_ASSETS +cp $RELEASE_ASSETS/*.sig $S3_ASSETS +mv code-scanning-alerts.json $S3_ASSETS if [ "$DRY_RUN" == "false" ]; then echo "Uploading Release Reports" diff --git a/sbom/action.yml b/sbom/action.yml index 571ad60..c420a37 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -11,10 +11,12 @@ inputs: runs: using: composite steps: - - name: Download the Augmented SBOM file to the release assets folder + - name: Download the Augmented SBOM file to the release assets and s3 assets folders shell: bash run: | + set -eux podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ --env-file=${SILKBOMB_ENVFILE} \ ${{ inputs.artifactory_image }} \ - download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/sbom.json \ No newline at end of file + download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json + cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS} \ No newline at end of file diff --git a/setup/setup.sh b/setup/setup.sh index 6f06d3f..0fd8c22 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -39,11 +39,11 @@ mkdir $S3_ASSETS echo "Set up global variables" cat <> $GITHUB_ENV -AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}" +AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-} GPG_KEY_ID=$GPG_KEY_ID -GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}" +GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE -SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}" +SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS
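Review bot: `cp $RELEASE_ASSETS/*.sig $S3_ASSETS` stages detached signatures for upload without checking that they verify against the artifacts beside them, and both paths are unquoted. If the signing public key is available to the runner (setup.sh exports `GPG_KEY_ID` and `GPG_PUBLIC_URL`), verify before staging — assuming the `<artifact>.sig` naming gpg-sign produces: `for s in "$RELEASE_ASSETS"/*.sig; do gpg --verify "$s" "${s%.sig}"; done`, which under `set -e` stops the publish on a bad or orphaned signature instead of shipping it. Quote `"$RELEASE_ASSETS"` and `"$S3_ASSETS"` on both new lines either way.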
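Review bot: `cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}` publishes whatever the container wrote without checking that it is a CycloneDX document; `set -e` only catches a non-zero exit from `podman`, so an empty or truncated output file would still be attached to the release and cited by the compliance report. Add a sanity check before the copy, e.g. `jq -e '.bomFormat == "CycloneDX"' "${RELEASE_ASSETS}/cyclonedx.sbom.json" > /dev/null` (jq ships on the hosted runners; adjust if this runs self-hosted), and quote both paths in the `cp`. `${{ inputs.artifactory_image }}` is expanded into the script and, unless callers pass a digest, pulls a mutable tag for a tool that produces a release artifact — worth requiring an `image@sha256:...` reference.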
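Review bot: With the stray `"` removed, `AWS_BUCKET`, `GPG_PUBLIC_URL` and `SILKBOMB_ENVFILE` now become empty strings in `$GITHUB_ENV` when their source variables are unset — previously the value was a literal quote — so downstream `set -u` checks on them will no longer fire and every consumer must tolerate empty. Separately, the heredoc appends raw values to `GITHUB_ENV`, where any embedded newline becomes an additional `NAME=value` entry; if these values can originate from repository variables rather than the release workflow itself, reject newlines first: `for v in RELEASE_ASSETS_BUCKET GPG_PUBLIC_URL SILKBOMB_ENVFILE; do [[ ${!v:-} != *$'\n'* ]] || { echo "$v contains a newline" >&2; exit 1; }; done`. The heredoc opener is garbled in this rendering (`cat <> $GITHUB_ENV`), so I cannot confirm its delimiter from the hunk.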