diff --git a/.cspell/custom-words.txt b/.cspell/custom-words.txt index 822d9c8b8e4..cab34cf7bb2 100644 --- a/.cspell/custom-words.txt +++ b/.cspell/custom-words.txt @@ -26,10 +26,6 @@ browserslistrc Bsas bxsalsa cachekey -latexmk -librsvg -luatex -LATEXMKOPTS CAFILE camelcase capacitorjs @@ -125,6 +121,7 @@ HKCR HKCU HKLM Hodi +htmlcov hypercorn icccm IDCANCEL @@ -145,6 +142,8 @@ JsonSchema jvmargs KeyFile keysyms +latexmk +LATEXMKOPTS latexpdfja levelno libasound @@ -193,6 +192,7 @@ libqtuiotouchplugin libqtwebview libqvnc libqwebgl +librsvg libscene LibSodium libsqlite @@ -214,6 +214,7 @@ lproj lsregister lstfiracode lualatex +luatex MACBYTES MACFUSE makensis @@ -237,19 +238,17 @@ multibytes mycapacitorapp myclass Nanos -ntns -ntics napi newsfragment newsfragments Niño nmspc nocapture -noserver NONCEBYTES noopener noreferrer noreply +noserver notbase notr nplurals @@ -257,6 +256,8 @@ npmkeep NSIS NSISDIR NSPHINXOPTS +ntics +ntns ntstatus numprocesses onboarded @@ -271,10 +272,10 @@ oscrypto OSXFUSE OURCYGPATTERN Owholemodule -Passw0rd PAAS packb pagetotal +Passw0rd pems pgdg PGINSTALLATION @@ -399,6 +400,7 @@ stucking subcode subsec swiftclient +syft SymKey syncer systray diff --git a/.github/workflows/package-server.yml b/.github/workflows/package-server.yml index c5452d65638..6c5d71c6562 100644 --- a/.github/workflows/package-server.yml +++ b/.github/workflows/package-server.yml @@ -49,10 +49,13 @@ jobs: matrix: include: - name: 🐧 Linux + platform: linux os: ubuntu-22.04 - name: 🍎 macOS + platform: macos os: macos-12 - name: 🏁 Windows + platform: windows os: windows-2022 name: "${{ matrix.name }}: 📦 Packaging (build Wheel)" runs-on: ${{ matrix.os }} @@ -141,9 +144,18 @@ jobs: - name: Generate requirements & constraints infos run: python server/packaging/wheel/wheel_it.py ./server --output dist --skip-wheel + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=dist/Parsec-Wheel-${{ matrix.platform }}.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-wheel - path: dist/ + path: | + dist/ if-no-files-found: error timeout-minutes: 5 diff --git a/.github/workflows/package-webapp.yml b/.github/workflows/package-webapp.yml index 5c508b28a74..b836a8d846a 100644 --- a/.github/workflows/package-webapp.yml +++ b/.github/workflows/package-webapp.yml @@ -7,6 +7,15 @@ on: workflow_call: workflow_dispatch: +# We set `concurrency` to prevent having this workflow being run on code that is not up-to-date on a PR (a user make multiple push in a quick manner). +# But on the main branch, we don't want that behavior. +# Having the workflow run on each merge commit is something we would like, that could help us where a regression was made and missed by previous checks. +# +# For that we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call). +concurrency: + group: package-webapp-${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + env: # We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date. # That would break our unit test if we don't update them. @@ -37,25 +46,10 @@ jobs: run: npm clean-install working-directory: client - - name: Install wasm-pack - run: | - set -eux - set -o pipefail - - BASE_DIR=wasm-pack-v${{ env.wasm-pack-version }}-x86_64-unknown-linux-musl - - mkdir -p ~/.local/bin - - curl -sSL \ - https://github.com/rustwasm/wasm-pack/releases/download/v${{ env.wasm-pack-version }}/$BASE_DIR.tar.gz \ - | tar --extract --gzip --to-stdout \ - $BASE_DIR/wasm-pack \ - > ~/.local/bin/wasm-pack - - chmod a+rx ~/.local/bin/wasm-pack - - echo $HOME/.local/bin >> $GITHUB_PATH - timeout-minutes: 2 + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0, wasm-pack@${{ env.wasm-pack-version }} - name: Build web bindings run: npm run build:release @@ -65,10 +59,15 @@ jobs: run: npm run web:release working-directory: client + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Web.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: webapp - path: client/dist/ + path: | + client/dist/ + Parsec-SBOM-Web.spdx.json if-no-files-found: error electron: @@ -77,18 +76,21 @@ jobs: matrix: include: - name: 🐧 Linux + platform: linux os: ubuntu-20.04 paths: | client/electron/dist/parsec_*_*.snap client/electron/dist/parsec-*.AppImage client/electron/dist/latest-linux.yml - name: 🏁 Windows + platform: windows os: windows-2022 paths: | client/electron/dist/parsec Setup *.exe client/electron/dist/parsec Setup *.exe.blockmap client/electron/dist/latest.yml - name: 🍎 macOS + platform: macos os: macos-12 paths: | client/electron/dist/parsec-*.dmg @@ -121,9 +123,19 @@ jobs: working-directory: client timeout-minutes: 5 + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-electron-app - path: ${{ matrix.paths }} + path: | + ${{ matrix.paths }} + Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json if-no-files-found: error timeout-minutes: 10 diff --git a/.syft.yaml b/.syft.yaml new file mode 100644 index 00000000000..604a9b5b590 --- /dev/null +++ b/.syft.yaml @@ -0,0 +1,15 @@ +# Config for syft-0.84.0 +quiet: false + +check-for-app-update: false + +exclude: + - ./.git + # We don't ignore `target` & `node_modules` folders because they could containe additional dependencies not listed in the lock files. + # Ignoring those folder result in less entries produced. + # - ./target + # - '**/node_modules' + - "**/.mypy_cache" + - "**/.hypothesis" + - "**/.pytest_cache" + - "**/htmlcov" diff --git a/newsfragments/4770.doc.rst b/newsfragments/4770.doc.rst new file mode 100644 index 00000000000..a57904af455 --- /dev/null +++ b/newsfragments/4770.doc.rst @@ -0,0 +1,2 @@ +Add SBOM (Software Bills Of Materials) generation when packaging the softwares. +This provide the list of dependencies used to build the software.