diff --git a/.cspell/custom-words.txt b/.cspell/custom-words.txt
index 5aaacb6da68..9a618362443 100644
--- a/.cspell/custom-words.txt
+++ b/.cspell/custom-words.txt
@@ -26,10 +26,6 @@ browserslistrc
 Bsas
 bxsalsa
 cachekey
-latexmk
-librsvg
-luatex
-LATEXMKOPTS
 CAFILE
 camelcase
 capacitorjs
@@ -125,6 +121,7 @@ HKCR
 HKCU
 HKLM
 Hodi
+htmlcov
 hypercorn
 icccm
 IDCANCEL
@@ -145,6 +142,8 @@ JsonSchema
 jvmargs
 KeyFile
 keysyms
+latexmk
+LATEXMKOPTS
 latexpdfja
 levelno
 libasound
@@ -193,6 +192,7 @@ libqtuiotouchplugin
 libqtwebview
 libqvnc
 libqwebgl
+librsvg
 libscene
 LibSodium
 libsqlite
@@ -213,6 +213,7 @@ lproj
 lsregister
 lstfiracode
 lualatex
+luatex
 MACBYTES
 MACFUSE
 makensis
@@ -245,6 +246,7 @@ NONCEBYTES
 noopener
 noreferrer
 noreply
+noserver
 notbase
 notr
 nplurals
@@ -252,6 +254,8 @@ npmkeep
 NSIS
 NSISDIR
 NSPHINXOPTS
+ntics
+ntns
 ntstatus
 numprocesses
 onboarded
@@ -268,6 +272,7 @@ Owholemodule
 PAAS
 packb
 pagetotal
+Passw0rd
 pems
 pgdg
 PGINSTALLATION
@@ -391,6 +396,7 @@ stucking
 subcode
 subsec
 swiftclient
+syft
 SymKey
 syncer
 systray
diff --git a/.github/workflows/package-python.yml b/.github/workflows/package-python.yml
index e9ced4179b6..d392d16b334 100644
--- a/.github/workflows/package-python.yml
+++ b/.github/workflows/package-python.yml
@@ -48,10 +48,13 @@ jobs: matrix: include: - name: 🐧 Linux + platform: linux os: ubuntu-22.04 - name: 🍎 macOS + platform: macos os: macos-12 - name: 🏁 Windows + platform: windows os: windows-2022 name: "${{ matrix.name }}: 📦 Packaging (build Wheel)" runs-on: ${{ matrix.os }}
@@ -138,6 +141,14 @@ jobs: - name: Generate requirements & constraints infos run: python packaging/wheel/wheel_it.py . --output dist --skip-wheel + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=dist/Parsec-SBOM-Wheel-${{ matrix.platform }}.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-wheel @@ -168,6 +179,9 @@ jobs: name: ${{ runner.os }}-${{ runner.arch }}-wheel path: dist + - name: List downloaded artifacts + run: tree dist + - name: Copy snap build configuration working-directory: ${{ runner.temp }} run: | @@ -194,10 +208,20 @@ jobs: working-directory: ${{ runner.temp }} run: snapcraft --destructive-mode + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=${{ runner.temp }}/Parsec-SBOM-linux-snap.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-snap - path: ${{ runner.temp }}/parsec*.snap + path: | + ${{ runner.temp }}/parsec*.snap + ${{ runner.temp }}/Parsec-SBOM-linux-snap.spdx.json if-no-files-found: error package-linux-test-snap: @@ -248,6 +272,9 @@ jobs: name: ${{ runner.os }}-${{ runner.arch }}-wheel path: dist + - name: List downloaded artifacts + run: Get-ChildItem -Recurse -Path dist + - uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c # pin v1.3.1 - name: Build Icon overlays COM objects 
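Review bot: The new syft install step in the wheel hunk (`- uses: taiki-e/install-action@…`) carries only the YAML comment `# Install syft` and no `name:`, so the job log shows the action's generic label and nothing ties that log line to the `Generate SBOM` step that depends on it; prefer `- name: Install syft` above the `uses:` line. The same unnamed step is repeated in the snap, Windows and macOS hunks of this file and in package-webapp.yml, so the fix applies there too. Pinning the action by commit SHA and the tool as `syft@0.84.0` is the right shape, and the `# pin v2.11.6` comment next to the SHA is worth keeping for future bumps.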
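Review bot: In the snap hunk the SBOM step runs `syft packages … .` with no `working-directory`, so it catalogs the workspace checkout, while the snap itself was built in `${{ runner.temp }}` (the `Copy snap build configuration` and `snapcraft --destructive-mode` steps both set `working-directory: ${{ runner.temp }}`); the file named `Parsec-SBOM-linux-snap.spdx.json` therefore describes the source tree, not what was staged into the snap. The same mismatch appears in the Windows (`@@ -294`) and macOS (`@@ -337`) hunks, where the archive is produced under `${{ runner.temp }}` but syft scans `.`. If a source-level SBOM is the intent that is acceptable, but then either point syft at the build directory or the produced package, or state the scope next to the step, e.g. `# SBOM of the source tree the package was built from, not of the package contents`, so consumers do not read it as an artifact SBOM.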
@@ -286,7 +313,7 @@ jobs: md dist cd build # cspell:disable-next-line - 7z a -tzip ..\dist\${{ steps.names.outputs.archive }} ` + 7z a -tzip ..\${{ steps.names.outputs.archive }} ` manifest.ini ` install_files.nsh ` uninstall_files.nsh ` @@ -294,10 +321,20 @@ jobs: winfsp-* working-directory: ${{ runner.temp }} + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=${{ runner.temp }}/Parsec-SBOM-windows-app.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-installer - path: ${{ runner.temp }}/dist/${{ steps.names.outputs.archive }} + path: | + ${{ runner.temp }}/${{ steps.names.outputs.archive }} + ${{ runner.temp }}/Parsec-SBOM-windows-app.spdx.json if-no-files-found: error package-macos-build-app: @@ -320,6 +357,9 @@ jobs: name: ${{ runner.os }}-${{ runner.arch }}-wheel path: dist + - name: List downloaded artifacts + run: ls -lR dist + - name: Copy packaging script run: cp -Rv ${{ github.workspace }}/packaging/macOS/* ${{ runner.temp }} 
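Review bot: After the change to `7z a -tzip ..\${{ steps.names.outputs.archive }}` the archive is written directly under `${{ runner.temp }}`, but the preceding context line `md dist` still creates a `dist` directory that nothing in the visible step writes to; unless a later step relies on it, drop `md dist` so the script does not leave a stray empty directory and a reader is not led to look for output there. The step's `run:` block starts before this hunk, so this is inferred from the visible lines only.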
@@ -337,10 +377,20 @@ jobs: --directory build/pyinstaller_dist parsec.app working-directory: ${{ runner.temp }} + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=${{ runner.temp }}/Parsec-SBOM-macos-app.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-installer - path: ${{ runner.temp }}/parsec-unsigned-v${{ env.WHEEL_VERSION }}-macos-amd64.tar.bz2 + path: | + ${{ runner.temp }}/parsec-unsigned-v${{ env.WHEEL_VERSION }}-macos-amd64.tar.bz2 + ${{ runner.temp }}/Parsec-SBOM-macos-app.spdx.json if-no-files-found: error package-macos-test-app: diff --git a/.github/workflows/package-webapp.yml b/.github/workflows/package-webapp.yml index 445d2b49cc3..f0b32f3a3f9 100644 --- a/.github/workflows/package-webapp.yml +++ b/.github/workflows/package-webapp.yml @@ -7,6 +7,13 @@ on: workflow_call: workflow_dispatch: +# Set `concurrency` to prevent this workflow from being run on code that is not up-to-date on a PR (e.g. when making many push quickly on a PR). +# This behavior is only intended for a PR and not for merge commits on the main branch. Having the workflow run on each merge commit can be useful to spot regressions missed by previous checks. +# To distinguish between these cases, we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call). +concurrency: + group: package-webapp-${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + env: # We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date. # That would break our unit test if we don't update them. 
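Review bot: The concurrency group `package-webapp-${{ github.workflow }}-${{ github.head_ref || github.run_id }}` is keyed on `github.workflow`, and this workflow also declares a `workflow_call` trigger; when it is invoked as a reusable workflow the `github` context is the caller's, so the group carries the calling workflow's name rather than this file's. Two different callers running on the same PR would then not cancel each other, while repeated calls from the same caller would — which may be exactly what you want, but it should be confirmed and recorded in the comment block, e.g. `# Under workflow_call, github.workflow is the caller's name, so the group is per calling workflow.` The `package-webapp-` prefix already separates this group from other workflows that copy the same pattern, so the `github.workflow` component mostly matters in the call case.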
@@ -37,25 +44,10 @@ jobs: run: npm clean-install working-directory: oxidation/client - - name: Install wasm-pack - run: | - set -eux - set -o pipefail - - BASE_DIR=wasm-pack-v${{ env.wasm-pack-version }}-x86_64-unknown-linux-musl - - mkdir -p ~/.local/bin - - curl -sSL \ - https://github.com/rustwasm/wasm-pack/releases/download/v${{ env.wasm-pack-version }}/$BASE_DIR.tar.gz \ - | tar --extract --gzip --to-stdout \ - $BASE_DIR/wasm-pack \ - > ~/.local/bin/wasm-pack - - chmod a+rx ~/.local/bin/wasm-pack - - echo $HOME/.local/bin >> $GITHUB_PATH - timeout-minutes: 2 + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0, wasm-pack@${{ env.wasm-pack-version }} - name: Build web bindings run: npm run build:release @@ -65,10 +57,15 @@ jobs: run: npm run web:release working-directory: oxidation/client + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Web.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: webapp - path: oxidation/client/dist/ + path: | + oxidation/client/dist/ + Parsec-SBOM-Web.spdx.json if-no-files-found: error electron: 
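Review bot: The step replacing the hand-rolled wasm-pack download is labelled only by the comment `# Install syft`, yet its `tool:` list installs both `syft@0.84.0` and `wasm-pack@${{ env.wasm-pack-version }}`; give it a `name:` that says so, e.g. `- name: Install syft & wasm-pack`, since the comment is invisible in the job log. The removed step also had `timeout-minutes: 2` and the replacement has none, so a stalled download now runs until the job timeout — consider carrying a `timeout-minutes:` over. Moving from an unverified `curl … | tar` into `~/.local/bin` to a SHA-pinned install action is an improvement; `env.wasm-pack-version` is defined outside this hunk.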
@@ -77,23 +74,29 @@ jobs: matrix: include: - name: 🐧 Linux + platform: linux os: ubuntu-20.04 paths: | oxidation/client/electron/dist/parsec_*_*.snap oxidation/client/electron/dist/parsec-*.AppImage oxidation/client/electron/dist/latest-linux.yml + Parsec-SBOM-Electron-linux.spdx.json - name: 🏁 Windows + platform: windows os: windows-2022 paths: | oxidation/client/electron/dist/parsec Setup *.exe oxidation/client/electron/dist/parsec Setup *.exe.blockmap oxidation/client/electron/dist/latest.yml + Parsec-SBOM-Electron-windows.spdx.json - name: 🍎 macOS + platform: macos os: macos-12 paths: | oxidation/client/electron/dist/parsec-*.dmg oxidation/client/electron/dist/parsec-*.dmg.blockmap oxidation/client/electron/dist/latest-mac.yml + Parsec-SBOM-Electron-macos.spdx.json name: "${{matrix.name }}: ⚡ Package electron" runs-on: ${{ matrix.os }} timeout-minutes: 60 @@ -121,6 +124,14 @@ jobs: working-directory: oxidation/client timeout-minutes: 5 + # Install syft + - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6 + with: + tool: syft@0.84.0 + + - name: Generate SBOM + run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json . + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2 with: name: ${{ runner.os }}-${{ runner.arch }}-electron-app diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml index 0f4b732e795..6b91efc8353 100644 --- a/.github/workflows/releaser.yml +++ b/.github/workflows/releaser.yml @@ -116,6 +116,9 @@ jobs: env: BASH_XTRACEFD: 1 + - name: Copy SBOM files + run: cp -v artifacts/**/Parsec-SBOM-*.spdx.json release-files + - name: Generate version file run: ( diff --git a/.syft.yaml b/.syft.yaml new file mode 100644 index 00000000000..7e611f01adc --- /dev/null +++ b/.syft.yaml 
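Review bot: `cp -v artifacts/**/Parsec-SBOM-*.spdx.json release-files` in the releaser hunk relies on `**`, which in bash only recurses when `shopt -s globstar` is set; in a plain `run:` step it behaves like a single `*`, so the copy only finds SBOM files sitting at the top level of each downloaded artifact directory. That happens to hold for the artifacts produced in this change (each SBOM is uploaded from the artifact's root), but the pattern reads as recursive and will silently miss a file nested one level deeper. Either write `artifacts/*/Parsec-SBOM-*.spdx.json` to match what actually happens, or use `find artifacts -name 'Parsec-SBOM-*.spdx.json' -exec cp -v {} release-files \;` if recursion is intended. The step's `shell:` is not visible in the hunk, so this assumes the default bash.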
@@ -0,0 +1,15 @@ +# Config for syft-0.84.0 +quiet: false + +check-for-app-update: false + +exclude: + - ./.git + # We don't ignore `target` & `node_modules` directories because they could contain additional dependencies not listed in the lock files. + # Ignoring those folder result in less entries produced. + # - ./target + # - '**/node_modules' + - "**/.mypy_cache" + - "**/.hypothesis" + - "**/.pytest_cache" + - "**/htmlcov" diff --git a/newsfragments/4770.doc.rst b/newsfragments/4770.doc.rst new file mode 100644 index 00000000000..3e57571b297 --- /dev/null +++ b/newsfragments/4770.doc.rst @@ -0,0 +1,2 @@ +Add SBOM (Software Bills Of Materials) generation on software packaging. +This provides the list of dependencies used to build the software.