From 6af49c302a1b8cd0375f6aedfe3018119f977a41 Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 2 Dec 2024 14:29:34 +0000 Subject: [PATCH] ci: sync workflows from central-workflows Signed-off-by: Scott --- .github/workflows/codacy.yml | 13 ++-- .github/workflows/codeql.yml | 16 +++-- .github/workflows/conventional-commits.yml | 3 + .github/workflows/dco-check.yml | 57 +++++++++++++++ .github/workflows/dependency-review.yml | 8 ++- .github/workflows/dockerfile-linter.yml | 52 ++++++++++++++ .github/workflows/dockerhub-image-build.yml | 80 +++++++++++++++++++++ .github/workflows/gpg-verify.yml | 16 ++++- .github/workflows/milestone.yml | 41 ++++++----- .github/workflows/njsscan.yml | 13 ++-- .github/workflows/release.yml | 80 +++++++++------------ .github/workflows/sbom.yml | 18 +++-- 12 files changed, 306 insertions(+), 91 deletions(-) create mode 100644 .github/workflows/dco-check.yml create mode 100644 .github/workflows/dockerfile-linter.yml create mode 100644 .github/workflows/dockerhub-image-build.yml diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml index 4b0d9f7..273f607 100644 --- a/.github/workflows/codacy.yml +++ b/.github/workflows/codacy.yml @@ -13,14 +13,16 @@ # For more information on Codacy Analysis CLI in general, see # https://github.com/codacy/codacy-analysis-cli. +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Codacy Security Scan on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '17 0 * * 4' 
@@ -29,6 +31,7 @@ permissions: jobs: codacy-security-scan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -38,11 +41,11 @@ jobs: steps: # Checkout the repository to the GitHub Actions runner - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI - uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + uses: codacy/codacy-analysis-cli-action@3ff8e64eb4b714c4bee91b7b4eea31c6fc2c4f93 with: # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository # You can also omit the token and run the tools that support default configurations @@ -58,6 +61,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 93f1086..6212b29 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
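Review bot: The job-level `if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'` added to `codacy-security-scan` means Dependabot's dependency-bump pull requests are never scanned by Codacy, which are precisely the changes a supply-chain scanner is meant to cover; if the guard exists because repository secrets such as `CODACY_PROJECT_TOKEN` are not available to Dependabot-triggered runs, say so next to it, e.g. `# Skipped for Dependabot: repository secrets are not exposed to its runs`. The same guard is added to every other workflow in this patch (codeql, conventional-commits, dco-check, dockerfile-linter, dockerhub-image-build, gpg-verify, milestone, njsscan, release, sbom), so the rationale belongs in the central source once. Separately, the commit-SHA pin `uses: codacy/codacy-analysis-cli-action@3ff8e64eb4b714c4bee91b7b4eea31c6fc2c4f93` carries no indication of which release it resolves to; a trailing `# PLACEHOLDER: release tag` comment lets reviewers and update tooling tell what is pinned, and the njsscan, hadolint, anchore and docker/* SHA pins elsewhere in the patch have the same gap.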
@@ -11,19 +11,23 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: "CodeQL" on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '34 0 * * 4' jobs: analyze: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' name: Analyze runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: @@ -42,11 +46,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +77,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml index 68efbd2..6aee786 100644 --- a/.github/workflows/conventional-commits.yml 
+++ b/.github/workflows/conventional-commits.yml @@ -7,6 +7,8 @@ # This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards. +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: PR Conventional Commit Validation on: @@ -16,6 +18,7 @@ on: jobs: validate-pr-title: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job steps: - name: Checkout code diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml new file mode 100644 index 0000000..861c0ea --- /dev/null +++ b/.github/workflows/dco-check.yml 
@@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: DCO + +# Trigger the workflow on pull request events +on: [pull_request] + +jobs: + dco: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + # Define the runner environment + runs-on: ubuntu-latest + + steps: + # Step to check out the repository + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available + + - name: Set up environment variables + run: | + echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV + echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + + # Step to check each commit in the pull request for a Signed-off-by line + - name: Check for DCO Sign-off + run: | + # Get the base branch and head branch of the pull request + base_branch=$BASE_BRANCH + head_branch=$HEAD_BRANCH + + # Get the list of commit hashes between the head branch and base branch + commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch}) + non_compliant_commits="" + + # Loop through each commit and check for the Signed-off-by line + for commit in $commits; do + # Check if the commit message contains the Signed-off-by line + if ! 
git show --quiet --format=%B $commit | grep -q "^Signed-off-by: "; then + # If not, add the commit hash to the list of non-compliant commits + non_compliant_commits="$non_compliant_commits $commit" + fi + done + + # If there are any non-compliant commits, output their hashes and fail the job + if [ -n "$non_compliant_commits" ]; then + echo "The following commits do not have a Signed-off-by line:" + for commit in $non_compliant_commits; do + echo "- $commit" + done + exit 1 + fi + shell: bash diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 6036c69..577adb6 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -6,6 +6,10 @@ # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement + + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: 'Dependency Review' on: [pull_request] @@ -17,6 +21,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/dockerfile-linter.yml b/.github/workflows/dockerfile-linter.yml new file mode 100644 index 0000000..f2959a7 --- /dev/null +++ b/.github/workflows/dockerfile-linter.yml 
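Review bot: The range in `commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch})` is reversed — `A..B` lists commits reachable from B but not from A, so this enumerates commits on the base branch that the PR lacks and never inspects the PR's own commits; the check passes vacuously whenever the head is up to date with base. gpg-verify.yml in this patch has the same inverted range. The `Set up environment variables` step also expands `github.event.pull_request.head.ref` inside a `run:` script, so a branch name containing shell metacharacters is interpreted by the shell on the runner; binding the refs through `env:` on the checking step keeps them as data and makes the `$GITHUB_ENV` step unnecessary. For PRs from forks `origin/${head_branch}` may not exist in the checkout; `github.event.pull_request.base.sha` and `head.sha` are the robust endpoints if that case matters.
```yaml
      # Step to check each commit in the pull request for a Signed-off-by line
      - name: Check for DCO Sign-off
        env:
          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
          HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}
        run: |
          # Commits that are on the PR head but not yet on the base branch
          commits=$(git log --pretty=format:%H "origin/${BASE_BRANCH}..origin/${HEAD_BRANCH}")
          non_compliant_commits=""
          # … unchanged: per-commit Signed-off-by loop and failure report …
        shell: bash
```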
@@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: Hadolint + +on: + push: + branches: [ "dev", "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "dev" ] + schedule: + - cron: '17 13 * * 0' + +permissions: + contents: read + +jobs: + hadolint: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run hadolint + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml new file mode 100644 index 0000000..4ea0d8e --- /dev/null +++ b/.github/workflows/dockerhub-image-build.yml 
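Review bot: `no-fail: true` on the hadolint step together with `wait-for-processing: true` on the upload means Dockerfile findings never fail this job and surface only as code-scanning alerts; if that is the intended reporting path, state it where the flag is set, e.g. `no-fail: true  # findings are reported through code scanning (SARIF), not as a job failure`. `dockerfile: ./Dockerfile` is hard-coded, so a repository receiving this centrally synced file without a Dockerfile at its root fails at the lint step (cannot tell from here whether every target repository has one). The file is also written without a trailing newline (`\ No newline at end of file`).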
@@ -0,0 +1,80 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + +name: Publish Docker image + +on: + push: + branches: [ "main" ] + release: + types: [published] + +jobs: + push_to_registry: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + name: Push Docker image to Docker Hub + runs-on: ubuntu-latest + permissions: + packages: write + contents: read + attestations: write + id-token: write + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Set ENV variables + run: | + echo "REPO_NAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" >> $GITHUB_ENV + + - name: Use the custom ENV variable + run: | + echo $REPO_NAME + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: tazamaorg/${{ env.REPO_NAME }} + tags: | + type=raw,value=2.1.0 + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + with: + context: . 
+ file: ./Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: GH_TOKEN=${{ secrets.GH_TOKEN }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: docker.io/tazamaorg/${{ env.REPO_NAME }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Send Slack Notification + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -X POST -H 'Content-type: application/json' --data '{"blocks": [{"type": "header","text": {"type": "plain_text","text": "New Dockerhub Image published :ship::ship:","emoji": true}},{"type": "section","fields": [{"type": "mrkdwn","text": "*Service:*\n${{ env.REPO_NAME }} "},{"type": "mrkdwn","text": "*Tazama Dockerhub:*\n"}]}]}' $SLACK_WEBHOOK_URL diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml index 5bc2b33..56b6f3c 100644 --- a/.github/workflows/gpg-verify.yml +++ b/.github/workflows/gpg-verify.yml 
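Review bot: `build-args: GH_TOKEN=${{ secrets.GH_TOKEN }}` in the `Build and push Docker image` step records the token in the published image's build metadata (build-arg values are visible through `docker history` on the layers that use them); pass it as a BuildKit secret instead, `secrets: |` followed by `GH_TOKEN=${{ secrets.GH_TOKEN }}`, and consume it in the Dockerfile with `RUN --mount=type=secret,id=GH_TOKEN`. The metadata step's `type=raw,value=2.1.0` re-publishes the same mutable tag on every push to `main` and on every release, so consumers pinning `2.1.0` silently receive a different image over time; deriving the tag from the release (`type=semver,pattern={{version}}`) or at least documenting why the tag is fixed would make this explicit. The `Use the custom ENV variable` step only echoes `$REPO_NAME` and reads like leftover debugging. The `*Tazama Dockerhub:*\n` Slack field appears to carry no value here; if an angle-bracketed Slack link was lost in extraction, disregard that last point.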
@@ -2,27 +2,37 @@ # This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures. +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: GPG Verify on: [pull_request] # Trigger this workflow on pull request events jobs: gpg-verify: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job steps: - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action with: fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history + - name: Set up environment variables + run: | + echo "PR_HEAD_REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV + echo "PR_BASE_REF=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV + echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + echo "GITHUB_REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + - name: Check GPG verification status # Step to check each commit for GPG signature verification run: | # Get the list of commits in the pull request - commits=$(git log --pretty=format:%H origin/${{ github.event.pull_request.head.ref }}..origin/${{ github.event.pull_request.base.ref }}) + commits=$(git log --pretty=format:%H origin/${PR_HEAD_REF}..origin/${PR_BASE_REF}) # Check the GPG verification status of each commit for commit in $commits; do - status=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }}/commits/$commit/check-runs \ + status=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ + https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$commit/check-runs \ | jq -r '.check_runs[] | select(.name == "GPG verify") | .conclusion') # If the GPG verification status is not successful, list the commit and exit with a non-zero status 
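Review bot: The new `Set up environment variables` step writes `secrets.GITHUB_TOKEN` into `$GITHUB_ENV`, which exposes the token to every later step in the job instead of only the one that calls the API, and it overwrites the runner-provided `GITHUB_REPOSITORY` default variable with the same value; step-scoped `env:` on the check step gives the same variables without either effect. The step also expands `github.event.pull_request.head.ref` inside a `run:` script, so a branch name with shell metacharacters is interpreted by the shell; `env:` binding keeps it as data. The range `origin/${PR_HEAD_REF}..origin/${PR_BASE_REF}` is inverted — it lists commits on the base branch missing from the head, not the PR's commits — so the loop never checks what it is meant to (the same defect is in dco-check.yml). The `run:` block of the check step continues outside the hunk.
```yaml
      - name: Check GPG verification status  # Step to check each commit for GPG signature verification
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Commits on the PR head that are not yet on the base branch
          commits=$(git log --pretty=format:%H "origin/${PR_BASE_REF}..origin/${PR_HEAD_REF}")
          # … unchanged: per-commit check-run lookup via curl/jq, using the runner-provided $GITHUB_REPOSITORY …
```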
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml index 7e53bce..8b5bb6a 100644 --- a/.github/workflows/milestone.yml +++ b/.github/workflows/milestone.yml @@ -1,7 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 +# This GitHub Actions workflow is designed to close a milestone and trigger a release workflow. + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Milestone Workflow +# This workflow can be manually triggered with a specified milestone ID. on: workflow_dispatch: inputs: 
@@ -12,37 +17,39 @@ on: jobs: close_milestone: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest steps: + # Step to check out the repository code. - name: Checkout Repository uses: actions/checkout@v2 - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 - with: - node-version: 16.x - registry-url: https://npm.pkg.github.com/ - # Defaults to the user or organization that owns the workflow file - scope: '@tazama-lf' - - - name: Install dependencies - run: npm ci - env: - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - + # Step to set up environment variables required for the script. + - name: Set up environment variables + run: | + # Set the GitHub token for authentication. + echo "ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + # Set the milestone number based on the workflow input. + echo "MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }}" >> $GITHUB_ENV + # Set the base API URL for GitHub. + echo "API_URL=https://api.github.com" >> $GITHUB_ENV + + # Step to close the specified milestone using GitHub API. - name: Close Milestone run: | - ACCESS_TOKEN="${{ secrets.GITHUB_TOKEN }}" - MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }} - API_URL="https://api.github.com" - + # Use the environment variables set up earlier to make the API call. curl -X PATCH \ -H "Accept: application/vnd.github.v3+json" \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -d '{"state": "closed"}' \ $API_URL/repos/${{ github.repository }}/milestones/$MILESTONE_NUMBER + env: + ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MILESTONE_NUMBER: ${{ github.event.inputs.milestoneId }} + API_URL: "https://api.github.com" + # Step to trigger another workflow for releasing, passing the milestone number. - name: Trigger Release Workflow uses: peter-evans/repository-dispatch@v1 with: diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml index 010804c..d1bddf2 100644 --- a/.github/workflows/njsscan.yml 
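Review bot: The new `Set up environment variables` step writes `secrets.GITHUB_TOKEN` into `$GITHUB_ENV` as `ACCESS_TOKEN`, exposing it to every later step including the third-party `peter-evans/repository-dispatch@v1`, while the `Close Milestone` step already receives the same three values through its own `env:` block; the `$GITHUB_ENV` step is redundant and should be dropped in favour of the step-scoped `env:`. `curl -X PATCH` has no `--fail`, so a rejected API call (bad token, unknown milestone) still exits 0 and the release dispatch that follows fires anyway; use `curl --fail -X PATCH \`. `actions/checkout@v2` is left behind while every other workflow in this patch moves to `@v4`. The `close_milestone` job continues past the hunk.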
+++ b/.github/workflows/njsscan.yml @@ -8,14 +8,16 @@ # This workflow integrates njsscan with GitHub's Code Scanning feature # nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: njsscan sarif on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '17 17 * * 1' @@ -24,6 +26,7 @@ permissions: jobs: njsscan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -32,13 +35,13 @@ jobs: name: njsscan code scanning steps: - name: Checkout the code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: nodejsscan scan id: njsscan - uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 + uses: ajinabraham/njsscan-action@d58d8b2f26322cd35a9efb8003baac517f226d81 with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2e3d580..c54ed3c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Release Workflow on: 
@@ -11,6 +13,7 @@ on: jobs: release: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' runs-on: ubuntu-latest steps: # Checkout the main branch with all history @@ -38,26 +41,6 @@ jobs: if: ${{ steps.release-label.outputs.level != null }} with: semver_only: true - - # Setup Node.js environment - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 - with: - node-version: 20.x - registry-url: https://npm.pkg.github.com/ - scope: '@tazama-lf' - - # Install dependencies - - name: Install dependencies - run: npm ci - env: - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - - # Run Tests - - name: Run Tests - run: npm test - env: - STARTUP_TYPE: 'nats' # Determine the release type (major, minor, patch) based on commit messages - name: Determine Release Type 
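Review bot: Removing the `Setup Node.js (.npmrc)`, `Install dependencies` and `Run Tests` steps means the `release` job no longer runs the test suite before it determines the release type and publishes, and nothing in the hunk replaces that gate. If tests are enforced elsewhere (PR checks, branch protection on `main`), a comment at the removal point should say so, e.g. `# Tests are not run here; PR workflows and branch protection gate main`, otherwise a release can be cut from a commit whose tests were never executed in this pipeline. The `release` job body continues outside the hunk.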
@@ -248,32 +231,37 @@ jobs: draft: false prerelease: false - # Update the CHANGELOG.md file in the repository - - name: Update CHANGELOG.md + - name: Get Latest Release run: | - NEW_VERSION=${{ steps.bump_version.outputs.new_version }} - CHANGELOG_CONTENTS=$(cat /home/runner/work/changelog.txt) - # Prepend the new changelog content to the existing CHANGELOG.md below SPDX-License-Identifier section - echo -e "$(head -n 2 CHANGELOG.md)\n\n## $NEW_VERSION\n\n$CHANGELOG_CONTENTS\n\n$(tail -n +3 CHANGELOG.md)" > CHANGELOG.md - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - git add CHANGELOG.md - git commit -m "chore: Update CHANGELOG.md for $NEW_VERSION" - git push origin HEAD:main + echo "LATEST_RELEASE=$(gh release list --limit 1 | awk '{print $1}')" >> $GITHUB_ENV + echo "The latest release tag is $LATEST_RELEASE" + + - name: Send Slack Notification env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - STARTUP_TYPE: 'nats' - - # Update the VERSION file - - name: Update VERSION file + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} run: | - NEW_VERSION=${{ steps.bump_version.outputs.new_version }} - echo -e "# SPDX-License-Identifier: Apache-2.0\n\n$NEW_VERSION" > VERSION - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - git add VERSION - git commit -m "chore: Update VERSION to $NEW_VERSION" - git push origin HEAD:main - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - STARTUP_TYPE: 'nats' \ No newline at end of file + curl -X POST -H 'Content-type: application/json' --data '{ + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": "New Release Alert :tazama:", + "emoji": true + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}" + }, + { + "type": "mrkdwn", + "text": 
"*Release:*\n" + } + ] + } + ] + }' ${{ secrets.SLACK_WEBHOOK_URL }} \ No newline at end of file diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 410a9bb..1abab3f 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -13,28 +13,32 @@ # and parameters, see https://github.com/anchore/sbom-action. For more # information about the Anchore SBOM tool, Syft, see # https://github.com/anchore/syft + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. + name: Anchore Syft SBOM scan on: - workflow_dispatch: push: - branches: [ "dev", "main" ] + branches: [ "main" ] permissions: contents: write jobs: Anchore-Build-Scan: + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' permissions: contents: write # required to upload to the Dependency submission API runs-on: ubuntu-latest steps: - name: Checkout the code uses: actions/checkout@v4 - - name: Scan the src directory and upload dependency results - uses: anchore/sbom-action@v0 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a with: - path: ./src/ - artifact-name: src.spdx.json + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json dependency-snapshot: true -