Skip to content
Release Published

Release NRL v3.0.35 #24

Sign in to view logs

Release NRL v3.0.35

Release NRL v3.0.35 #24

Workflow file for this run

.github/workflows/release.yml at 2b35229
name: Release Published
run-name: Release NRL ${{ github.event.release.name }}
permissions:
id-token: write
contents: write
actions: write
env:
SYFT_VERSION: "1.27.1"
on:
release:
types: [published]
# push:
# tags:
# - v*
workflow_dispatch:
jobs:
sbom:
name: Generate Software Bill of Materials - ${{ github.event.release.name }}
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup environment
run: |
echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
poetry install --no-root
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-release-tag-${{ github.run_id }}
- name: Terraform Init
run: |
terraform -chdir=terraform/account-wide-infrastructure/mgmt init
terraform -chdir=terraform/account-wide-infrastructure/dev init
terraform -chdir=terraform/account-wide-infrastructure/test init
terraform -chdir=terraform/account-wide-infrastructure/prod init
terraform -chdir=terraform/backup-infrastructure/test init
terraform -chdir=terraform/backup-infrastructure/prod init
terraform -chdir=terraform/bastion init
terraform -chdir=terraform/infrastructure init
- name: Set architecture variable
id: os-arch
run: |
case "${{ runner.arch }}" in
X64) ARCH="amd64" ;;
ARM64) ARCH="arm64" ;;
esac
echo "arch=${ARCH}" >> $GITHUB_OUTPUT
- name: Download and setup Syft
run: |
DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
echo "Downloading: ${DOWNLOAD_URL}"
curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
tar -xzf syft.tar.gz
chmod +x syft
# Add to PATH for subsequent steps
echo "$(pwd)" >> $GITHUB_PATH
- name: Create SBOM
run: bash scripts/sbom-create.sh
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom-${{ github.sha }}
path: sbom.spdx.json
- name: Append SBOM inventory to summary
if: always()
shell: bash
run: |
cat > sbom_to_summary.jq <<'JQ'
def clean: (.|tostring) | gsub("\\|"; "\\|") | gsub("\r?\n"; " ");
def purl: ((.externalRefs[]? | select(.referenceType=="purl") | .referenceLocator) // "");
def license: (.licenseConcluded // .licenseDeclared // "");
def supplier: ((.supplier // "") | sub("^Person: *|^Organization: *";""));
if (has("spdxVersion") | not) then
"### SBOM Inventory (SPDX)\n\nSBOM is not SPDX JSON."
else
.packages as $pkgs
| "### SBOM Inventory (SPDX)\n\n"
+ "| Metric | Value |\n|---|---|\n"
+ "| Packages | " + ($pkgs|length|tostring) + " |\n\n"
+ "<details><summary>Full inventory</summary>\n\n"
+ "| Package | Version | Supplier | License | PURL |\n|---|---|---|---|---|\n"
+ (
$pkgs
| map("| "
+ ((.name // .SPDXID) | clean)
+ " | " + ((.versionInfo // "") | clean)
+ " | " + (supplier | clean)
+ " | " + (license | clean)
+ " | " + (purl | clean)
+ " |")
| join("\n")
)
+ "\n\n</details>\n"
end
JQ
jq -r -f sbom_to_summary.jq sbom.spdx.json >> "$GITHUB_STEP_SUMMARY"
- name: Upload SBOM to release
if: ${{ github.event.release.tag_name }}
uses: svenstaro/upload-release-action@v2.11.3
with:
file: sbom.spdx.json
asset_name: sbom-${{ github.event.release.tag_name }}
tag: ${{ github.ref }}
repo_token: ${{ secrets.GITHUB_TOKEN }}