
Commit ec1b245

Merge branch 'develop' into feature/made14-NRL-1938-add-github-ci-policies
2 parents b1bd2a5 + d76eb5f commit ec1b245


8 files changed

+468
-191
lines changed

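--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -67,18 +67,3 @@ jobs:
       with:
         key: ${{ github.run_id }}-nrlf-permissions
         path: dist/nrlf_permissions.zip
-
-  sbom:
-    name: Generate SBOM - ${{ github.ref }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Git clone - ${{ github.ref }}
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-
-      - name: Generate SBOM
-        uses: nhs-england-tools/trivy-action/[email protected]
-        with:
-          repo-path: "./"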

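--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,10 +1,13 @@
-name: Release
+name: Release Published
 run-name: Release NRL ${{ github.event.release.name }}
 permissions:
   id-token: write
-  contents: read
+  contents: write
   actions: write
 
+env:
+  SYFT_VERSION: "1.27.1"
+
 on:
   release:
     types: [published]
@@ -15,11 +18,105 @@ on:
 
 jobs:
   sbom:
-    name: Generate SBOM - ${{ github.ref }}
-    runs-on: ubuntu-latest
+    name: Generate Software Bill of Materials - ${{ github.event.release.name }}
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
 
     steps:
       - name: Git clone - ${{ github.ref }}
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
+
+      - name: Setup environment
+        run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+          poetry install --no-root
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-release-tag-${{ github.run_id }}
+
+      - name: Terraform Init
+        run: |
+          terraform -chdir=terraform/account-wide-infrastructure/mgmt init
+          terraform -chdir=terraform/account-wide-infrastructure/dev init
+          terraform -chdir=terraform/account-wide-infrastructure/test init
+          terraform -chdir=terraform/account-wide-infrastructure/prod init
+          terraform -chdir=terraform/backup-infrastructure/test init
+          terraform -chdir=terraform/backup-infrastructure/prod init
+          terraform -chdir=terraform/bastion init
+          terraform -chdir=terraform/infrastructure init
+
+      - name: Set architecture variable
+        id: os-arch
+        run: |
+          case "${{ runner.arch }}" in
+            X64) ARCH="amd64" ;;
+            ARM64) ARCH="arm64" ;;
+          esac
+          echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+
+      - name: Download and setup Syft
+        run: |
+          DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
+          echo "Downloading: ${DOWNLOAD_URL}"
+          curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
+          tar -xzf syft.tar.gz
+          chmod +x syft
+          # Add to PATH for subsequent steps
+          echo "$(pwd)" >> $GITHUB_PATH
+
+      - name: Create SBOM
+        run: bash scripts/sbom-create.sh
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ github.sha }}
+          path: sbom.spdx.json
+
+      - name: Append SBOM inventory to summary
+        if: always()
+        shell: bash
+        run: |
+          cat > sbom_to_summary.jq <<'JQ'
+            def clean: (.|tostring) | gsub("\\|"; "\\|") | gsub("\r?\n"; " ");
+            def purl: ((.externalRefs[]? | select(.referenceType=="purl") | .referenceLocator) // "");
+            def license: (.licenseConcluded // .licenseDeclared // "");
+            def supplier: ((.supplier // "") | sub("^Person: *|^Organization: *";""));
+            if (has("spdxVersion") | not) then
+              "### SBOM Inventory (SPDX)\n\nSBOM is not SPDX JSON."
+            else
+              .packages as $pkgs
+              | "### SBOM Inventory (SPDX)\n\n"
+              + "| Metric | Value |\n|---|---|\n"
+              + "| Packages | " + ($pkgs|length|tostring) + " |\n\n"
+              + "<details><summary>Full inventory</summary>\n\n"
+              + "| Package | Version | Supplier | License | PURL |\n|---|---|---|---|---|\n"
+              + (
+                $pkgs
+                | map("| "
+                  + ((.name // .SPDXID) | clean)
+                  + " | " + ((.versionInfo // "") | clean)
+                  + " | " + (supplier | clean)
+                  + " | " + (license | clean)
+                  + " | " + (purl | clean)
+                  + " |")
+                | join("\n")
+              )
+              + "\n\n</details>\n"
+            end
+          JQ
+          jq -r -f sbom_to_summary.jq sbom.spdx.json >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload SBOM to release
+        if: ${{ github.event.release.tag_name }}
+        uses: svenstaro/[email protected]
+        with:
+          file: sbom.spdx.json
+          asset_name: sbom-${{ github.event.release.tag_name }}
+          tag: ${{ github.ref }}
+          repo_token: ${{ secrets.GITHUB_TOKEN }}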
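Review bot: The Syft tarball fetched with `curl -L` in the "Download and setup Syft" step is extracted and executed with no integrity check, so a substituted or tampered release asset would run inside a job that holds the assumed AWS management role and a `contents: write` token; add a digest gate between the download and the extract, e.g. `echo "<EXPECTED_SHA256>  syft.tar.gz" | sha256sum -c -`, taking the digest from the checksums upstream publishes for that release and keeping it next to `SYFT_VERSION` so the two are bumped together. The same step then runs `echo "$(pwd)" >> $GITHUB_PATH`, which prepends the repository checkout directory to PATH for every later step, so any executable committed at the repo root would shadow tools such as `jq`, `bash` or `terraform` that the remaining steps call; moving the binary into a dedicated directory (for example `mkdir -p "$HOME/.local/bin" && mv syft "$HOME/.local/bin/"` and adding that path instead) avoids it. Separately, `aws-actions/configure-aws-credentials` is pinned to a full commit SHA with a `#v4.3.1` comment, but the third-party release-upload action in the final step, which receives `secrets.GITHUB_TOKEN` under the permission this commit widens from `read` to `write`, is referenced only by tag (its reference also appears garbled in this rendering); pin it to a commit SHA in the same style.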

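--- a/.gitignore
+++ b/.gitignore
@@ -84,3 +84,6 @@ producer-internal-*.json
 producer-public-*.json
 consumer-internal-*.json
 consumer-public-*.json
+
+# SBOM files
+sbom*.spdx.json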
