Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
266 changes: 133 additions & 133 deletions .github/workflows/sbom-diff-and-risk-ci.yml
Original file line number Diff line number Diff line change
@@ -1,97 +1,97 @@
name: sbom-diff-and-risk-ci
run-name: sbom-diff-and-risk ci / ${{ github.event_name }} / ${{ github.ref_name }}
on:
workflow_dispatch:
push:
# Version tags provide a minimal release-build scaffold without changing publishing.
tags:
- "v*"
paths:
- ".github/workflows/sbom-diff-and-risk-ci.yml"
- "tools/sbom-diff-and-risk/**"
pull_request:
paths:
- ".github/workflows/sbom-diff-and-risk-ci.yml"
- "tools/sbom-diff-and-risk/**"
permissions: {}
env:
name: sbom-diff-and-risk-ci
run-name: sbom-diff-and-risk ci / ${{ github.event_name }} / ${{ github.ref_name }}

on:
workflow_dispatch:
push:
# Version tags provide a minimal release-build scaffold without changing publishing.
tags:
- "v*"
paths:
- ".github/workflows/sbom-diff-and-risk-ci.yml"
- "tools/sbom-diff-and-risk/**"
pull_request:
paths:
- ".github/workflows/sbom-diff-and-risk-ci.yml"
- "tools/sbom-diff-and-risk/**"

permissions: {}

env:
SBOM_DIFF_RISK_PYTHON_VERSION: "3.11"
SBOM_DIFF_RISK_DIST_ARTIFACT_NAME: sbom-diff-and-risk-dist
SBOM_DIFF_RISK_CHECKSUM_MANIFEST: sbom-diff-and-risk-SHA256SUMS.txt
SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX: sbom-diff-and-risk
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
defaults:
run:
working-directory: tools/sbom-diff-and-risk
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
- name: Upgrade pip
run: python -m pip install --upgrade pip
- name: Install project
run: python -m pip install -e .[dev]
- name: Run test suite
run: python -m pytest
- name: CLI smoke test
shell: bash
run: |
tmpdir="$(mktemp -d)"
python -m sbom_diff_risk.cli compare \
--before examples/cdx_before.json \
--after examples/cdx_after.json \
--format auto \
--out-json "$tmpdir/report.json" \
--out-md "$tmpdir/report.md"
test -f "$tmpdir/report.json"
test -f "$tmpdir/report.md"
diff -u examples/sample-report.json "$tmpdir/report.json"
diff -u examples/sample-report.md "$tmpdir/report.md"
build-and-attest:
# Keep provenance publication on trusted non-PR runs so consumers verify
# workflow-produced wheel/sdist artifacts from this repository workflow.
if: github.event_name != 'pull_request'
needs: test
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
defaults:
run:
working-directory: tools/sbom-diff-and-risk
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
- name: Upgrade pip
run: python -m pip install --upgrade pip
- name: Install build tooling
run: python -m pip install build

jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
defaults:
run:
working-directory: tools/sbom-diff-and-risk
steps:
- name: Check out repository
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}

- name: Upgrade pip
run: python -m pip install --upgrade pip

- name: Install project
run: python -m pip install -e .[dev]

- name: Run test suite
run: python -m pytest

- name: CLI smoke test
shell: bash
run: |
tmpdir="$(mktemp -d)"
python -m sbom_diff_risk.cli compare \
--before examples/cdx_before.json \
--after examples/cdx_after.json \
--format auto \
--out-json "$tmpdir/report.json" \
--out-md "$tmpdir/report.md"
test -f "$tmpdir/report.json"
test -f "$tmpdir/report.md"
diff -u examples/sample-report.json "$tmpdir/report.json"
diff -u examples/sample-report.md "$tmpdir/report.md"

build-and-attest:
# Keep provenance publication on trusted non-PR runs so consumers verify
# workflow-produced wheel/sdist artifacts from this repository workflow.
if: github.event_name != 'pull_request'
needs: test
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
defaults:
run:
working-directory: tools/sbom-diff-and-risk
steps:
- name: Check out repository
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}

- name: Upgrade pip
run: python -m pip install --upgrade pip

- name: Install build tooling
run: python -m pip install build

- name: Build distributable artifacts
run: python -m build

Expand Down Expand Up @@ -135,34 +135,34 @@ jobs:
subject-path: |
${{ github.workspace }}/tools/sbom-diff-and-risk/dist/*.whl
${{ github.workspace }}/tools/sbom-diff-and-risk/dist/*.tar.gz
publish-release-assets:

publish-release-assets:
# Publish the exact built wheel/sdist bytes and checksum manifest from this run.
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
needs: build-and-attest
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Check out repository
uses: actions/checkout@v6
with:
fetch-depth: 0
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
needs: build-and-attest
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Check out repository
uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Download built distribution artifact and checksum manifest
uses: actions/download-artifact@v8
with:
name: ${{ env.SBOM_DIFF_RISK_DIST_ARTIFACT_NAME }}
path: release-assets
- name: Publish release assets from CI-built distributions
shell: bash
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
RELEASE_TAG: ${{ github.ref_name }}
RELEASE_TITLE_PREFIX: ${{ env.SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX }}
run: |
uses: actions/download-artifact@v8
with:
name: ${{ env.SBOM_DIFF_RISK_DIST_ARTIFACT_NAME }}
path: release-assets

- name: Publish release assets from CI-built distributions
shell: bash
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
RELEASE_TAG: ${{ github.ref_name }}
RELEASE_TITLE_PREFIX: ${{ env.SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX }}
run: |
set -euo pipefail
shopt -s nullglob
assets=(release-assets/*.whl release-assets/*.tar.gz)
Expand All @@ -188,21 +188,21 @@ jobs:
assets+=( "${checksum_manifest}" )

title="${RELEASE_TITLE_PREFIX} ${RELEASE_TAG}"
if gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" >/dev/null 2>&1; then
is_draft="$(gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" --json isDraft -q .isDraft)"
if [ "${is_draft}" != "true" ]; then
echo "Release ${RELEASE_TAG} already exists and is published; leaving assets unchanged."
exit 0
fi
else
gh release create "${RELEASE_TAG}" \
--repo "${GH_REPO}" \
--draft \
--verify-tag \
--title "${title}" \
--notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance."
fi

if gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" >/dev/null 2>&1; then
is_draft="$(gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" --json isDraft -q .isDraft)"
if [ "${is_draft}" != "true" ]; then
echo "Release ${RELEASE_TAG} already exists and is published; leaving assets unchanged."
exit 0
fi
else
gh release create "${RELEASE_TAG}" \
--repo "${GH_REPO}" \
--draft \
--verify-tag \
--title "${title}" \
--notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance."
fi

gh release upload "${RELEASE_TAG}" "${assets[@]}" --repo "${GH_REPO}"
gh release edit "${RELEASE_TAG}" --repo "${GH_REPO}" --draft=false --title "${title}"
gh release edit "${RELEASE_TAG}" --repo "${GH_REPO}" --draft=false --title "${title}"
Loading