updating so that each step is versioned #15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CI pipeline for all application types on main and release branches | ||
|
Check failure on line 1 in .github/workflows/ci-main-pull-request.yml
|
||
| # | ||
| # use stubs/ci-main-pull-request-stub.yml in your repo to call this common action using workflow_call | ||
| # | ||
| # performs the following actions: | ||
| # 1. run source code complexity checks (SCC) using scc | ||
| # 2. run language-specific pre-compilation checks and linting (e.g., gosec, rubocop, etc.) | ||
| # 3. run language-agnostic pre-compilation checks and secret scans (e.g., OWASP dependency or top 10 checks, trufflehog) | ||
| # 4. build and unit test the application (e.g., go test, cargo test, etc.) - integration tests are in CD pipeline | ||
| # 5. run static application security tests (SAST, e.g. Sonar, Docker Scout or BlackDuck Polaris) | ||
| # 6. report to central dashboards such as harness or Irfan's quality dashboard | ||
| # 7. run packaging steps (e.g., go build, cargo build, hab build, go-releaser, etc.), publishing and optional grype scan on output | ||
| # 8. generate software bill-of-materials (SBOM) using SPDX format and lookup licenses (GitHub SBOM, Micrsosoft SBOM, license_scout, and/or BlackDuck SBOM) | ||
| # 9. run source composition analysis (SCA) scans (e.g., blackduck SCA / "purple" as a replacement to dependabot) | ||
| # | ||
| # See DEV-README.md for more details on the steps and how to use this action, or the confluence page at <TODO: URL> | ||
| # | ||
| # secrets required (by step) | ||
| # SonarQube | ||
| # SONAR_TOKEN (repository level) | ||
| # SONAR_HOST_URL (organization level) | ||
| # AKEYLESS_JWT_ID (organization level, for creation of Azure firewall rules) | ||
| # BlackDuck SAST/Polaris | ||
| # POLARIS_ACCESS_TOKEN (organization level) | ||
| # POLARIS_SERVER_URL (organization level) | ||
| # BlackDuck SCA/SBOM, Sbominator | ||
| # BLACKDUCK_SBOM_URL (organization level) | ||
| # BLACKDUCK_SCA_TOKEN (organization level) | ||
| # Custom repository properties (view these in the repo Settings > Code & Automation > Custom Properties) | ||
| # - GABuildLanguage (the primary language used in compilation and testing in GitHub Actions. select from go, ruby, erlang, rust) | ||
| # - GABuildProfile (a build profile to be used when building an application using GitHub Actions. This is experimental and will determine build, unit test paths by type of application (e.g., CLI, standard container, web API, etc.) in combination with GABuildLanguage | ||
| # - lifecycle (the current status of the repo in terms of level of engagement with the contents: indeterminate, active, inactive, under-review, in-process) | ||
| # - primaryApplication (the primary application of which this repo is a component. Which product owner is responsible for maintaining this repo? indeterminate, automate, chef-360, chef-server, chef-test-kitchen-enterprise, chef-workstation, chef-client, haabitt, inspec, non-product, online-services, other) | ||
| # - standardizationWorkflow (standardize, indtrminate, etc.) | ||
| name: CI flow containing PR checks for main & release, v2 | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| github-event-name: | ||
| description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| github-branch-name: | ||
| description: 'GitHub branch name (pass github.ref_name from calling workflow for branch-specific logic)' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| application: | ||
| # NEW IN 1.0.7 | ||
| description: 'Application set in repository custom properties, typically primaryApplication' | ||
| required: false | ||
| type: string | ||
| visibility: | ||
| description: 'Visibility of the repository' | ||
| required: false | ||
| type: string | ||
| default: 'public' # (private, public, or internal) TODO: should be removed, we know this from github.event.repository.visibility | ||
| go-private-modules: | ||
| description: 'GOPRIVATE for Go private modules' | ||
| required: false | ||
| type: string | ||
| default: 'github.com/progress-platform-services/*' | ||
| version: | ||
| description: 'Version of the project' | ||
| required: false | ||
| type: string | ||
| default: '1.0.0' | ||
| detect-version-source-type: # options include "none" (do not detect), "file", "github-tag" or "github-release" | ||
| description: 'flag to determine how to detect version dynamically' | ||
| required: false | ||
| type: string | ||
| default: 'none' | ||
| detect-version-source-parameter: # use for file name | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| language: | ||
| description: 'Build language (Go, Ruby, Rust, etc.), typically from the repository custom property GABuildLanguage' | ||
| required: false | ||
| type: string | ||
| default: 'ruby' | ||
| perform-complexity-checks: | ||
| description: 'Perform complexity checks with SCC' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| scc-output-filename: | ||
| description: 'Name of the SCC complexity output file artifact, do not add file extension' | ||
| required: false | ||
| type: string | ||
| default: 'scc-complexity' | ||
| perform-language-linting: | ||
| description: 'Perform language-specific linting and pre-compilation checks' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| perform-trufflehog-scan: | ||
| description: 'Perform trufflehog scan' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| fail-trufflehog-on-secrets-found: | ||
| description: 'Fail the pipeline if Trufflehog finds verified secrets' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| perform-trivy-scan: | ||
| description: 'Perform Trivy scan' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| trivy-fail-on-high: | ||
| description: 'Fail pipeline if Trivy finds HIGH vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| trivy-fail-on-critical: | ||
| description: 'Fail pipeline if Trivy finds CRITICAL vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| perform-grype-scan: | ||
| description: 'Perform Grype scan on source code' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-fail-on-high: | ||
| description: 'Fail pipeline if Grype finds HIGH vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-fail-on-critical: | ||
| description: 'Fail pipeline if Grype finds CRITICAL vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| perform-grype-image-scan: | ||
| description: 'Perform Grype scan on Docker image' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-image-fail-on-high: | ||
| description: 'Fail pipeline if Grype image scan finds HIGH vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-image-fail-on-critical: | ||
| description: 'Fail pipeline if Grype image scan finds CRITICAL vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-image-skip-aws: | ||
| description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| perform-grype-hab-scan: | ||
| description: 'Perform Grype scan on published Habitat packages from bldr.habitat.sh' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-hab-build-package: | ||
| description: 'Build Habitat package from source before scanning (requires checkout)' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-hab-origin: | ||
| description: 'Habitat origin (e.g., chef-platform)' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| grype-hab-package: | ||
| description: 'Habitat package name (e.g., node-management-agent)' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| grype-hab-version: | ||
| description: 'Habitat package version (optional - scans latest from channel if not specified)' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| grype-hab-release: | ||
| description: 'Habitat package release (optional - scans latest from channel if not specified)' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| grype-hab-channel: | ||
| description: 'Habitat package channel (e.g., stable, base, unstable, base-2025, lts-2024)' | ||
| required: false | ||
| type: string | ||
| default: 'stable' | ||
| grype-hab-path: | ||
| description: "Path to built Habitat package (used if build_package is true, overrides hab_origin/hab_package inputs)" | ||
| required: false | ||
| type: string | ||
| grype-hab-scan-linux: | ||
| description: 'Scan Linux (x86_64-linux) Habitat package' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| grype-hab-scan-windows: | ||
| description: 'Scan Windows (x86_64-windows) Habitat package' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| grype-hab-scan-macos: | ||
| description: 'Scan MacOS (x86_64-darwin) Habitat package' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| build: | ||
| description: 'CI Build (language-specific)' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| build-profile: | ||
| # NEW IN 1.0.7 | ||
| description: 'Build profile for build step and Sonar, typically from the custom property GABuildProfile on the repository' | ||
| required: false | ||
| type: string | ||
| default: 'cli' | ||
| unit-tests: | ||
| description: 'Run unit tests (language-specific)' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| unit-test-output-path: | ||
| # NEW IN 1.0.7 | ||
| description: "Path to test results folder" | ||
| required: false | ||
| type: string | ||
| default: "test/unittest" | ||
| unit-test-command-override: | ||
| # NEW IN 1.0.7 | ||
| description: "Command line for running tests in this repo, if not the language default" | ||
| required: false | ||
| type: string | ||
| perform-blackduck-polaris: | ||
| description: 'Perform BlackDuck Polaris (SAST) scan' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| polaris-application-name: | ||
| description: 'Polaris application name, one of these {Chef-Agents | Chef-Automate | Chef-Chef360 | Chef-Habitat | Chef-Infrastructure-Server | Chef-Shared-Services}' | ||
| required: false | ||
| type: string | ||
| polaris-project-name: | ||
| description: 'Polaris project name, typically the application name, followed by - and the repository name, for example Chef-Chef360-chef-vault' | ||
| required: false | ||
| default: "${{ github.event.repository.name }}" | ||
| type: string | ||
| polaris-working-directory: | ||
| # NEW IN 1.0.7 | ||
| description: 'Working directory for the scan, defaults to . but usually lang-dependent like ./src' | ||
| required: false | ||
| default: '.' | ||
| type: string | ||
| polaris-config-path: | ||
| # NEW IN 1.0.7 | ||
| description: 'Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-coverity-config-path: | ||
| # NEW IN 1.0.7 | ||
| description: 'Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-coverity-clean-command: | ||
| # NEW IN 1.0.7 | ||
| description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean". Leave empty for buildless analysis (Ruby, Python, etc.)' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-coverity-build-command: | ||
| # NEW IN 1.0.7 | ||
| description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install". Leave empty for buildless analysis (Ruby, Python, etc.)' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-coverity-args: | ||
| # NEW IN 1.0.7 | ||
| description: 'Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-detect-search-depth: | ||
| # NEW IN 1.0.7 | ||
| description: 'Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-detect-args: | ||
| # NEW IN 1.0.7 | ||
| description: 'Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"' | ||
| required: false | ||
| default: '' | ||
| type: string | ||
| polaris-assessment-mode: | ||
| # NEW IN 1.0.7 | ||
| description: 'Assessment mode (CI or SOURCE_UPLOAD)' | ||
| required: false | ||
| default: 'CI' | ||
| type: string | ||
| wait-for-scan: | ||
| # NEW IN 1.0.7 | ||
| description: 'Wait for scan completion' | ||
| required: false | ||
| default: true | ||
| type: boolean | ||
| polaris-fail-on-high: | ||
| description: 'Fail the pipeline if Polaris SAST scan finds HIGH vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| polaris-fail-on-critical: | ||
| description: 'Fail the pipeline if Polaris SAST scan finds CRITICAL vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| perform-sonarqube-scan: | ||
| description: 'Perform basic SonarQube scan' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| perform-docker-scan: | ||
| description: 'Perform Docker scan of Dockerfile and built images in chef360 and other containerized applications' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| report-unit-test-coverage: | ||
| description: 'Perform unit tests and report coverage to SonarQube' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| report-to-atlassian-dashboard: | ||
| description: 'Report Sonar test coverage and other metrics to Atlassian dashboard (Irfans QA dashboard)' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| quality-dashboard-version: | ||
| description: 'Version of quality dashboard workflow to use (e.g., main, v1.0.7)' | ||
| required: false | ||
| type: string | ||
| default: 'main' | ||
| quality-product-name: | ||
| description: 'Product name for quality reporting (Chef360, Courier, Inspec)' | ||
| required: false | ||
| type: string | ||
| default: 'Chef360' | ||
| quality-sonar-app-name: | ||
| description: 'Sonar application name for quality reporting' | ||
| required: false | ||
| type: string | ||
| default: 'YourSonarAppName' | ||
| quality-testing-type: | ||
| description: 'Testing type for quality reporting (Unit, Integration, e2e, api, Performance, Security)' | ||
| required: false | ||
| type: string | ||
| default: 'Integration' | ||
| quality-service-name: | ||
| description: 'Service or repository name for quality reporting' | ||
| required: false | ||
| type: string | ||
| default: 'YourServiceOrRepoName' | ||
| quality-junit-report: | ||
| description: 'Path to JUnit report for quality reporting' | ||
| required: false | ||
| type: string | ||
| default: 'path/to/junit/report' | ||
| package-binaries: | ||
| description: 'Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| habitat-build: | ||
| description: 'Create Habitat packages' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| publish-habitat-packages: | ||
| # NEW IN 1.0.7 | ||
| description: 'Publish Habitat packages to Builder' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| publish-habitat-hab_package: | ||
| # NEW IN 1.0.7 | ||
| description: "Chef Habitat package to install (e.g., core/nginx)" | ||
| required: false | ||
| type: string | ||
| default: "core/nginx" | ||
| # TODO: detect from plan file if not provided | ||
| publish-habitat-hab_version: | ||
| # NEW IN 1.0.7 | ||
| description: "Chef Habitat package version (optional)" | ||
| required: false | ||
| type: string | ||
| publish-habitat-hab_release: | ||
| # NEW IN 1.0.7 | ||
| description: "Chef Habitat package release (optional)" | ||
| required: false | ||
| type: string | ||
| publish-habitat-hab_channel: | ||
| # NEW IN 1.0.7 | ||
| description: "Chef Habitat package channel (e.g., stable, base, base-2025); default is stable" | ||
| required: false | ||
| type: string | ||
| default: "stable" | ||
| publish-habitat-hab_auth_token: | ||
| # NEW IN 1.0.7 | ||
| required: false | ||
| type: string | ||
| # TODO: use secret if not provided | ||
| publish-habitat-runner_os: | ||
| description: "Runner OS to use (ubuntu-latest or windows-latest)" | ||
| type: string | ||
| # TODO: these should be options: ubuntu-latest, windows-latest, both, and add MacOS support | ||
| required: false | ||
| default: ubuntu-latest | ||
| habitat-grype-scan: | ||
| # NEW IN 1.0.7 | ||
| description: 'Scan built Habitat packages with Grype for vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| publish-packages: | ||
| description: 'Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| generate-sbom: | ||
| description: 'Generate software bill-of-materials (SPDX SBOM)' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| export-github-sbom: | ||
| description: 'Export SBOM to GitHub' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| generate-msft-sbom: | ||
| description: 'Generate SBOM using MSFT tools' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| license_scout: | ||
| description: 'Run license scout for license compliance' | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| perform-blackduck-sca-scan: # combined with generate sbom below, also needs version above | ||
| description: 'Perform BlackDuck SCA scan' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| blackduck-project-group-name: | ||
| description: 'BlackDuck project group name, typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services' | ||
| required: false | ||
| type: string | ||
| default: 'Chef' | ||
| blackduck-project-name: | ||
| description: 'BlackDuck project name, typically the repository name' | ||
| required: false | ||
| type: string | ||
| default: ${{ github.event.repository.name }} | ||
| polaris-blackduck-executable: | ||
| # TODO: this will be obsolete with built-in polaris in action | ||
| description: 'Path to BlackDuck polaris executable after build or download step' | ||
| required: false | ||
| type: string | ||
| default: 'path/to/blackduck/binary' | ||
| polaris-executable-detect-path: | ||
| description: 'Additions to $PATH for BlackDuck polaris to find executable' | ||
| required: false | ||
| type: string | ||
| default: 'path/to/detect' | ||
| blackduck-force-low-accuracy-mode: | ||
| description: 'Force low accuracy mode for BlackDuck SCA scan to speed up scan time at the cost of accuracy (not recommended for production use)' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| run-bundle-install: # Added to support projects without committed Gemfile.lock (e.g., chef-cli) | ||
| description: 'Run bundle install before scanning to generate Gemfile.lock at runtime' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| ruby-app-directory: | ||
| description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.' | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| blackduck-fail-on-blocker: | ||
| description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| blackduck-fail-on-critical: | ||
| description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| blackduck-fail-on-major: | ||
| description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| udf1: | ||
| description: 'User defined flag 1' | ||
| required: false | ||
| type: string | ||
| default: 'default' | ||
| udf2: | ||
| description: 'User defined flag 2' | ||
| required: false | ||
| type: string | ||
| default: 'default' | ||
| udf3: | ||
| description: 'User defined flag 3' | ||
| required: false | ||
| type: string | ||
| default: 'default' | ||
| # no longer used (retained just for older stub versions) | ||
| generate-blackduck-sbom: # obsolete | ||
| description: 'Generate SBOM using BlackDuck polaris (OBSOLETE, use perform-blackduck-sca-scan instead)' | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| # polaris-server-url: | ||
| # # should be obsolete with POLARIS_SERVER_URL secret | ||
| # description: 'Polaris server URL' | ||
| # required: false | ||
| # default: 'https://polaris.blackduck.com' | ||
| # type: string | ||
| env: | ||
| PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default' # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder) | ||
| REPO_VISIBILITY: ${{ github.event.repository.visibility }} | ||
| REPO_NAME: ${{ github.event.repository.name }} | ||
| PIPELINE_VERSION: '1.0.7' # version of this CI pipeline | ||
| GA_BUILD_LANGUAGE: ${{ inputs.language}} # Custom repo property [GABuildLanguage]: go, ruby, erlang, rust (replaces Language input) | ||
| GA_BUILD_PROFILE: ${{ inputs.build-profile }} # Custom repo property [GABuildProfile]: TBD | ||
| # APP_VERSION: $(cat VERSION) | ||
| FILE_PREFIX: $(echo "${{ github.repository }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S) | ||
| DEFAULT_FILE_EXTENSION: ".json" | ||
| DEFAULT_SEPARATOR: "-" | ||
| jobs: | ||
| precompilation-checks: | ||
| name: 'Pre-compilation checks' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: detect-custom-properties | ||
| # 'Detect app, language, and build profile environment variables from repository custom properties' | ||
| # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]' | ||
| run: | | ||
| response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values) | ||
| primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value') | ||
| GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value') | ||
| GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value') | ||
| echo "PRIMARY APP... $primaryApplication" | ||
| echo "BUILD LANG... $GABuildLanguage" | ||
| echo "BUILD PROFILE... $GABuildProfile" | ||
| echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV | ||
| echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV | ||
| echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV | ||
| continue-on-error: true | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} | ||
| - name: generate-filename-slug | ||
| # description: Generate a simple slug based on repo and date for use in any output artifacts | ||
| run: | | ||
| FILE_PREFIX=$(echo "${{ github.repository }}${{ env.DEFAULT_SEPARATOR }}${{ github.ref_name }}${{ env.DEFAULT_SEPARATOR }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S) | ||
| echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV | ||
| # FILE_NAME=$(echo "${{ env.FILE_PREFIX }}${{ env.DEFAULT_SEPARATOR }}${{ env.DEFAULT_FILE_NAME }}${{ env.DEFAULT_FILE_EXTENSION }}") | ||
| - name: 'Echo inputs' | ||
| run: | | ||
| echo "CI pipeline execution plan for repository [$REPO_NAME] with pipeline version $PIPELINE_VERSION" | ||
| echo "Environment variables" | ||
| echo " Repository visibility $REPO_VISIBILITY [workflow param was: ${{ inputs.visibility }}]" | ||
| echo " Repository primary application $PRIMARY_APPLICATION [workflow param was: ${{ inputs.application }}]" | ||
| echo " Repository build language $GA_BUILD_LANGUAGE [workflow param was: ${{ inputs.language }}]" | ||
| echo " Repository build profile $GA_BUILD_PROFILE [workflow param was: ${{ inputs.build-profile }}]" | ||
| echo " Computed file name prefix $FILE_PREFIX" | ||
| if [ ${{ inputs.version }} ]; then | ||
| echo " Repository version ${{ inputs.version }} from parameter ${{ inputs.detect-version-source-parameter }} and type ${{ inputs.detect-version-source-type }}" | ||
| fi | ||
| if [ ${{ inputs.go-private-modules }} ]; then | ||
| echo " GOPRIVATE ${{ inputs.go-private-modules }}" | ||
| fi | ||
| echo " Pipeline executing on ubuntu-latest" | ||
| echo "** SOURCE CODE COMPLEXITY AND LINTING ***********************************************" | ||
| if [ ${{ inputs.perform-complexity-checks }} ]; then | ||
| echo " SCC: performing complexity checks with output filename ${{ inputs.scc-output-filename }} " | ||
| fi | ||
| if [ ${{ inputs.perform-language-linting }} ]; then | ||
| echo " Linting: performing language-specific linting" | ||
| fi | ||
| echo "** TRUFFLEHOG (SECRETS) AND TRIVY (DEP SCAN) ****************************************" | ||
| if [ ${{ inputs.perform-trufflehog-scan }} ]; then | ||
| echo " Trufflehog" | ||
| fi | ||
| if [ ${{ inputs.perform-trivy-scan }} ]; then | ||
| echo " trivy" | ||
| fi | ||
| if [ ${{ inputs.perform-grype-hab-scan }} ]; then | ||
| echo "** GRYPE HABITAT PACKAGE SCAN **********************************************************" | ||
| echo " Mode: ${{ inputs.grype-hab-build-package == true && 'Build from source' || 'Download from Builder' }}" | ||
| if [ ${{ inputs.grype-hab-build-package }} ]; then | ||
| echo " Origin: ${{ inputs.grype-hab-origin }}" | ||
| fi | ||
| echo " Scanning Habitat package: ${{ inputs.grype-hab-origin }}/${{ inputs.grype-hab-package }}" | ||
| echo " Version: ${{ inputs.grype-hab-version }} Release: ${{ inputs.grype-hab-release }} Channel: ${{ inputs.grype-hab-channel }}" | ||
| echo " Platforms: Linux=${{ inputs.grype-hab-scan-linux }} Windows=${{ inputs.grype-hab-scan-windows }} MacOS=${{ inputs.grype-hab-scan-macos }}" | ||
| fi | ||
| if [ ${{ inputs.build }} ]; then | ||
| echo "** BUILD AND UNIT TEST *************************************************************" | ||
| echo " Repository build profile $GA_BUILD_PROFILE [${{ inputs.build-profile }}]" | ||
| if [ ${{ inputs.unit-tests }} ]; then | ||
| echo " Unit testing to ${{ inputs.unit-test-output-path }} with override command ${{ inputs.unit-test-command-override }}" | ||
| fi | ||
| fi | ||
| if [ ${{ inputs.perform-blackduck-polaris }} ]; then | ||
| echo "** POLARIS (SAST) TESTING *************************************************************" | ||
| echo " Polaris application name ${{ inputs.polaris-application-name }}" | ||
| echo " Polaris project name ${{ inputs.polaris-project-name }}" | ||
| echo " Working directory ${{ inputs.polaris-working-directory }}" | ||
| echo " Config path ${{ inputs.polaris-config-path }} (Coverity ${{ inputs.polaris-coverity-config-path }})" | ||
| echo " Clean command ${{ inputs.polaris-coverity-clean-command }}" | ||
| echo " Build command ${{ inputs.polaris-coverity-build-command }}" | ||
| echo " Args ${{ inputs.polaris-coverity-args }}" | ||
| echo " Detect search depth ${{ inputs.polaris-detect-search-depth }}" | ||
| echo " Detect args ${{ inputs.polaris-detect-args }}" | ||
| echo " Assessment mode ${{ inputs.polaris-assessment-mode }}" | ||
| echo " Wait for scan ${{ inputs.wait-for-scan }}" | ||
| fi | ||
| if [ ${{ inputs.perform-sonarqube-scan }} ]; then | ||
| echo "** SONARQUBE ******************************************************************" | ||
| fi | ||
| if [ ${{ inputs.perform-docker-scan }} ]; then | ||
| echo "** DOCKER SCOUT ***************************************************************" | ||
| fi | ||
| if [ ${{ inputs.report-unit-test-coverage }} ]; then | ||
| echo "** QUALITY DASHBOARD UNIT TEST COVERAGE REPORT ********************************" | ||
| # ignored for now - report-to-atlassian-dashboard, quality-product-name, quality-sonar-app-name, quality-testing-type, quality-service-name, quality-junit-report | ||
| fi | ||
| if [ ${{ inputs.package-binaries }} ]; then | ||
| echo "** PACKAGING ******************************************************************" | ||
| if [ ${{ inputs.habitat-build }} ]; then | ||
| echo "** HABITAT BUILD **************************************************************" | ||
| echo " Publish Habitat packages ${{ inputs.publish-habitat-packages }}" | ||
| echo " Habitat package name ${{ inputs.publish-habitat-hab_package }}" | ||
| echo " Habitat package version ${{ inputs.publish-habitat-hab_version }}" | ||
| echo " Habitat package release ${{ inputs.publish-habitat-hab_release }}" | ||
| echo " Habitat package channel ${{ inputs.publish-habitat-hab_channel }}" | ||
| echo " Auth token (overrides secret) ${{ inputs.publish-habitat-hab_auth_token }}" | ||
| echo " Publish operating system ${{ inputs.publish-habitat-runner_os }}" | ||
| fi | ||
| if [ ${{ inputs.habitat-grype-scan }} ]; then | ||
| echo " Performing grype scan on published package" | ||
| fi | ||
| if [ ${{ inputs.publish-packages }} ]; then | ||
| echo " PUBLISHING PACKAGES TO ECR, BLDR, RUBYGEMS NOT YET SUPPORTED" | ||
| fi | ||
| fi | ||
| if [ ${{ inputs.generate-sbom }} ]; then | ||
| echo "** SOFTWARE BILL OF MATERIALS FILE GENERATION ****************************************" | ||
| if [ ${{ inputs.export-github-sbom }} ]; then | ||
| echo " GitHub SBOM export" | ||
| fi | ||
| if [ ${{ inputs.generate-msft-sbom }} ]; then | ||
| echo " Microsoft SBOM file" | ||
| fi | ||
| if [ ${{ inputs.license_scout }} ]; then | ||
| echo " License scout" | ||
| fi | ||
| fi | ||
| # Generate BlackDuck SBOM set to ${{ inputs.generate-blackduck-sbom }} OBSOLETE, NO EFFECT | ||
| if [ ${{ inputs.perform-blackduck-sca-scan }} ]; then | ||
| echo "** BLACKDUCK SCAN AND REPORT ***********************************************" | ||
| echo " Chef is located at https://progresssoftware.app.blackduck.com/api/project-groups/fc6da208-79a9-4c47-a14d-6cfdf26bcfd5" | ||
| echo " BlackDuck project group name ${{ inputs.blackduck-project-group-name }}" | ||
| echo " BlackDuck project name ${{ inputs.blackduck-project-name }}" | ||
| echo " Polaris BlackDuck executable ${{ inputs.polaris-blackduck-executable }}" | ||
| echo " Polaris executable detect path ${{ inputs.polaris-executable-detect-path }}" | ||
| fi | ||
| echo "** USER DEFINED FLAGS ***************************************" | ||
| if [ -n "$${{ inputs.udf1 }}" ]; then | ||
| echo " UDF1 ${{ inputs.udf1 }}" | ||
| fi | ||
| if [ -n "$${{ inputs.udf2 }}" ]; then | ||
| echo " UDF2 ${{ inputs.udf2 }}" | ||
| fi | ||
| if [ -n "$${{ inputs.udf3 }}" ]; then | ||
| echo " UDF3 ${{ inputs.udf3 }}" | ||
| fi | ||
| # echo "The job_id is: $GITHUB_JOB" | ||
| # echo ${{ secrets.GITHUB_TOKEN }} DO NOT ECHO THIS | ||
| checkout: | ||
| name: 'Checkout repository' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| scc: | ||
| name: 'Source code complexity checks' | ||
| if: ${{ inputs.perform-complexity-checks == true }} | ||
| uses: chef/common-github-actions/.github/workflows/scc.yml@${{ inputs.scc-version }} | ||
| needs: checkout | ||
| with: | ||
| outputfilename: ${{ inputs.scc-output-filename }} | ||
| language-specific-checks: | ||
| name: 'Language-specific pre-compilation steps and linting' | ||
| # TODO: make three separate flows, by language with all steps (as oposed to one file per step with language-branching in each) | ||
| # language specific tests (gosec, rubocop, linters, etc.) | ||
| # ${{ inputs.language == 'rust' && inputs.perform-language-linting == true }} | ||
| # TODO: note you cannot do a conditional on the job, only on the step if using an ENV VAR | ||
| if: inputs.perform-language-linting | ||
| runs-on: ubuntu-latest | ||
| needs: checkout | ||
| steps: | ||
| - name: echo language | ||
| run: | | ||
| echo "Build language is set to ${{ env.GA_BUILD_LANGUAGE }}" | ||
| echo "Build language passed in ${{ inputs.language }}" | ||
| - name: Rust language checks | ||
| if: inputs.language == 'rust' # env.GA_BUILD_LANGUAGE | ||
| run: echo 'crate linter' | ||
| # https://github.com/rust-lang/rust-clippy | ||
| # cargo clippy --all-targets --all-features -- -D warnings | ||
| - name: Ruby language checks | ||
| if: inputs.language == 'ruby' | ||
| uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: '3.4' | ||
| bundler-cache: true # runs 'bundle install' and caches installed gems automatically | ||
| # generate gemfile.lock (TODO: move this below to OWASP) | ||
| - name: RuboCop Lint | ||
| if: inputs.language == 'ruby' | ||
| run: | | ||
| echo 'ruby linter' | ||
| # gem install rubocop | ||
| # rubocop --format=github --display-cop-names --extra-details --force-exclusion . | ||
| # bundle install | ||
| # - name: 'Bundler Audit' | ||
| # if: ${{ inputs.language == 'Ruby' && inputs.perform-complexity-checks == true }} | ||
| # uses: andrewmcodes/bundler-audit-action@main | ||
| # env: | ||
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| # TODO: get with Marc/Prajakta on this sequence for Ruby uses: chef/common-github-actions/.github/workflows/rubocop.yml@main | ||
| # TODO: this is also not certified, craete a copy in .github/actions - https://github.com/marketplace/actions/bundler-audit-action | ||
| # Bundler Audit Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation. | ||
| - name: Go language checks | ||
| if: inputs.language == 'go' | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: '1.24' | ||
| check-latest: true | ||
| - name: Configure git for private Go modules | ||
| if: inputs.language == 'go' | ||
| env: | ||
| GOPRIVATE: ${{ inputs.go-private-modules }} | ||
| run: git config --global url."https://${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/" | ||
| - name: Go linting and security checks | ||
| if: inputs.language == 'go' | ||
| run: echo "Running Go linting and security checks" | ||
| # TODO: THESE DO NOT RUN IN CHEF ORG - need to create copies in common-github-actions/.github/actions/ | ||
| # we can download and install them manually here if needed | ||
| # ERROR ON WORKFLOW: The actions golangci/golangci-lint-action@v6, dominikh/staticcheck-action@v1, and securego/gosec@master are not allowed in chef/arch-sample-cli because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: chef/*, chef/.github, chef/.github/workflows/*. | ||
| # - name: Run golangci-lint | ||
| # if: env.GA_BUILD_LANGUAGE == 'go' | ||
| # uses: golangci/golangci-lint-action@v6 | ||
| # with: | ||
| # version: latest | ||
| # args: --timeout=5m | ||
| # - name: Run staticcheck | ||
| # if: env.GA_BUILD_LANGUAGE == 'go' | ||
| # uses: dominikh/staticcheck-action@v1 | ||
| # with: | ||
| # version: latest | ||
| # - name: Run Gosec Security Scanner | ||
| # uses: securego/gosec@master | ||
| # with: | ||
| # args: ./... | ||
| # TO GET OUTPUT AS ARTIFACT go install github.com/securego/gosec/v2/cmd/gosec@latest | ||
| # gosec ./... >> ./bin/gosec.out | ||
| # https://go.googlesource.com/vuln - govulncheck is same as BlackDuck SCA backend, redundant to add it here | ||
| language-agnostic-checks: | ||
| name: 'Language-agnostic pre-compilation steps' | ||
| if: inputs.perform-language-linting | ||
| runs-on: ubuntu-latest | ||
| needs: checkout | ||
| steps: | ||
| - name: Language agnostic checks (OWASP dep check) | ||
| run: echo "placeholder" | ||
| # - name: 'Language-agnostic pre-compilation steps (OWASP dependency check)' | ||
| # uses: dependency-check/Dependency-Check_Action@main | ||
| # TODO: Dependency Check is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation | ||
| # create a copy in common-github-actions/.github/actions/owasp-dependency-check.yml | ||
| # https://github.com/marketplace/actions/dependency-check & https://owasp.org/www-project-dependency-check/ | ||
| # and flags at https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html | ||
| # - name: 'OWASP dependency check' | ||
| # uses: dependency-check/Dependency-Check_Action@v4.0.0 | ||
| # with: | ||
| # project: ${{ github.event.repository.name }} | ||
| # with: | ||
| # project: $REPO_NAME | ||
| # path: '.' | ||
| # format: 'JSON' | ||
| # # out: 'reports' # this is the default, no need to specify unless you wish to override it | ||
| # args: > | ||
| # --enableRetired | ||
| # --prettyPrint | ||
| # - name: Upload Test results | ||
| # uses: actions/upload-artifact@v4 | ||
| # with: | ||
| # name: OWASP dependency check report | ||
| # path: ${{github.workspace}}/reports | ||
| # TODO: add flag --failOnCVSS 7 | ||
| # TODO: integrate with SonarQube | ||
| # TODO: correct artifact upload names like Sonu's in sbom.yml | ||
| run-trufflehog: | ||
| name: 'Trufflehog scan' | ||
| if: ${{ inputs.perform-trufflehog-scan }} | ||
| uses: chef/common-github-actions/.github/workflows/trufflehog.yml@${{ inputs.trufflehog-version }} | ||
| needs: checkout | ||
| with: | ||
| github-event-name: ${{ inputs.github-event-name }} | ||
| github-branch-name: ${{ inputs.github-branch-name }} | ||
| fail-trufflehog-on-secrets-found: ${{ inputs.fail-trufflehog-on-secrets-found }} | ||
| # temporarily commenting out trivy scan due to https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation | ||
| # run-trivy: | ||
| # name: 'Trivy scan' | ||
| # if: ${{ inputs.perform-trivy-scan }} | ||
| # uses: chef/common-github-actions/.github/workflows/trivy.yml@main | ||
| # needs: checkout | ||
| # with: | ||
| # version: ${{ inputs.version }} | ||
| # trivy-fail-on-high: ${{ inputs.trivy-fail-on-high }} | ||
| # trivy-fail-on-critical: ${{ inputs.trivy-fail-on-critical }} | ||
| run-grype: | ||
| name: 'Grype scan' | ||
| if: ${{ inputs.perform-grype-scan }} | ||
| runs-on: ubuntu-latest | ||
| needs: checkout # TODO: fix set-application-version | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Determine severity threshold | ||
| id: severity | ||
| run: | | ||
| if [ "${{ inputs.grype-fail-on-high }}" == "true" ]; then | ||
| echo "level=high" >> $GITHUB_OUTPUT | ||
| elif [ "${{ inputs.grype-fail-on-critical }}" == "true" ]; then | ||
| echo "level=critical" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "level=none" >> $GITHUB_OUTPUT | ||
| fi | ||
| - name: Install Grype and update database | ||
| run: | | ||
| curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin | ||
| grype db update | ||
| grype version | ||
| - name: Generate Artifact Name | ||
| run: | | ||
| TIMESTAMP=$(date +%Y%m%d-%H%M%S) | ||
| ARTIFACT_NAME=$(echo "grype-scan-${{ github.event.repository.name }}-${TIMESTAMP}" | sed 's|/|-|g') | ||
| echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV | ||
| - name: Run Grype scan on repo | ||
| id: scan | ||
| run: | | ||
| # Run grype with only-fixed flag and output to JSON for analysis | ||
| grype dir:. --only-fixed -o json > grype-scan.json | ||
| grype dir:. --only-fixed --only-fixed --output table >> grype-scan.log || true | ||
| echo "✅ Grype scan completed successfully" | ||
| - name: Check Grype results and fail if vulnerabilities found | ||
| if: always() | ||
| run: | | ||
| JSON_FILE="./grype-scan.json" | ||
| if [ ! -f "$JSON_FILE" ] || [ -z "$JSON_FILE" ]; then | ||
| echo "⚠️ Grype JSON output not found" | ||
| exit 0 | ||
| fi | ||
| # Extract vulnerability counts using jq or grep fallback | ||
| if command -v jq &> /dev/null; then | ||
| CRITICAL_COUNT=$(jq '[.matches[]? | select(.vulnerability.severity == "Critical")] | length' "$JSON_FILE" 2>/dev/null || echo "0") | ||
| HIGH_COUNT=$(jq '[.matches[]? | select(.vulnerability.severity == "High")] | length' "$JSON_FILE" 2>/dev/null || echo "0") | ||
| else | ||
| CRITICAL_COUNT=$(grep -o '"severity":"Critical"' "$JSON_FILE" | wc -l | tr -d ' ' || echo "0") | ||
| HIGH_COUNT=$(grep -o '"severity":"High"' "$JSON_FILE" | wc -l | tr -d ' ' || echo "0") | ||
| fi | ||
| echo "" | ||
| echo "============================================" | ||
| echo "Grype Security Scan Summary" | ||
| echo "============================================" | ||
| echo "CRITICAL vulnerabilities: $CRITICAL_COUNT" | ||
| echo "HIGH vulnerabilities: $HIGH_COUNT" | ||
| echo "============================================" | ||
| VIOLATIONS="" | ||
| [ "${{ inputs.grype-fail-on-critical }}" == "true" ] && [ "$CRITICAL_COUNT" -gt 0 ] && VIOLATIONS="${VIOLATIONS}$CRITICAL_COUNT CRITICAL, " | ||
| [ "${{ inputs.grype-fail-on-high }}" == "true" ] && [ "$HIGH_COUNT" -gt 0 ] && VIOLATIONS="${VIOLATIONS}$HIGH_COUNT HIGH, " | ||
| if [ -n "$VIOLATIONS" ]; then | ||
| echo "" | ||
| echo "❌ BUILD FAILED: Found ${VIOLATIONS%, }" | ||
| exit 1 | ||
| fi | ||
| echo "" | ||
| echo "✅ No policy violations found" | ||
| - name: Upload Grype scan results | ||
| if: always() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ${{ env.ARTIFACT_NAME }} | ||
| path: | | ||
| grype-scan.json | ||
| grype-scan.log | ||
| # - name: Run Grype scan on repo | ||
| # uses: anchore/scan-action@v3 | ||
| # with: | ||
| # path: . | ||
| # fail-build: true | ||
| # severity-cutoff: high | ||
| run-grype-image: | ||
| name: 'Grype Docker image scan' | ||
| if: ${{ inputs.perform-grype-image-scan }} | ||
| uses: chef/common-github-actions/.github/workflows/grype.yml@${{ inputs.grype-version }} | ||
| needs: checkout | ||
| secrets: inherit | ||
| with: | ||
| fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }} | ||
| fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }} | ||
| grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }} | ||
| run-grype-hab-package-scan: | ||
| name: 'Grype scan Habitat packages from bldr.habitat.sh' | ||
| if: ${{ inputs.perform-grype-hab-scan == true }} | ||
| uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@${{ inputs.grype-hab-version }} | ||
| needs: checkout | ||
| secrets: inherit | ||
| with: | ||
| build_package: ${{ inputs.grype-hab-build-package }} | ||
| hab_origin: ${{ inputs.grype-hab-origin }} | ||
| hab_package: ${{ inputs.grype-hab-package }} | ||
| hab_version: ${{ inputs.grype-hab-version }} | ||
| hab_release: ${{ inputs.grype-hab-release }} | ||
| hab_channel: ${{ inputs.grype-hab-channel }} | ||
| hab_path: ${{ inputs.grype-hab-path }} | ||
| scan-linux: ${{ inputs.grype-hab-scan-linux }} | ||
| scan-windows: ${{ inputs.grype-hab-scan-windows }} | ||
| scan-macos: ${{ inputs.grype-hab-scan-macos }} | ||
| fail-grype-on-high: ${{ inputs.grype-fail-on-high }} | ||
| fail-grype-on-critical: ${{ inputs.grype-fail-on-critical }} | ||
| # run-srcclr: | ||
| # if: ${{ inputs.perform-srcclr-scan == true }} | ||
| # uses: chef/common-github-actions/.github/workflows/srcclr.yml@main | ||
| # needs: run-scc | ||
| # run-veracode-sca: | ||
| # if: ${{ inputs.perform-veracode-sca-scan == true }} | ||
| # uses: chef/common-github-actions/.github/workflows/veracode-sca.yml@main | ||
| # needs: run-scc | ||
| # secrets: inherit | ||
| ci-build: | ||
| name: 'Build/compilation and unit tests (CI)' | ||
| if : ${{ inputs.build == true }} | ||
| needs: checkout | ||
| timeout-minutes: 40 # Maximum allowed minutes for GitHub-hosted runners (6 hours = 360 minutes) | ||
| runs-on: ubuntu-latest | ||
| # TODO: make this matrix strategy, and allow language compiler version overrides | ||
| steps: | ||
| - name: 'Build language: ${{ inputs.language }}' | ||
| run: | | ||
| echo "Building application in language ${{ env.GA_BUILD_LANGUAGE }}" | ||
| echo " passed in with ${{ inputs.language }}" | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Configure git for private Go modules | ||
| if: inputs.language == 'go' | ||
| env: | ||
| GOPRIVATE: ${{ inputs.go-private-modules }} | ||
| run: git config --global url."https://${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/" | ||
| - name: 'Go build' | ||
| if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }} | ||
| continue-on-error: true | ||
| # TODO: make this a matrix on WIndows/Mac/Linux | ||
| # TODO: parameterize build output path | ||
| run: | | ||
| ls | ||
| pwd | ||
| go mod tidy | ||
| go build -o ./bin/${{ env.REPO_NAME }} . | ||
| - name: 'Go unit tests' | ||
| if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }} | ||
| continue-on-error: true | ||
| run: | | ||
| go test -v ./... > ${{ inputs.unit-test-output-path }} | ||
| # TODO: add unit-test-command-override if go test is not desired | ||
| - name: Upload test coverage artifact | ||
| if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }} | ||
| uses: actions/upload-artifact@v4 | ||
| # TODO: parameterize the unit test and coverage report names | ||
| with: | ||
| # Name of the artifact to upload. | ||
| name: test-coverage.out | ||
| # A file, directory or wildcard pattern that describes what to upload | ||
| path: ${{ inputs.unit-test-output-path }} | ||
| # run: go test -v -coverprofile="coverage.out" ./... and upload artifact! | ||
| # - name: Build for Rust binary | ||
| # if: ${{ env.GA_BUILD_LANGUAGE == 'rust' }} | ||
| # run: echo 'hello world' | ||
| # # cargo build --release --target-dir ./bin | ||
| # - name: Build for Ruby binary | ||
| # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem | ||
| # https://bundler.io/man/bundle-install.1.html | ||
| - name: Set up Ruby # Fixed: Ruby setup was missing, causing "bundle: command not found" errors | ||
| if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} | ||
| uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: '3.4' | ||
| bundler-cache: false | ||
| - name: Configure Bundler for private Ruby gems | ||
| if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} | ||
| run: | | ||
| if [ -z "${{ secrets.PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE }}" ]; then | ||
| echo "Skipping: PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE secret not configured or not in scope" | ||
| exit 0 | ||
| fi | ||
| bundle config set --local github.com "x-access-token:${{ secrets.PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE }}" | ||
| - name: 'Ruby build' | ||
| if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} | ||
| continue-on-error: true | ||
| run: | | ||
| mkdir -p vendor | ||
| if [ -f "Gemfile.lock" ]; then | ||
| bundle install --deployment | ||
| else | ||
| echo "No Gemfile.lock found, creating it now" | ||
| bundle install --path vendor/bundle # Fixed: Removed --deployment flag when lockfile doesn't exist | ||
| fi | ||
| bundle exec rake build | ||
| # this does not work on all repos - chef-telemetry needs bundle install to generate gemfile.lock, but chef-cli does not commit gemfile.lock and needs bundle install to generate it at runtime - add flag to control whether bundle install is run in ci-build or language-specific checks | ||
| # TODO: detect if rakefile exists, else do bundler default | ||
| - name: 'Ruby unit tests' | ||
| if: ${{ inputs.language == 'ruby' && inputs.unit-tests == true && inputs.build-profile == 'cli' }} | ||
| continue-on-error: true | ||
| run: | | ||
| echo "Running Ruby unit tests with output to ${{ inputs.unit-test-output-path }}" | ||
| # bundle exec rake spec --trace > ${{ inputs.unit-test-output-path }} | ||
| # - name: Configure git for private modules | ||
| # env: | ||
| # GOPRIVATE: github.com/progress-platform-services/* | ||
| # run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/" | ||
| # TODO: dynamic version detection stepswith new flags ${{ detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" | ||
| # AND ${{ detect-version-source-parameter: '' # use for file name}} | ||
| # version: ${{ github.workflow.env.APP_VERSION }} | ||
| # version: ${{ needs.set-app-version.outputs.app-version }} | ||
| # if you have a version file, you can read it in to an environment variable with | ||
| # - name: Set variables | ||
| # run: | | ||
| # VER=$(cat VERSION) | ||
| # echo "VERSION=$VER" >> $GITHUB_ENV | ||
| # then ${{ env.VERSION }} | ||
| set-application-version: | ||
| runs-on: ubuntu-latest | ||
| name: 'Detect SBOM version for application' | ||
| if: (inputs.version == '') && (inputs.detect-version-source-parameter != '') | ||
| needs: ci-build | ||
| steps: | ||
| - name: Detect SBOM version | ||
| run: | | ||
| echo "placeholder for setting version" | ||
| echo ${{ inputs.version }} | ||
| echo ${{ inputs.detect-version-source-parameter }} | ||
| echo ${{ inputs.detect-version-source-type }} | ||
| # outputs: | ||
| # app-version: ${{ steps.set-app-version.outputs.version }} # Map the step's output to the job's output | ||
| # steps: | ||
| # - name: Checkout code | ||
| # uses: actions/checkout@v6 | ||
| # - name: Set application version from file | ||
| # id: set-app-version | ||
| # run: | | ||
| # VERSION=$(cat VERSION) # cat VERSION works | ||
| # echo "APP_VERSION=$VERSION" >> $GITHUB_ENV | ||
| # echo "env.APP_VERSION = ${{ env.APP_VERSION }}" | ||
| # VERSION=$(cat VERSION) | ||
| # echo "two $VERSION" | ||
| # echo "VERSION=$VERSION" >> $GITHUB_ENV | ||
| # echo "$VERSION is the shell variable" | ||
| # echo "Setting version to ${{ github.env.VERSION }} [$VERSION]" | ||
| # echo "version=$VERSION" >> $GITHUB_OUTPUT | ||
| # if "latest-tag" then use action to get latest tag or ${{ github.event.release.tag_name }} | ||
| # - name: Get latest tag | ||
| # uses: actions-ecosystem/action-get-latest-tag@v1 | ||
| # id: latest_tag | ||
| # - name: Use the latest tag | ||
| # run: echo "The latest tag is ${{ steps.latest_tag.outputs.tag }}" | ||
| ci-unit-test: # FROM CHEF-VAULT | ||
| # TODO: add language-specific unit tests | ||
| name: 'Unit tests' | ||
| if: ${{ inputs.unit-tests == true && success() && inputs.language == 'Ruby' }} | ||
| needs: ci-build | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os-version: [ubuntu-latest, ubuntu-22.04, macos-latest] # ubuntu-22.04 was original chef-vault | ||
| ruby-version: ['3.4'] # '2.7', '3.1', | ||
| runs-on: ${{ matrix.os-version }} | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Set up ruby version | ||
| uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: ${{ matrix.ruby-version }} | ||
| bundler-cache: true | ||
| - name: run specs | ||
| run: bundle exec rake spec --trace | ||
| # - name: Simplecov Report | ||
| # uses: aki77/simplecov-report-action@v1 # TODO: archived action - replace with another simplecov | ||
| # with: | ||
| # token: ${{ secrets.GITHUB_TOKEN }} | ||
| # failedThreshold: 90 | ||
| # resultPath: coverage/.last_run.json | ||
| # runs-on: ubuntu-latest | ||
| # needs: ci-package-binary | ||
| # name: 'CI unit tests' | ||
| # steps: | ||
| # - name: Build for Rust binary | ||
| # if: ${{ inputs.language == 'Rust' }} | ||
| # run: echo 'hello world' | ||
| # # cargo test --target-dir ./bin OR | ||
| # - name: Run cargo-tarpaulin | ||
| # shell: bash | ||
| # run: | | ||
| # RUN_MODE=local cargo tarpaulin --ignore-tests --all-features --release --out Lcov | ||
| # sonar-scanner -Dcommunity.rust.lcov.reportPaths=lcov.info -Dsonar.login=${{ secrets.SONAR_TOKEN }} | ||
| # - name: Build for Ruby binary | ||
| # if: ${{ inputs.language == 'Ruby' }} | ||
| # run: echo 'hello world' | ||
| # # bundle exec rake test | ||
| # # bundle exec rake test:unit | ||
| # # bundle exec rake test:integration | ||
| # # bundle exec rake test:unit:rubocop | ||
| # - name: Build for Go binary | ||
| # if: ${{ inputs.language == 'Go' }} | ||
| # run: echo 'hello world' | ||
| # # go test -v ./... > ./bin/test.out | ||
| # - name: Upload test coverage artifact | ||
| # uses: actions/upload-artifact@v4 | ||
| # with: | ||
| # # Name of the artifact to upload. | ||
| # name: test-coverage.out | ||
| # # A file, directory or wildcard pattern that describes what to upload | ||
| # path: test/unittest/coverage.out | ||
| # Sonar-public-repo: | ||
| # name: 'PUBLIC Sonar SAST scan' | ||
| # needs: ci-build | ||
| # if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'public'}} | ||
| # uses: chef/common-github-actions/.github/workflows/sonarqube-public-repo.yml@main | ||
| # secrets: inherit | ||
| # permissions: | ||
| # id-token: write | ||
| # contents: read | ||
| # with: | ||
| # perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }} | ||
| # build-profile: ${{ inputs.build-profile }} | ||
| # language: ${{ inputs.language }} | ||
| # report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }} | ||
| # report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }} | ||
| # quality-product-name: ${{ inputs.quality-product-name }} | ||
| # quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }} | ||
| # quality-testing-type: ${{ inputs.quality-testing-type }} | ||
| # quality-service-name: ${{ inputs.quality-service-name }} | ||
| # quality-junit-report: ${{ inputs.quality-junit-report }} | ||
| # visibility: ${{ inputs.visibility }} | ||
| # go-private-modules: ${{ inputs.go-private-modules }} | ||
| # udf1: ${{ inputs.udf1 }} | ||
| # udf2: ${{ inputs.udf2 }} | ||
| # udf3: ${{ inputs.udf3 }} | ||
| # Sonar-private-repo: | ||
| # name: 'PRIVATE Sonar scan (inline)' | ||
| # if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'private'}} | ||
| # needs: ci-build | ||
| # # was uses: chef/common-github-actions/.github/workflows/sonarqube-private-repo.yml@main | ||
| # runs-on: ubuntu-latest | ||
| # steps: | ||
| # - name: SonarQube Scan | ||
| # if: ${{ inputs.visibility == 'private' }} | ||
| # uses: sonarsource/sonarqube-scan-action@v5.3.1 | ||
| # continue-on-error: true | ||
| # env: | ||
| # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | ||
| # Sonar-internal-repo: | ||
| # name: 'INTERNAL Sonar scan' | ||
| # if: ${{ inputs.perform-sonarqube-scan == true && inputs.visibility == 'internal'}} | ||
| # # was if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'internal'}} | ||
| # needs: ci-build | ||
| # uses: chef/common-github-actions/.github/workflows/sonarqube-internal-repo.yml@main | ||
| # secrets: inherit | ||
| # permissions: | ||
| # id-token: write | ||
| # contents: read | ||
| # with: | ||
| # perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }} | ||
| # build-profile: ${{ inputs.build-profile }} | ||
| # language: ${{ inputs.language }} | ||
| # report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }} | ||
| # report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }} | ||
| # quality-product-name: ${{ inputs.quality-product-name }} | ||
| # quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }} | ||
| # quality-testing-type: ${{ inputs.quality-testing-type }} | ||
| # quality-service-name: ${{ inputs.quality-service-name }} | ||
| # quality-junit-report: ${{ inputs.quality-junit-report }} | ||
| # visibility: ${{ inputs.visibility }} | ||
| # go-private-modules: ${{ inputs.go-private-modules }} | ||
| # udf1: ${{ inputs.udf1 }} | ||
| # udf2: ${{ inputs.udf2 }} | ||
| # udf3: ${{ inputs.udf3 }} | ||
| BlackDuck-Polaris-SAST: | ||
| name: 'BlackDuck Polaris SAST scan' | ||
| if: ${{ inputs.perform-blackduck-polaris }} | ||
| uses: chef/common-github-actions/.github/workflows/polaris-sast.yml@${{ inputs.polaris-version }} | ||
| needs: checkout | ||
| secrets: inherit | ||
| with: | ||
| github-event-name: ${{ inputs.github-event-name }} | ||
| github-branch-name: ${{ inputs.github-branch-name }} | ||
| language: ${{ inputs.language }} | ||
| polaris-application-name: ${{ inputs.polaris-application-name }} | ||
| polaris-project-name: ${{ inputs.polaris-project-name }} | ||
| polaris-working-directory: ${{ inputs.polaris-working-directory }} | ||
| polaris-config-path: ${{ inputs.polaris-config-path }} | ||
| polaris-coverity-config-path: ${{ inputs.polaris-coverity-config-path }} | ||
| polaris-coverity-clean-command: ${{ inputs.polaris-coverity-clean-command }} | ||
| polaris-coverity-build-command: ${{ inputs.polaris-coverity-build-command }} | ||
| polaris-coverity-args: ${{ inputs.polaris-coverity-args }} | ||
| polaris-detect-search-depth: ${{ inputs.polaris-detect-search-depth }} | ||
| polaris-detect-args: ${{ inputs.polaris-detect-args }} | ||
| polaris-assessment-mode: ${{ inputs.polaris-assessment-mode }} | ||
| wait-for-scan: ${{ inputs.wait-for-scan }} | ||
| polaris-fail-on-high: ${{ inputs.polaris-fail-on-high }} | ||
| polaris-fail-on-critical: ${{ inputs.polaris-fail-on-critical }} | ||
| package-binary: | ||
| name: 'Creating packaged binaries' | ||
| # TODO: Add packaging steps – rpm, deb, MSI, dpkg + signing + SHA | ||
| runs-on: ubuntu-latest | ||
| if: ${{ success() && inputs.package-binaries == true }} | ||
| needs: ci-build | ||
| steps: | ||
| - name: 'Create packaged binaries' | ||
| run: echo "Creating packaged binaries" | ||
| # TODO: Add habitat build steps from plan.sh for various packages/platforms/machine archs, optionally publish to Builder, then optionally test with grype | ||
| habitat-build: | ||
| name: 'Creating Habitat packages' | ||
| runs-on: ubuntu-latest | ||
| if: ${{ success() && inputs.habitat-build == true }} | ||
| needs: package-binary | ||
| steps: | ||
| - name: 'Create Habitat packages' | ||
| run: echo "Creating Habitat packages" | ||
| # TODO: add flag for any params needed | ||
| habitat-publish: | ||
| name: 'Publishing Habitat packages to Builder' | ||
| runs-on: ubuntu-latest | ||
| if: ${{ success() && inputs.publish-habitat-packages == true }} | ||
| needs: habitat-build | ||
| steps: | ||
| - name: 'Publishing Habitat packages to Builder' | ||
| run: echo "Publishing Habitat packages to Builder" | ||
| habitat-grype-scan-linux: | ||
| # this workflow installs a specified Chef Habitat package and runs a Grype security scan against it. | ||
| # It supports multiple OS runners (Linux, Windows, MacOS) and allows dynamic input of package details. | ||
| # The results of the Grype scan are uploaded as artifacts for further analysis. | ||
| # Example hab pkg install command: | ||
| # hab pkg install core/7zip/24.09/20250708070501 --channel base-2025 --auth HAB_PERSONAL_ACCESS_TOKEN | ||
| # -z, --auth <AUTH_TOKEN> Authentication token for Builder [env: HAB_AUTH_TOKEN=] | ||
| # --binlink-dir <BINLINK_DIR> Binlink all binaries from installed package(s) into BINLINK_DIR [env: HAB_BINLINK_DIR=] [default: /bin] | ||
| # -u, --url <BLDR_URL> Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh) | ||
| # -c, --channel <CHANNEL> Install from the specified release channel [env: HAB_BLDR_CHANNEL=] [default: stable] | ||
| # Example hab pkg download command (we do not use this in the workflow but it's here for reference; allows --target): | ||
| # hab pkg download core/nginx/<VERSION>/<RELEASE> \ | ||
| # --channel stable \ | ||
| # --target x86_64-linux \ | ||
| # --download-directory /tmp/habitat_packages | ||
| name: 'Grype scan of Habitat packages' | ||
| runs-on: ubuntu-latest | ||
| if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'ubuntu-latest' }} | ||
| # TODO: make this a matrix operation | ||
| needs: habitat-publish | ||
| steps: | ||
| - name: Install Chef Habitat (MacOS and Linux) | ||
| run: | | ||
| curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | sudo bash | ||
| - name: Configure Habitat (MacOS and Linux) | ||
| run: | | ||
| # Add Habitat to PATH (for current session and future steps if needed, though install.sh usually handles symlinks) | ||
| echo "/hab/bin" >> $GITHUB_PATH | ||
| # Accept the license | ||
| echo "HAB_LICENSE=accept-no-persist" >> $GITHUB_ENV | ||
| # Create the necessary directory structure for license file | ||
| sudo mkdir -p /hab/accepted-licenses/ | ||
| sudo touch /hab/accepted-licenses/habitat | ||
| - name: Install Grype (Linux and MacOS) | ||
| continue-on-error: true | ||
| run: | | ||
| curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin | ||
| - name: Install Habitat Package under test (example core/nginx on MacOS and Linux) | ||
| run: | | ||
| PACKAGE="${{ inputs.publish-habitat-hab_package }}" | ||
| if [ -n "${{ inputs.publish-habitat-hab_version }}" ]; then | ||
| PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_version }}" | ||
| fi | ||
| if [ -n "${{ inputs.publish-habitat-hab_release }}" ]; then | ||
| PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_release }}" | ||
| fi | ||
| INSTALL_CMD="sudo hab pkg install ${PACKAGE}" | ||
| if [ -n "${{ inputs.publish-habitat-hab_channel }}" ]; then | ||
| INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.publish-habitat-hab_channel }}" | ||
| fi | ||
| AUTH_TOKEN="${{ inputs.publish-habitat-hab_auth_token }}" | ||
| if [ -z "${AUTH_TOKEN}" ]; then | ||
| AUTH_TOKEN="${{ secrets.HAB_PUBLIC_BLDR_PAT }}" | ||
| echo "Using token from repository secret" | ||
| else | ||
| echo "Using token from workflow input" | ||
| fi | ||
| # if [ -n "${AUTH_TOKEN}" ]; then | ||
| # INSTALL_CMD="${INSTALL_CMD} --auth ${AUTH_TOKEN}" | ||
| # fi | ||
| echo "Installing: ${INSTALL_CMD}" | ||
| eval ${INSTALL_CMD} | ||
| - name: Run Grype Scan on Habitat Package | ||
| timeout-minutes: 15 # Sets a 15-minute timeout for this specific step | ||
| run: | | ||
| # Find the installed package path. 'hab pkg path' returns the path to the latest installed version. | ||
| PKG_PATH=$(hab pkg path ${{ inputs.publish-habitat-hab_package }}) | ||
| # run grype in runner | ||
| grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} | ||
| # run grype to output to file (which is uploaded to the job as an artifact) | ||
| OUTPUT_FILE="grype-results-ubuntu-${{ inputs.publish-habitat-hab_package }}.txt" | ||
| OUTPUT_FILE="${OUTPUT_FILE//\//-}" | ||
| echo $OUTPUT_FILE | ||
| grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} > $OUTPUT_FILE | ||
| echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV | ||
| - name: Upload Grype Scan Results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: grype-results-ubuntu-${{ env.OUTPUT_FILE }} | ||
| path: ${{ env.OUTPUT_FILE }} | ||
| habitat-grype-scan-windows: | ||
| name: 'Grype scan of Habitat packages (Windows)' | ||
| runs-on: windows-latest | ||
| if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'windows-latest' }} | ||
| # TODO: make this a matrix operation | ||
| needs: habitat-publish | ||
| steps: | ||
| - name: Install Chef Habitat (Windows) | ||
| run: | | ||
| choco install habitat | ||
| # Set-ExecutionPolicy Bypass -Scope Process -Force; | ||
| # [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; | ||
| # iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1')) | ||
| # $env:PATH += ";~\bin\hab-1.6.1245-20250905141844-x86_64-windows" | ||
| # Write-Host "one" | ||
| # ls ~/bin | ||
| # Write-Host "two" | ||
| # ls c:/users/runneradmin/bin | ||
| # Write-Host "three" | ||
| # ls c:/hab | ||
| # ls "~\bin\hab-1.6.1245-20250905141844-x86_64-windows" | ||
| # Write-Host "end" | ||
| hab --version | ||
| - name: Configure Habitat (Windows) | ||
| run: | | ||
| # Accept the license | ||
| echo "HAB_LICENSE=accept-no-persist" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | ||
| # Create the necessary directory structure for license file | ||
| New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses" | ||
| New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat" | ||
| - name: Install Grype (Windows) | ||
| continue-on-error: true | ||
| run: | | ||
| $ErrorActionPreference = 'Stop' | ||
| # Download and install Grype for Windows | ||
| $grypeVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/anchore/grype/releases/latest").tag_name | ||
| $grypeUrl = "https://github.com/anchore/grype/releases/download/$grypeVersion/grype_$($grypeVersion.TrimStart('v'))_windows_amd64.zip" | ||
| $grypeZip = "$env:TEMP\grype.zip" | ||
| $grypeDir = "$env:TEMP\grype" | ||
| # Download Grype | ||
| Invoke-WebRequest -Uri $grypeUrl -OutFile $grypeZip | ||
| # Extract Grype | ||
| Expand-Archive -Path $grypeZip -DestinationPath $grypeDir -Force | ||
| # Add Grype to PATH for subsequent steps | ||
| echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append | ||
| # Verify installation | ||
| & "$grypeDir\grype.exe" version | ||
| - name: Install Habitat Package under test (Windows) | ||
| run: | | ||
| $Package = "${{ inputs.publish-habitat-hab_package }}" | ||
| if ("${{ inputs.publish-habitat-hab_version }}" -ne "") { | ||
| $Package = "${Package}/${{ inputs.publish-habitat-hab_version }}" | ||
| } | ||
| if ("${{ inputs.publish-habitat-hab_release }}" -ne "") { | ||
| $Package = "${Package}/${{ inputs.publish-habitat-hab_release }}" | ||
| } | ||
| $InstallCmd = "hab pkg install ${Package}" | ||
| if ("${{ inputs.publish-habitat-hab_channel }}" -ne "") { | ||
| $InstallCmd = "${InstallCmd} --channel ${{ inputs.publish-habitat-hab_channel }}" | ||
| } | ||
| $AuthToken = "${{ inputs.publish-habitat-hab_auth_token }}" | ||
| if ([string]::IsNullOrEmpty($AuthToken)) { | ||
| $AuthToken = "${{ secrets.HAB_PUBLIC_BLDR_PAT }}" | ||
| Write-Host "Using token from repository secret" | ||
| } else { | ||
| Write-Host "Using token from workflow input" | ||
| } | ||
| # if (-not [string]::IsNullOrEmpty($AuthToken)) { | ||
| # $InstallCmd = "${InstallCmd} --auth ${AuthToken}" | ||
| # } | ||
| Write-Host "Installing: ${InstallCmd}" | ||
| Invoke-Expression $InstallCmd | ||
| - name: Run Grype Scan on Habitat Package (Windows) | ||
| timeout-minutes: 15 # Sets a 15-minute timeout for this specific step | ||
| run: | | ||
| # Find the installed package path. 'hab pkg path' returns the path to the latest installed version. | ||
| $PkgPath = hab pkg path ${{ inputs.publish-habitat-hab_package }} | ||
| # run grype in runner | ||
| grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} | ||
| # run grype to output to file (which is uploaded to the job as an artifact) | ||
| $OutputFile = "grype-results-windows-${{ inputs.publish-habitat-hab_package }}.txt" | ||
| $OutputFile = $OutputFile -replace '/', '-' | ||
| Write-Host $OutputFile | ||
| grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} | Out-File -FilePath $OutputFile -Encoding utf8 | ||
| echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | ||
| - name: Upload Grype Scan Results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: grype-results-windows-${{ env.OUTPUT_FILE }} | ||
| path: ${{ env.OUTPUT_FILE }} | ||
| publish: | ||
| name: 'Publishing packages' | ||
| # TODO: Add binary publishing steps – container from Dockerfile to ECR, go-releaser binary to releases page, | ||
| # omnibus to artifactory, gems, choco, homebrew, other app stores | ||
| runs-on: ubuntu-latest | ||
| if: ${{ success() && inputs.publish-packages == true }} | ||
| needs: habitat-build | ||
| steps: | ||
| - name: 'Publishing packages' | ||
| run: echo "Publishing packages" | ||
| generate-sbom: | ||
| name: 'Generating SBOM' | ||
| # Create software bill-of-materials (SBOM) using SPDX format | ||
| if: ${{ inputs.generate-sbom == true }} | ||
| uses: chef/common-github-actions/.github/workflows/sbom.yml@${{ inputs.sbom-version }} | ||
| needs: checkout # TODO: fix set-application-version | ||
| secrets: inherit | ||
| with: | ||
| github-event-name: ${{ inputs.github-event-name }} | ||
| github-branch-name: ${{ inputs.github-branch-name }} | ||
| version: ${{ inputs.version }} | ||
| export-github-sbom: ${{ inputs.export-github-sbom }} | ||
| perform-blackduck-sca-scan: ${{ inputs.perform-blackduck-sca-scan }} | ||
| # generate-blackduck-sbom: ${{ inputs.generate-blackduck-sbom }} # obsolete, remove TODO | ||
| blackduck-project-group-name: ${{ inputs.blackduck-project-group-name }} | ||
| blackduck-project-name: ${{ inputs.blackduck-project-name }} | ||
| generate-msft-sbom: ${{ inputs.generate-msft-sbom }} | ||
| license_scout: ${{ inputs.license_scout }} | ||
| go-private-modules: ${{ inputs.go-private-modules }} | ||
| blackduck-force-low-accuracy-mode: ${{ inputs.blackduck-force-low-accuracy-mode }} | ||
| run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime | ||
| language: ${{ inputs.language }} | ||
| ruby-app-directory: ${{ inputs.ruby-app-directory }} | ||
| blackduck-fail-on-blocker: ${{ inputs.blackduck-fail-on-blocker }} | ||
| blackduck-fail-on-critical: ${{ inputs.blackduck-fail-on-critical }} | ||
| blackduck-fail-on-major: ${{ inputs.blackduck-fail-on-major }} | ||
| quality-dashboard: | ||
| name: 'Reporting to quality dashboard' | ||
| needs: generate-sbom | ||
| secrets: inherit | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| if: ${{ inputs.report-to-atlassian-dashboard == true && success() }} | ||
| uses: chef/common-github-actions/.github/workflows/irfan-quality-dashboard.yml@${{ inputs.quality-dashboard-version }} | ||
| with: | ||
| perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }} | ||
| build-profile: ${{ inputs.build-profile }} | ||
| language: ${{ inputs.language }} | ||
| report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }} | ||
| report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }} | ||
| quality-product-name: ${{ inputs.quality-product-name }} | ||
| quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }} | ||
| quality-testing-type: ${{ inputs.quality-testing-type }} | ||
| quality-service-name: ${{ inputs.quality-service-name }} | ||
| quality-junit-report: ${{ inputs.quality-junit-report }} | ||
| visibility: ${{ inputs.visibility }} | ||
| go-private-modules: ${{ inputs.go-private-modules }} | ||
| udf1: ${{ inputs.udf1 }} | ||
| udf2: ${{ inputs.udf2 }} | ||
| udf3: ${{ inputs.udf3 }} | ||
