Update cd-download-grype-scan.yml

brianLoomis · brianLoomis · commit 678343c73c9e · 2026-01-02T17:08:35.000-05:00
adding Windows
diff --git a/.github/workflows/cd-download-grype-scan.yml b/.github/workflows/cd-download-grype-scan.yml
@@ -203,34 +203,9 @@ jobs:
           echo "  OS Platform Version: ${{ inputs.os-platform-version }}"
           echo "  Test runner: ${{ inputs.test-runner }}"         
           echo "*************************************************************"
-  generate-filename-slug:
-    name: Generate a slug based on repo and date for use in any output artifacts and set download location
-    runs-on: ubuntu-latest
-    steps:
-    - name: Generate Filename Prefix and full JSON file name as environment variables for later steps
-      run: |
-        FILE_PREFIX=$(echo "${{ inputs.product }}${{ env.DEFAULT_SEPARATOR }}${{ inputs.product-version }}${{ env.DEFAULT_SEPARATOR }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
-        echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
-        echo "Generated FILE_PREFIX: ${FILE_PREFIX}"
-
-        DOWNLOAD_URL="https://chefdownload-commercial.chef.io"
-        if [ ${{ inputs.download-site }} = "community" ]; then
-            DOWNLOAD_URL="https://chefdownload-community.chef.io"
-        fi
-        echo "DOWNLOAD_URL=${DOWNLOAD_URL}" >> $GITHUB_ENV
-        echo "DOWNLOAD_URL is set to ${DOWNLOAD_URL}"
-
-        # get the license_id from input or secret
-        LICENSE_ID="${{ inputs.license-id }}"   
-        if [ -z "${LICENSE_ID}" ]; then
-          LICENSE_ID="${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}"
-          echo "Using license ID from repository secret"
-        else
-          echo "Using license ID from workflow input"
-        fi
-      
+  
   grype-scan-linux:
-    name: 'Grype scan of Habitat packages'
+    name: 'Grype scan of customer-downloadable packages'
     runs-on: ubuntu-latest  # TODO: make this a versioned OS strategy later
     if: ${{ success() && (inputs.test-runner == 'ubuntu-latest'  || inputs.test-runner == 'both') }}
     steps:
@@ -249,6 +224,27 @@ jobs:
     #       # Create the necessary directory structure for license file
     #       sudo mkdir -p /hab/accepted-licenses/
     #       sudo touch /hab/accepted-licenses/habitat
+      - name: Generate filename prefix, download URL and license-id as environment variables for later steps
+        run: |
+          FILE_PREFIX=$(echo "${{ inputs.product }}${{ env.DEFAULT_SEPARATOR }}${{ inputs.product-version }}${{ env.DEFAULT_SEPARATOR }}ubuntu" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
+          echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
+          echo "Generated FILE_PREFIX: ${FILE_PREFIX}"
+
+          DOWNLOAD_URL="https://chefdownload-commercial.chef.io"
+          if [ ${{ inputs.download-site }} = "community" ]; then
+            DOWNLOAD_URL="https://chefdownload-community.chef.io"
+          fi
+          echo "DOWNLOAD_URL=${DOWNLOAD_URL}" >> $GITHUB_ENV
+          echo "DOWNLOAD_URL is set to ${DOWNLOAD_URL}"
+
+          # get the license_id from input or secret
+          LICENSE_ID="${{ inputs.license-id }}"   
+          if [ -z "${LICENSE_ID}" ]; then
+            LICENSE_ID="${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}"
+            echo "Using license ID from repository secret"
+          else
+            echo "Using license ID from workflow input"
+          fi
 
       - name: Install Grype (ubuntu-latest)
         continue-on-error: true
@@ -281,7 +277,7 @@ jobs:
           mkdir -p /tmp/extracted_packages
           tar -xzf /tmp/package_downloaded -C /tmp/extracted_packages
           echo "Package downloaded and extracted to /tmp/extracted_packages"
-          
+
           ls -l /tmp/extracted_packages
 
     #   - name: Install Habitat Package under test (example core/nginx on MacOS and Linux)
@@ -349,16 +345,149 @@ jobs:
           name: ${{ env.OUTPUT_FILE }}
           path: ${{ env.OUTPUT_FILE }}
 
-#  grype-scan-windows:
-    
-#   checkout:
-#     name: 'Checkout repository'
-#     runs-on: ubuntu-latest
-#     steps:
-#       - name: Checkout repository
-#         uses: actions/checkout@v6
-#         with:
-#           fetch-depth: 0
+  grype-scan-windows:
+    name: 'Grype scan of customer-downloadable packages'
+    runs-on: windows-latest  # TODO: make this a versioned OS strategy later
+    if: ${{ success() && (inputs.test-runner == 'windows-latest'  || inputs.test-runner == 'both') }}
+    steps:
+      - name: Generate filename prefix, download URL and license-id as environment variables for later steps
+        # shell: bash || pwsh
+        run: |
+          FILE_PREFIX=$(echo "${{ inputs.product }}${{ env.DEFAULT_SEPARATOR }}${{ inputs.product-version }}${{ env.DEFAULT_SEPARATOR }}windows" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
+          echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
+          echo "Generated FILE_PREFIX: ${FILE_PREFIX}"
+
+          DOWNLOAD_URL="https://chefdownload-commercial.chef.io"
+          if [ ${{ inputs.download-site }} = "community" ]; then
+            DOWNLOAD_URL="https://chefdownload-community.chef.io"
+          fi
+          echo "DOWNLOAD_URL=${DOWNLOAD_URL}" >> $GITHUB_ENV
+          echo "DOWNLOAD_URL is set to ${DOWNLOAD_URL}"
+
+          # get the license_id from input or secret
+          LICENSE_ID="${{ inputs.license-id }}"   
+          if [ -z "${LICENSE_ID}" ]; then
+            LICENSE_ID="${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}"
+            echo "Using license ID from repository secret"
+          else
+            echo "Using license ID from workflow input"
+          fi
+
+      - name: Install Grype (windows-latest)
+        continue-on-error: true
+        run: |
+          $ErrorActionPreference = 'Stop'
+          # Download and install Grype for Windows
+          $grypeVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/anchore/grype/releases/latest").tag_name
+          $grypeUrl = "https://github.com/anchore/grype/releases/download/$grypeVersion/grype_$($grypeVersion.TrimStart('v'))_windows_amd64.zip"
+          $grypeZip = "$env:TEMP\grype.zip"
+          $grypeDir = "$env:TEMP\grype"
+          
+          # Download Grype
+          Invoke-WebRequest -Uri $grypeUrl -OutFile $grypeZip
+          
+          # Extract Grype
+          Expand-Archive -Path $grypeZip -DestinationPath $grypeDir -Force
+          
+          # Add Grype to PATH for subsequent steps
+          echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          
+          # Verify installation
+          & "$grypeDir\grype.exe" version
+
+      - name: Download package under test (windows-latest)
+        run: |
+          # Example download URL construction
+          $DownloadUrl = "${{ env.DOWNLOAD_URL }}/${{ inputs.channel }}/${{ inputs.product }}/download?p=${{ inputs.os-platform }}&pv=${{ inputs.os-platform-version }}&m=${{ inputs.architecture }}"
+          if ("${{ inputs.product-version }}" -ne "") {
+            $DownloadUrl = "${DownloadUrl}&v=${{ inputs.product-version }}"
+          }
+          Write-Host "Downloading package from: ${DownloadUrl}"
+          if ("${{ inputs.download-site }}" -eq "commercial") {
+              $LicenseId = "${{ env.LICENSE_ID }}"
+              if (-not [string]::IsNullOrEmpty($LicenseId)) {
+                $DownloadUrl = "${DownloadUrl}&license_id=${LicenseId}"
+                Write-Host "Using license ID in download URL"
+              }
+          }
+  
+          # Download the package
+          Invoke-WebRequest -Uri $DownloadUrl -OutFile "$env:TEMP\package_downloaded" -FollowRelLink
+          
+          # Extract the package based on its type (assuming .zip for Windows)
+          $ExtractPath = "$env:TEMP\extracted_packages"
+          New-Item -ItemType Directory -Force -Path $ExtractPath
+          Expand-Archive -Path "$env:TEMP\package_downloaded" -DestinationPath $ExtractPath -Force
+          Write-Host "Package downloaded and extracted to $ExtractPath"
+
+          Get-ChildItem -Path $ExtractPath
+
+    #   - name: Install Habitat Package under test (example core/nginx on MacOS and Linux)
+    #     run: |
+    #       PACKAGE="${{ inputs.publish-habitat-hab_package }}"
+    #       if [ -n "${{ inputs.publish-habitat-hab_version }}" ]; then
+    #         PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_version }}"
+    #       fi
+    #       if [ -n "${{ inputs.publish-habitat-hab_release }}" ]; then
+    #         PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_release }}"
+    #       fi
+          
+    #       INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
+          
+    #       if [ -n "${{ inputs.publish-habitat-hab_channel }}" ]; then
+    #         INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.publish-habitat-hab_channel }}"
+    #       fi
+          
+    #       AUTH_TOKEN="${{ inputs.publish-habitat-hab_auth_token }}"
+    #       if [ -z "${AUTH_TOKEN}" ]; then
+    #         AUTH_TOKEN="${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
+    #         echo "Using token from repository secret"
+    #       else
+    #         echo "Using token from workflow input"
+    #       fi
+    #       # if [ -n "${AUTH_TOKEN}" ]; then
+    #       #   INSTALL_CMD="${INSTALL_CMD} --auth ${AUTH_TOKEN}"
+    #       # fi
+          
+    #       echo "Installing: ${INSTALL_CMD}"
+    #       eval ${INSTALL_CMD}
+
+      - name: Run Grype scan on extracted directory
+        timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
+        run: |
+          $ExtractPath = "$env:TEMP\extracted_packages"
+          
+          # run grype in runner
+          grype dir:$ExtractPath --name ${{ inputs.product }}
+          
+          # run grype to output to file (which is uploaded to the job as an artifact)
+          $OutputFile = "grype-results-windows-${{ env.FILE_PREFIX }}.txt"
+          $OutputFile = $OutputFile -replace '/', '-'
+          Write-Host $OutputFile
+          grype dir:$ExtractPath --name ${{ inputs.product }} | Out-File -FilePath $OutputFile -Encoding utf8
+          echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          
+#    - name: Run Grype Scan on Habitat Package (Windows)
+#         timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
+#         run: |
+#           # Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
+#           $PkgPath = hab pkg path ${{ inputs.publish-habitat-hab_package }}
+#           # run grype in runner
+#           grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }}
+#           # run grype to output to file (which is uploaded to the job as an artifact)
+#           $OutputFile = "grype-results-windows-${{ inputs.publish-habitat-hab_package }}.txt"
+#           $OutputFile = $OutputFile -replace '/', '-'
+#           Write-Host $OutputFile
+#           grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} | Out-File -FilePath $OutputFile -Encoding utf8
+#           echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+                
+      - name: Upload Grype Scan Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.OUTPUT_FILE }}
+          path: ${{ env.OUTPUT_FILE }}
+
+# --- IGNORE ---    
   
 #   habitat-grype-scan-windows:
 #     name: 'Grype scan of Habitat packages (Windows)'
@@ -395,28 +524,6 @@ jobs:
 #           New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses"
 #           New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat"
           
-#       - name: Install Grype (Windows)
-#         continue-on-error: true
-#         run: |
-#           $ErrorActionPreference = 'Stop'
-#           # Download and install Grype for Windows
-#           $grypeVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/anchore/grype/releases/latest").tag_name
-#           $grypeUrl = "https://github.com/anchore/grype/releases/download/$grypeVersion/grype_$($grypeVersion.TrimStart('v'))_windows_amd64.zip"
-#           $grypeZip = "$env:TEMP\grype.zip"
-#           $grypeDir = "$env:TEMP\grype"
-          
-#           # Download Grype
-#           Invoke-WebRequest -Uri $grypeUrl -OutFile $grypeZip
-          
-#           # Extract Grype
-#           Expand-Archive -Path $grypeZip -DestinationPath $grypeDir -Force
-          
-#           # Add Grype to PATH for subsequent steps
-#           echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          
-#           # Verify installation
-#           & "$grypeDir\grype.exe" version
-
 #       - name: Install Habitat Package under test (Windows)
 #         run: |
 #           $Package = "${{ inputs.publish-habitat-hab_package }}"
@@ -446,23 +553,3 @@ jobs:
           
 #           Write-Host "Installing: ${InstallCmd}"
 #           Invoke-Expression $InstallCmd
-
-#       - name: Run Grype Scan on Habitat Package (Windows)
-#         timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
-#         run: |
-#           # Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
-#           $PkgPath = hab pkg path ${{ inputs.publish-habitat-hab_package }}
-#           # run grype in runner
-#           grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }}
-#           # run grype to output to file (which is uploaded to the job as an artifact)
-#           $OutputFile = "grype-results-windows-${{ inputs.publish-habitat-hab_package }}.txt"
-#           $OutputFile = $OutputFile -replace '/', '-'
-#           Write-Host $OutputFile
-#           grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} | Out-File -FilePath $OutputFile -Encoding utf8
-#           echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-                
-#       - name: Upload Grype Scan Results
-#         uses: actions/upload-artifact@v4
-#         with:
-#           name: grype-results-windows-${{ env.OUTPUT_FILE }}
-#           path: ${{ env.OUTPUT_FILE }}
