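# OSPDT Dependency Workflow
# This GitHub Actions workflow generates a dependency report for the OpenFL Docker image.
# It performs the following steps:
# 1. Checks out the repository.
# 2. Sets up Python 3.12 and caches pip packages.
# 3. Installs necessary dependencies (pandas, openpyxl).
# 4. Installs Trivy from the Aqua Security apt repository (dedicated keyring + signed-by).
# 5. Builds the OpenFL Docker image.
# 6. Runs a Trivy license scan on the Docker image and outputs the result in SPDX JSON format.
# 7. Generates a filename for the Excel report based on the current date and image tag.
# 8. Converts the SPDX JSON report to an Excel file using a Python script.
# 9. Uploads the SPDX JSON report as an artifact.
# 10. Uploads the Excel license report as an artifact.
#
# Trigger: Manual trigger with an optional input for the Docker image tag.
# Environment Variables:
# - IMAGE_NAME: Name of the Docker image.
# - TAG: Tag of the Docker image, defaulting to 'latest'.
# - OUTPUT_DIR: Directory for Trivy output.
# - SPDX_JSON: Filename for the SPDX JSON output.
# - CACHE_VERSION: Version for caching pip packages.
#
# Shell steps read the workflow-level env vars as "$TAG", "$OUTPUT_DIR", ... instead of
# interpolating ${{ env.* }} into the script text: TAG originates from a workflow_dispatch
# input, and expression interpolation inside `run:` would let a crafted value alter the
# script itself. `with:` inputs of actions keep the ${{ }} form, which is safe there.
#
# Actions are pinned to major version tags; pinning to full commit SHAs would additionally
# protect against a moved or compromised tag.
name: OSPDT Dependency Workflow

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Tag of the OpenFL Docker image (e.g., latest)'
        required: false
        default: 'latest'

# Least-privilege GITHUB_TOKEN: checkout only needs to read the repository and nothing in
# this workflow writes back to it.
permissions:
  contents: read

env:
  IMAGE_NAME: openfl
  TAG: ${{ github.event.inputs.version || 'latest' }}
  OUTPUT_DIR: trivy_output
  SPDX_JSON: openfl_trivy_output.json
  CACHE_VERSION: v1

jobs:
  scan-openfl:
    name: generate-dependency-report
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      # NOTE(review): the cache key hashes requirements.txt, but the install step below only
      # installs pandas/openpyxl — confirm the key is the intended invalidation trigger.
      - name: Cache pip packages
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ env.CACHE_VERSION }}-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-${{ env.CACHE_VERSION }}-
            ${{ runner.os }}-pip-

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pandas openpyxl

      # The Trivy repo signing key is stored in its own keyring and bound to the source via
      # signed-by, so it authenticates only this repository. apt-key is deprecated and would
      # have trusted the key for every configured apt source. `tee` without -a keeps re-runs
      # from appending duplicate source lines.
      - name: Install Trivy
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor \
            | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y trivy

      - name: Build OpenFL image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: openfl-docker/Dockerfile.base
          tags: ${{ env.IMAGE_NAME }}:${{ env.TAG }}
          load: true

      # Trivy's exit code is reported rather than failing the job, as before, but the scan
      # must have produced a non-empty SPDX file; otherwise the job stops here with a clear
      # message instead of an obscure failure in the conversion step.
      - name: Run Trivy license scan
        run: |
          mkdir -p "$OUTPUT_DIR"
          rc=0
          trivy image --scanners license --format spdx-json \
            --output "$OUTPUT_DIR/$SPDX_JSON" \
            "$IMAGE_NAME:$TAG" || rc=$?
          echo "Trivy scan completed with exit code $rc"
          if [ ! -s "$OUTPUT_DIR/$SPDX_JSON" ]; then
            echo "::error::Trivy did not produce $OUTPUT_DIR/$SPDX_JSON (exit code $rc)"
            exit 1
          fi

      # EXCEL_FILE is exported through GITHUB_ENV so the later steps can reference it both
      # in shell and in `with:` inputs.
      - name: Generate filename
        id: filename
        run: |
          CURRENT_DATE=$(date +'%Y-%m-%d')
          if [ "$TAG" = "latest" ]; then
            echo "EXCEL_FILE=OpenFL_Dependency_${CURRENT_DATE}.xlsx" >> "$GITHUB_ENV"
          else
            echo "EXCEL_FILE=OpenFL_Dependency_${TAG}_${CURRENT_DATE}.xlsx" >> "$GITHUB_ENV"
          fi

      - name: Convert SPDX JSON to Excel
        run: |
          python .github/scripts/generate_dependency_report.py \
            "$OUTPUT_DIR/$SPDX_JSON" \
            "$OUTPUT_DIR/$EXCEL_FILE"

      - name: Upload SPDX JSON Report
        uses: actions/upload-artifact@v4
        with:
          name: openfl_spdx_report
          path: ${{ env.OUTPUT_DIR }}/${{ env.SPDX_JSON }}
          if-no-files-found: error

      - name: Upload Excel License Report
        uses: actions/upload-artifact@v4
        with:
          name: OpenFL_Dependency_report
          path: ${{ env.OUTPUT_DIR }}/${{ env.EXCEL_FILE }}
          if-no-files-found: error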