Skip to content

Commit c13f384

Browse files
MarkAtwoodsameehj
authored andcommitted
ci(sbom): pin deps, harden token, partial-clone bomsh
Three supply-chain hardenings on .github/workflows/sbom.yml: * Pin pcpp to ==1.30.* in both jobs that install it (unit + standalone), matching the existing pin convention used in the same file for spdx-tools, ntia-conformance- checker, and cyclonedx-bom. A pcpp release that changes macro-expansion or noise semantics will no longer silently shift SBOM build_props on master (1zj.1). * Add 'permissions: contents: read' at workflow level. The workflow does no API writes, so the practical risk of the default read-write GITHUB_TOKEN on push events is zero today; the explicit pin is GitHub's documented hardening recommendation for SBOM-producing supply-chain workflows so a future step that accidentally introduces a write call fails loudly rather than silently mutating the repo (1zj.2). * Switch the bomsh clone to git clone --filter=blob:none. Full history was being downloaded before 'git checkout $BOMSH_SHA'; --depth=1 cannot be combined with a raw SHA, so --filter=blob:none is the closest 'shallow' substitute. Saves ~10s of CI time per bomsh job run (1zj.3). Closes wolfssl-1zj.1, wolfssl-1zj.2, wolfssl-1zj.3
1 parent 2d78c98 commit c13f384

1 file changed

Lines changed: 23 additions & 3 deletions

File tree

.github/workflows/sbom.yml

Lines changed: 23 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,16 @@ on:
77
pull_request:
88
branches: [ '*' ]
99

10+
# Defence-in-depth: the workflow does no API writes (no `gh pr`, no
11+
# `git push`, no release upload), so the practical risk of the default
12+
# read-write GITHUB_TOKEN on push events is zero today. Setting
13+
# `contents: read` at workflow level is GitHub's documented hardening
14+
# recommendation for SBOM-producing supply-chain workflows: a future
15+
# step that accidentally introduces a write call will fail loudly
16+
# rather than silently mutate the repo.
17+
permissions:
18+
contents: read
19+
1020
concurrency:
1121
group: ${{ github.workflow }}-${{ github.ref }}
1222
cancel-in-progress: true
@@ -34,8 +44,12 @@ jobs:
3444
# entire embedded entry point unverified at the cheapest CI
3545
# gate. The setUp now hard-fails on missing pcpp; this step
3646
# ensures it is present so all unit tests actually run.
47+
# Pinned to match the convention used elsewhere in this file
48+
# (spdx-tools==0.8.*, ntia-conformance-checker==5.*) so a pcpp
49+
# release that changes macro-expansion or noise semantics does
50+
# not silently shift SBOM build_props on master.
3751
run: |
38-
python3 -m pip install --user pcpp
52+
python3 -m pip install --user 'pcpp==1.30.*'
3953
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
4054
4155
- name: Unit tests
@@ -63,7 +77,7 @@ jobs:
6377
# spdx-tools is for the post-generation validation step.
6478
run: |
6579
python3 -m pip install --user --upgrade pip
66-
python3 -m pip install --user pcpp 'spdx-tools==0.8.*'
80+
python3 -m pip install --user 'pcpp==1.30.*' 'spdx-tools==0.8.*'
6781
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
6882
6983
- name: Generate SBOM via standalone Python entry point
@@ -880,7 +894,13 @@ jobs:
880894
# the patch's context lines in src/strace.c.
881895
STRACE_TAG: v6.7
882896
run: |
883-
git clone https://github.com/omnibor/bomsh /tmp/bomsh
897+
# --filter=blob:none is the cleanest "shallow-ish" clone when
898+
# checking out a specific SHA: it skips file blobs but keeps
899+
# the commit graph, so `git checkout $BOMSH_SHA` still works.
900+
# `--depth=1` would only work with `--branch <ref>`, not a
901+
# raw SHA. The strace clone below uses `--depth=1 --branch`
902+
# because it pins to a release tag.
903+
git clone --filter=blob:none https://github.com/omnibor/bomsh /tmp/bomsh
884904
git -C /tmp/bomsh checkout "$BOMSH_SHA"
885905
# Even with a pinned SHA, keep the layout-drift guard so the
886906
# next maintainer who bumps BOMSH_SHA gets a clear error if

0 commit comments

Comments
 (0)