ci(NODE-7025): New SBOM generation workflow on dependencies change #4807
Merged (+740 −48)
Changes from all commits (16 commits):

- e99a6c5 ekovalets: NODE-7025: New SBOM generation workflow on dependencies change
- 39f5a5d ekovalets: NODE-7025: Using cyclone npm
- dfb72c7 ekovalets: NODE-7025: Shell use fix
- 2977686 ekovalets: NODE-7025: Excluding dev dependencies
- 91a79f6 ekovalets: NODE-7025: Only looking at package lock
- 9713336 ekovalets: NODE-7025: Fix typo
- 32b1bd0 ekovalets: NODE-7025: Replacing PR creation with auto-commit to main
- 49605a3 ekovalets: NODE-7025: Making SBOM validation more robust
- 68df070 ekovalets: NODE-7025: Revert the devDependencies omission
- 4544a8a ekovalets: NODE-7025: Removing unnecessary setup steps
- 58fd42f github-actions[bot]: chore(deps): Update SBOM after dependency changes
- 79b52a5 ekovalets: NODE-7025: Moving logic to script and action runs it
- 87270a8 github-actions[bot]: chore(deps): Update SBOM after dependency changes
- f67fee2 ekovalets: Apply suggestion from @tadjik1
- dbb041f ekovalets: NODE-7025: removing path ignore since path is enough
- 1f6b765 github-actions[bot]: chore(deps): Update SBOM after dependency changes
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| name: Generate SBOM | ||
| description: Generates CycloneDX SBOM using cdxgen | ||
|
|
||
| inputs: | ||
| output-file: | ||
| description: "Output filename for the SBOM" | ||
| required: false | ||
| default: "sbom.json" | ||
|
|
||
| outputs: | ||
| HAS_CHANGES: | ||
| description: "Whether the SBOM has meaningful changes compared to the existing version" | ||
| value: ${{ steps.generate.outputs.HAS_CHANGES }} | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Generate SBOM | ||
|
||
| id: generate | ||
| shell: bash | ||
| env: | ||
| SBOM_OUTPUT_FILE: ${{ inputs.output-file }} | ||
| run: | | ||
| SCRIPT_DIR="${{ github.action_path }}" | ||
| chmod +x "${SCRIPT_DIR}/generate-sbom.sh" | ||
| "${SCRIPT_DIR}/generate-sbom.sh" "$SBOM_OUTPUT_FILE" | ||
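Review bot: The `description: Generates CycloneDX SBOM using cdxgen` line is inaccurate: the only thing this composite action does is run `generate-sbom.sh`, which (per the script in this same PR) generates the SBOM with `@cyclonedx/cyclonedx-npm` and validates it with cyclonedx-cli; cdxgen is never invoked. Update it to something like `description: Generates CycloneDX SBOM with @cyclonedx/cyclonedx-npm and validates it with cyclonedx-cli` so consumers know which generator, and therefore which component naming and metadata conventions, to expect. Smaller point: the `chmod +x "${SCRIPT_DIR}/generate-sbom.sh"` step mutates the checkout at run time to work around a missing executable bit; if the script is committed with mode 100755 (`git update-index --chmod=+x .github/actions/sbom-update/generate-sbom.sh`) the chmod can go. Routing `inputs.output-file` through `env:` instead of interpolating `${{ inputs.output-file }}` directly into `run:` is the right choice, since it keeps the input out of the shell's parse.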
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| #!/usr/bin/env bash | ||
| # | ||
| # generate-sbom.sh - Generate and validate CycloneDX SBOM | ||
| # | ||
| # Usage: ./generate-sbom.sh [output-file] | ||
| # | ||
| # Environment variables: | ||
| # GITHUB_OUTPUT - Path to GitHub Actions output file (optional) | ||
| # | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| SBOM_FILE="${1:-sbom.json}" | ||
| TEMP_SBOM="sbom-new.json" | ||
| CYCLONEDX_CLI="/tmp/cyclonedx" | ||
| CYCLONEDX_CLI_URL="https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64" | ||
|
||
| JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)' | ||
|
|
||
| echo "Starting SBOM generation (output: $SBOM_FILE)" | ||
|
|
||
| echo "Generating SBOM for 'node' project..." | ||
|
|
||
| if ! npx @cyclonedx/cyclonedx-npm \ | ||
| --omit dev \ | ||
| --package-lock-only \ | ||
| --output-file "$TEMP_SBOM" \ | ||
| --output-format json \ | ||
| --spec-version 1.5; then | ||
| echo "ERROR: Failed to generate SBOM" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [[ ! -f "$TEMP_SBOM" ]]; then | ||
| echo "ERROR: SBOM file not found after generation" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "SBOM file generated: $TEMP_SBOM" | ||
|
|
||
| echo "Downloading CycloneDX CLI..." | ||
|
|
||
| if ! curl -L -s -o "$CYCLONEDX_CLI" "$CYCLONEDX_CLI_URL"; then | ||
| echo "ERROR: Failed to download CycloneDX CLI" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| chmod +x "$CYCLONEDX_CLI" | ||
|
|
||
| if [[ ! -x "$CYCLONEDX_CLI" ]]; then | ||
| echo "ERROR: CycloneDX CLI is not executable" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "CycloneDX CLI ready at $CYCLONEDX_CLI" | ||
|
|
||
| echo "Validating SBOM: $TEMP_SBOM" | ||
|
|
||
| if ! "$CYCLONEDX_CLI" validate --input-file "$TEMP_SBOM" --fail-on-errors; then | ||
| echo "ERROR: SBOM validation failed for $TEMP_SBOM" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "SBOM validation passed: $TEMP_SBOM" | ||
|
|
||
| echo "Checking for SBOM changes..." | ||
|
|
||
| HAS_CHANGES="false" | ||
|
|
||
| if [[ ! -f "$SBOM_FILE" ]]; then | ||
| echo "No existing $SBOM_FILE found, creating initial version" | ||
| mv "$TEMP_SBOM" "$SBOM_FILE" | ||
| HAS_CHANGES="true" | ||
| else | ||
| echo "Comparing new SBOM with existing $SBOM_FILE..." | ||
|
|
||
| # Try cyclonedx diff for component-level comparison | ||
| DIFF_OUTPUT=$("$CYCLONEDX_CLI" diff "$SBOM_FILE" "$TEMP_SBOM" --component-versions 2>/dev/null || true) | ||
|
|
||
| if echo "$DIFF_OUTPUT" | grep -q "^None$"; then | ||
| echo "No component changes detected via cyclonedx diff" | ||
|
|
||
| # Double-check with jq normalization (excludes metadata like timestamps) | ||
| if diff -q \ | ||
| <(jq -r "$JQ_NORMALIZER" < "$SBOM_FILE") \ | ||
| <(jq -r "$JQ_NORMALIZER" < "$TEMP_SBOM") > /dev/null 2>&1; then | ||
| echo "No meaningful changes detected in SBOM" | ||
| rm -f "$TEMP_SBOM" | ||
| HAS_CHANGES="false" | ||
| else | ||
| echo "Changes detected in SBOM (non-component changes)" | ||
| mv "$TEMP_SBOM" "$SBOM_FILE" | ||
| HAS_CHANGES="true" | ||
| fi | ||
| else | ||
| echo "Component changes detected:" | ||
| echo "$DIFF_OUTPUT" | ||
| mv "$TEMP_SBOM" "$SBOM_FILE" | ||
| HAS_CHANGES="true" | ||
| fi | ||
| fi | ||
|
|
||
| if [[ -n "${GITHUB_OUTPUT:-}" ]]; then | ||
| echo "HAS_CHANGES=${HAS_CHANGES}" >> "$GITHUB_OUTPUT" | ||
| fi | ||
| echo "Output: HAS_CHANGES=${HAS_CHANGES}" | ||
|
|
||
| if [[ ! -f "$SBOM_FILE" ]]; then | ||
| echo "ERROR: Final SBOM file not found at $SBOM_FILE" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "SBOM file validated: $SBOM_FILE" | ||
| echo "SBOM generation completed successfully" | ||
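Review bot: The cyclonedx-cli binary fetched at `curl -L -s -o "$CYCLONEDX_CLI" "$CYCLONEDX_CLI_URL"` is executed without any integrity check, so whatever the release URL serves at run time runs with the job's permissions and decides whether the committed SBOM is "valid"; pin the expected SHA-256 of the v0.29.1 `cyclonedx-linux-x64` asset next to `CYCLONEDX_CLI_URL` and verify it before `chmod +x` (e.g. `echo "<sha256>  $CYCLONEDX_CLI" | sha256sum -c -`). Related: `curl` is called without `--fail`, so a 404 or 5xx writes the HTML error body to `/tmp/cyclonedx`, the `[[ ! -x ... ]]` check passes after chmod, and the failure only surfaces later as an opaque exec or validation error; add `--fail` so the download step itself reports the problem. Two points on the change-detection block: the `npx @cyclonedx/cyclonedx-npm` call carries no version pin, so the generator floats to whatever npx resolves on each run and SBOM diffs (and auto-commits) can appear with no dependency change; `@cyclonedx/cyclonedx-npm@<version>` keeps the output stable. And because the `diff` call discards stderr and appends `|| true`, a crash of `cyclonedx diff` leaves `DIFF_OUTPUT` empty, which does not match `^None$` and so falls into the "Component changes detected" branch, meaning a broken comparison is reported as a change and committed; check for an empty result explicitly (or drop `|| true` and let `set -e` stop the script) before treating non-"None" output as a real diff.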
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| name: Post-Merge SBOM Update | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - 'package.json' | ||
| - 'package-lock.json' | ||
|
||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| jobs: | ||
| sbom: | ||
| name: Generate SBOM and Create PR | ||
| runs-on: ubuntu-latest | ||
|
|
||
| concurrency: | ||
| group: sbom-update | ||
| cancel-in-progress: false | ||
|
||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.ref }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Install Node and dependencies | ||
| uses: mongodb-labs/drivers-github-tools/node/setup@v3 | ||
| with: | ||
| ignore_install_scripts: false | ||
|
|
||
| - name: Generate SBOM | ||
| id: generate_sbom | ||
| uses: ./.github/actions/sbom-update | ||
| with: | ||
| output-file: sbom.json | ||
|
|
||
| - name: Commit SBOM changes | ||
| if: steps.generate_sbom.outputs.HAS_CHANGES == 'true' | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git add sbom.json | ||
| git commit -m "chore(deps): Update SBOM after dependency changes" | ||
| git push | ||
| echo "SBOM updated and committed" >> $GITHUB_STEP_SUMMARY | ||
| continue-on-error: true | ||
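Review bot: `continue-on-error: true` on the "Commit SBOM changes" step means a rejected `git push` (branch protection on main, a non-fast-forward because another commit landed between checkout and push, or a token without write access) leaves the run green while `sbom.json` on main stays stale, which defeats the purpose of the workflow; drop it, or at least fail the job and write the reason to `$GITHUB_STEP_SUMMARY` when the push fails. A `git pull --rebase` before `git push` would cover the non-fast-forward case that the `concurrency` group, which only serialises runs of this workflow, cannot. Second, `ignore_install_scripts: false` on the setup step runs every dependency's npm lifecycle scripts on a runner whose `GITHUB_TOKEN` has `contents: write` to main; the SBOM is generated with `--package-lock-only`, which reads package-lock.json rather than node_modules, so those scripts are not needed here, and setting the input to `true` denies a malicious postinstall the write-scoped token. Smaller points: the job `name: Generate SBOM and Create PR` is stale now that the step commits directly to main; `token: ${{ secrets.GITHUB_TOKEN }}` and `ref: ${{ github.ref }}` on the checkout are the defaults; and `actions/checkout@v5` and the `@v3` setup action could be pinned to commit SHAs for the usual tag-mutability reason.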