Add workflow code to generate SBOMs and upload them to the release/pre-release#41
Add workflow code to generate SBOMs and upload them to the release/pre-release#41jsf9k wants to merge 17 commits into
Conversation
github-actions
Bot
added
the
github-actions
jsf9k
force-pushed
the
feature/add-sbom
branch
2 times, most recently
from
8bc7e6b to
83b4c97
Compare
Thus our SBOMs are named, e.g., cisagov-skeleton-aws-lambda-python.spdx-json rather than sbom.spdx-json.
jsf9k
force-pushed
the
feature/add-sbom
branch
from
4186622 to
b39819f
Compare
The latest release supports the artifact-metadata permission that we are now using in the generate-sbom job of the build.yml GitHub Actions workflow.
github-actions
Bot
added
the
dependencies
This should have been done in #34 but was not.
github-actions
Bot
added
version bump
| # | ||
| # This job is located in this workflow as opposed to a separate | ||
| # release workflow because it only makes sense to run it after the | ||
| # build job. Putting it in a separate release workflow would |
There was a problem hiding this comment.
Why does this need to run after the build job?
There was a problem hiding this comment.
If the build job fails then we probably don't care to create an SBOM.
| # build job. Putting it in a separate release workflow would | ||
| # require us to introduce a dependency of the release workflow on | ||
| # this one. | ||
| if: github.event_name != 'pull_request' |
There was a problem hiding this comment.
This workflow also runs on push, merge_group, and repository_dispatch. Is there a reason we want this job to run against all of those, but not on pull_request events?
There was a problem hiding this comment.
We don't want it to run on pull_request because of the contents: write permission.
There was a problem hiding this comment.
It's probably worth adding a comment to that effect here.
There was a problem hiding this comment.
I copied that from the build-push-all job from the build.yml workflow of cisagov/skeleton-docker but misunderstood why it was there. Please see commit f9ebf57.
| - name: Update core Python packages | ||
| run: python -m pip install --upgrade pip setuptools wheel | ||
| - name: Install pipenv | ||
| run: pip install --upgrade pipenv |
There was a problem hiding this comment.
Is there a reason we're doing this?
There was a problem hiding this comment.
That was copied and pasted from cisagov/skeleton-aws-lambda-python. You're right, it isn't needed or wanted here. Please see commit eeb63c5.
These steps were copied and pasted from cisagov/skeleton-python-library but are not needed here. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
|
You can see the generated SBOMs in a workflow run or in a (pre-)release. |
jsf9k
force-pushed
the
feature/add-sbom
branch
from
c888677 to
eeb63c5
Compare
The if statement is present to to keep the push and pull_request events from both causing the job to be run. Co-authored-by: dav3r <david.redmin@gwe.cisa.dhs.gov> Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR introduces GitHub Actions workflow support to generate SBOMs as part of the build pipeline, with the stated intent to upload them to releases/pre-releases, and updates versioning/tooling files accordingly.
Changes:
- Add a new
generate-sbomjob to the build workflow to generate SBOMs (CycloneDX + SPDX) and create provenance attestations. - Bump the project version to
0.1.0-rc.1and remove the legacybump_version.shscript. - Update pre-commit hook revision and annotate Dependabot ignore list for new actions.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
src/version.txt |
Version bump to 0.1.0-rc.1. |
bump_version.sh |
Removes legacy version bump script. |
.pre-commit-config.yaml |
Updates check-jsonschema hook revision. |
.github/workflows/build.yml |
Adds SBOM generation + provenance attestation job. |
.github/dependabot.yml |
Adds commented ignore entries for new GitHub Actions dependencies. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Generate an SBOM from the Pipfile.lock file and, if there is a | ||
| # release, upload it as an asset to the release. | ||
| # | ||
| # This job is located in this workflow as opposed to a separate | ||
| # release workflow because it only makes sense to run it after the |
There was a problem hiding this comment.
This job is described/named as uploading SBOMs to a release/pre-release, but the workflow is not triggered by release events and there is no step that actually uploads the generated SBOM to a GitHub release asset. Add an explicit conditional release-upload step (e.g., via gh release upload or a release action) and/or add an appropriate trigger/condition (tag push or on: release) so the intended behavior actually occurs.
There was a problem hiding this comment.
I verified that the code works as is. See, e.g., this pre-release.
| with: | ||
| path: ${{ env.PIP_CACHE_DIR }} | ||
| key: ${{ env.BASE_CACHE_KEY }}\ | ||
| ${{ hashFiles('build/pyproject.toml') }} |
There was a problem hiding this comment.
The cache key hashes build/pyproject.toml, but that file does not exist in this repository. This makes the cache key effectively constant and risks stale/incorrect caches. Either remove this cache step (SBOM generation doesn’t install Python deps) or hash an existing dependency lockfile (e.g., build/Pipfile.lock) if caching is needed.
| ${{ hashFiles('build/pyproject.toml') }} | |
| ${{ hashFiles('build/Pipfile.lock') }} |
The latter doesn't exist in this project.
Note that actions/attest-build-provenance has changed its name to actions/attest, partly because it now supports different types of attestations. One such type is an SBOM attestation, which we are now using here.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
I.e., not for the `Pipfile.lock` file. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
I think the two failing tests will pass once #44 is merged. I will test that when I start to merge PRs for this skeleton. |
felddy
left a comment
felddy
left a comment
There was a problem hiding this comment.
Looks good.
Related but not in-scope here... we should consider ingesting the signatures and attestations where these lambda's are deployed. I can't remember what the exact facility was in AWS, but I think Nitro Enclaves touched upon it many moons ago.
Strong work!
github-project-automation
Bot
moved this from Review in progress
to Reviewer approved
in Skeleton Maintenance
🗣 Description
This pull request:
💭 Motivation and context
CISA advocates for the use of SBOMs, so we should be generating them for our software products.
🧪 Testing
All automated tests pass.
✅ Pre-approval checklist
bump_versionscript if this repository is versioned and the changes in this PR warrant a version bump.✅ Pre-merge checklist
✅ Post-merge checklist