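name: build

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:

# The job only reads the repository, builds locally and talks to Dependency-Track
# with its own API key; it never writes back to GitHub, so the GITHUB_TOKEN is
# restricted to read-only instead of inheriting the repository's default scope.
permissions:
  contents: read

# An explicit bash shell runs every `run:` step with `set -eo pipefail` (the implicit
# default is plain `bash -e`), so a failing command inside a pipeline also fails the step.
defaults:
  run:
    shell: bash

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # TODO(review): pin third-party actions to a full-length commit SHA rather than a
        # mutable tag, so that a moved or compromised tag cannot change what runs here.
        uses: actions/checkout@v3

      - name: Build an image from Dockerfile
        run: |
          docker build --file Dockerfile --tag "conplementag/cops-controller:${GITHUB_SHA}" .

      - name: Download and install syft
        # Version and expected digest both come from repository variables. Whoever can edit
        # variables can change them together, so the digest check protects against a tampered
        # download or release asset, not against a malicious repository admin.
        env:
          SYFT_VERSION: ${{ vars.SYFT_VERSION }}
          SYFT_SHA256: ${{ vars.SYFT_SHA256 }}
        run: |
          # --fail turns an HTTP error (e.g. a 404 for an unknown version) into a curl failure
          # instead of a confusing checksum mismatch on a downloaded HTML error page.
          curl --fail --location --silent --show-error --retry 3 \
            "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" \
            --output syft.tgz
          # Verify before extracting. The `|| { ... }` form keeps the custom message under
          # `bash -e`, which would otherwise abort on the failing sha256sum before a separate
          # `$?` test ever ran, and it treats every non-zero status (not only 1) as a failure.
          echo "${SYFT_SHA256}  syft.tgz" > cksum.txt
          sha256sum --check --status cksum.txt || {
            echo "Security-Error: Unexpected SHA256 of downloaded syft executable!"
            exit 1
          }
          rm cksum.txt
          tar xvfz syft.tgz
          chmod +x ./syft
          ./syft --version
          # No PATH export: it would not survive into the next step anyway, and later
          # steps invoke the binary explicitly as ./syft.

      - name: Download and install cp BomCleaner
        # Same trust model as the syft download: the digest pins the artifact, the
        # repository variables are the root of trust.
        env:
          BOMCLEANER_VERSION: ${{ vars.BOMCLEANER_VERSION }}
          BOMCLEANER_SHA256: ${{ vars.BOMCLEANER_SHA256 }}
        run: |
          curl --fail --location --silent --show-error --retry 3 \
            "https://github.com/conplementAG/BomCleaner/releases/download/v${BOMCLEANER_VERSION}/dotnetbomcleaner" \
            --output dotnetbomcleaner
          echo "${BOMCLEANER_SHA256}  dotnetbomcleaner" > cksum.txt
          sha256sum --check --status cksum.txt || {
            echo "Security-Error: Unexpected SHA256 of downloaded bomcleaner executable!"
            exit 1
          }
          rm cksum.txt
          chmod +x ./dotnetbomcleaner

      - name: Create SBoM with syft
        run: |
          # Inside the `||` branch `$?` still holds syft's exit status.
          ./syft "conplementag/cops-controller:${GITHUB_SHA}" -c syft.yaml -o cyclonedx-xml=sbom.xml || {
            echo "syft failed to create SBoM with error code $?"
            exit 1
          }
          # The SBOM is printed into the job log, which is visible to everyone who can
          # read the repository.
          cat sbom.xml

      - name: Clean SBoM with cp BomCleaner
        run: |
          # Pull the .NET dependency manifest out of the built image so BomCleaner can
          # prune the SBOM against it; the container is created but never started.
          id=$(docker create "conplementag/cops-controller:${GITHUB_SHA}")
          docker cp "${id}:/app/ConplementAG.CopsController.deps.json" ./ConplementAG.CopsController.deps.json
          docker rm -v "${id}"
          ./dotnetbomcleaner sbom.xml ConplementAG.CopsController.deps.json
          cat ./cleanbom.xml

      - name: Upload SBoM to DTrack
        # Secrets and configuration are handed over through the environment instead of
        # being interpolated into the script text, so they never become part of the shell
        # source that GitHub evaluates and logs.
        # NOTE(review): on pull_request runs from forks GitHub withholds secrets, so this
        # step would fail there with an empty API key — confirm whether fork PRs are expected.
        env:
          DTRACK_URL: ${{ vars.DTRACK_URL }}
          DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }}
          DTRACK_PROJECTID: ${{ secrets.DTRACK_PROJECTID }}
          DTRACK_PROJECTNAME: ${{ vars.DTRACK_PROJECTNAME }}
        run: |
          # --fail-with-body makes an HTTP error (401, 400, 5xx after retries, ...) fail the
          # step and still shows the server's response. Without it curl exits 0 on a rejected
          # upload and the job reports success although no SBOM was stored.
          echo "Uploading SBOM to ${DTRACK_URL}/api/v1/bom"
          curl --fail-with-body --retry 5 --retry-delay 60 -X 'POST' "${DTRACK_URL}/api/v1/bom" \
            -H 'Content-Type:multipart/form-data' \
            -H "X-API-Key:${DTRACK_API_KEY}" \
            -F "project=${DTRACK_PROJECTID}" \
            -F 'bom=@./cleanbom.xml'
          echo "Updating Project Version in ${DTRACK_URL}/api/v1/project"
          # The JSON body is assembled by plain substitution: DTRACK_PROJECTNAME must not
          # contain double quotes or backslashes.
          curl --fail-with-body --retry 5 --retry-delay 60 -X 'POST' "${DTRACK_URL}/api/v1/project" \
            -H 'Content-Type:application/json' -H 'Accept:application/json' \
            -H "X-Api-Key:${DTRACK_API_KEY}" \
            -d "{\"uuid\": \"${DTRACK_PROJECTID}\",\"name\": \"${DTRACK_PROJECTNAME}\",\"version\": \"${GITHUB_SHA}\",\"classifier\": \"APPLICATION\",\"tags\": [],\"active\": true}"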