Add SBOM handling action (#13)

Co-authored-by: Andreas Braun <git@alcaeus.org>

Author: blink1073

README.md

@@ -116,6 +116,22 @@ It will create the file `$S3_ASSETS/authorized_publication.txt`
  token: ${{ github.token }}
 ```
 
+### Software Bill of Materials (SBOM)
+
+This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`.
+
+```yaml
+- name: Setup
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- name: Create SBOM
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: mongodb-python-driver
+```
+
 ## Python Helper Scripts
 
 These scripts are opinionated helper scripts for Python releases.

python/publish/action.yml

@@ -14,6 +14,9 @@ inputs:
  product_name:
  description: "The name of the product"
  required: true
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: true
  token:
  description: "The GitHub access token"
  required: true
@@ -42,6 +45,9 @@ runs:
  release_version: ${{ inputs.version }}
  filenames: dist/*
  token: ${{ inputs.token }}
+ - uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: ${{ inputs.silk_asset_group }}
  - name: Generate Sarif Report
  uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
  with:

sbom/action.yml

@@ -0,0 +1,20 @@
+name: Download the Augmented SBOM
+description: Downloads the Augmented SBOM for the project
+inputs:
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: true
+ artifactory_image:
+ description: Image to use for artifactory
+ default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
+
+runs:
+ using: composite
+ steps:
+ - name: Download the Augmented SBOM file to the release assets folder
+ shell: bash
+ run: |
+ podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \
+ --env-file=${SILKBOMB_ENVFILE} \
+ ${{ inputs.artifactory_image }} \
+ download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/sbom.json

setup/setup.sh

@@ -14,13 +14,22 @@ echo "::group::Set up artifactory"
 echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY
 echo "::endgroup::"
 
-echo "Set up envfile for artifactory image"
-GARASIGN_ENVFILE=/tmp/envfile
+echo "Set up envfile for garasign"
+GARASIGN_ENVFILE=/tmp/garasign-envfile
 cat << EOF > $GARASIGN_ENVFILE
 GRS_CONFIG_USER1_USERNAME=$GARASIGN_USERNAME
 GRS_CONFIG_USER1_PASSWORD=$GARASIGN_PASSWORD
 EOF
 
+if [ -n "${SILKBOMB_USER:-}" ]; then
+ echo "Set up envfile for silkbomb"
+ SILKBOMB_ENVFILE=/tmp/silkbomb-envfile
+ cat << EOF > $SILKBOMB_ENVFILE
+SILK_CLIENT_ID=${SILKBOMB_USER}
+SILK_CLIENT_SECRET=${SILKBOMB_KEY}
+EOF
+fi
+
 echo "Set up output directories"
 export RELEASE_ASSETS=/tmp/release-assets
 mkdir $RELEASE_ASSETS
@@ -34,6 +43,7 @@ AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}"
 GPG_KEY_ID=$GPG_KEY_ID
 GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}"
 GARASIGN_ENVFILE=$GARASIGN_ENVFILE
+SILKBOMB_ENVFILE=$SILKBOMB_ENVFILE
 ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS