Add full-report convenience action (#34)

Co-authored-by: Andreas Braun <git@alcaeus.org>

Author: blink1073

README.md

@@ -192,6 +192,46 @@ working directory.
  uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
 ```
 
+### Compliance Report
+
+This action will generate the SSDLC compliance report in the `S3_ASSETS` folder,
+called `ssdlc_compliance_report.md`.
+
+```yaml
+- name: Setup
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- name: Generate compliance report
+ uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+```
+
+There are several ways to specify the security report:
+- By specifying an absolute URL starting with https
+- By specifying a relative path, which is then linked to the corresponding git blob for the tagged version
+- By adding the `security-report-url` to the AWS Secrets Vault
+
+## Full Report
+
+This action is a convenience function to handle all of the SSDLC reports and put them
+in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbom`, `code-scanning-export`, and `compliance-report` actions.
+
+```yaml
+- name: Setup
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- name: Generate SSDLC Reports
+ uses: mongodb-labs/drivers-github-tools/full-report@v2
+ with:
+ product_name: winkerberos
+ release_version: ${{ inputs.version }}
+ silk_asset_group: winkerberos
+ dist_filenames: dist/*
+```
+
 ## Upload S3 assets
 
 A number of scripts create files in the `tmp/s3_assets` folder, which then can

authorized-pub/action.yml

@@ -9,27 +9,35 @@ inputs:
  required: true
  filenames:
  description: Artifact filename(s) to include in the report, can be a glob pattern
- required: true
+ default: ""
  token:
  description: The GitHub token for the action
- required: true
 
 runs:
  using: composite
  steps:
  - name: Prepare report
  shell: bash
  run: |
- export GH_TOKEN=${{ inputs.token }}
+ if [ -n "${{ inputs.token }}" ]; then
+ export GH_TOKEN=${{ inputs.token }}
+ fi
  NAME=$(gh api users/${{ github.actor }} --jq '.name')
  export REPORT=$S3_ASSETS/authorized-publication.txt
- echo "Product: ${{ inputs.product_name }}" > $REPORT
- echo "Version: ${{ inputs.release_version }}" >> $REPORT
- echo "Releaser: $NAME" >> $REPORT
- echo "Build Source: GitHub Actions"
- echo "Build Number: ${{ github.run_id }}"
- for filename in ${{ inputs.filenames }}; do
- SHA=$(shasum -a 256 $filename | awk '{print $1;}')
- echo "Filename: $filename" >> $REPORT
- echo "Shasum: $SHA" >> $REPORT
- done
+ export FILENAMES=${{ inputs.filenames }}
+ cat << EOF > $REPORT
+ Product: ${{ inputs.product_name }}
+ Version: ${{ inputs.release_version }}
+ Releaser: $NAME
+ Build Source: GitHub Actions
+ Build Number: ${{ github.run_id }}
+ EOF
+ if [ -z "$FILENAMES" ]; then
+ echo "No published artifacts." >> $REPORT
+ else
+ for filename in ${{ inputs.filenames }}; do
+ SHA=$(shasum -a 256 $filename | awk '{print $1;}')
+ echo "Filename: $filename" >> $REPORT
+ echo "Shasum: $SHA" >> $REPORT
+ done
+ fi

compliance-report/action.yml

@@ -1,9 +1,6 @@
 name: Generate a compliance report
 description: Generates the compliance report in the S3_ASSETS folder
 inputs:
- token:
- description: The GitHub token for the action
- required: true
  sbom_name:
  description: The name of the SBOM file in the S3 bucket
  default: cyclonedx.sbom.json
@@ -13,16 +10,23 @@ inputs:
  authorized_pub_name:
  description: The name of the Authorized Publication file in the S3 bucket
  default: authorized-publication.txt
+ security_report_location:
+ description: The URL or relative git path to the security report
+ release_version:
+ description: The published version
+ token:
+ description: The GitHub token for the action
 runs:
  using: composite
  steps:
  - name: Generate Compliance Report
  shell: bash
- run: |
- set -eux
- export GH_TOKEN=${{ inputs.token }}
- export RELEASE_CREATOR=$(gh api users/${{ github.actor }} --jq '.name')
- export SBOM_NAME=${{ inputs.sbom_name }}
- export SARIF_NAME=${{ inputs.sarif_name }}
- export AUTHORIZED_PUB_NAME=${{ inputs.authorized_pub_name }}
- bash ${{ github.action_path }}/generate.sh
+ env:
+ TOKEN: ${{ inputs.token }}
+ SBOM_NAME: ${{ inputs.sbom_name }}
+ SARIF_NAME: ${{ inputs.sarif_name }}
+ AUTHORIZED_PUB_NAME: ${{ inputs.authorized_pub_name }}
+ SECURITY_REPORT_LOCATION: ${{ inputs.security_report_location }}
+ RELEASE_VERSION: ${{ inputs.release_version }}
+ working-directory: "${{ github.action_path }}"
+ run: ./generate.sh

compliance-report/generate.sh

@@ -2,7 +2,26 @@
 
 set -eux
 
-cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md
+# Get release creator.
+cd $GITHUB_WORKSPACE
+if [ -n "$TOKEN" ]; then
+ export GH_TOKEN=$TOKEN
+fi
+RELEASE_CREATOR=$(gh api users/${GITHUB_ACTOR} --jq '.name')
+
+# Handle security report.
+SECURITY_REPORT="N/A"
+if [ -n "$SECURITY_REPORT_LOCATION" ]; then
+ if [[ $SECURITY_REPORT_LOCATION == https* ]]; then
+ SECURITY_REPORT="See $SECURITY_REPORT_LOCATION"
+ else
+ SECURITY_REPORT="See https://github.com/$GITHUB_REPOSITORY/blob/$RELEASE_VERSION/$SECURITY_REPORT_LOCATION"
+ fi
+elif [ -n "$SECURITY_REPORT_URL" ]; then
+ SECURITY_REPORT="See $SECURITY_REPORT_URL"
+fi
+
+cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.txt
 Release Creator
 ${RELEASE_CREATOR}
 
@@ -18,6 +37,9 @@ See ${SARIF_NAME}
 Signature Information
 See ${AUTHORIZED_PUB_NAME}
 
+Security Report
+${SECURITY_REPORT}
+
 Known Vulnerabilities
 Any vulnerabilities that may be shown in the files referenced above have been reviewed and accepted by the appropriate approvers.
-EOF
+EOF

full-report/action.yml

@@ -0,0 +1,44 @@
+name: Generate Full Report
+description: Generate all reports to be uploaded to release bucket
+inputs:
+ product_name:
+ description: The name of the product
+ required: true
+ release_version:
+ description: The published version
+ required: true
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: true
+ security_report_location:
+ description: The URL or relative git path to the security report
+ dist_filenames:
+ description: The distribution filename or glob pattern
+ token:
+ description: The GitHub access token
+
+runs:
+ using: composite
+ steps:
+ - name: Generate Authorized Publication Report
+ uses: blink1073/drivers-github-tools/authorized-pub@full-report
+ with:
+ product_name: ${{ inputs.product_name }}
+ release_version: ${{ inputs.release_version }}
+ filenames: ${{ inputs.dist_filenames }}
+ token: ${{ inputs.token }}
+ - name: Generate SBOM File
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: ${{ inputs.silk_asset_group }}
+ - name: Generate Sarif File
+ uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+ with:
+ ref: ${{ inputs.release_version }}
+ output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+ - name: Generate Compliance Report
+ uses: blink1073/drivers-github-tools/compliance-report@full-report
+ with:
+ release_version: ${{ inputs.release_version }}
+ security_report_location: ${{ inputs.security_report_location }}
+ token: ${{ inputs.token }}

python/publish/action.yml

@@ -19,7 +19,6 @@ inputs:
  required: true
  token:
  description: "The GitHub access token"
- required: true
  dry_run:
  description: "Whether this is a dry run"
  required: true
@@ -39,24 +38,18 @@ runs:
  uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
  with:
  filenames: dist/*
- - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+ - uses: blink1073/drivers-github-tools/full-report@full-report
  with:
  product_name: ${{ inputs.product_name }}
  release_version: ${{ inputs.version }}
- filenames: dist/*
- token: ${{ inputs.token }}
- - uses: mongodb-labs/drivers-github-tools/sbom@v2
- with:
+ dist_filenames: dist/*
  silk_asset_group: ${{ inputs.silk_asset_group }}
- - name: Generate Sarif Report
- uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
- with:
- ref: ${{ inputs.version }}
- - name: Generate Compliance Report
- uses: mongodb-labs/drivers-github-tools/compliance-report@v2
- with:
  token: ${{ inputs.token }}
- - name: Run publish script
+ - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+ with:
+ version: ${{ inputs.version }}
+ product_name: ${{ inputs.product_name }}
+ - name: Run GitHub Publish script
  shell: bash
  run: ${{github.action_path}}/publish.sh
  env:

python/publish/publish.sh

@@ -2,20 +2,12 @@
 
 set -eux
 
-cp $RELEASE_ASSETS/*.sig $S3_ASSETS
-mv code-scanning-alerts.json $S3_ASSETS
-
 if [ "$DRY_RUN" == "false" ]; then
- echo "Uploading Release Reports"
- TARGET=s3://${AWS_BUCKET}/${PRODUCT_NAME}/${VERSION}
- aws s3 cp $S3_ASSETS $TARGET --recursive
-
  echo "Creating draft release with attached files"
  gh release create ${VERSION} --draft --verify-tag --title ${VERSION} --notes ""
  gh release upload ${VERSION} $RELEASE_ASSETS/*.*
  gh release view ${VERSION} >> $GITHUB_STEP_SUMMARY
 else
- echo "Dry run, not uploading to S3 or creating GitHub Release"
+ echo "Dry run, not creating GitHub Release"
  ls -ltr $RELEASE_ASSETS
- ls -ltr $S3_ASSETS
 fi

setup/action.yml

@@ -10,6 +10,8 @@ inputs:
  aws_secret_id:
  description: "The name of the aws secret to use"
  required: true
+ artifactory_username:
+ description: "The artifactory username to be used"
  artifactory_registry:
  description: "Artifactory registry to be used"
  default: artifactory.corp.mongodb.com
@@ -34,6 +36,7 @@ runs:
  id: setup
  run: ${{ github.action_path }}/setup.sh
  env:
+ ARTIFACTORY_USERNAME_INPUT: ${{ inputs.artifactory_username }}
  ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }}
  ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
  AWS_SECRET_ID: ${{ inputs.aws_secret_id }}

setup/setup.sh

@@ -11,6 +11,10 @@ for var in $vars; do
 done
 
 echo "::group::Set up artifactory"
+ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME:-}
+if [ -n "${ARTIFACTORY_USERNAME_INPUT}" ]; then
+ ARTIFACTORY_USERNAME=$ARTIFACTORY_USERNAME_INPUT
+fi
 echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY
 echo "::endgroup::"
 
@@ -47,6 +51,7 @@ SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}
 ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS
+SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-}
 EOF
 
 echo "Set up git credentials"

tag-version/action.yml

@@ -51,8 +51,8 @@ runs:
  shell: bash -eux {0}
  run: |
  if [ ${{ inputs.push_tag }} == "true" ]; then
- git push origin --tags
- echo "Pushed tag: ${{ inputs.version }}" >> $GITHUB_STEP_SUMMARY
+ git push origin tag $TAG
+ echo "Pushed tag: ${{ env.TAG }}" >> $GITHUB_STEP_SUMMARY
  else
- echo "Created tag (no push): ${{ inputs.version }}" >> $GITHUB_STEP_SUMMARY
+ echo "Created tag (no push): ${{ env.Tag }}" >> $GITHUB_STEP_SUMMARY
  fi