chore: Upgrade to Flow 24.3.0.alpha1 #1774
name: SBOM | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened, edited] | |
paths: ["versions.json", "**/pom.xml", ".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js", "scripts/generator/templates/*.xml"] | |
release: | |
types: ["published"] | |
workflow_dispatch: | |
inputs: | |
useSnapshots: | |
description: 'Use snapthots for all vaadin products' | |
required: false | |
type: boolean | |
default: false | |
useBomber: | |
description: 'Use bomber' | |
required: false | |
type: boolean | |
default: true | |
useOSV: | |
description: 'Use osv-scanner' | |
required: false | |
type: boolean | |
default: true | |
useOWASP: | |
description: 'Use owasp:dependency-check-maven' | |
required: false | |
type: boolean | |
default: true | |
useFullOWASP: | |
description: 'Use full owasp:dependency-check' | |
required: false | |
type: boolean | |
default: false | |
version: | |
description: 'Use set Platform Version to:' | |
required: false | |
type: string | |
default: '' | |
forcePushReports: | |
description: 'Push the SBOM to release note' | |
required: false | |
type: boolean | |
default: false | |
jobs: | |
run: | |
runs-on: ubuntu-latest | |
steps: | |
- run: | | |
[ -z "${{secrets.TB_LICENSE}}" ] \ | |
&& echo "🚫 **TB_LICENSE** is not defined, check that **${{github.repository}}** repo has a valid secret" \ | |
| tee -a $GITHUB_STEP_SUMMARY && exit 1 || exit 0 | |
name: Check secrets | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '18' | |
- uses: actions/setup-java@v3 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- uses: stCarolas/setup-maven@v4.5 | |
with: | |
maven-version: '3.8.2' | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: 'stable' | |
- run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1 | |
- run: | | |
wget -q https://github.com/devops-kung-fu/bomber/releases/download/v0.4.4/bomber_0.4.4_linux_amd64.deb | |
sudo dpkg -i bomber_0.4.4_linux_amd64.deb | |
name: Install bomber-0.4.4 | |
- run: | | |
# Install dependency-check-8.2.1 | |
cd /tmp | |
wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.2/dependency-check-8.4.2-release.zip | |
unzip dependency-check-8.4.2-release.zip | |
sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check | |
name: Install dependency-check-8.4.2 | |
- run: | | |
mkdir -p ~/.vaadin/ | |
echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey | |
name: Install proKey | |
- run: | | |
## TODO: do not disable bomber by default (https://github.com/devops-kung-fu/bomber/issues/174) | |
[ -z "${{github.event.inputs.useBomber}}" -o false = "${{github.event.inputs.useBomber}}" ] && A="$A --disable-bomber" | |
[ false = "${{github.event.inputs.useOSV}}" ] && A="$A --disable-osv-scan" | |
[ false = "${{github.event.inputs.useOWASP}}" ] && A="$A --disable-owasp" | |
[ true = "${{github.event.inputs.useFullOWASP}}" ] && A="$A --enable-full-owasp" | |
[ true = "${{github.event.inputs.useSnapshots}}" ] && A="$A --useSnapshots" | |
V="${{ github.event.inputs.version || github.event.release.tag_name }}" | |
[ -n "$V" ] && A="$A --version $V" | |
cmd="scripts/generateAndCheckSBOM.js $A" | |
echo "Running: $cmd" | |
$cmd | |
name: Generate And Check SBOM | |
env: | |
OSSINDEX_USER: ${{secrets.OSSINDEX_USER}} | |
OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}} | |
- if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}} | |
uses: thollander/actions-comment-pull-request@v2 | |
with: | |
message: "${{env.DEPENDENCIES_REPORT}}\n[[Click for more Details](${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}})]" | |
comment_tag: dependencies_report | |
- if: ${{always()}} | |
uses: actions/upload-artifact@v3.1.1 | |
with: | |
name: files | |
path: | | |
**/target/bom-vaadin.json | |
**/target/*-report.json | |
**/target/tree-*.txt | |
**/target/dependencies.html | |
if-no-files-found: error | |
retention-days: 60 | |
- if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}} | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: vaadin-platform-sbom/target/bom-vaadin.json | |
asset_name: "Software.Bill.Of.Materials.json" | |
tag: ${{ github.event.inputs.version || github.event.release.tag_name }} | |
overwrite: true | |
- if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}} | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: vaadin-platform-sbom/target/dependencies.html | |
asset_name: "Dependencies.Report.html" | |
tag: ${{ github.event.inputs.version || github.event.release.tag_name }} | |
overwrite: true | |
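Review bot: In the "Generate And Check SBOM" step, `${{ github.event.inputs.version || github.event.release.tag_name }}` is expanded directly into the shell script text, so a release tag or dispatch input containing shell metacharacters (git refnames may contain `$`, `(`, `)` and `;`) becomes code executed on a runner that also holds TB_LICENSE and the OSSINDEX credentials; pass it through the step's `env:` block instead, `PLATFORM_VERSION: ${{ github.event.inputs.version || github.event.release.tag_name }}` with `V="$PLATFORM_VERSION"` in the script, and do the same for the boolean inputs and for the `echo ${{secrets.TB_LICENSE}}` lines of the proKey step. The `if:` conditions on the two release-upload steps use `github.event.inputs.forcePushReports`, which is the raw string form of the input, so on a dispatch with the box unchecked it is the non-empty string `false` and `(success() || ...)` appears to evaluate true even after a failed run; `inputs.forcePushReports` carries the typed boolean and seems to be what was intended. For a workflow whose purpose is supply-chain assurance, the bomber .deb and the dependency-check zip are fetched and installed (one via `sudo dpkg -i`) with no checksum verification, the third-party actions (`stCarolas/setup-maven`, `thollander/actions-comment-pull-request`, `svenstaro/upload-release-action`) are pinned to mutable tags rather than commit SHAs, and there is no top-level `permissions:` block, so GITHUB_TOKEN runs with the repository default; a `sha256sum -c` against a pinned digest, SHA pins, and an explicit `permissions: { contents: write, pull-requests: write }` would close those. The comment `# Install dependency-check-8.2.1` also no longer matches the 8.4.2 artifact fetched two lines below it.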