APIM-6390-modified SBOM implementation by Valswyn-NHS · Pull Request #435 · NHSDigital/identity-service-api

Expand Up @@ -4,69 +4,79 @@ on: workflow_dispatch: inputs: environment: description: "Run SBOM check" description: "Apply SBOM check" required: true type: choice options: - yes - no
env: SYFT_VERSION: "1.27.1" TF_VERSION: "1.12.2" - apply - skip default: apply
jobs: deploy: sbom-check: if: ${{ github.event.inputs.environment == 'apply' }} name: Software Bill of Materials runs-on: ubuntu-latest permissions: actions: read contents: write
steps: - name: Checkout uses: actions/checkout@v5 - name: Checkout repository uses: actions/checkout@v5
- name: Setup Python 3.13 - name: Install Python 3.9 uses: actions/setup-python@v5 with: python-version: "3.13"
- name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ env.TF_VERSION }} python-version: 3.9
- name: Update apt repositories run: sudo apt update
- uses: terraform-linters/setup-tflint@v5 name: Setup TFLint with: tflint_version: v0.58.0 - name: Install Java run: sudo apt-get install --yes default-jre default-jdk
- name: Set architecture variable id: os-arch - name: Install node run: | case "${{ runner.arch }}" in X64) ARCH="amd64" ;; ARM64) ARCH="arm64" ;; esac echo "arch=${ARCH}" >> $GITHUB_OUTPUT wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add - curl -sL https://deb.nodesource.com/setup_18.x | sudo -E bash - sudo apt-get install -y nodejs
- name: Download and setup Syft run: | DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz" echo "Downloading: ${DOWNLOAD_URL}" - name: Upgrade python packaging tools run: python -m pip install --upgrade pip setuptools wheel
curl -L -o syft.tar.gz "${DOWNLOAD_URL}" tar -xzf syft.tar.gz chmod +x syft - name: Install poetry run: pip install "poetry<2.0.0"
# Add to PATH for subsequent steps echo "$(pwd)" >> $GITHUB_PATH - name: Cache poetry packages uses: actions/cache@v4 with: path: ~/.cache/pypoetry key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }}
- name: Cache node modules uses: actions/cache@v4 with: path: ~/.npm key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
- name: Create SBOM run: bash scripts/create-sbom.sh terraform python tflint - name: Install repo run: make install
- name: Upload SBOM as artifact - name: Generate SBOM uses: anchore/sbom-action@v0 with: path: ./ format: cyclonedx-json artifact-name: identity-repo-sbom.cdx.json
- name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: name: sbom path: sbom.json name: sbom-action-${{ github.run_id }} path: /tmp/sbom-action-*/identity-repo-sbom.cdx.json if-no-files-found: warn
- name: Clean up SBOM file run: rm /tmp/sbom-action-*/identity-repo-sbom.cdx.json || true
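Review bot: `if-no-files-found: warn` on the Upload SBOM artifact step lets the job succeed when no SBOM was produced, which makes a job named "Software Bill of Materials" pass with nothing to show; since producing that file is the job's purpose, set `if-no-files-found: error`. The job's `permissions` grant `contents: write`, but none of the new steps needs more than `contents: read` on a `workflow_dispatch` run (`actions/upload-artifact` writes run artifacts, not repository contents), so drop the write scope. The Install node step pipes `curl -sL https://deb.nodesource.com/setup_18.x` into `sudo -E bash -` and adds Google's Linux package key via the deprecated `apt-key add`, so unpinned, unverified remote content runs as root and an unrelated apt signing key is trusted; prefer `actions/setup-node` with a pinned `node-version` so the toolchain comes from a versioned action rather than a root-executed remote script. `anchore/sbom-action@v0` follows a mutable major tag; pin it (and the other actions) to a full commit SHA so the SBOM producer itself is part of the reviewed supply chain. I am assuming the Clean up step is the end of the job, since the page ends there; if more steps follow, the points above still apply to the steps shown.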