From a7a382e553601fc827649748e98eb34022c4c113 Mon Sep 17 00:00:00 2001 From: Tony Meyer Date: Tue, 24 Jun 2025 13:00:12 +1200 Subject: [PATCH 1/3] feat: add sbomber workflow and manifests --- .github/workflows/sbom-secscan.yaml | 55 +++++++++++++++++++++++++++++ .gitignore | 5 +++ .sbomber-manifest-sdist.yaml | 24 +++++++++++++ .sbomber-manifest-wheel.yaml | 28 +++++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 .github/workflows/sbom-secscan.yaml create mode 100644 .sbomber-manifest-sdist.yaml create mode 100644 .sbomber-manifest-wheel.yaml diff --git a/.github/workflows/sbom-secscan.yaml b/.github/workflows/sbom-secscan.yaml new file mode 100644 index 000000000..7a9ded093 --- /dev/null +++ b/.github/workflows/sbom-secscan.yaml @@ -0,0 +1,55 @@ +name: SBOM and secscan + +on: + workflow_call: + workflow_dispatch: + +permissions: {} + +jobs: + scan: + strategy: + fail-fast: false + matrix: + manifest: [.sbomber-manifest-sdist.yaml, .sbomber-manifest-wheel.yaml] + + name: SBOM generation + runs-on: [self-hosted, self-hosted-linux-amd64-jammy-private-endpoint-medium] + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Checkout security scanner + uses: actions/checkout@v4 + with: + repository: canonical/sbomber + path: scanner + token: ${{ secrets.SBOMBER_TOKEN }} + persist-credentials: false + - name: Install uv + uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 + - name: Install secscan cli + run: | + sudo snap install canonical-secscan-client + sudo snap connect canonical-secscan-client:home system:home + - name: Prepare the artifacts + run: | + cd scanner + ./sbomber prepare ../${{ matrix.manifest }} + - name: Submit the artifacts + run: | + cd scanner + ./sbomber submit + - name: Wait for the scans to finish + run: | + cd scanner + ./sbomber poll --wait --timeout 30 + - name: Download the reports + run: | + cd scanner && ./sbomber download + - name: Upload reports + uses: actions/upload-artifact@v4 + with: + name: secscan-report-upload + path: ./scanner/reports/*.json diff --git a/.gitignore b/.gitignore index 6d6d543bb..08fef1d2f 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,8 @@ juju-crashdump*.tar.xz # Benchmark test artifacts .benchmarks + +# sbomber +/pkgs +/reports +.statefile.yaml diff --git a/.sbomber-manifest-sdist.yaml b/.sbomber-manifest-sdist.yaml new file mode 100644 index 000000000..e05158b5c --- /dev/null +++ b/.sbomber-manifest-sdist.yaml @@ -0,0 +1,24 @@ +clients: + sbom: + service_url: https://sbom-request.canonical.com + department: charm_engineering + email: tony.meyer@canonical.com + team: charm_tech + secscan: {} + + +artifacts: + - name: ops + type: sdist + version: 2.22.0 + compression: gz + + - name: ops-scenario + type: sdist + version: 7.22.0 + compression: gz + + - name: ops-tracing + type: sdist + version: 2.22.0 + compression: gz diff --git a/.sbomber-manifest-wheel.yaml b/.sbomber-manifest-wheel.yaml new file mode 100644 index 000000000..3a8641dbc --- /dev/null +++ b/.sbomber-manifest-wheel.yaml @@ -0,0 +1,28 @@ +clients: + sbom: + service_url: https://sbom-request.canonical.com + department: charm_engineering + email: tony.meyer@canonical.com + team: charm_tech + secscan: + - include_id_params: true + + +artifacts: + - name: ops + type: wheel + version: 2.22.0 + channel: latest/stable + base: '25.10' + + - name: ops-scenario + type: wheel + version: 7.22.0 + channel: latest/stable + base: '25.10' + + - name: ops-tracing + type: wheel + version: 2.22.0 + channel: latest/stable + base: '25.10' From f857f80fa2e8a2a84d26408e6cea88ef75894fd9 Mon Sep 17 00:00:00 2001 From: Tony Meyer Date: Wed, 25 Jun 2025 12:53:47 +1200 Subject: [PATCH 2/3] ci: add a check for CLA signing --- .github/workflows/cla.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/cla.yaml diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml new file mode 100644 index 000000000..965c9ae04 --- /dev/null +++ b/.github/workflows/cla.yaml @@ -0,0 +1,14 @@ +name: cla-check + +on: + pull_request: + workflow_dispatch: + +permissions: {} + +jobs: + cla-check: + runs-on: ubuntu-latest + steps: + - name: Check if CLA signed + uses: canonical/has-signed-canonical-cla@5d1443b94417bd150ad234a82fe21f7340a25e4d # v2.1.0 From 927f88e461c092897e16f95fce8435aaf25bb855 Mon Sep 17 00:00:00 2001 From: Tony Meyer Date: Wed, 25 Jun 2025 12:56:11 +1200 Subject: [PATCH 3/3] Remove things from accidental ahead fork. --- .github/workflows/sbom-secscan.yaml | 55 ----------------------------- .gitignore | 5 --- .sbomber-manifest-sdist.yaml | 24 ------------- .sbomber-manifest-wheel.yaml | 28 --------------- 4 files changed, 112 deletions(-) delete mode 100644 .github/workflows/sbom-secscan.yaml delete mode 100644 .sbomber-manifest-sdist.yaml delete mode 100644 .sbomber-manifest-wheel.yaml diff --git a/.github/workflows/sbom-secscan.yaml b/.github/workflows/sbom-secscan.yaml deleted file mode 100644 index 7a9ded093..000000000 --- a/.github/workflows/sbom-secscan.yaml +++ /dev/null @@ -1,55 +0,0 @@ -name: SBOM and secscan - -on: - workflow_call: - workflow_dispatch: - -permissions: {} - -jobs: - scan: - strategy: - fail-fast: false - matrix: - manifest: [.sbomber-manifest-sdist.yaml, .sbomber-manifest-wheel.yaml] - - name: SBOM generation - runs-on: [self-hosted, self-hosted-linux-amd64-jammy-private-endpoint-medium] - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - persist-credentials: false - - name: Checkout security scanner - uses: actions/checkout@v4 - with: - repository: canonical/sbomber - path: scanner - token: ${{ secrets.SBOMBER_TOKEN }} - persist-credentials: false - - name: Install uv - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 - - name: Install secscan cli - run: | - sudo snap install canonical-secscan-client - sudo snap connect canonical-secscan-client:home system:home - - name: Prepare the artifacts - run: | - cd scanner - ./sbomber prepare ../${{ matrix.manifest }} - - name: Submit the artifacts - run: | - cd scanner - ./sbomber submit - - name: Wait for the scans to finish - run: | - cd scanner - ./sbomber poll --wait --timeout 30 - - name: Download the reports - run: | - cd scanner && ./sbomber download - - name: Upload reports - uses: actions/upload-artifact@v4 - with: - name: secscan-report-upload - path: ./scanner/reports/*.json diff --git a/.gitignore b/.gitignore index 570fb55fd..76dda7259 100644 --- a/.gitignore +++ b/.gitignore @@ -41,8 +41,3 @@ juju-crashdump*.tar.xz # Libs for example charms /examples/*/lib - -# sbomber -/pkgs -/reports -.statefile.yaml diff --git a/.sbomber-manifest-sdist.yaml b/.sbomber-manifest-sdist.yaml deleted file mode 100644 index e05158b5c..000000000 --- a/.sbomber-manifest-sdist.yaml +++ /dev/null @@ -1,24 +0,0 @@ -clients: - sbom: - service_url: https://sbom-request.canonical.com - department: charm_engineering - email: tony.meyer@canonical.com - team: charm_tech - secscan: {} - - -artifacts: - - name: ops - type: sdist - version: 2.22.0 - compression: gz - - - name: ops-scenario - type: sdist - version: 7.22.0 - compression: gz - - - name: ops-tracing - type: sdist - version: 2.22.0 - compression: gz diff --git a/.sbomber-manifest-wheel.yaml b/.sbomber-manifest-wheel.yaml deleted file mode 100644 index 3a8641dbc..000000000 --- a/.sbomber-manifest-wheel.yaml +++ /dev/null @@ -1,28 +0,0 @@ -clients: - sbom: - service_url: https://sbom-request.canonical.com - department: charm_engineering - email: tony.meyer@canonical.com - team: charm_tech - secscan: - - include_id_params: true - - -artifacts: - - name: ops - type: wheel - version: 2.22.0 - channel: latest/stable - base: '25.10' - - - name: ops-scenario - type: wheel - version: 7.22.0 - channel: latest/stable - base: '25.10' - - - name: ops-tracing - type: wheel - version: 2.22.0 - channel: latest/stable - base: '25.10'