saving copies of enriched sbom as final to make it clear #58
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Phase 1 - Keycloak | |
| on: [push] | |
| env: | |
| KEYCLOAK_TAG: 25.0.4 | |
| PARLAY_VERSION: 0.5.1 | |
| SBOMASM_VERSION: 0.1.5 | |
| SBOMQS_VERSION: 0.1.9 | |
| TRIVY_VERSION: 0.54.1 | |
| jobs: | |
| Generate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Trivy | |
| run: | | |
| curl -L -o /tmp/trivy.tgz \ | |
| "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | |
| tar xvf /tmp/trivy.tgz -C /tmp | |
| chmod +x /tmp/trivy | |
| - name: Checkout Keycloak | |
| run: | | |
| curl -L -o /tmp/keycloak.tgz \ | |
| "https://github.com/keycloak/keycloak/archive/refs/tags/${KEYCLOAK_TAG}.tar.gz" | |
| tar xvf /tmp/keycloak.tgz -C . | |
| - name: Generate SBOM with Trivy | |
| run: | | |
| /tmp/trivy fs \ | |
| --timeout 30m0s \ | |
| --parallel 0 \ | |
| --format cyclonedx \ | |
| --output /tmp/generated-keycloak-sbom.cdx.json \ | |
| keycloak-${KEYCLOAK_TAG} | |
| /tmp/trivy fs \ | |
| --timeout 30m0s \ | |
| --parallel 0 \ | |
| --format spdx-json \ | |
| --output /tmp/generated-keycloak-sbom.spdx.json \ | |
| keycloak-${KEYCLOAK_TAG} | |
| - name: Upload Generated CycloneDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: generated-keycloak-sbom-cyclonedx | |
| path: "/tmp/generated-keycloak-sbom.cdx.json" | |
| - name: Upload Generated SPDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: generated-keycloak-sbom-spdx | |
| path: "/tmp/generated-keycloak-sbom.spdx.json" | |
| Augment: | |
| runs-on: ubuntu-latest | |
| needs: Generate | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@v4 | |
| - name: Install sbomasm | |
| run: | | |
| curl -L -o /tmp/sbomasm \ | |
| "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64" | |
| chmod +x /tmp/sbomasm | |
| - name: Augment Keycloak SPDX | |
| run: | | |
| # Augment the Generated SPDX with updated document information | |
| # - Using `--append` option to ensure the author information is appended instead | |
| # of replacing the tool information. | |
| /tmp/sbomasm edit --append --subject Document \ | |
| --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \ | |
| --supplier 'keycloak (https://www.keycloak.org/)' \ | |
| --repository 'https://github.com/keycloak/keycloak' \ | |
| --license 'Apache-2.0 (https://raw.githubusercontent.com/keycloak/keycloak/refs/heads/main/LICENSE.txt)' \ | |
| generated-keycloak-sbom-spdx/generated-keycloak-sbom.spdx.json > augmented_keycloak-sbom.spdx.json | |
| # Augment the Generated SPDX with updated primary component information | |
| /tmp/sbomasm edit --subject primary-component \ | |
| --supplier 'keycloak (https://www.keycloak.org/)' \ | |
| --repository 'https://github.com/keycloak/keycloak' \ | |
| --license 'Apache-2.0 (https://raw.githubusercontent.com/keycloak/keycloak/refs/heads/main/LICENSE.txt)' \ | |
| augmented_keycloak-sbom.spdx.json > /tmp/augmented_keycloak-sbom.spdx.json | |
| - name: Augment Keycloak CycloneDX | |
| run: | | |
| # Augment the Generated CycloneDX with updated document information | |
| /tmp/sbomasm edit --subject Document \ | |
| --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \ | |
| --supplier 'keycloak (https://www.keycloak.org/)' \ | |
| --lifecycle 'pre-build' \ | |
| --repository 'https://github.com/keycloak/keycloak' \ | |
| --license 'Apache-2.0 (https://raw.githubusercontent.com/keycloak/keycloak/refs/heads/main/LICENSE.txt)' \ | |
| generated-keycloak-sbom-cyclonedx/generated-keycloak-sbom.cdx.json > augmented_keycloak-sbom.cdx.json | |
| # Augment the Generated CycloneDX with updated primary component information | |
| /tmp/sbomasm edit --subject primary-component \ | |
| --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \ | |
| --supplier 'keycloak (https://www.keycloak.org/)' \ | |
| --repository 'https://github.com/keycloak/keycloak' \ | |
| --license 'Apache-2.0 (https://raw.githubusercontent.com/keycloak/keycloak/refs/heads/main/LICENSE.txt)' \ | |
| augmented_keycloak-sbom.cdx.json > /tmp/augmented_keycloak-sbom.cdx.json | |
| - name: Upload Augmented SPDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: augmented-keycloak-sbom-spdx | |
| path: "/tmp/augmented_keycloak-sbom.spdx.json" | |
| - name: Upload Augmented CycloneDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: augmented-keycloak-sbom-cyclonedx | |
| path: "/tmp/augmented_keycloak-sbom.cdx.json" | |
| Enrich: | |
| runs-on: ubuntu-latest | |
| needs: Augment | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@v4 | |
| - name: Install parlay | |
| run: | | |
| curl -Ls https://github.com/snyk/parlay/releases/download/v${PARLAY_VERSION}/parlay_Linux_x86_64.tar.gz | tar xvz -C /tmp | |
| chmod +x /tmp/parlay | |
| - name: Enrich Keycloak CycloneDX | |
| run: | | |
| /tmp/parlay ecosystems enrich \ | |
| augmented-keycloak-sbom-cyclonedx/augmented_keycloak-sbom.cdx.json > /tmp/enriched_keycloak-sbom.cdx.json | |
| - name: Enrich Keycloak SPDX | |
| run: | | |
| /tmp/parlay ecosystems enrich \ | |
| augmented-keycloak-sbom-spdx/augmented_keycloak-sbom.spdx.json > /tmp/enriched_keycloak-sbom.spdx.json | |
| - name: Upload Enriched SPDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: enriched-keycloak-sbom-spdx | |
| path: "/tmp/enriched_keycloak-sbom.spdx.json" | |
| - name: Upload Enriched CycloneDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: enriched-keycloak-sbom-cyclonedx | |
| path: "/tmp/enriched_keycloak-sbom.cdx.json" | |
| - name: Save Final SBOMs | |
| run: | | |
| cp /tmp/enriched_keycloak-sbom.spdx.json /tmp/final_keycloak-sbom.spdx.json | |
| cp /tmp/enriched_keycloak-sbom.cdx.json /tmp/final_keycloak-sbom.cdx.json | |
| - name: Upload Final SPDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: final-keycloak-sbom-spdx | |
| path: "/tmp/final_keycloak-sbom.spdx.json" | |
| - name: Upload Final CycloneDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: final-keycloak-sbom-cyclonedx | |
| path: "/tmp/final_keycloak-sbom.cdx.json" | |
| Validate: | |
| needs: Enrich | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download SBOMs | |
| uses: actions/download-artifact@v4 | |
| - name: Install sbomqs | |
| run: | | |
| curl -L -o /tmp/sbomqs \ | |
| "https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64" | |
| chmod +x /tmp/sbomqs | |
| - name: "Display SBOM quality score through sbomqs" | |
| run: | | |
| echo \`\`\` >> ${GITHUB_STEP_SUMMARY} | |
| for SBOM in $(find . -iname final*.json); do | |
| /tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY} | |
| done | |
| echo \`\`\` >> ${GITHUB_STEP_SUMMARY} |