CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #19

Summary
Jobs
- augment-sbom
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/generate-augmented-sbom.yml at fb859d0

	name: Augment SBOM

	on:
	pull_request:
	workflow_dispatch:
	inputs:
	release_version:
	description: "Release version (e.g. 1.42.2)"
	required: true
	type: string

	permissions:
	id-token: write
	contents: read

	jobs:
	augment-sbom:
	runs-on: ubuntu-latest

	env:
	KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
	KONDUKTO_REPO: mongodb/mongodb-atlas-cli
	KONDUKTO_BRANCH_PREFIX: atlascli
	SILKBOMB_IMG: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0

	steps:
	- uses: GitHubSecurityLab/actions-permissions/monitor@v1
	with:
	config: ${{ vars.PERMISSIONS_CONFIG }}
	- name: Checkout repo
	uses: actions/checkout@v4

	- uses: actions/setup-go@v5
	with:
	go-version-file: 'go.mod'

	- name: Download Linux ARM64 binary
	run: \|
	curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version \|\| '1.42.2' }}/mongodb-atlas-cli_${{ github.event.inputs.release_version \|\| '1.42.2' }}_linux_arm64.tar.gz" \
	-o release.tar.gz

	- name: Extract binary
	run: \|
	tar -xzf release.tar.gz

	- name: Generate PURLs from binary
	run: \|
	go version -m ./mongodb-atlas-cli_${{ inputs.release_version \|\| '1.42.2' }}_linux_arm64/bin/atlas \| \
	awk '$1 == "dep" \|\| $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' \| \
	LC_ALL=C sort > purls.txt
	cat purls.txt

	- name: Generate SBOM with Silkbomb
	run: \|
	docker run \
	--pull=always \
	--platform="linux/amd64" \
	--rm \
	-v "${PWD}:/pwd" \
	"${SILKBOMB_IMG}" \
	update \
	--purls "/pwd/purls.txt" \
	--sbom-out "/pwd/sbom_lite.json"
	cat "sbom_lite.json"

	- name: Augment SBOM with Kondukto
	run: \|
	docker run \
	--pull=always \
	--platform="linux/amd64" \
	--rm \
	-v "${PWD}:/pwd" \
	-e "KONDUKTO_TOKEN=${KONDUKTO_TOKEN}" \
	"${SILKBOMB_IMG}" \
	augment \
	--sbom-in "/pwd/sbom_lite.json" \
	--repo "${KONDUKTO_REPO}" \
	--branch "${KONDUKTO_BRANCH_PREFIX}-linux-arm64" \
	--sbom-out "/pwd/linux_amd64_augmented_sbom_v${{ inputs.release_version \|\| '1.42.2' }}.json"

	- name: Generate SSDLC report
	env:
	AUTHOR: ${{ github.actor }}
	VERSION: ${{ inputs.release_version \|\| '1.42.2' }}
	AUGMENTED_SBOM_TEXT: "\t- See Augmented SBOM manifests (CycloneDX in JSON format):\n
	\t\t- This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${{ inputs.release_version \|\| '1.42.2' }}.json'\n"
	run: ./build/package/gen-ssdlc-report.sh
	- name: Upload augmented SBOM as artifact
	uses: actions/upload-artifact@v4
	with:
	name: augmented-sbom_and-ssdlc-report
	path: \|
	linux_amd64_augmented_sbom_v${{ inputs.release_version \|\| '1.42.2' }}.json
	ssdlc-compliance-${{ inputs.release_version \|\| '1.42.2' }}.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #19

Workflow file

CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #19

Uh oh!

Jobs

Run details

Workflow file for this run