
Commit 78ad99d

committed
CLOUDP-315271: Onboard Kundukto to CI (#3862)
1 parent fad8487 commit 78ad99d


9 files changed

+272
-2
lines changed


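--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 *.so
 *.dylib
 bin/**
+compliance/**
 dist/**
 # mac notarization service
 linux_amd64/**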

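--- a/Makefile
+++ b/Makefile
@@ -106,7 +106,7 @@ addcopy: ## Add missing license to files
 @scripts/add-copy.sh
 
 .PHONY: generate
-generate: gen-docs gen-mocks gen-api-commands ## Generate docs, mocks, code, api commands, all auto generated assets
+generate: gen-docs gen-mocks gen-api-commands gen-purls ## Generate docs, mocks, code, api commands, all auto generated assets
 
 .PHONY: apply-overlay
 apply-overlay: ## Apply overlay on openapi spec
@@ -138,6 +138,14 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands
 @echo "==> Generating docs"
 go run -ldflags "$(LINKER_FLAGS)" ./tools/cmd/docs
 
+.PHONY: gen-purls
+gen-purls: # Generate purls on linux os
+@echo "==> Generating purls"
+GOOS=linux GOARCH=amd64 go build -trimpath -mod=readonly -o bin/atlas-linux ./cmd/atlas
+go version -m ./bin/atlas-linux | \
+awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \
+LC_ALL=C sort > build/package/purls.txt
+
 .PHONY: build
 build: ## Generate an atlas binary in ./bin
 @echo "==> Building $(ATLAS_BINARY_NAME) binary"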
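Review bot: The gen-purls recipe writes build/package/purls.txt through a pipeline whose exit status is that of the final `sort`, so under make's default `/bin/sh` a failure of `go version -m ./bin/atlas-linux` is masked and an empty purls.txt is produced with exit 0 — that empty list is what generate-sbom.sh then feeds into the SBOM and what pre-commit.sh stages. Materialising the `go version -m` output in its own recipe line and writing the final list through a temp file plus `mv -f` keeps the failure visible and never leaves a truncated purls.txt behind. The target comment also uses a single `#` where the sibling targets (`generate`, `apply-overlay`, `build`) use `##`, so it is dropped from any `##`-driven help output; `gen-purls: ## Generate purls on linux os` would be consistent.
```make
gen-purls: ## Generate purls on linux os
	@echo "==> Generating purls"
	# … unchanged: GOOS=linux GOARCH=amd64 go build of bin/atlas-linux …
	go version -m ./bin/atlas-linux > bin/atlas-linux.modinfo
	awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' bin/atlas-linux.modinfo | \
	LC_ALL=C sort > build/package/purls.txt.tmp
	mv -f build/package/purls.txt.tmp build/package/purls.txt
```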

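--- a/build/ci/check-purls.sh
+++ b/build/ci/check-purls.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+if ! git diff --quiet --exit-code build/package/purls.txt; then
+echo "build/package/purls.txt is out of date. Please run 'make gen-purls' and commit the result."
+git --no-pager diff build/package/purls.txt
+exit 1
+fi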
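Review bot: The script has no comment stating what it checks or that it only makes sense immediately after `make gen-purls` has regenerated the file (evergreen.yml's "check purls" function does that in the preceding step), so read on its own the `git diff` looks like an arbitrary dirty-tree check. A header comment after the licence block such as `# Fails when the committed build/package/purls.txt differs from what 'make gen-purls' just regenerated, i.e. go.mod/go.sum changed without refreshing the SBOM inputs.` would make the contract explicit. `--quiet` already implies `--exit-code`, so one of the two flags is redundant and can be dropped.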

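--- a/build/ci/evergreen.yml
+++ b/build/ci/evergreen.yml
@@ -533,6 +533,21 @@ functions:
 binary: make
 args:
 - otel
+"check purls":
+- command: subprocess.exec
+type: test
+params:
+<<: *go_options
+binary: make
+args:
+- gen-purls
+- command: subprocess.exec
+params:
+<<: *go_options
+include_expansions_in_env:
+- workdir
+binary: build/ci/check-purls.sh
+
 tasks:
 - name: compile
 tags: ["code_health"]
@@ -1726,6 +1741,10 @@ tasks:
 vars:
 span: "coverage"
 attr: "total=${percentage},count=${count}"
+- name: check_purls
+tags: ["code_health"]
+commands:
+- func: "check purls"
 - name: snyk_monitor
 tags:
 - snyk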
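Review bot: In the "check purls" function only the first subprocess.exec carries `type: test`; the check-purls.sh step, which is the one that actually fails on drift, has no `type`, so how its failure is classified depends on Evergreen's default rather than being stated. Adding `type: test` to the second command makes both steps report the same way. That step also passes `include_expansions_in_env: - workdir`, but check-purls.sh as added in this commit never reads `workdir` (it presumably relies on the working directory from `*go_options`), so the expansion can be dropped or the script should consume it.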

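--- a/build/ci/release.yml
+++ b/build/ci/release.yml
@@ -70,6 +70,48 @@ functions:
 params:
 <<: *go_options
 binary: build/package/generate-notices.sh
+"generate sbom":
+- command: ec2.assume_role
+params:
+role_arn: ${ecr_role_arn}
+- command: subprocess.exec
+params:
+<<: *go_options
+include_expansions_in_env:
+- AWS_ACCESS_KEY_ID
+- AWS_SECRET_ACCESS_KEY
+- AWS_SESSION_TOKEN
+- workdir
+binary: build/package/generate-sbom.sh
+"run silkbomb":
+- command: ec2.assume_role
+params:
+role_arn: ${kondukto_role_arn}
+- command: shell.exec
+params:
+silent: true
+shell: bash
+include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+script: |
+set -e
+kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env
+- command: shell.exec
+params:
+shell: bash
+script: |
+docker run \
+--pull=always \
+--platform="linux/amd64" \
+--rm \
+--env-file ${workdir}/kondukto_credentials.env \
+-v ${workdir}:/workdir \
+901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
+upload \
+--sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \
+--repo mongodb_mongodb-atlas-cli \
+--branch ${branch_name}
+rm ${workdir}/kondukto_credentials.env
 "package":
 - command: github.generate_token
 params:
@@ -317,6 +359,10 @@ tasks:
 permissions: public-read
 content_type: ${content_type|application/octet-stream}
 display_name: unsigned
+- name: generate_and_upload_sbom
+commands:
+- func: "generate sbom"
+- func: "run silkbomb"
 - name: package_goreleaser
 tags: ["packaging"]
 depends_on:
@@ -528,6 +574,8 @@ buildvariants:
 depends_on:
 - name: package_msi
 variant: "go_atlascli_msi_snapshot"
+- name: generate_and_upload_sbom
+variant: ssdlc
 - name: publish_atlascli_snapshot
 display_name: "Publish AtlasCLI Snapshot"
 run_on:
@@ -553,6 +601,8 @@ buildvariants:
 depends_on:
 - name: package_msi
 variant: release_atlascli_msi
+- name: generate_and_upload_sbom
+variant: ssdlc
 - name: copybara
 display_name: "Copybara"
 git_tag_only: true
@@ -605,3 +655,11 @@ buildvariants:
 - ubuntu2004-small
 tasks:
 - name: .smoke-test .generate .repo .atlascli
+- name: ssdlc
+display_name: Compliance [ssdlc]
+run_on:
+- ubuntu2204-small
+expansions:
+<<: *go_linux_version
+tasks:
+- name: generate_and_upload_sbom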
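Review bot: The second shell.exec in "run silkbomb" has no `set -e`, so the script's exit status is that of the trailing `rm`, and a failed `silkbomb upload` (a missing `--sbom-in` file, a rejected token) is reported as success; the credentials file is also only removed when the script reaches its last line. Starting that script with `set -e` and `trap 'rm -f ${workdir}/kondukto_credentials.env' EXIT` and dropping the final `rm` fixes both. In the first script, a `umask 077` before the `echo` keeps the plaintext token file from being group/world-readable on the host for its lifetime, which matters because `${workdir}` is also bind-mounted into the container as `/workdir`. The `silkbomb:2.0` image reference here and in generate-sbom.sh is a mutable tag; pinning by digest (`silkbomb@sha256:<digest>`) would make the compliance tooling itself reproducible.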

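--- a/build/package/.goreleaser.yml
+++ b/build/package/.goreleaser.yml
@@ -142,4 +142,5 @@ release:
 name_template: "MongoDB Atlas CLI {{.Version}}"
 extra_files:
 - glob: ./bin/*.msi
-version: 2
+- glob: compliance/**/*
+version: 2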

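--- a/build/package/generate-sbom.sh
+++ b/build/package/generate-sbom.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+export WORKDIR=${workdir:?}
+
+# Authenticate Docker to AWS ECR
+aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
+
+echo "Generating SBOMs..."
+docker run --rm \
+-v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \
+901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
+update \
+--purls /pwd/build/package/purls.txt \
+--sbom-out /pwd/sbom.json
+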
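Review bot: The SBOM is written to `--sbom-out /pwd/sbom.json`, i.e. the repository root, but every consumer introduced in this commit reads it from `compliance/`: "run silkbomb" in release.yml passes `--sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json`, .goreleaser.yml packages `compliance/**/*`, and .gitignore ignores `compliance/**`. Unless silkbomb's `update` relocates its output (nothing on the page says so), the upload will not find the file and the release will ship without an SBOM — and since the upload script's exit status is that of its trailing `rm`, the pipeline would not report it. Writing into the directory the consumers expect aligns all three: `mkdir -p "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli/compliance"` before the `docker run`, and `--sbom-out /pwd/compliance/sbom.json` as the last argument.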

build/package/purls.txt

Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
pkg:golang/cloud.google.com/go/auth/oauth2adapt@v0.2.8
2+
pkg:golang/cloud.google.com/go/auth@v0.16.0
3+
pkg:golang/cloud.google.com/go/compute/metadata@v0.6.0
4+
pkg:golang/cloud.google.com/go/iam@v1.5.0
5+
pkg:golang/cloud.google.com/go/kms@v1.21.2
6+
pkg:golang/cloud.google.com/go/longrunning@v0.6.6
7+
pkg:golang/github.com/AlecAivazis/survey/v2@v2.3.7
8+
pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.18.0
9+
pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.9.0
10+
pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/internal@v1.11.1
11+
pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys@v1.3.1
12+
pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal@v1.1.1
13+
pkg:golang/github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2
14+
pkg:golang/github.com/Masterminds/semver/v3@v3.3.1
15+
pkg:golang/github.com/PaesslerAG/gval@v1.0.0
16+
pkg:golang/github.com/PaesslerAG/jsonpath@v0.1.1
17+
pkg:golang/github.com/ProtonMail/go-crypto@v1.2.0
18+
pkg:golang/github.com/STARRY-S/zip@v0.2.1
19+
pkg:golang/github.com/andybalholm/brotli@v1.1.1
20+
pkg:golang/github.com/aws/aws-sdk-go-v2/config@v1.29.14
21+
pkg:golang/github.com/aws/aws-sdk-go-v2/credentials@v1.17.67
22+
pkg:golang/github.com/aws/aws-sdk-go-v2/feature/ec2/imds@v1.16.30
23+
pkg:golang/github.com/aws/aws-sdk-go-v2/internal/configsources@v1.3.34
24+
pkg:golang/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2@v2.6.34
25+
pkg:golang/github.com/aws/aws-sdk-go-v2/internal/ini@v1.8.3
26+
pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding@v1.12.3
27+
pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url@v1.12.15
28+
pkg:golang/github.com/aws/aws-sdk-go-v2/service/kms@v1.38.3
29+
pkg:golang/github.com/aws/aws-sdk-go-v2/service/sso@v1.25.3
30+
pkg:golang/github.com/aws/aws-sdk-go-v2/service/ssooidc@v1.30.1
31+
pkg:golang/github.com/aws/aws-sdk-go-v2/service/sts@v1.33.19
32+
pkg:golang/github.com/aws/aws-sdk-go-v2@v1.36.3
33+
pkg:golang/github.com/aws/smithy-go@v1.22.2
34+
pkg:golang/github.com/bodgit/plumbing@v1.3.0
35+
pkg:golang/github.com/bodgit/sevenzip@v1.6.0
36+
pkg:golang/github.com/bodgit/windows@v1.0.1
37+
pkg:golang/github.com/briandowns/spinner@v1.23.2
38+
pkg:golang/github.com/cloudflare/circl@v1.6.0
39+
pkg:golang/github.com/denisbrodbeck/machineid@v1.0.1
40+
pkg:golang/github.com/dsnet/compress@v0.0.2-0.20230904184137-39efe44ab707
41+
pkg:golang/github.com/fatih/color@v1.14.1
42+
pkg:golang/github.com/felixge/httpsnoop@v1.0.4
43+
pkg:golang/github.com/fsnotify/fsnotify@v1.8.0
44+
pkg:golang/github.com/go-logr/logr@v1.4.2
45+
pkg:golang/github.com/go-logr/stdr@v1.2.2
46+
pkg:golang/github.com/go-viper/mapstructure/v2@v2.2.1
47+
pkg:golang/github.com/golang-jwt/jwt/v5@v5.2.2
48+
pkg:golang/github.com/golang/mock@v1.6.0
49+
pkg:golang/github.com/golang/snappy@v0.0.4
50+
pkg:golang/github.com/google/go-github/v61@v61.0.0
51+
pkg:golang/github.com/google/go-querystring@v1.1.0
52+
pkg:golang/github.com/google/s2a-go@v0.1.9
53+
pkg:golang/github.com/google/uuid@v1.6.0
54+
pkg:golang/github.com/googleapis/enterprise-certificate-proxy@v0.3.6
55+
pkg:golang/github.com/googleapis/gax-go/v2@v2.14.1
56+
pkg:golang/github.com/hashicorp/errwrap@v1.1.0
57+
pkg:golang/github.com/hashicorp/go-multierror@v1.1.1
58+
pkg:golang/github.com/hashicorp/golang-lru/v2@v2.0.7
59+
pkg:golang/github.com/iancoleman/strcase@v0.3.0
60+
pkg:golang/github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51
61+
pkg:golang/github.com/klauspost/compress@v1.18.0
62+
pkg:golang/github.com/klauspost/pgzip@v1.2.6
63+
pkg:golang/github.com/kylelemons/godebug@v1.1.0
64+
pkg:golang/github.com/mattn/go-colorable@v0.1.13
65+
pkg:golang/github.com/mattn/go-isatty@v0.0.20
66+
pkg:golang/github.com/mgutz/ansi@v0.0.0-20170206155736-9520e82c474b
67+
pkg:golang/github.com/mholt/archives@v0.1.1
68+
pkg:golang/github.com/minio/minlz@v1.0.0
69+
pkg:golang/github.com/mongodb-forks/digest@v1.1.0
70+
pkg:golang/github.com/montanaflynn/stats@v0.7.1
71+
pkg:golang/github.com/nwaples/rardecode/v2@v2.1.0
72+
pkg:golang/github.com/pelletier/go-toml/v2@v2.2.3
73+
pkg:golang/github.com/pelletier/go-toml@v1.9.5
74+
pkg:golang/github.com/pierrec/lz4/v4@v4.1.21
75+
pkg:golang/github.com/pkg/browser@v0.0.0-20240102092130-5ac0b6a4141c
76+
pkg:golang/github.com/sagikazarmark/locafero@v0.7.0
77+
pkg:golang/github.com/shirou/gopsutil/v4@v4.25.3
78+
pkg:golang/github.com/sorairolake/lzip-go@v0.3.5
79+
pkg:golang/github.com/sourcegraph/conc@v0.3.0
80+
pkg:golang/github.com/spf13/afero@v1.14.0
81+
pkg:golang/github.com/spf13/cast@v1.7.1
82+
pkg:golang/github.com/spf13/cobra@v1.9.1
83+
pkg:golang/github.com/spf13/pflag@v1.0.6
84+
pkg:golang/github.com/spf13/viper@v1.20.1
85+
pkg:golang/github.com/subosito/gotenv@v1.6.0
86+
pkg:golang/github.com/tangzero/inflector@v1.0.0
87+
pkg:golang/github.com/therootcompany/xz@v1.0.1
88+
pkg:golang/github.com/tklauser/go-sysconf@v0.3.12
89+
pkg:golang/github.com/tklauser/numcpus@v0.6.1
90+
pkg:golang/github.com/ulikunitz/xz@v0.5.12
91+
pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0
92+
pkg:golang/github.com/xdg-go/scram@v1.1.2
93+
pkg:golang/github.com/xdg-go/stringprep@v1.0.4
94+
pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78
95+
pkg:golang/go.mongodb.org/atlas-sdk/v20240530005@v20240530005.0.0
96+
pkg:golang/go.mongodb.org/atlas-sdk/v20250312002@v20250312002.0.0
97+
pkg:golang/go.mongodb.org/atlas@v0.38.0
98+
pkg:golang/go.mongodb.org/mongo-driver@v1.17.3
99+
pkg:golang/go.opentelemetry.io/auto/sdk@v1.1.0
100+
pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.60.0
101+
pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.60.0
102+
pkg:golang/go.opentelemetry.io/otel/metric@v1.35.0
103+
pkg:golang/go.opentelemetry.io/otel/trace@v1.35.0
104+
pkg:golang/go.opentelemetry.io/otel@v1.35.0
105+
pkg:golang/go4.org@v0.0.0-20230225012048-214862532bf5
106+
pkg:golang/golang.org/x/crypto@v0.37.0
107+
pkg:golang/golang.org/x/exp@v0.0.0-20241004190924-225e2abe05e6
108+
pkg:golang/golang.org/x/mod@v0.24.0
109+
pkg:golang/golang.org/x/net@v0.39.0
110+
pkg:golang/golang.org/x/oauth2@v0.29.0
111+
pkg:golang/golang.org/x/sync@v0.13.0
112+
pkg:golang/golang.org/x/sys@v0.32.0
113+
pkg:golang/golang.org/x/term@v0.31.0
114+
pkg:golang/golang.org/x/text@v0.24.0
115+
pkg:golang/golang.org/x/time@v0.11.0
116+
pkg:golang/google.golang.org/api@v0.229.0
117+
pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20250414145226-207652e42e2e
118+
pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20250414145226-207652e42e2e
119+
pkg:golang/google.golang.org/genproto@v0.0.0-20250303144028-a0af3efb3deb
120+
pkg:golang/google.golang.org/grpc@v1.72.0
121+
pkg:golang/google.golang.org/protobuf@v1.36.6
122+
pkg:golang/gopkg.in/yaml.v3@v3.0.1

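--- a/scripts/pre-commit.sh
+++ b/scripts/pre-commit.sh
@@ -39,6 +39,13 @@ if [[ -n "${STAGED_GO_FILES}" ]]; then
 git add docs
 fi
 
+STAGED_GO_MOD_FILES=$(git diff --cached --name-only | grep -E "^go\.(mod|sum)$" || true)
+
+if [[ -n "${STAGED_GO_MOD_FILES}" ]]; then
+make gen-purls > /dev/null
+git add build/package/purls.txt
+fi
+
 STAGED_EVG_FILES=$(git diff --cached --name-only | grep "evergreen.yml$")
 
 for FILE in ${STAGED_EVG_FILES}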
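Review bot: `make gen-purls > /dev/null` is followed unconditionally by `git add build/package/purls.txt`; unless the script runs under `set -e` (its header is outside the hunk, so this cannot be confirmed here), a failed cross-compile stages whatever purls.txt the target left behind, possibly an empty one. Guarding the call — `make gen-purls > /dev/null || { echo "gen-purls failed; purls.txt not updated" >&2; exit 1; }` — makes the hook abort instead of committing a wrong SBOM input. The hook now performs a full `GOOS=linux` build of ./cmd/atlas on every commit that touches go.mod or go.sum, which deserves a one-line comment above the block so contributors understand why the hook is slow on those commits.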
