NH-103804: reverselab scan gem

xuan-cao-swi · xuan-cao-swi · commit a27e77a93f83 · 2025-03-10T11:43:10.000-04:00
diff --git a/.github/workflows/build_and_release_gem.yml b/.github/workflows/build_and_release_gem.yml
@@ -82,6 +82,12 @@ jobs:
               draft: true
             })
 
+      - name: Upload to artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem
+          path: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem
+
       # may need a bit of time for the gem to become available (-> sleep 1)
       - name: Download new Rubygem from rubygems.org and test
         working-directory: .github/workflows/
@@ -92,3 +98,45 @@ jobs:
           sudo apt-get update && sudo apt-get install -y ruby-dev g++ make
           gem install solarwinds_apm --version ${{ steps.build.outputs.gem_version }}
           ruby ./scripts/test_install.rb
+
+  # extract the built layer from artifacts, then scan it with reverselab
+  reverselab_scan_gem:
+    needs:
+      - publish_to_ruby_gem
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: extract current solarwinds_apm version
+        id: extract
+        run: |
+          APM_VERSION=$(ruby -e 'require "./lib/solarwinds_apm/version"; puts SolarWindsAPM::Version::STRING')
+          echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV
+
+      - name: extract layer zip from artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
+          path: ./
+
+      - name: Scan build artifact on the Portal
+        id: rl-scan
+        env:
+          RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }}
+        uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+        with:
+          artifact-to-scan: ./solarwinds_apm-${{ steps.SOLARWINDS_APM_VERSION }}.gem
+          rl-verbose: true
+          rl-portal-server: solarwinds
+          rl-portal-org: SolarWinds
+          rl-portal-group: SaaS-Agents-SWO
+          rl-package-url: solarwinds-apm-ruby/apm-ruby-prod@${{ env.SOLARWINDS_APM_VERSION }}
+
+      - name: report the scan status
+        if: success() || failure()
+        run: |
+          echo "The status is: '${{ steps.rl-scan.outputs.status }}'"
+          echo "The description is: '${{ steps.rl-scan.outputs.description }}'"
diff --git a/.github/workflows/build_for_github_package.yml b/.github/workflows/build_for_github_package.yml
@@ -7,7 +7,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
+  publish_to_github_package:
     name: Build + Publish to Github Package
     runs-on: ubuntu-latest
 
@@ -47,3 +47,51 @@ jobs:
           bundle exec rake push_gem_to_github_package[${{ steps.version.outputs.gem_version }}]
         env:
           GITHUB_SECRET_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload to artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem
+          path: builds/solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem
+
+  # extract the built layer from artifacts, then scan it with reverselab
+  reverselab_scan_gem:
+    needs:
+      - publish_to_github_package
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: extract current solarwinds_apm version
+        id: extract
+        run: |
+          APM_VERSION=$(ruby -e 'require "./lib/solarwinds_apm/version"; puts SolarWindsAPM::Version::STRING')
+          echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV
+
+      - name: extract layer zip from artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
+          path: builds
+
+      - name: Scan build artifact on the Portal
+        id: rl-scan
+        env:
+          RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }}
+        uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+        with:
+          artifact-to-scan: builds/solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
+          rl-verbose: true
+          rl-portal-server: solarwinds
+          rl-portal-org: SolarWinds
+          rl-portal-group: SaaS-Agents-SWO
+          rl-package-url: solarwinds-apm-ruby/apm-ruby-stg@${{ env.SOLARWINDS_APM_VERSION }}
+
+      - name: report the scan status
+        if: success() || failure()
+        run: |
+          echo "The status is: '${{ steps.rl-scan.outputs.status }}'"
+          echo "The description is: '${{ steps.rl-scan.outputs.description }}'"
