actions/runner-images
1
0
Fork 0
mirror of https://github.com/actions/runner-images.git synced 2025-12-11 11:37:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

[workflow] SBOM; add cross-support for version formats (#13218)

Browse Source
This commit is contained in:
Erik Bershel
2025-11-06 13:39:54 +01:00
committed by GitHub
parent 7901df4cde
commit 10901db80b
1 changed files with 43 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
.github/workflows/create_sbom_report.yml vendored
View File

@@ -1,96 +1,112 @@
name: Create SBOM for the release name: Create SBOM for the release
# Inherited variables:
# github.event.client_payload.agentSpec - Current YAML Label
# github.event.client_payload.ReleaseID - Current release ID
# github.event.client_payload.imageVersion - AzDO image version "major.minor"
#
# Current SYFT tool issues:
# macOS (major): prompt privileges that blocking process indefinitely (https://github.com/anchore/syft/issues/1367)
run-name: Collecting SBOM for ${{ github.event.client_payload.agentSpec || 'unknown image' }} - ${{ github.event.client_payload.imageVersion || 'unknown version' }} run-name: Collecting SBOM for ${{ github.event.client_payload.agentSpec || 'unknown image' }} - ${{ github.event.client_payload.imageVersion || 'unknown version' }}
on: on:
repository_dispatch: repository_dispatch:
types: [generate-sbom] types: [generate-sbom]
defaults: defaults:
run: run:
shell: pwsh shell: pwsh
jobs: jobs:
#Checking current release for SBOM
sbom-check: sbom-check:
outputs: outputs:
check_status: ${{ steps.check.outputs.status }} check_status: ${{ steps.check.outputs.status }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
RELEASE_ID: ${{ github.event.client_payload.ReleaseID }}
steps: steps:
- name: Check release for ${{ github.event.client_payload.agentSpec }} - name: Check SBOM asset for release ${{ env.RELEASE_ID }}
id: check id: check
shell: pwsh shell: pwsh
run: | run: |
$apiUrl = "https://api.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}" $apiUrl = "https://api.github.com/repos/actions/runner-images/releases/$env:RELEASE_ID"
$response = Invoke-RestMethod -Uri $apiUrl -Method Get -SkipHttpErrorCheck $response = Invoke-RestMethod -Uri $apiUrl -Method Get -SkipHttpErrorCheck
if ($response.message -ilike "Not Found") { if ($response.message -ilike "Not Found") {
echo "status=release_not_found" >> $env:GITHUB_OUTPUT echo "status=release_not_found" >> $env:GITHUB_OUTPUT
Write-Error "Release ${{ github.event.client_payload.ReleaseID }} wasn't found" Write-Error "Release $env:RELEASE_ID wasn't found"
exit 1 exit 1
} }
foreach ($asset in $response.assets) { foreach ($asset in $response.assets) {
if ($asset.name -like '*sbom*') { if ($asset.name -like '*sbom*') {
echo "status=sbom_exists" >> $env:GITHUB_OUTPUT echo "status=sbom_exists" >> $env:GITHUB_OUTPUT
return "Release ${{ github.event.client_payload.ReleaseID }} already contains a SBOM" return "Release $env:RELEASE_ID already contains a SBOM"
} }
} }
Write-Host "Release has been found, SBOM is not attached, starting generation." Write-Host "Release has been found, SBOM is not attached, starting generation."
echo "status=okay" >> $env:GITHUB_OUTPUT echo "status=okay" >> $env:GITHUB_OUTPUT
#Generating SBOM
building-sbom: building-sbom:
needs: sbom-check needs: sbom-check
if: ${{ needs.sbom-check.outputs.check_status == 'okay' }} if: ${{ needs.sbom-check.outputs.check_status == 'okay' }}
runs-on: ${{ github.event.client_payload.agentSpec }} runs-on: ${{ github.event.client_payload.agentSpec }}
env:
AGENT_SPEC: ${{ github.event.client_payload.agentSpec }}
RELEASE_ID: ${{ github.event.client_payload.ReleaseID }}
IMAGE_VERSION: ${{ github.event.client_payload.imageVersion }}
steps: steps:
- name: Available image version check for ${{ github.event.client_payload.agentSpec }} - ${{ github.event.client_payload.imageVersion }} - name: Available image version check
run: | run: |
$imageVersionComponents = $env:ImageVersion.Split('.') $expectedVersion = $env:IMAGE_VERSION
$imageMajorVersion = $imageVersionComponents[0] $runnerVersion = $env:ImageVersion
$imageMinorVersion = $imageVersionComponents[1]
if ("$imageMajorVersion.$imageMinorVersion" -ne '${{ github.event.client_payload.imageVersion }}') { # Split versions by dot
throw "Current runner $imageMajorVersion.$imageMinorVersion image version doesn't match ${{ github.event.client_payload.imageVersion }}." $expectedParts = $expectedVersion.Split('.')
$runnerParts = $runnerVersion.Split('.')
# Determine what parts to compare
$minLength = [Math]::Min($expectedParts.Length, $runnerParts.Length)
$expectedComparable = $expectedParts[0..($minLength-1)] -join '.'
$runnerComparable = $runnerParts[0..($minLength-1)] -join '.'
# Perform the comparison
if ($expectedComparable -ne $runnerComparable) {
throw "Version mismatch: Expected version '$expectedVersion' doesn't match runner version '$runnerVersion'"
} }
- name: Install SYFT tool on Windows - name: Install SYFT tool on Windows
if: ${{ runner.os == 'Windows' }} if: ${{ runner.os == 'Windows' }}
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b C:/syft run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b C:/syft
- name: Install SYFT tool on Ubuntu - name: Install SYFT tool on Ubuntu
if: ${{ runner.os == 'Linux' }} if: ${{ runner.os == 'Linux' }}
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Install SYFT v1.24.0 on macOS - name: Install SYFT v1.24.0 on macOS
if: ${{ runner.os == 'macOS' }} if: ${{ runner.os == 'macOS' }}
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.24.0 run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.24.0
#Running section.
- name: Run SYFT on Windows - name: Run SYFT on Windows
if: ${{ runner.os == 'Windows' }} if: ${{ runner.os == 'Windows' }}
run: C:/syft/syft dir:C:/ -vv -o spdx-json=sbom.json run: C:/syft/syft dir:C:/ -vv -o spdx-json=sbom.json
- name: Run SYFT on Ubuntu - name: Run SYFT on Ubuntu
if: ${{ runner.os == 'Linux' }} if: ${{ runner.os == 'Linux' }}
run: syft dir:/ -vv -o spdx-json=sbom.json run: syft dir:/ -vv -o spdx-json=sbom.json
- name: Run SYFT on macOS - name: Run SYFT on macOS
if: ${{ runner.os == 'macOS' }} if: ${{ runner.os == 'macOS' }}
# Skip protected folders to avoid prompt privileges that block process indefinitely (https://github.com/anchore/syft/issues/1367)
run: sudo syft dir:/ -vv -o spdx-json=sbom.json --exclude ./Users --exclude ./System/Volumes --exclude ./private run: sudo syft dir:/ -vv -o spdx-json=sbom.json --exclude ./Users --exclude ./System/Volumes --exclude ./private
shell: bash shell: bash
#Preparing artifact (raw SBOM.json is too big)
- name: Compress SBOM file - name: Compress SBOM file
run: Compress-Archive sbom.json sbom.json.zip run: Compress-Archive sbom.json sbom.json.zip
#Upload artifact action
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v4
with: with:
name: sbom-${{ github.event.client_payload.agentSpec }}-${{ github.event.client_payload.imageVersion }} name: sbom-${{ env.AGENT_SPEC }}-${{ env.IMAGE_VERSION }}
path: sbom.json.zip path: sbom.json.zip
if-no-files-found: warn if-no-files-found: warn
#Upload release asset action
#Might be changed to softprops/action-gh-release after additional check
- name: Upload release asset - name: Upload release asset
uses: actions/upload-release-asset@v1 uses: actions/upload-release-asset@v1
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:
upload_url: "https://uploads.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}/assets{?name,label}" upload_url: "https://uploads.github.com/repos/actions/runner-images/releases/${{ env.RELEASE_ID }}/assets{?name,label}"
asset_path: ./sbom.json.zip asset_path: ./sbom.json.zip
asset_name: sbom.${{ github.event.client_payload.agentSpec }}.json.zip asset_name: sbom.${{ env.AGENT_SPEC }}.json.zip
asset_content_type: application/zip asset_content_type: application/zip