From 9960dd55f881ba4b1249d83eff9efce90fafc050 Mon Sep 17 00:00:00 2001
From: Viktor Petersson
Date: Tue, 1 Oct 2024 15:49:15 +0100
Subject: [PATCH] Feedback after meeting
---
 .github/workflows/phase_1_python.yml | 53 +++--------------------------
 1 file changed, 4 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/phase_1_python.yml b/.github/workflows/phase_1_python.yml
index e72a9ae..0a1c49e 100644
--- a/.github/workflows/phase_1_python.yml
+++ b/.github/workflows/phase_1_python.yml
@@ -147,7 +147,7 @@ jobs:
 --author "$SBOM_AUTHOR" \
 --supplier "$SBOM_SUPPLIER" \
 --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
- --lifecycle source \
+ --lifecycle pre-build \
 --license 'Apache-2.0' \
 application-sbom-cyclonedx/application-sbom.cdx.json > /tmp/augmented_application-sbom.cdx.tmp
@@ -170,7 +170,7 @@ jobs:
 --author "$SBOM_AUTHOR" \
 --supplier "$SBOM_SUPPLIER" \
 --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
- --lifecycle source \
+ --lifecycle pre-build \
 --license 'Apache-2.0' \
 container-sbom-spdx/container-sbom.spdx.json > /tmp/augmented_container-sbom.spdx.tmp
@@ -193,7 +193,7 @@ jobs:
 --author "$SBOM_AUTHOR" \
 --supplier "$SBOM_SUPPLIER" \
 --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
- --lifecycle source \
+ --lifecycle pre-build \
 --license 'Apache-2.0' \
 application-sbom-spdx/application-sbom.spdx.json > /tmp/augmented_application-sbom.spdx.tmp
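Review bot: The second hunk stamps `container-sbom-spdx/container-sbom.spdx.json` with the same `--lifecycle pre-build` as the two application SBOMs in the first and third hunks, which may misstate where that document comes from. If the container SBOM is produced by scanning a built image, as its name suggests, a later phase such as `post-build` would describe it more accurately, provided the tool accepts that value; the generation step is outside these hunks, so this needs confirming. Consumers read the lifecycle phase to judge how close an SBOM is to the shipped artifact, so a wrong phase weakens it as supply-chain evidence. A short comment above the first use, for example `# application SBOMs are built from source manifests before any build runs, hence pre-build`, would record why each value was chosen.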
@@ -250,53 +250,8 @@ jobs: name: enriched-sboms path: "/tmp/enriched_*.json" - - Consolidate: - runs-on: ubuntu-latest - needs: [Enrich] - steps: - - uses: actions/checkout@v4 - - - name: Download all workflow run artifacts - uses: actions/download-artifact@v4 - - # TODO: Add SPDX - - - name: Build top-level CDX SBOM - run: | - # Create destination folder - #mkdir /tmp/output - - # Define metadata for parent template - #export TOP_LEVEL_UUID=$(uuidgen) - #export APPLICATION_SBOM_SHA256=$(sha256sum enriched-sboms/enriched_application-sbom.cdx.json | awk {'print $1'}) - #export CONTAINER_SBOM_SHA256=$(sha256sum enriched-sboms/enriched_container-sbom.cdx.json | awk {'print $1'}) - #export CREATION_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%S%z") - #export CONTAINER_BOM_REF=$(jq -r '.metadata.component["bom-ref"]' enriched-sboms/enriched_container-sbom.cdx.json) - #export APPLICATION_BOM_REF=$(jq -r '.metadata.component["bom-ref"]' enriched-sboms/enriched_application-sbom.cdx.json) - - # We're using `envsubst` here to populate the metadata - # template from environment variables - #cat "phase_1/Python/sbom/top-level.cdx.json.tmpl" | jq | \ - # envsubst > top-level-sbom.cdx.json.tmp - - # Set GITHUB_RUN_NUMBER as the version of the SBOM - #jq '.version = (env.GITHUB_RUN_NUMBER | tonumber)' \ - # top-level-sbom.cdx.json.tmp \ - # > /tmp/output/top-level-sbom.cdx.json - - # Copy in enriched SBOMs - #cp enriched-sboms/enriched_*-sbom.cdx.json /tmp/output/ - - - name: Upload Top Level SBOMs - uses: actions/upload-artifact@v4 - with: - name: top-level-sboms - path: /tmp/output/ - - Validate: - needs: Consolidate + needs: Augment runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
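Review bot: `needs: Augment` lets Validate start as soon as Augment finishes, so it no longer waits for the job that uploads `enriched-sboms` (presumably Enrich, shown in the context just above). The removed Consolidate job used to enforce that order through `needs: [Enrich]`. If Validate is meant to gate the final output, it can now run before the enriched files exist, or never look at them, and the SBOMs that are finally published go unvalidated. Validate's steps continue outside the hunk, so which artifacts it downloads cannot be confirmed here. If the enriched SBOMs are the deliverable, `needs: Enrich` or `needs: [Augment, Enrich]` would keep validation as the last step in the chain.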