PHPLIB-1688: Updating Release pipeline with SBOM generation steps #1810
ekovalets wants to merge 4 commits into mongodb:v2.x from
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (v2.x vs. #1810):

                v2.x      #1810     +/-
+ Coverage      87.72%    87.74%    +0.01%
+ Complexity    3195      3185      -10
  Files         424       424
  Lines         6296      6289      -7
- Hits          5523      5518      -5
+ Misses        773       771       -2
| run: composer config allow-plugins.cyclonedx/cyclonedx-php-composer true | ||
| - name: Install CycloneDX plugin | ||
| shell: bash | ||
| run: composer require --dev cyclonedx/cyclonedx-php-composer --ignore-platform-reqs |
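Review bot: the `composer require --dev cyclonedx/cyclonedx-php-composer` line installs the SBOM generator itself with no version constraint, so every release resolves whatever the newest plugin release is at that moment; pin it (for example `cyclonedx/cyclonedx-php-composer:^X.Y`, with the version filled in) so the tool that produces the supply-chain record is itself reproducible. Note also that `composer require` rewrites composer.json and composer.lock in the checkout, so confirm those edits cannot reach the release commit.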
Is there a reason you're using ignore-platform-reqs? If we want to ignore a specific requirement, we should use ignore-platform-req, e.g. --ignore-platform-req=php+ if we're using a newer version of PHP than is supported by the plugin.
| - name: "Generate token and checkout repository" | ||
| uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 | ||
| with: | ||
| app_id: ${{ vars.APP_ID }} | ||
| private_key: ${{ secrets.APP_PRIVATE_KEY }} | ||
|
|
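Review bot: the app token this secure-checkout step mints is what later steps use to push, and once minted it stays available to every subsequent step, including the installation of a third-party Composer plugin. If the step is reinstated earlier in the job, keep the privileged window as short as the checkout order allows, e.g. mint the token immediately before the step that pushes rather than at the top of the job.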
Why was this removed? The "Create and push new release branch" step pushes a branch in line 91, which requires an appropriate token if I'm not mistaken.
This was moved to later stages, but now I moved it up, before SBOM gen.
.github/workflows/release.yml (outdated)
| id: composer-lock | ||
| run: | | ||
| echo "Resolving dependencies and generating composer.lock..." | ||
| composer update --no-install --ignore-platform-reqs |
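Review bot: beyond the `--ignore-platform-reqs` issue, resolving composer.lock inside the release job means the SBOM describes a dependency set chosen at release time rather than the one CI tested; the input to the SBOM should be whatever is committed or tested, and if the lock must be generated here, the `--no-install` run should use the same PHP platform setting as CI so the resolution is reproducible.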
This step should never use ignore-platform-reqs. This could install dependencies that we don't actually want to install or lead to an invalid dependency chain.
.github/workflows/release.yml (outdated)
| - name: "Commit SBOM changes" | ||
| if: steps.sbom_status.outputs.HAS_CHANGES == 'true' | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git add ${{ env.SBOM_FILE }} | ||
| git commit -m "chore: Update SBOM for release ${{ inputs.version }}" | ||
| git push | ||
| echo "📦 SBOM updated and committed" >> $GITHUB_STEP_SUMMARY | ||
| continue-on-error: true |
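Review bot: `continue-on-error: true` on this step means a failed `git commit` or `git push` leaves the job green, so a release can complete with no SBOM committed and nothing flags it; drop the flag or fail the job explicitly. The bare `git push` also relies on whatever upstream the checkout left configured; push to an explicit remote and ref so the target branch is visible in the log.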
Please use the drivers-github-tools/setup action to set git config: (https://github.com/mongodb/mongo-php-driver/blob/a2109ca2730584022ecba44dc7eab65e9cfe397a/.github/workflows/release.yml#L70-L75). The push should also happen with the correct credentials set through the secure-checkout action that you removed previously. Last but not least, a push to a stable branch will lead to a merge-up pull request; we should discuss how to handle this. For example, in PHPC we ensure that newer branches are up-to-date with older branches, so in this case we'll want to mark the branch as merged up using strategy=ours to avoid conflicts or overwriting a newer SBOM. Please see the corresponding step in PHPC: https://github.com/mongodb/mongo-php-driver/blob/a2109ca2730584022ecba44dc7eab65e9cfe397a/.github/workflows/release.yml#L118-L127
.github/workflows/release.yml (outdated)
| php-version: ${{ env.PHP_VERSION }} | ||
| working-directory: '.' | ||
| output-file: ${{ env.SBOM_FILE }} | ||
| output-format: 'json' |
The new action only defines an output-file input, so the others should not be needed.
.github/workflows/release.yml (outdated)
| - name: Checkout repository (Base Branch) | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.event.pull_request.base.ref || github.ref }} |
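Review bot: the third-party actions in this workflow are referenced by floating major tags (`actions/checkout@v5` here, `secure-checkout@v3` earlier in the file); for a job that mints a token and pushes to a release branch, pin them to full commit SHAs with the tag noted in a trailing comment so an upstream tag move cannot change what runs with that credential.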
Since this workflow is only called manually on a branch, github.event.pull_request.base.ref will never be defined, so this should be changed. Ideally, we should rely on the secure-checkout action that we used in this workflow.
Replaced whole with secure checkout.
This PR updated the mongo-php-library release pipeline with automatic sbom.json file generation on release, which is then added to the released branch.