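name: sbom-diff-and-risk-ci
run-name: sbom-diff-and-risk ci / ${{ github.event_name }} / ${{ github.ref_name }}

on:
  workflow_dispatch:
  push:
    # Version tags provide a minimal release-build scaffold without changing publishing.
    # NOTE(review): with only `tags` (and no `branches`) under `push`, branch pushes do
    # not trigger this workflow, so the `paths` filter below only matters for tag pushes;
    # confirm that is the intended coverage for changes under tools/sbom-diff-and-risk.
    tags:
      - "v*"
    paths:
      - ".github/workflows/sbom-diff-and-risk-ci.yml"
      - "tools/sbom-diff-and-risk/**"
  pull_request:
    paths:
      - ".github/workflows/sbom-diff-and-risk-ci.yml"
      - "tools/sbom-diff-and-risk/**"

# Default-deny at the workflow level; every job opts in to the minimum it needs.
permissions: {}

env:
  # Quoted so the version is a string, not the float 3.11.
  SBOM_DIFF_RISK_PYTHON_VERSION: "3.11"
  # Artifact name shared by the upload in build-and-attest and the download in
  # publish-release-assets; the download is scoped to this same workflow run.
  SBOM_DIFF_RISK_DIST_ARTIFACT_NAME: sbom-diff-and-risk-dist
  SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX: sbom-diff-and-risk

# TODO(review): the `uses:` references below pin to major-version tags. Pinning each to a
# full commit SHA (e.g. `actions/checkout@<COMMIT_SHA>  # v6`, placeholder) keeps a moved
# or compromised tag from changing what runs in the release path.
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    defaults:
      run:
        working-directory: tools/sbom-diff-and-risk
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          # Nothing after checkout needs the repo token, so do not leave it in .git/config.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
      - name: Upgrade pip
        run: python -m pip install --upgrade pip
      - name: Install project
        # Quoted so the shell never treats `.[dev]` as a glob pattern.
        run: python -m pip install -e ".[dev]"
      - name: Run test suite
        run: python -m pytest
      - name: CLI smoke test
        shell: bash
        # Regenerates the example reports and requires them to match the committed
        # samples byte-for-byte (diff -u fails the step on any difference).
        run: |
          set -euo pipefail
          tmpdir="$(mktemp -d)"
          python -m sbom_diff_risk.cli compare \
            --before examples/cdx_before.json \
            --after examples/cdx_after.json \
            --format auto \
            --out-json "$tmpdir/report.json" \
            --out-md "$tmpdir/report.md"
          test -f "$tmpdir/report.json"
          test -f "$tmpdir/report.md"
          diff -u examples/sample-report.json "$tmpdir/report.json"
          diff -u examples/sample-report.md "$tmpdir/report.md"

  build-and-attest:
    # Keep provenance publication on trusted non-PR runs so consumers verify
    # workflow-produced wheel/sdist artifacts from this repository workflow.
    # NOTE(review): this also runs for workflow_dispatch on any ref, so attestations
    # can be produced for unreviewed branches; restrict the dispatch ref if that matters.
    if: github.event_name != 'pull_request'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token and attestations are required by actions/attest for signing.
      id-token: write
      attestations: write
    defaults:
      run:
        working-directory: tools/sbom-diff-and-risk
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
      - name: Upgrade pip
        run: python -m pip install --upgrade pip
      - name: Install build tooling
        # TODO(review): `build` is installed unpinned; pinning it (version and hashes)
        # makes the attested artifacts reproducible from a fixed toolchain.
        run: python -m pip install build
      - name: Build distributable artifacts
        run: python -m build
      - name: Upload wheel and source distribution artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.SBOM_DIFF_RISK_DIST_ARTIFACT_NAME }}
          # upload-artifact paths are relative to the workspace, not to
          # defaults.run.working-directory, hence the full tools/... prefix.
          path: |
            tools/sbom-diff-and-risk/dist/*.whl
            tools/sbom-diff-and-risk/dist/*.tar.gz
          if-no-files-found: error
      - name: Generate artifact attestation for built distributions
        uses: actions/attest@v4
        with:
          subject-path: ${{ github.workspace }}/tools/sbom-diff-and-risk/dist/*

  publish-release-assets:
    # Publish the exact built wheel/sdist bytes from this run as release assets.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    needs: build-and-attest
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          # NOTE(review): the release steps below only use `gh --repo`, so the full
          # history fetch looks unused; confirm before dropping it.
          fetch-depth: 0
          # The release step authenticates through GH_TOKEN, not the git remote.
          persist-credentials: false
      - name: Download built distribution artifact
        uses: actions/download-artifact@v4
        with:
          name: ${{ env.SBOM_DIFF_RISK_DIST_ARTIFACT_NAME }}
          path: release-assets
      - name: Publish release assets from CI-built distributions
        shell: bash
        # All dynamic values enter the script through env, never through ${{ }}
        # interpolation inside `run`, so ref names cannot inject into the shell.
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          RELEASE_TAG: ${{ github.ref_name }}
          RELEASE_TITLE_PREFIX: ${{ env.SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX }}
        run: |
          set -euo pipefail
          # nullglob makes a missing pattern expand to nothing instead of a literal.
          shopt -s nullglob
          assets=(release-assets/*.whl release-assets/*.tar.gz)
          if [ "${#assets[@]}" -eq 0 ]; then
            echo "No release assets found in release-assets/" >&2
            exit 1
          fi
          title="${RELEASE_TITLE_PREFIX} ${RELEASE_TAG}"
          # A release that is already published is left untouched; a draft is completed
          # below. A missing release is created as a draft so assets land before it
          # becomes visible, and --verify-tag refuses tags that do not exist remotely.
          if gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" >/dev/null 2>&1; then
            is_draft="$(gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" --json isDraft -q .isDraft)"
            if [ "${is_draft}" != "true" ]; then
              echo "Release ${RELEASE_TAG} already exists and is published; leaving assets unchanged."
              exit 0
            fi
          else
            gh release create "${RELEASE_TAG}" \
              --repo "${GH_REPO}" \
              --draft \
              --verify-tag \
              --title "${title}" \
              --notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance."
          fi
          gh release upload "${RELEASE_TAG}" "${assets[@]}" --repo "${GH_REPO}" --clobber
          gh release edit "${RELEASE_TAG}" --repo "${GH_REPO}" --draft=false --title "${title}"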