forked from liquibase/liquibase
-
Notifications
You must be signed in to change notification settings - Fork 0
130 lines (116 loc) · 4.82 KB
/
fossa.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# Name of the GitHub Action workflow
name: FOSSA License Compliance and Security Check
# Event triggers for the workflow
on:
workflow_dispatch: # Run this action manually from the GitHub Actions tab
release:
types: [published] # Run this action when a release is published
# Define the jobs in the workflow
jobs:
fossa-scan:
# Specifies the type of runner to use
runs-on: ubuntu-latest
# Sequence of steps that make up a single job
steps:
# Checkout the code to the GitHub runner
- name: Checkout Code
uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
#look for dependencies in maven
- name: maven-settings-xml-action
uses: whelk-io/maven-settings-xml-action@v22
with:
repositories: |
[
{
"id": "liquibase",
"url": "https://maven.pkg.github.com/liquibase/liquibase",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true",
"updatePolicy": "always"
}
},
{
"id": "liquibase-pro",
"url": "https://maven.pkg.github.com/liquibase/liquibase-pro",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true",
"updatePolicy": "always"
}
}
]
servers: |
[
{
"id": "liquibase-pro",
"username": "liquibot",
"password": "${{ secrets.LIQUIBOT_PAT }}"
},
{
"id": "liquibase",
"username": "liquibot",
"password": "${{ secrets.LIQUIBOT_PAT }}"
}
]
- name: Install Maven dependencies (excluding test scope)
run: mvn clean install -DskipTests
- name: run FOSSA CLI
uses: fossas/fossa-action@main
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
branch: ${{ github.ref }}
- name: Get the commit sha
id: get_commit_sha_oss
run: |
commit_sha_lb=`(git rev-parse HEAD)`
echo "commit_sha_lb=${commit_sha_lb}" >> $GITHUB_OUTPUT
# from the below curl commands we output the fossa report with the headers we need. Following this documentation : https://docs.fossa.com/docs/download-fossa-project-attribution-reports
- name: Set the dependency metadata information
run: |
mkdir /home/runner/fossa_reports
curl --location --request PUT 'https://app.fossa.com/api/projects/git+github.com/liquibase/liquibase' \
--header 'Authorization: Bearer ${{ secrets.FOSSA_API_KEY }}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'bom_column_settings%5B%5D=Title' \
--data-urlencode 'bom_column_settings%5B%5D=Version' \
--data-urlencode 'bom_column_settings%5B%5D=Authors' \
--data-urlencode 'bom_column_settings%5B%5D=DeclaredLicense' \
--data-urlencode 'bom_column_settings%5B%5D=PackageHomepage' \
curl --location 'https://app.fossa.com/api/revisions/git%2Bgithub.jparrowsec.cn%2Fliquibase%2Fliquibase%24${{ steps.get_commit_sha_oss.outputs.commit_sha_lb }}/attribution/download?format=CSV&includeDeepDependencies=true&download=true' \
--header 'Authorization: Bearer ${{ secrets.FOSSA_API_KEY }}' -o /home/runner/fossa_reports/liquibase.csv
# Upload to build page for the team to check the csv file contents.
- name: Upload to build page
uses: actions/upload-artifact@v2
with:
name: fossa-reports
path: /home/runner/fossa_reports/liquibase.csv
# Upload report to S3
- name: Upload report to S3
if: always()
run: aws s3 cp /home/runner/fossa_reports/liquibase.csv s3://liquibaseorg-origin/fossa_reports_liquibase-pro/
env:
AWS_ACCESS_KEY_ID: ${{ secrets.LIQUIBASEORIGIN_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.LIQUIBASEORIGIN_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
# trigger a job in liquibase-pro for the fossa-scan report generation and merging of OSS and PRO reports
run-pro-fossa-report:
runs-on: ubuntu-latest
needs: [ fossa-scan ]
steps:
- name: Dispatch event to PRO repository
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.LIQUIBOT_PAT_GPM_ACCESS }}
repository: liquibase/liquibase-pro
event-type: FOSSA_Scan_PRO
client-payload: '{"repository": "${{ github.repository }}", "branch": "${{ github.ref }}", "sha": "${{ github.sha }}", "server_url": "${{ github.server_url }}", "run_id": "${{ github.run_id }}"}'