diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d7afdfe..efa78b2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -118,26 +118,35 @@ jobs:
id-token: "write"
steps:
- uses: "actions/checkout@v4"
+
- name: "install nix"
uses: "cachix/install-nix-action@v30"
+
- name: "login to ghcr.io"
uses: "docker/login-action@v3"
with:
registry: "ghcr.io"
username: "${{ github.actor }}"
password: "${{ secrets.GITHUB_TOKEN }}"
+
- uses: "dtolnay/rust-toolchain@stable"
+
- uses: "cargo-bins/cargo-binstall@main"
+
- run: |
cargo binstall --no-confirm just
+
- name: "nix cache"
uses: "DeterminateSystems/magic-nix-cache-action@main"
+
- name: "confirm sources"
run: |
./scripts/confirm-sources.sh
+
- name: "build + push"
run: |
just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
+
- name: "Install SBOM generator dependencies"
run: |
for f in /tmp/dpdk-sys/builds/*; do
@@ -146,50 +155,26 @@ jobs:
cargo binstall --no-confirm csview
sudo apt-get update
sudo apt-get install --yes --no-install-recommends graphviz
+
- name: "Generate SBOM"
run: |
./scripts/sbom.sh
- - name: "SBOM upload"
- # if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
- uses: "advanced-security/spdx-dependency-submission-action@v0.1.1"
- with:
- filePattern: '/tmp/dpdk-sys/builds/*.spdx.json'
+
- name: "step summary"
continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB
run: |
- {
- echo "# Outdated packages (gnu64):";
- echo "";
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md;
- echo "";
- echo "# Outdated packages (musl64):";
- echo "";
- cat /tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md;
- echo "";
- echo "# Vuln scan (gnu64):";
- echo "";
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md;
- echo "";
- echo "# Vuln scan (musl64):";
- echo "";
- cat /tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md;
- echo "";
- } >> $GITHUB_STEP_SUMMARY
+ cat "/tmp/dpdk-sys/builds/env.sysroot.summary.md" >> "${GITHUB_STEP_SUMMARY}"
+
- name: "remove links from /tmp/dpdk-sys/builds"
run: |
for f in /tmp/dpdk-sys/builds/*; do
[ -h "$f" ] && rm "$f"
done
+
- uses: "actions/upload-artifact@v4"
with:
name: "builds-${{ matrix.toolchain.key }}"
path: "/tmp/dpdk-sys/builds"
- - name: "Setup tmate session for debug"
- if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
- uses: "mxschmitt/action-tmate@v3"
- timeout-minutes: 60
- with:
- limit-access-to-actor: true
- name: "outdated packages (gnu64)"
uses: "actions/github-script@v7"
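Review bot: Removing the `SBOM upload` step means the SPDX documents that `./scripts/sbom.sh` still writes under `/tmp/dpdk-sys/builds` no longer reach the repository dependency graph; they survive only inside the `builds-${{ matrix.toolchain.key }}` artifact, so any dependency-graph-based alerting that consumed them stops. The old step ran unconditionally because its `if:` was commented out, which may be the reason it was dropped, but the guard `if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}` would have limited the submission to pushes on main instead. If artifact-only is the intent, a one-line comment on the `Generate SBOM` step such as `# SPDX output is kept as a build artifact only; it is not submitted to the dependency graph` would spare the next reader the question.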
@@ -199,8 +184,12 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
script: |
let fs = require('fs');
- let body = "# Outdated packages (gnu64):\n";
+ let body = "\n";
+ body += "\n\n";
+ body += "## Outdated packages (gnu64):\n\n";
+ body += "
\n\n";
body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md');
+ body += "\n \n";
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
@@ -216,8 +205,12 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
script: |
let fs = require('fs');
- let body = "# Outdated packages (musl64):\n";
+ let body = "\n";
+ body += "\n\n";
+ body = "## Outdated packages (musl64):\n";
+ body += "
\n\n";
body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md');
+ body += "\n \n";
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
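Review bot: `body = "## Outdated packages (musl64):\n";` is a plain assignment, so the two fragments built just above it by `let body = "\n";` and `body += "\n\n";` are thrown away; the gnu64 step in the previous hunk uses `body += "## Outdated packages (gnu64):\n\n";`, which is presumably what was meant here too. The same `body =` slip appears in the next two hunks (`## Vulnerable packages (gnu64)` and `## Vulnerable packages (musl64)`), so all three should become `body += "## Outdated packages (musl64):\n\n";` with the respective heading. The `body += "` fragment that continues on the following line as `\n\n";` reads like a tag lost in rendering; if the workflow file genuinely breaks the literal across lines it is an unterminated string and the script step would not parse. The `github.rest.issues.createComment(` call continues past the hunk.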
@@ -233,8 +226,12 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
script: |
let fs = require('fs');
- let body = "# Vulnerable packages (gnu64):\n";
+ let body = "\n";
+ body += "\n\n";
+ body = "## Vulnerable packages (gnu64):\n";
+ body += "
\n\n";
body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md');
+ body += "\n \n";
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
@@ -250,8 +247,12 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
script: |
let fs = require('fs');
- let body = "# Vulnerable packages (musl64):\n";
+ let body = "\n";
+ body += "\n\n";
+ body = "## Vulnerable packages (musl64):\n";
+ body += "
\n\n";
body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md');
+ body += "\n \n";
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
@@ -259,6 +260,14 @@ jobs:
body: body
});
+ - name: "Setup tmate session for debug"
+ if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
+ uses: "mxschmitt/action-tmate@v3"
+ timeout-minutes: 60
+ with:
+ limit-access-to-actor: true
+
+
summary:
name: "summary"
if: ${{ always() }}
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
index b03708c..8233d20 100644
--- a/.github/workflows/bump.yml
+++ b/.github/workflows/bump.yml
@@ -7,7 +7,7 @@
# Production artifacts are produced in a sterile environment (in another CI workflow).
-name: "bump"
+name: "bump.yml"
on:
workflow_dispatch:
inputs:
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
index 1402396..39cd522 100755
--- a/scripts/sbom.sh
+++ b/scripts/sbom.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bash
-set -euxo pipefail
+set -euo pipefail
declare -r sbomnix="github:tiiuae/sbomnix"
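Review bot: Dropping `x` from `set -euxo pipefail` removes the command echo that made each `nix run` invocation visible in the CI log, and with the scans now running serially the `--verbose=1` flags are the only remaining progress output. If log noise was the motivation, `[ -n "${RUNNER_DEBUG:-}" ] && set -x` placed after the `set` line keeps the trace available when a run is re-run with debug logging enabled.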
@@ -12,8 +12,20 @@ declare -r package="env.sysroot"
nix build "${sbomnix}" --out-link /tmp/sbomnix
+declare -a cleanup_cmds=()
+cleanup() {
+ declare cmd
+ for cmd in "${cleanup_cmds[@]}"; do
+ ${cmd}
+ done
+}
+trap cleanup EXIT
+
+declare summary="${builds}/${package}.summary.md"
+truncate --size 0 "${summary}"
+
for libc in "gnu64" "musl64"; do
- cd "$(mktemp -d)"
+ pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
nix run \
"${sbomnix}#sbomnix" \
-- \
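Review bot: `pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")` stores a command as a string that `cleanup` later executes through the unquoted `${cmd}` word-splitting; recording the directory paths instead and passing them to one quoted `rm -rf --` gives the same effect without re-parsing text as a command and tolerates paths containing spaces. Because `pushd` is the left operand of `&&`, a failing `pushd` does not trip `set -e`: the script carries on and the following `nix run` executes in whatever directory the previous iteration left behind. The same pattern recurs four more times in the next hunk, and the `nix run` argument list started here continues past this hunk.
```shell
declare -a tmpdirs=()
cleanup() {
  if [ "${#tmpdirs[@]}" -gt 0 ]; then
    rm -rf -- "${tmpdirs[@]}"
  fi
}
trap cleanup EXIT
# … unchanged: summary file setup …
for libc in "gnu64" "musl64"; do
  tmpdir="$(mktemp -d)"
  tmpdirs+=("${tmpdir}")
  pushd "${tmpdir}" > /dev/null
```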
@@ -22,47 +34,80 @@ for libc in "gnu64" "musl64"; do
--spdx "${builds}/${package}.${libc}.sbom.spdx.json" \
--verbose=1 \
--include-vulns \
- "${builds}/${package}.${libc}.release" &
- cd "$(mktemp -d)"
+ "${builds}/${package}.${libc}.release"
+ pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
nix run \
"${sbomnix}#vulnxscan" \
-- \
--out "${builds}/${package}.${libc}.vulns.csv" \
--triage \
--verbose=1 \
- "${builds}/${package}.${libc}.release" &
- cd "$(mktemp -d)"
+ "${builds}/${package}.${libc}.release"
+ pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
nix run \
"${sbomnix}#nix_outdated" \
-- \
--out "${builds}/${package}.${libc}.outdated.csv" \
--verbose=1 \
- "${builds}/${package}.${libc}.release" &
- cd "$(mktemp -d)"
+ "${builds}/${package}.${libc}.release"
+ pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
nix run \
"${sbomnix}#provenance" \
-- \
--out "${builds}/${package}.${libc}.provenance.json" \
--verbose=1 \
--recursive \
- "${builds}/${package}.${libc}.release" &
- cd "$(mktemp -d)"
+ "${builds}/${package}.${libc}.release"
+ pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
nix run \
"${sbomnix}#nixgraph" \
-- \
--out "${builds}/${package}.${libc}.nixgraph.dot" \
- --depth=15 \
+ --depth=99 \
--verbose=1 \
- "${builds}/${package}.${libc}.release" &
-done
+ "${builds}/${package}.${libc}.release"
-wait
+ for file in "${builds}/${package}.${libc}."*".csv"; do
+ csview --style markdown "$file" > "${file%.csv}.md"
+ done
-for file in "${builds}/"*.csv; do
- csview --style markdown "$file" > "${file%.csv}.md"
-done
+ for file in "${builds}/${package}.${libc}."*".dot"; do
+ dot -Tsvg "$file" > "${file%.dot}.svg"
+ done
-for file in "${builds}/"*.dot; do
- dot -Tsvg "$file" > "${file%.dot}.svg"
- dot -Gdpi=300 -Tpng "$file" > "${file%.dot}.png"
+ {
+ echo "";
+ echo "";
+ echo "";
+ echo "## Vuln scan (${libc}):";
+ echo "";
+ echo "
";
+ echo "";
+ cat ${builds}/${package}.${libc}.vulns.triage.md;
+ echo "";
+ echo " ";
+ echo "";
+ echo "";
+ echo "";
+ echo "";
+ echo "## Outdated packages (${libc}):";
+ echo "";
+ echo "
";
+ echo "";
+ cat ${builds}/${package}.${libc}.outdated.md;
+ echo "";
+ echo " ";
+ echo "";
+ echo "";
+ echo "";
+ echo "";
+ echo "## SBOM (${libc}):";
+ echo "";
+ echo "
";
+ echo "";
+ cat ${builds}/${package}.${libc}.sbom.md;
+ echo "";
+ echo " ";
+ echo "";
+ } >> "${summary}"
done
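Review bot: The three `cat ${builds}/${package}.${libc}.vulns.triage.md;`, `.outdated.md` and `.sbom.md` lines inside the summary block leave the path unquoted, while every other `${builds}` expansion in the script is quoted; write them as `cat "${builds}/${package}.${libc}.vulns.triage.md";` (and likewise for the other two) so the path is not subject to word splitting and globbing. `${package}.${libc}.sbom.md` only exists if the new csv-to-markdown loop finds a `.sbom.csv`, which depends on the sbomnix argument list that begins before this hunk; if it is not written, `cat` fails and `set -e` aborts after the vulnerability and outdated sections have already been appended to the summary. Dropping the trailing `&` on each `nix run` also turns five concurrent scans per libc into a serial sequence; if that is intended (the scratch-directory bookkeeping implies it), a comment above the `for libc` loop such as `# scans run serially; each tool gets its own scratch dir, removed at exit` would record it.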