test Frogbot

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: Docker-build-with-evidence
+name: ptfl-build-with-evidence
 
 on:
   [workflow_dispatch]
@@ -9,9 +9,12 @@ permissions:
 
 jobs:
   Docker-build-with-evidence:
+    environment: Jfrog
     runs-on: ubuntu-latest
     env:
-      REPO_NAME: evidence-demo-docker-dev
+      REPO_NAME: ptfl-oci-dev-local
+      JF_PROJECT: ptfl 
+
     steps:
 
       - uses: actions/checkout@v4
@@ -25,46 +28,48 @@ jobs:
       - name: Build Docker image
         run: |
           URL=$(echo ${{ vars.ARTIFACTORY_URL }} | sed 's|^https://||')
+          echo ${URL}
           REPO_URL=${URL}/${REPO_NAME}
+          echo ${REPO_URL}
           docker build -t ${REPO_URL}/example-go-app:${{ github.run_number }} .
-          jf docker push ${REPO_URL}/example-go-app:${{ github.run_number }}
+          jf docker push ${REPO_URL}/example-go-app:${{ github.run_number }} --project ${JF_PROJECT}
 
       - name: Evidence on docker
         run: |
           echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json
-          jf evd create --package-name example-go-app --package-version ${{ github.run_number }} --package-repo-name ${REPO_NAME} \
-          --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} \
-          --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1 
+          cat ./sign.json
+          jf evd create --package-name example-go-app --package-version ${{ github.run_number }} --package-repo-name ${REPO_NAME} --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1 --project ${JF_PROJECT} 
           echo '🔎 Evidence attached: `signature` 🔏 ' 
 
       - name: Collecting Information from Git
-        run: jf rt build-add-git
+        run: jf rt build-add-git --project ${JF_PROJECT}
 
       - name: Collecting Environment Variables
-        run: jf rt build-collect-env
+        run: jf rt build-collect-env --project ${JF_PROJECT}
 
       - name: Publish build info
-        run: jfrog rt build-publish
+        run: jfrog rt build-publish --project ${JF_PROJECT}
 
       - name: Sign build evidence
         run: |
           echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json
           jf evd create --build-name ${{ github.workflow }} --build-number ${{ github.run_number }} \
             --predicate ./sign.json --predicate-type https://jfrog.com/evidence/build-signature/v1 \
-            --key "${{ secrets.PRIVATE_KEY }}"  --key-alias ${{ secrets.KEY_ALIAS }}
+            --key "${{ secrets.PRIVATE_KEY }}"  --key-alias ${{ secrets.KEY_ALIAS }} --project ${JF_PROJECT}
           echo '🔎 Evidence attached: `build-signature` 🔏 ' >> $GITHUB_STEP_SUMMARY
 
       - name: Create release bundle
         run: |
-          echo '{ "files": [ {"build": "'"${{ github.workflow }}/${{ github.run_number }}"'" } ] }' > bundle-spec.json
-          jf release-bundle-create ${{ github.actor }}-evidence-training ${{ github.run_number }} --signing-key ${{ secrets.RB_KEY }} --spec bundle-spec.json --sync=true
-          VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ github.actor }}-evidence-training'&bundleToFlash='${{ github.actor }}-evidence-training'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeKanbanTab=promotion'
-          echo '📦 Release bundle ['${{ github.actor }}-evidence-training:${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY
+          echo '{ "files": [ {"build": "'"${{ github.workflow }}/${{ github.run_number }}"'" , "project" : "'"${JF_PROJECT}"'" } ] }' > bundle-spec.json
+          cat  ./bundle-spec.json
+          jf release-bundle-create ${{ github.actor }}-evd-flow ${{ github.run_number }} --signing-key ${{ secrets.RB_KEY }} --spec bundle-spec.json --sync=true --project ${JF_PROJECT}
+          VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ github.actor }}-evidence-training'&bundleToFlash='${{ github.actor }}-evd-flow'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeKanbanTab=promotion'
+          echo '📦 Release bundle ['${{ github.actor }}-evd-flow:${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY
 
-      # - name: Approve release-bundle
-      #   run: |
-      #     echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'", "approved": "true" }' > rbv2_approval_evidence.json
-      #     jf evd create --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} \
-      #       --release-bundle ${{ github.actor }}-evidence-training --release-bundle-version ${{ github.run_number }} \
-      #       --predicate ./rbv2_approval_evidence.json --predicate-type https://jfrog.com/evidence/approval/v1
-      #     echo 'Approval of Release bundle ${{ github.actor }}-evidence-training':'${{ github.run_number }} succeded' >> $GITHUB_STEP_SUMMARY
+      - name: Approve release-bundle
+        run: |
+           echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'", "approved": "true" }' > rbv2_approval_evidence.json
+           jf evd create --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} \
+             --release-bundle ${{ github.actor }}-evd-flow --release-bundle-version ${{ github.run_number }} \
+             --predicate ./rbv2_approval_evidence.json --predicate-type https://jfrog.com/evidence/approval/v1 --project ${JF_PROJECT}
+           echo 'Approval of Release bundle ${{ github.actor }}-evd-flow':'${{ github.run_number }} succeded' >> $GITHUB_STEP_SUMMARY

.github/workflows/distribute.yml

@@ -0,0 +1,34 @@
+name: distribute-to-edge-nodes
+on:
+  workflow_dispatch:
+    inputs:
+      rb-version:
+        description: 'Release bundle version'     
+        required: true
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  Promote-to-qa-and-test:
+    environment: Jfrog-US
+    runs-on: ubuntu-latest
+    env:
+      PROMOTE_REPO_NAME: ptfl1-docker
+      JF_PROJECT: ptfl1
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install jfrog cli
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ vars.ARTIFACTORY_URL }}
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+      - name: Distribute to Edge nodes 
+        run: |
+            echo '{ "distribution_rules": [ {"site_name": "SolEngEdgeSaaS"} ] }' > distr-rule.json  
+            jf   release-bundle-distribute --sync=true --project ${JF_PROJECT} --dist-rules=distr-rule.json ${{ github.actor }}-evd-flow ${{ inputs.rb-version }} --sync=true --project ${JF_PROJECT} 
+            echo "🚀 Succesfully promoted to \`QA\` environemnt" >> $GITHUB_STEP_SUMMARY

.github/workflows/frogbot-scan-fix.yaml

@@ -0,0 +1,137 @@
+name: "Frogbot Scan and Fix"
+on:
+  schedule:
+    # The repository will be scanned based on the following cron expression
+    - cron: "0 0 * 1 *"
+  workflow_dispatch:
+    inputs:
+      run_reason:
+        required: false
+        type: string
+        default: "On-demand workflow run"
+        description: "Reason for manually triggering the workflow"
+permissions:
+  contents: write
+  pull-requests: write
+  security-events: write
+  id-token: write
+jobs:
+  create-fix-pull-requests:
+    environment: Jfrog
+    runs-on: ubuntu-latest
+    env:
+      REPO_NAME: ptfl1-docker
+      JF_PROJECT: ptfl1 
+
+    strategy:
+      matrix:
+        # The repository scanning will be triggered periodically on the following branches.
+        branch: [ "main" ]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.branch }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '^1.23.3' # The Go version to download (if necessary) and use.
+      # Install prerequisites
+      - name: Setup Frogbot
+        uses: jfrog/frogbot@v2
+        env:
+          # [Mandatory]
+          # JFrog platform URL
+          JF_URL: ${{ vars.ARTIFACTORY_URL}}
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+          JFROG_CLI_LOG_LEVEL: "DEBUG"
+
+          # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+          # JFrog access token with 'read' permissions on Xray service
+          # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+          # [Mandatory if JF_ACCESS_TOKEN is not provided]
+          # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+          # JF_USER: ${{ secrets.JF_USER }}
+
+          # [Mandatory if JF_ACCESS_TOKEN is not provided]
+          # JFrog password. Must be provided with JF_USER
+          # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+          # [Mandatory]
+          # The GitHub token automatically generated for the job
+          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # [Optional, default: https://api.github.com]
+          # API endpoint to GitHub
+          # JF_GIT_API_ENDPOINT: https://github.example.com
+
+          # [Optional]
+          # If the machine that runs Frogbot has no access to the internet, set the name of a remote repository
+          # in Artifactory, which proxies https://releases.jfrog.io
+          # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+          # JF_RELEASES_REPO: ""
+
+
+
+          ##########################################################################
+          ##   If your project uses a 'frogbot-config.yml' file, you can define   ##
+          ##   the following variables inside the file, instead of here.          ##
+          ##########################################################################
+
+          # [Mandatory if the two conditions below are met]
+          # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
+          # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+          #
+          # The command that installs the project dependencies (e.g "nuget restore")
+          # JF_INSTALL_DEPS_CMD: ""
+
+          # [Optional, default: "."]
+          # Relative path to the root of the project in the Git repository
+          # JF_WORKING_DIR: path/to/project/dir
+
+          # [Optional]
+          # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
+          # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
+
+          # [Optional]
+          # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
+          JF_PROJECT:  ${JF_PROJECT}
+
+          # [Optional, default: "TRUE"]
+          # Fails the Frogbot task if any security issue is found.
+          # JF_FAIL: "FALSE"
+
+          # [Optional]
+          # Frogbot will download the project dependencies if they're not cached locally. To download the
+          # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
+          # need to set this value, if it is set in the frogbot-config.yml file.
+          # JF_DEPS_REPO: ""
+
+          # [Optional]
+          # Template for the branch name generated by Frogbot when creating pull requests with fixes.
+          # The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
+          # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+          # JF_BRANCH_NAME_TEMPLATE: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
+
+          # [Optional]
+          # Template for the commit message generated by Frogbot when creating pull requests with fixes
+          # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+          # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
+
+          # [Optional]
+          # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
+          # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+          # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to to ${FIX_VERSION}"
+
+          # [Optional, Default: "FALSE"]
+          # If TRUE, Frogbot creates a single pull request with all the fixes.
+          # If FALSE, Frogbot creates a separate pull request for each fix.
+          # JF_GIT_AGGREGATE_FIXES: "FALSE"
+
+          # [Optional, Default: "FALSE"]
+          # Handle vulnerabilities with fix versions only
+          # JF_FIXABLE_ONLY: "TRUE"
+
+          # [Optional]
+          # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
+          # The following values are accepted: Low, Medium, High or Critical
+          JF_MIN_SEVERITY: "High"

.github/workflows/jf_build.yml

@@ -0,0 +1,52 @@
+name: ptfl1-build-with-rb
+
+on:
+  [workflow_dispatch]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  Docker-build-with-evidence:
+    environment: Jfrog-US
+    runs-on: ubuntu-latest
+    env:
+      REPO_NAME: ptfl1-docker
+      JF_PROJECT: ptfl1 
+
+    steps:
+
+      - uses: actions/checkout@v4
+
+      - name: Install jfrog cli
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ vars.ARTIFACTORY_URL }}
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+      - name: Build Docker image
+        run: |
+          URL=$(echo ${{ vars.ARTIFACTORY_URL }} | sed 's|^https://||')
+          echo ${URL}
+          REPO_URL=${URL}/${REPO_NAME}
+          echo ${REPO_URL}
+          docker build -t ${REPO_URL}/example-go-app:${{ github.run_number }} .
+          jf docker push ${REPO_URL}/example-go-app:${{ github.run_number }} --project ${JF_PROJECT}
+
+      - name: Collecting Information from Git
+        run: jf rt build-add-git --project ${JF_PROJECT}
+
+      - name: Collecting Environment Variables
+        run: jf rt build-collect-env --project ${JF_PROJECT}
+
+      - name: Publish build info
+        run: jfrog rt build-publish --project ${JF_PROJECT}
+
+      - name: Create release bundle
+        run: |
+          echo '{ "files": [ {"build": "'"${{ github.workflow }}/${{ github.run_number }}"'" , "project" : "'"${JF_PROJECT}"'" } ] }' > bundle-spec.json
+          cat  ./bundle-spec.json
+          jf release-bundle-create ${{ github.actor }}-evd-flow ${{ github.run_number }} --signing-key ${{ secrets.RB_KEY }} --spec bundle-spec.json --sync=true --project ${JF_PROJECT}
+          VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ github.actor }}-evidence-training'&bundleToFlash='${{ github.actor }}-evd-flow'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeKanbanTab=promotion'
+          echo '📦 Release bundle ['${{ github.actor }}-evd-flow:${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY

.github/workflows/promote.yml

@@ -11,7 +11,11 @@ permissions:
 
 jobs:
   Promote-to-qa-and-test:
+    environment: Jfrog
     runs-on: ubuntu-latest
+    env:
+      PROMOTE_REPO_NAME: ptfl-oci-dev-local
+      JF_PROJECT: ptfl
     steps:
 
       - name: Checkout
@@ -31,7 +35,7 @@ jobs:
 
       - name: Call GraphQL
         run: |
-          ./scripts/graphql.sh ${{ vars.ARTIFACTORY_URL }} ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} release-bundles-v2 ${{ github.actor }}-evidence-training ${{ inputs.rb-version }}
+          ./scripts/graphql.sh ${{ vars.ARTIFACTORY_URL }} ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} ${JF_PROJECT}-release-bundles-v2 ${{ github.actor }}-evd-flow ${{ inputs.rb-version }}
           cat evidence_graph.json
 
       - name: Run policy
@@ -44,7 +48,7 @@ jobs:
       - name: Promote to Test
         run: |
           if [ "${{ env.RESULT }}" == "true" ]; then
-            jf release-bundle-promote ${{ github.actor }}-evidence-training ${{ inputs.rb-version }} QA --signing-key ${{ secrets.RB_KEY }} --sync=true
+            jf release-bundle-promote ${{ github.actor }}-evd-flow ${{ inputs.rb-version }} QA --signing-key ${{ secrets.RB_KEY }} --sync=true --project ${JF_PROJECT}
             echo "🚀 Succesfully promoted to \`QA\` environemnt" >> $GITHUB_STEP_SUMMARY
           else
             opa eval --input ./evidence_graph.json --data policy/policy.rego "data.policy.output" | jq '.result[0].expressions[0].value'