diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml new file mode 100644 index 0000000000..adad518e7d --- /dev/null +++ b/.github/actions/sbom-update/action.yml @@ -0,0 +1,27 @@ +name: Generate SBOM +description: Generates CycloneDX SBOM using cdxgen +inputs: + output-file: + description: "Output filename for the SBOM" + required: false + default: "sbom.json" + +runs: + using: composite + steps: + - name: Generate SBOM + shell: bash + working-directory: ${{ inputs.working-directory }} + run: | + echo "Generating SBOM for 'node' project..." + npx @cyclonedx/cyclonedx-npm --output-file sbom.json --output-format json --spec-version 1.5 + + - name: Validate SBOM + shell: bash + run: | + if [ ! -f "${{ inputs.output-file }}" ]; then + echo "Error: SBOM file not found" + exit 1 + fi + + echo "SBOM file validated: ${{ inputs.output-file }}" \ No newline at end of file diff --git a/.github/actions/setup-sbom/action.yml b/.github/actions/setup-sbom/action.yml new file mode 100644 index 0000000000..3f8fa173ed --- /dev/null +++ b/.github/actions/setup-sbom/action.yml @@ -0,0 +1,19 @@ +name: Setup PHP SBOM +description: Sets up environment for generating SBOM in PHP projects +inputs: + working-directory: + description: "The directory where composer.json is located" + required: false + default: "." + +runs: + using: composite + steps: + - name: Setup Node.js (for cdxgen) + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install dependencies + shell: bash + run: npm ci diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml new file mode 100644 index 0000000000..e865cbc789 --- /dev/null +++ b/.github/actions/setup/action.yml @@ -0,0 +1,19 @@ +name: Setup Node SBOM +description: Sets up environment for generating SBOM in Node.js projects +inputs: + working-directory: + description: "The directory where package.json is located" + required: false + default: "." + +runs: + using: composite + steps: + - name: Setup Node.js (for cdxgen) + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install cdxgen + shell: bash + run: npm install -g @cyclonedx/cdxgen \ No newline at end of file diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 0000000000..ac77d44075 --- /dev/null +++ b/.github/workflows/sbom.yml @@ -0,0 +1,115 @@ +name: Post-Merge SBOM Update + +on: + push: + branches: + - main + paths: + - 'package.json' + - 'package-lock.json' + workflow_dispatch: +env: + SBOM_FILE: "sbom.json" +permissions: + contents: write + pull-requests: write + +jobs: + sbom: + name: Generate SBOM and Create PR + runs-on: ubuntu-latest + + concurrency: + group: sbom-${{ github.ref }} + cancel-in-progress: false + + steps: + - name: Checkout repository (Base Branch) + uses: actions/checkout@v5 + with: + ref: ${{ github.event.pull_request.base.ref || github.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v3 + with: + ignore_install_scripts: false + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 + with: + npm_package_name: mongodb + + - name: Generate/Update package-lock.json + run: | + echo "Resolving dependencies and generating package-lock.json..." + npm install --package-lock-only + echo "package-lock.json generated with resolved versions" + + - name: Setup SBOM environment + uses: ./.github/actions/setup-sbom + + - name: Generate SBOM + uses: ./.github/actions/sbom-update + with: + output-file: ${SBOM_FILE} + + - name: Check for Changes in sbom.json + id: git_status + run: | + # Filter to remove/normalize serialNumber and timestamp fields + JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)' + + # Check if the base file exists in Git (to prevent errors on first commit) + if ! git show HEAD:$SBOM_FILE > /dev/null 2>&1; then + echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + exit 0 + fi + + # Compare the normalized committed version vs. the normalized current version + if diff -q \ + <(git show HEAD:$SBOM_FILE | jq -r "$JQ_NORMALIZER") \ + <(cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"); then + + echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT + echo "No changes detected in sbom.json" + else + echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + echo "Changes detected in sbom.json" + fi + + - name: Create Pull Request + if: steps.git_status.outputs.HAS_CHANGES == 'true' + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: 'chore: update SBOM after dependency changes' + add-paths: | + sbom.json + branch: auto-update-sbom-${{ github.run_id }} + delete-branch: true + title: 'chore: Update SBOM' + body: | + ## Automated SBOM Update + + This PR was automatically generated because package files changed. + + ### Environment + - Node.js version: ${{ steps.versions.outputs.node-version }} + + ### Changes + - Updated `sbom.json` to reflect current dependencies + + ### Verification + The SBOM was generated using CycloneDX NPM. + + ### Triggered by + - Commit: ${{ github.sha }} + - Workflow run: ${{ github.run_id }} + + --- + _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_ + labels: | + sbom + automated + dependencies \ No newline at end of file