feat: add workflow for dependency-track

dhis2 · Dec 19, 2024 · 434a178 · 434a178
1 parent b890115
commit 434a178
Show file tree

Hide file tree

Showing 3 changed files with 24,890 additions and 18,055 deletions.
diff --git a/.github/workflows/generate-and-upload-bom.yml b/.github/workflows/generate-and-upload-bom.yml
@@ -0,0 +1,52 @@
+name: 'This workflow creates bill of material and uploads it to Dependency-Track each night'
+
+on:
+    pull_request:
+
+    schedule:
+        - cron: '0 0 * * *'
+
+concurrency:
+    group: ${{ github.workflow}}-${{ github.ref }}
+    cancel-in-progress: true
+
+defaults:
+    run:
+        shell: bash
+
+jobs:
+    create-bom:
+        runs-on: ubuntu-latest
+
+        strategy:
+            matrix:
+                containers: [1, 2, 3, 4]
+
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-node@v4
+              with:
+                  node-version: 18.x
+
+            - name: Install
+              run: yarn install --frozen-lockfile
+
+            - name: Install CycloneDX CLI
+              run: |
+                  curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i -
+                  sudo mv cyclonedx-linux-x64 /usr/local/bin/
+                  sudo chmod +x /usr/local/bin/cyclonedx-linux-x64
+
+            - name: Generate BOMs
+              run: yarn run create-sbom
+
+            - name: Upload SBOM to DependencyTrack
+              env:
+                  DEPENDENCY_TRACK_API: 'https://dt.security.dhis2.org/api/v1/bom'
+              run: |
+                  curl -X POST "$DEPENDENCY_TRACK_API" \
+                      --fail-with-body \
+                      -H "Content-Type: multipart/form-data" \
+                      -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
+                      -F "project=c0bd0f2d-d512-460a-81f9-e256e4fb1054" \
+                      -F "[email protected]"
diff --git a/package.json b/package.json
@@ -38,11 +38,13 @@
         "postinstall": "patch-package",
         "cy:start": "BROWSER=none yarn start",
         "cy:open": "start-server-and-test 'yarn cy:start' http://localhost:3000 'yarn cypress open --e2e'",
-        "cy:run": "start-server-and-test 'yarn cy:start' http://localhost:3000 'yarn cypress run --browser chrome headless'"
+        "cy:run": "start-server-and-test 'yarn cy:start' http://localhost:3000 'yarn cypress run --browser chrome headless'",
+        "create-sbom": "yarn exec cyclonedx-yarn --output-file bom.json"
     },
     "devDependencies": {
         "@badeball/cypress-cucumber-preprocessor": "^20.1.0",
         "@bahmutov/cypress-esbuild-preprocessor": "^2.2.1",
+        "@cyclonedx/yarn-plugin-cyclonedx": "^1.0.2",
         "@cypress/webpack-preprocessor": "^6.0.2",
         "@dhis2/cli-app-scripts": "^11.7.1",
         "@dhis2/cli-style": "^10.7.3",