From e103bf1b1947b925a8ef68713f349322eb4bfe94 Mon Sep 17 00:00:00 2001 From: "Calvin A. Allen" Date: Thu, 21 Nov 2024 14:27:06 -0500 Subject: [PATCH 1/2] Add FOSSA integration
---
 .github/workflows/build_image.yml | 49 +++++++++++++++-------------- .github/workflows/publish_image.yml | 15 ++++----- Dockerfile | 5 +++ 3 files changed, 38 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
index 25f6a98..1f237f8 100644
--- a/.github/workflows/build_image.yml
+++ b/.github/workflows/build_image.yml
@@ -1,34 +1,35 @@
 name: Build the Docker Image
 on:
- pull_request:
- types: [ opened, reopened, synchronize ]
- branches:
- - main
+ pull_request:
+ types: [opened, reopened, synchronize]
+ branches:
+ - main
 env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
 jobs:
- build-image:
- runs-on: ubuntu-latest
+ build-image:
+ runs-on: ubuntu-latest
- permissions: write-all
+ permissions: write-all
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
- - name: Build Docker image
- id: push
- uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
- with:
- context: .
- push: false
- build-args: |
- BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }}
- BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }}
- BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }}
- BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }}
- BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }}
+ - name: Build Docker image
+ id: push
+ uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+ with:
+ context: .
+ push: false
+ build-args: |
+ BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }}
+ BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }}
+ BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }}
+ BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }}
+ BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }}
+ FOSSA_API_KEY=${{ secrets.FOSSA_API_KEY }}
diff --git a/.github/workflows/publish_image.yml b/.github/workflows/publish_image.yml
index ce6cb1e..1700792 100644
--- a/.github/workflows/publish_image.yml
+++ b/.github/workflows/publish_image.yml
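Review bot: `FOSSA_API_KEY=${{ secrets.FOSSA_API_KEY }}` in the build_image.yml hunk passes a credential as a Docker build-arg, which Docker explicitly recommends against because build-args are recorded in the history of the stage that consumes them and can surface in provenance metadata; the publish_image.yml hunk adds the identical line and shares the issue. This Dockerfile already relies on BuildKit (`--mount=type=cache`), so the action's `secrets:` input paired with `RUN --mount=type=secret,id=fossa_api_key` (id illustrative) in the build stage would expose the key only to the one command that needs it. On `pull_request` runs from forks `secrets.*` expand to an empty string, so on this workflow the arg frequently carries nothing anyway. The rest of the hunk is a whitespace re-indent of the whole file that buries the single functional line; it would review better as its own commit.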
@@ -42,13 +42,14 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
 build-args: |
- BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }}
- BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }}
- BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }}
- BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }}
- BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }}
- NEW_RELIC_METADATA_COMMIT=${{ github.sha }}
- NEW_RELIC_METADATA_RELEASE_TAG=${{ github.ref_name }}
+ BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }}
+ BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }}
+ BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }}
+ BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }}
+ BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }}
+ FOSSA_API_KEY=${{ secrets.FOSSA_API_KEY }}
+ NEW_RELIC_METADATA_COMMIT=${{ github.sha }}
+ NEW_RELIC_METADATA_RELEASE_TAG=${{ github.ref_name }}
 - name: Generate artifact attestation
 uses: actions/attest-build-provenance@v1
diff --git a/Dockerfile b/Dockerfile
index aa05d97..c8b4977 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,16 +29,21 @@ ARG BROWSER_ACCOUNT_ID
 ARG BROWSER_TRUST_KEY
 ARG BROWSER_AGENT_ID
 ARG BROWSER_APPLICATION_ID
+ARG FOSSA_API_KEY
 ENV BROWSER_LICENSE_KEY=$BROWSER_LICENSE_KEY
 ENV BROWSER_ACCOUNT_ID=$BROWSER_ACCOUNT_ID
 ENV BROWSER_TRUST_KEY=$BROWSER_TRUST_KEY
 ENV BROWSER_AGENT_ID=$BROWSER_AGENT_ID
 ENV BROWSER_APPLICATION_ID=$BROWSER_APPLICATION_ID
+ENV FOSSA_API_KEY=$FOSSA_API_KEY
 RUN --mount=type=cache,target=/root/.gradle ./gradlew downloadNewRelicAgent --console=plain --info --no-daemon --no-watch-fs
 RUN --mount=type=cache,target=/root/.gradle ./gradlew build --console=plain --info --no-daemon --no-watch-fs
+RUN curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+RUN fossa analyze
+
 FROM base AS final
 WORKDIR /app
 COPY --from=build /src/build/libs/petclinic-backend-1.0.0.jar .
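Review bot: `RUN curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash` executes an unpinned script from the `master` branch inside the build with no checksum or signature check, while the workflows in this same patch pin `docker/build-push-action` to a full commit SHA; the installer deserves the same treatment (a pinned release plus a verified checksum, or copying the binary from a pinned image). `ENV FOSSA_API_KEY=$FOSSA_API_KEY` is unnecessary and slightly harmful: an `ARG` is already exported to `RUN` in the stage that declares it, and `ENV` additionally persists the key in the build stage's image config and in any exported build cache. Running `fossa analyze` as a build layer also ties the scan to layer caching and to the `docker build` exit status rather than to a workflow step whose result is visible in the job; running it from the workflow against the checked-out tree (for example via FOSSA's own GitHub action) would keep the key out of the build entirely. The build stage's `FROM` line is above this hunk.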
From 492b80f6aacebaaa2c3f33403dac51294a3d1bd5 Mon Sep 17 00:00:00 2001 From: "Calvin A. Allen" Date: Thu, 21 Nov 2024 14:31:56 -0500 Subject: [PATCH 2/2] Don't scan on PRs
---
 .github/workflows/build_image.yml | 1 - Dockerfile | 12 ++++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
index 1f237f8..f969b91 100644
--- a/.github/workflows/build_image.yml
+++ b/.github/workflows/build_image.yml
@@ -32,4 +32,3 @@ jobs:
 BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }}
 BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }}
 BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }}
- FOSSA_API_KEY=${{ secrets.FOSSA_API_KEY }}
diff --git a/Dockerfile b/Dockerfile
index c8b4977..1faa600 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,8 +41,16 @@ ENV FOSSA_API_KEY=$FOSSA_API_KEY
 RUN --mount=type=cache,target=/root/.gradle ./gradlew downloadNewRelicAgent --console=plain --info --no-daemon --no-watch-fs
 RUN --mount=type=cache,target=/root/.gradle ./gradlew build --console=plain --info --no-daemon --no-watch-fs
-RUN curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
-RUN fossa analyze
+RUN if [ -z "$FOSSA_API_KEY" ] ; then \
+ echo --SKIPPING FOSSA CLI DOWNLOAD ; \
+ else \
+ curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash; \
+ fi
+RUN if [ -z "$FOSSA_API_KEY" ] ; then \
+ echo --SKIPPING FOSSA SCAN ; \
+ else \
+ fossa analyze; \
+ fi
 FROM base AS final
 WORKDIR /app
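Review bot: Both `if [ -z "$FOSSA_API_KEY" ]` guards fail open: any build where the arg is absent — including a publish run whose `FOSSA_API_KEY` secret is unset, renamed or scoped to the wrong environment — silently skips the scan with only an echo in the build log, so a release can ship unscanned without anyone noticing. Skipping should be an explicit opt-in from build_image.yml (a separate build-arg such as `FOSSA_SCAN=false`; the name is illustrative and its `ARG` would go next to `ARG FOSSA_API_KEY`, above this hunk), while an enabled scan with an empty key should fail the build. The two guards also duplicate the condition across two layers; a single `RUN` that installs and runs the CLI joined with `&&` keeps the skip decision in one place and removes the state where the installer layer is cached but the scan layer is not. The unpinned `curl ... | bash` installer carried over from the first patch still has no integrity check.
```dockerfile
# PR builds opt out explicitly; release builds must supply a key or fail.
# (FOSSA_SCAN is an illustrative name — declare it with the other ARGs above.)
RUN if [ "$FOSSA_SCAN" = "false" ]; then \
      echo "--SKIPPING FOSSA SCAN"; \
    elif [ -z "$FOSSA_API_KEY" ]; then \
      echo "FOSSA_API_KEY is empty but scanning is enabled" >&2; exit 1; \
    else \
      curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash \
      && fossa analyze; \
    fi
```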