Add provenance to releases and publish SBOMs (#7784)

* Add more names

* split build and publish

* add attestation and SBOM

* format file

* Add toplevel permissions

* fix missing path

* move provenance down

* fix release workflow

* simplify steps
This commit is contained in:
Matthias Mair 2024-08-02 02:54:19 +02:00 committed by GitHub
parent 2cb8f4128e
commit dcc351be11
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 30 additions and 5 deletions


@ -1,13 +1,16 @@
# Runs on releases # Runs on releases
name: Publish release notes name: Publish release
on: on:
release: release:
types: [published] types: [published]
permissions:
contents: read
jobs: jobs:
stable: stable:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Write release to stable branch
permissions: permissions:
contents: write contents: write
pull-requests: write pull-requests: write
@ -28,11 +31,13 @@ jobs:
branch: stable branch: stable
force: true force: true
publish-build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Build and attest frontend
permissions: permissions:
id-token: write
contents: write contents: write
pull-requests: write attestations: write
steps: steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
- name: Environment Setup - name: Environment Setup
@ -43,6 +48,11 @@ jobs:
run: cd src/frontend && yarn install run: cd src/frontend && yarn install
- name: Build frontend - name: Build frontend
run: cd src/frontend && npm run compile && npm run build run: cd src/frontend && npm run compile && npm run build
- name: Create SBOM for frontend
uses: anchore/sbom-action@v0
with:
artifact-name: frontend-build.spdx
path: src/frontend
- name: Write version file - SHA - name: Write version file - SHA
run: cd src/backend/InvenTree/web/static/web/.vite && echo "$GITHUB_SHA" > sha.txt run: cd src/backend/InvenTree/web/static/web/.vite && echo "$GITHUB_SHA" > sha.txt
- name: Write version file - TAG - name: Write version file - TAG
@ -51,10 +61,25 @@ jobs:
run: | run: |
cd src/backend/InvenTree/web/static/web cd src/backend/InvenTree/web/static/web
zip -r ../frontend-build.zip * .vite zip -r ../frontend-build.zip * .vite
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0 - name: Attest Build Provenance
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-path: "${{ github.workspace }}/src/backend/InvenTree/web/static/frontend-build.zip"
- name: Upload frontend
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
with: with:
repo_token: ${{ secrets.GITHUB_TOKEN }} repo_token: ${{ secrets.GITHUB_TOKEN }}
file: src/backend/InvenTree/web/static/frontend-build.zip file: src/backend/InvenTree/web/static/frontend-build.zip
asset_name: frontend-build.zip asset_name: frontend-build.zip
tag: ${{ github.ref }} tag: ${{ github.ref }}
overwrite: true overwrite: true
- name: Upload Attestation
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
asset_name: frontend-build.intoto.jsonl
file: ${{ steps.attest.outputs.bundle-path}}
tag: ${{ github.ref }}
overwrite: true
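Review bot: The two actions this change introduces are referenced by floating tags, `uses: anchore/sbom-action@v0` in the "Create SBOM for frontend" step and `uses: actions/attest-build-provenance@v1` in the "Attest Build Provenance" step, while every other action in the workflow is pinned to a full commit SHA with a `# pin@…` comment (checkout, both upload-release-action steps). The build job now holds `id-token: write`, `attestations: write` and `contents: write`, so a mutable tag is the weakest link: whatever the tag resolves to at release time can mint the job's OIDC token, sign provenance for an arbitrary subject, and overwrite the release assets. Pin both to the full commit SHA of the release you tested, following the file's existing convention, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # pin@v1.x.y`, and let your dependency bot bump the SHA. Separately, the SBOM is generated from the `src/frontend` tree after `yarn install` rather than from the `frontend-build.zip` that is attested and published, and it is not listed in `subject-path`, so the provenance statement does not cover it; if the SBOM is meant to describe the shipped artifact, consider scanning the zip and adding the SBOM as a second subject. Whether `anchore/sbom-action` attaches its output to the release or only stores it as a workflow artifact is not visible here, so confirm the SBOM actually lands on the release page as the commit title promises.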


@ -87,4 +87,4 @@ known_django="django"
sections=["FUTURE","STDLIB","DJANGO","THIRDPARTY","FIRSTPARTY","LOCALFOLDER"] sections=["FUTURE","STDLIB","DJANGO","THIRDPARTY","FIRSTPARTY","LOCALFOLDER"]
[tool.codespell] [tool.codespell]
ignore-words-list = ["assertIn","SME"] ignore-words-list = ["assertIn","SME","intoto"]