refactor build and publish pipeline to add provenance and sbom scan

Kong · May 15, 2024 · 8353598 · 8353598
1 parent a6c94de
commit 8353598
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 21 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,16 +1,38 @@
-name: Build
+name: Build and Publish Httpsnippet
 
 on:
   push:
     branches:
       - master
+    tags:
+      - '*' # Restrict any specific tag formats
   pull_request:
     types:
       - opened
       - synchronize
   workflow_dispatch:
 
 jobs:
+  scan:
+    permissions:
+      packages: write 
+      contents: write # publish sbom to GH releases/tag assets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v3
+        with:
+          path: ${{ github.repository }}
+
+      # Perform SCA analysis for the code repository
+      # Produces SBOM and CVE report
+      # Helps understand vulnerabilities / license compliance across third party dependencies
+      - id: sca-project
+        uses: Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
+        with:
+          dir: ${{ github.repository }}
+          upload-sbom-release-assets: true
+
   build:
     runs-on: ubuntu-latest
     strategy:
@@ -37,3 +59,31 @@ jobs:
 
       - name: Build
         run: npm run build
+
+  publish:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref_type == 'tag' && github.repository_owner == 'Kong' }}
+    steps:
+      # checkout tag
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.9.0
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish to NPM
+        run: npm publish --no-git-checks --provenance --tag ${{ github.sha }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
diff --git a/.github/workflows/publish.yml → .github/workflows/release.yml b/.github/workflows/publish.yml → .github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Publish httpsnippet
+name: Release httpsnippet
 
 on:
   workflow_dispatch:
@@ -8,20 +8,14 @@ on:
         required: true
 
 jobs:
-  publish:
+  release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20.9.0
-          registry-url: 'https://registry.npmjs.org'
-
       - name: Configure Git user
         uses: Homebrew/actions/git-user-config@master
         with:
@@ -42,15 +36,4 @@ jobs:
           prerelease: false
           draft: false
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install
-        run: npm ci
-
-      - name: Build
-        run: npm run build
-
-      - name: Publish to NPM
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}