Migrate sbom functions to releaser task

cveticm · cveticm · commit cf4e31990b03 · 2025-05-30T17:37:46.000+01:00
diff --git a/build/ci/release.yml b/build/ci/release.yml
@@ -100,15 +100,15 @@ functions:
       params:
         shell: bash
         script: |
-          docker run \
+          podman run \
           --pull=always \
           --platform="linux/amd64" \
           --rm \
           --env-file ${workdir}/kondukto_credentials.env \
           -v ${workdir}:/workdir \
           901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
           upload \
-          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \
+          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/sbom.json \
           --repo mongodb_mongodb-atlas-cli  \
           --branch ${branch_name}  
           rm ${workdir}/kondukto_credentials.env
@@ -253,6 +253,7 @@ functions:
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.json
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.msi
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.sig
+          - src/github.com/mongodb/mongodb-atlas-cli/sbom.json
         remote_file: ${project}/dist/${revision}_${created_at}/
         bucket: mongodb-mongocli-build
         permissions: public-read
@@ -391,16 +392,14 @@ tasks:
           permissions: public-read
           content_type: ${content_type|application/octet-stream}
           display_name: unsigned
-  - name: generate_and_upload_sbom
-    commands:  
-      - func: "generate sbom"
-      - func: "run silkbomb"
   - name: package_goreleaser
     tags: ["packaging"]
     depends_on:
       - name: compile
         variant: "code_health"
     commands:
+      - func: "generate sbom"
+      - func: "run silkbomb"
       - func: "generate notices"
       - func: "install goreleaser"
       - func: "install macos notarization service"
@@ -413,66 +412,12 @@ tasks:
             - project
             - revision
             - created_at
-          env:
-            BUCKET: mongodb-mongocli-build
-            unstable: ${unstable}
-          binary: build/package/download-win-binaries.sh
-      - command: subprocess.exec
-        type: test
-        params:
-          include_expansions_in_env:
-            - unstable
-          env:
-            ARTIFACTORY_USERNAME: ${artifactory_username}
-            ARTIFACTORY_PASSWORD: ${artifactory_password}
-            GRS_USERNAME: ${garasign_username}
-            GRS_PASSWORD: ${garasign_password}
-            AUTHENTICODE_KEY_NAME: ${authenticode_key_name}
-          working_dir: src/github.com/mongodb/mongodb-atlas-cli
-          binary: build/package/windows_notarize.sh
-      - func: "package"
-        vars:
-          unstable: ${unstable}
-          ARTIFACTORY_USERNAME: ${artifactory_username}
-          ARTIFACTORY_PASSWORD: ${artifactory_password}
-          GRS_USERNAME: ${garasign_username}
-          GRS_PASSWORD: ${garasign_password}
-      - func: "rename pkg"
-        vars:
-          unstable: ${unstable}
-          latest_deb: ${latest_deb}
-          latest_rpm: ${latest_rpm}
-          package_name: ${package_name}
-          meta_package_name: ${meta_package_name}
-      - command: archive.targz_pack
-        params:
-          target: src/github.com/mongodb/mongodb-atlas-cli/dist/atlascli-deb-x86_64.tgz
-          source_dir: src/github.com/mongodb/mongodb-atlas-cli/dist/apt/x86_64
-          include:
-            - "*.deb"
-      - command: archive.targz_pack
-        params:
-          target: src/github.com/mongodb/mongodb-atlas-cli/dist/atlascli-deb-arm64.tgz
-          source_dir: src/github.com/mongodb/mongodb-atlas-cli/dist/apt/arm64
-          include:
-            - "*.deb"
-      - command: archive.targz_pack
-        params:
-          target: src/github.com/mongodb/mongodb-atlas-cli/dist/atlascli-rpm-x86_64.tgz
-          source_dir: src/github.com/mongodb/mongodb-atlas-cli/dist/yum/x86_64
-          include:
-            - "*.rpm"
-      - command: archive.targz_pack
-        params:
-          target: src/github.com/mongodb/mongodb-atlas-cli/dist/atlascli-rpm-aarch64.tgz
-          source_dir: src/github.com/mongodb/mongodb-atlas-cli/dist/yum/arm64
-          include:
-            - "*.rpm"
-      - func: "generate download archive json"
-        vars:
-          package_name: ${package_name}
-          FEED_FILE_NAME: "${package_name}.json"
-      - func: "upload dist"
+          script: |
+            set -e
+            ls -l ./dist
+            ls -l 
+            curl -f "https://mongodb-mongocli-build.s3.amazonaws.com/${project}/dist/${revision}_${created_at}/sbom.json" -o sbom.json
+            cat sbom.json
       - command: s3.put
         params:
           role_arn: "arn:aws:iam::119629040606:role/s3-access.cdn-origin-mongocli"
@@ -588,8 +533,6 @@ buildvariants:
         depends_on:
           - name: package_msi
             variant: "go_atlascli_msi_snapshot"
-          - name: generate_and_upload_sbom
-            variant: ssdlc
   - name: publish_atlascli_snapshot
     display_name: "Publish AtlasCLI Snapshot"
     run_on:
@@ -615,8 +558,6 @@ buildvariants:
         depends_on:
           - name: package_msi
             variant: release_atlascli_msi
-          - name: generate_and_upload_sbom
-            variant: ssdlc
   - name: copybara
     display_name: "Copybara"
     git_tag_only: true
@@ -669,11 +610,3 @@ buildvariants:
       - ubuntu2004-small
     tasks:
       - name: .smoke-test .generate .repo .atlascli
-  - name: ssdlc
-    display_name: Compliance [ssdlc]
-    run_on:
-      - ubuntu2204-small
-    expansions:
-      <<: *go_linux_version
-    tasks:
-      - name: generate_and_upload_sbom
diff --git a/build/package/.goreleaser.yml b/build/package/.goreleaser.yml
@@ -142,5 +142,5 @@ release:
   name_template: "MongoDB Atlas CLI {{.Version}}"
   extra_files:
     - glob: ./bin/*.msi
-    - glob: compliance/**/*
+    - glob: ./sbom.json
 version: 2
diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh
@@ -19,13 +19,13 @@ set -Eeou pipefail
 export WORKDIR=${workdir:?}
 
 # Authenticate Docker to AWS ECR
-aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
+aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
 
 echo "Generating SBOMs..."
-docker run --rm \
+podman run --rm \
   -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \
   901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
   update \
   --purls /pwd/build/package/purls.txt \
-  --sbom-out /pwd/compliance/sbom.json
+  --sbom-out /pwd/sbom.json
   
