ci: move Syft & Grype installation into an action (#1011)

2024-10-01 01:36:09 -04:00 · 2023-01-18 17:33:10 +01:00 · 2023-01-18 17:33:10 +01:00 · 4e9c49c342
commit 4e9c49c342
parent 90ea35ae35
3 changed files with 53 additions and 31 deletions
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -17,22 +17,18 @@ inputs:
 runs:
  using: "composite"
  steps:
+    - name: Checkout
+      id: checkout
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      with:
+        ref: ${{ inputs.ref || github.head_ref }}
+
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1

-    - name: Download syft & grype
-      shell: bash
-      run: |
-        SYFT_VERSION=0.59.0
-        GRYPE_VERSION=0.51.0
-        curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
-        tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
-        ./syft version
-        curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
-        tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
-        ./grype version
-        echo $(pwd) >> $GITHUB_PATH
+    - name: Download Syft & Grype
+      uses: ./.github/actions/install_syft_grype

    - name: Generate SBOM
      shell: bash
--- a/.github/actions/install_syft_grype/action.yml
+++ b/.github/actions/install_syft_grype/action.yml
@ -0,0 +1,38 @@
+name: Install Syft & Grype
+description: Installs Syft & Grype.
+runs:
+  using: "composite"
+  steps:
+    - name: Install Syft & Grype
+      shell: bash
+      working-directory: /tmp
+      env:
+        SYFT_VERSION: "0.66.2"
+        GRYPE_VERSION: "0.55.0"
+        OS: ${{ runner.os }}
+        ARCH: ${{ runner.arch }}
+      run: |
+        echo "::group::Download and Install Syft & Grype"
+        # Translate GitHub runner naming conventions to GOOS / GOARCH conventions
+        if [[ "${OS}" = "macOS" ]]; then
+          OS="darwin"
+        else
+          OS=${OS,,}
+        fi
+  
+        if [[ "${ARCH}" = "X64" ]]; then
+          ARCH="amd64"
+        else
+          ARCH=${ARCH,,}
+        fi
+        
+        echo "Downloading for ${OS}/${ARCH}"
+        
+        curl -fsSLo syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz
+        tar -xzf syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz
+        sudo install syft /usr/bin/syft
+        syft version
+        curl -fsSLo grype_${GRYPE_VERSION}_${OS}_${ARCH}.tar.gz https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_${OS}_${ARCH}.tar.gz
+        tar -xzf grype_${GRYPE_VERSION}_${OS}_${ARCH}.tar.gz
+        sudo install grype /usr/bin/grype
+        grype version
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@ -100,35 +100,23 @@ jobs:
  signed-sbom:
    runs-on: ubuntu-22.04
    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          ref: ${{ inputs.ref || github.head_ref }}
+
      - name: Setup Go environment
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: "1.19.5"

      - name: Download Syft & Grype
-        shell: bash
-        working-directory: /tmp
-        run: |
-          SYFT_VERSION=0.66.1
-          GRYPE_VERSION=0.55.0
-          curl -Lo syft_${SYFT_VERSION}_linux_amd64.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
-          tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
-          sudo install syft /usr/bin/syft
-          syft version
-          curl -Lo grype_${GRYPE_VERSION}_linux_amd64.tar.gz https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
-          tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
-          sudo install grype /usr/bin/grype
-          grype version
+        uses: ./.github/actions/install_syft_grype

      - name: Install Cosign
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1

-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-        with:
-          ref: ${{ inputs.ref || github.head_ref }}
-
      # Build one CLI since Syft's go-module catalog will default to binary parsing.
      # Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
      # This seems to work fine for one OS & one arch as long as we don't have OS specific imports.