124 lines
3.8 KiB
YAML
124 lines
3.8 KiB
YAML
name: generate-srcinfo
|
|
|
|
concurrency: ci-${{ github.ref }}
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
update-srcinfo-win:
|
|
runs-on: windows-2022
|
|
if: ${{ github.repository == 'msys2/MSYS2-packages' || github.event_name == 'workflow_dispatch' }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
filter: tree:0
|
|
|
|
- uses: actions/setup-python@v5
|
|
id: setup-python
|
|
with:
|
|
python-version: '3.11'
|
|
cache: 'pip'
|
|
cache-dependency-path: .github/workflows/generate-srcinfo.yml
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
pipx install --python '${{ steps.setup-python.outputs.python-path }}' 'msys2-devtools[srcinfo-cache] @ git+https://github.com/msys2/msys2-devtools'
|
|
|
|
- uses: msys2/setup-msys2@v2
|
|
id: msys2
|
|
with:
|
|
msystem: MSYS
|
|
update: true
|
|
|
|
- name: Download srcinfo.json.gz and set up the environment
|
|
shell: msys2 {0}
|
|
run: |
|
|
# makepkg requires strip in PATH even if it wont be used
|
|
touch /usr/bin/strip.exe
|
|
curl --fail -L --retry 5 -o srcinfo.json.gz "https://github.com/$GITHUB_REPOSITORY/releases/download/srcinfo-cache/srcinfo.json.gz"
|
|
|
|
- name: Parse PKGBUILDs and update srcinfo.json.gz
|
|
run: |
|
|
msys2-srcinfo-cache --time-limit 19800 msys '${{ steps.msys2.outputs.msys2-location }}' . srcinfo.json.gz
|
|
|
|
- uses: actions/upload-artifact@v4
|
|
with:
|
|
name: result-win
|
|
path: |
|
|
srcinfo.json.gz
|
|
|
|
update-srcinfo-linux:
|
|
needs: update-srcinfo-win
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/download-artifact@v4
|
|
with:
|
|
name: result-win
|
|
|
|
- uses: actions/setup-python@v5
|
|
id: setup-python
|
|
with:
|
|
python-version: '3.11'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
pipx install --python '${{ steps.setup-python.outputs.python-path }}' 'msys2-devtools[pypi-cache,sbom] @ git+https://github.com/msys2/msys2-devtools'
|
|
|
|
- name: Update the PyPI cache
|
|
run: |
|
|
curl --fail -L --retry 5 -o pypi.json.gz "https://github.com/$GITHUB_REPOSITORY/releases/download/srcinfo-cache/pypi.json.gz" || true
|
|
msys2-pypi-cache srcinfo.json.gz pypi.json.gz
|
|
|
|
- name: Install grype
|
|
run: |
|
|
curl --retry 5 -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s --
|
|
./bin/grype db list --output json > grype-db.json
|
|
|
|
- name: Cache grype DB
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cache/grype
|
|
key: grype-db-${{ runner.os }}-${{ hashFiles('grype-db.json') }}
|
|
restore-keys: |
|
|
grype-db-${{ runner.os }}-
|
|
|
|
- name: Update vulnerability database
|
|
run: |
|
|
msys2-sbom create srcinfo.json.gz sbom.cdx.json
|
|
./bin/grype sbom:sbom.cdx.json -o cyclonedx-json=sbom.vuln.cdx.json -o json=sbom.grype.json
|
|
msys2-sbom fixup sbom.vuln.cdx.json --grype-json sbom.grype.json --srcinfo-cache srcinfo.json.gz
|
|
|
|
- uses: actions/upload-artifact@v4
|
|
with:
|
|
name: result-linux
|
|
path: |
|
|
pypi.json.gz
|
|
sbom.cdx.json
|
|
sbom.vuln.cdx.json
|
|
|
|
upload-srcinfo:
|
|
needs: [update-srcinfo-win, update-srcinfo-linux]
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
steps:
|
|
- uses: actions/download-artifact@v4
|
|
with:
|
|
pattern: result-*
|
|
merge-multiple: true
|
|
|
|
- name: Upload srcinfo.json.gz
|
|
run: |
|
|
gh release upload srcinfo-cache srcinfo.json.gz pypi.json.gz sbom.cdx.json sbom.vuln.cdx.json --clobber --repo "$GITHUB_REPOSITORY"
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- run: |
|
|
curl -X POST 'https://packages.msys2.org/api/trigger_update'
|