From c5304fdb699a233cf8ab425d3ed48a315efa499a Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 10 Feb 2026 11:25:22 +0530 Subject: [PATCH 1/4] updated github workflow for common github action to generate SBOM using Gemfile.lock which is generated at runtime Signed-off-by: Vasu1105 --- ...ub-trufflehog-only.yml => ci-main-pull-request-stub-1.0.7.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{ci-main-pull-request-stub-trufflehog-only.yml => ci-main-pull-request-stub-1.0.7.yml} (100%) diff --git a/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml similarity index 100% rename from .github/workflows/ci-main-pull-request-stub-trufflehog-only.yml rename to .github/workflows/ci-main-pull-request-stub-1.0.7.yml From 0cb40df69c54498e4be121dffab2feb99ce6ad5c Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 10 Feb 2026 11:54:33 +0530 Subject: [PATCH 2/4] Add current branch for test Signed-off-by: Vasu1105 --- .github/workflows/ci-main-pull-request-stub-1.0.7.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml index a5480784..32987bd9 100644 --- a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml +++ b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml @@ -4,9 +4,9 @@ name: CI Pull Request – TruffleHog Only on: pull_request: - branches: [ main ] + branches: [ vj/update-common-github-action-workflow, main ] push: - branches: [ main ] + branches: [ vj/update-common-github-action-workflow,main ] workflow_dispatch: From 07234b7b5745f7bd49ede0eb8b47c69fdf8623da Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 10 Feb 2026 11:57:16 +0530 Subject: [PATCH 3/4] Updates the workflow Signed-off-by: Vasu1105 --- .../ci-main-pull-request-stub-1.0.7.yml | 149 +++++++++++++++--- 1 file changed, 129 insertions(+), 20 deletions(-) 
diff --git a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml
index 32987bd9..1062be16 100644
--- a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml
+++ b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml
@@ -1,45 +1,154 @@ -# This stub runs only the TruffleHog scan as part of CI checks on pull requests to main branch. +# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch +# inputs are described in the chef/common-github-actions/ with same name as this stub +# +# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN -name: CI Pull Request – TruffleHog Only +name: CI Pull Request on Main Branch on: pull_request: branches: [ vj/update-common-github-action-workflow, main ] push: - branches: [ vj/update-common-github-action-workflow,main ] - + branches: [ vj/update-common-github-action-workflow, main ] workflow_dispatch: permissions: contents: read +env: + STUB_VERSION: "1.0.7" jobs: + echo_version: + name: 'Echo stub version' + runs-on: ubuntu-latest + steps: + - name: echo version of stub and inputs + run: | + echo "CI main pull request stub version $STUB_VERSION" + + detect-custom-metadata: + name: 'Detect custom properties' + runs-on: ubuntu-latest + outputs: + primaryApp: ${{ steps.set-custom-metadata.outputs.primaryApplication }} + appBuildLanguage: ${{ steps.set-custom-metadata.outputs.applicationBuildLanguage }} + appBuildProfile: ${{ steps.set-custom-metadata.outputs.applicationBuildProfile }} + steps: + - name: 'Detect app, language, and build profile environment variables from repository custom properties' + id: set-custom-metadata + # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]' + run: | + response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values) + primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value') 
+ GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value') + GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value') + echo "PRIMARY APP... $primaryApplication" + echo "BUILD LANG... $GABuildLanguage" + echo "BUILD PROFILE... $GABuildProfile" + echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV + echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV + echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV + # If workflow_dispatch, use inputs (left), if other trigger, use default env (right) + # echo "::set-output name=build-and-verify::${{ github.event.inputs.build-and-verify || 'true' }}" + echo "::set-output name=primaryApplication::$primaryApplication" + echo "::set-output name=applicationBuildLanguage::$GABuildLanguage" + echo "::set-output name=applicationBuildProfile::$GABuildProfile" + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} call-ci-main-pr-check-pipeline: uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main + needs: detect-custom-metadata secrets: inherit permissions: id-token: write contents: read + with: - visibility: ${{ github.event.repository.visibility }} + application: ${{ needs.detect-custom-metadata.outputs.primaryApp }} + visibility: ${{ github.event.repository.visibility }} # private, public, or internal + # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* + + # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" + version: '3.16.1' # ${{ github.event.repository.version }} + detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" + detect-version-source-parameter: '' # use for file name + language: ${{ needs.detect-custom-metadata.outputs.appBuildLanguage }} # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, 
PHP, other - used for build and SonarQube language setting - # Enabled features + # complexity-checks, linting, trufflehog and trivy + perform-complexity-checks: true + # scc-output-filename: 'scc-output.txt' + perform-language-linting: false # Perform language-specific linting and pre-compilation checks perform-trufflehog-scan: true - generate-sbom: true - export-github-sbom: true + perform-trivy-scan: true - # All other features - perform-complexity-checks: false - perform-language-linting: false - perform-blackduck-polaris: false - perform-blackduck-sca-scan: false - build: false + # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language + build: true + build-profile: ${{ needs.detect-custom-metadata.outputs.appBuildProfile }} unit-tests: false - perform-sonarqube-scan: false + unit-test-output-path: "path/to/file.out" + unit-test-command-override: "" + + # BlackDuck SAST (Polaris) require a build or binary present in repo to do SAST testing + # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN + perform-blackduck-polaris: false + polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product + polaris-project-name: ${{ github.event.repository.name }} # arch-sample-cli + polaris-working-directory: '.' # Working directory for the scan, defaults to . 
but usually lang-dependent like ./src + polaris-coverity-build-command: 'go build -o bin/chef-cli.exe' # Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install" + polaris-coverity-clean-command: 'go clean' # Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean" + polaris-detect-search-depth: '5' # Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan' + polaris-assessment-mode: 'SAST' # Assessment mode (SAST, CI or SOURCE_UPLOAD) + wait-for-scan: true + # polaris-detect-args: '' # Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true" + # coverity_build_command: "go build" + # coverity_clean_command: "go clean" + # polaris-config-path: '' # Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml + # polaris-coverity-config-path: '' # Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml + # polaris-coverity-args: '' # Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make + + # perform SonarQube scan, with or without unit test coverage data + # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com) + perform-sonarqube-scan: true + # perform-sonar-build: true + # build-profile: 'default' + # report-unit-test-coverage: true + perform-docker-scan: false # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container" + + # report to central developer dashboard report-to-atlassian-dashboard: false - package-binaries: false - habitat-build: false - publish-packages: false - generate-blackduck-sbom: false + quality-product-name: ${{ github.event.repository.name }} # product name for quality reporting, like Chef360, Courier, Inspec + # quality-sonar-app-name: 
'YourSonarAppName' + # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security + # quality-service-name: 'YourServiceOrRepoName' + # quality-junit-report: 'path/to/junit/report'' + + # perform Habitat-based and native packaging, publish to package repositories + package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA) + habitat-build: false # Create Habitat packages + publish-habitat-packages: false # Publish Habitat packages to Builder + publish-habitat-hab_package: false # Chef Habitat package to install (e.g., core/nginx) + publish-habitat-hab_version: "1.0.0" # Chef Habitat package version (optional) + publish-habitat-hab_release: "20240101010101" # Chef Habitat package release (optional) + publish-habitat-hab_channel: "stable" # Chef Habitat package channel (e.g., stable, base, base-2025); default is stable + publish-habitat-hab_auth_token: "" # Chef Habitat Builder authentication token (uses secret if not provided) + publish-habitat-runner_os: "ubuntu-latest" # OS runner for Habitat package publishing job, can also be windows-latest + habitat-grype-scan: false # Scan built Habitat packages with Grype for vulnerabilities + publish-packages: false # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores) + + # generate and export Software Bill of Materials (SBOM) in various formats + generate-sbom: true + export-github-sbom: true # SPDX JSON artifact on job instance generate-msft-sbom: false - license_scout: false \ No newline at end of file + license_scout: false # Run license scout for license compliance (uses .license_scout.yml) + + # perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk + perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above + blackduck-project-group-name: 
'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' + blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name + + run-bundle-install: true + + # udf1: 'default' # user defined flag 1 + # udf2: 'default' # user defined flag 2q + # udf3: 'default' # user defined flag 3 \ No newline at end of file From be8f5d6a43014bd4d35615bc4b46762020fc1e7a Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 10 Feb 2026 12:54:41 +0530 Subject: [PATCH 4/4] Update the branch to main Signed-off-by: Vasu1105 --- .github/workflows/ci-main-pull-request-stub-1.0.7.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml index 1062be16..fa506d26 100644 --- a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml +++ b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml @@ -7,9 +7,9 @@ name: CI Pull Request on Main Branch on: pull_request: - branches: [ vj/update-common-github-action-workflow, main ] + branches: [ main ] push: - branches: [ vj/update-common-github-action-workflow, main ] + branches: [ main ] workflow_dispatch: permissions:
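Review bot: The `set-custom-metadata` step publishes its three job outputs with the deprecated `::set-output` workflow command while the lines just above it already use the `$GITHUB_ENV` file; the same file-based mechanism should be used for outputs, e.g. `echo "primaryApplication=$primaryApplication" >> "$GITHUB_OUTPUT"`, `echo "applicationBuildLanguage=$GABuildLanguage" >> "$GITHUB_OUTPUT"`, `echo "applicationBuildProfile=$GABuildProfile" >> "$GITHUB_OUTPUT"`, otherwise `application`, `language` and `build-profile` passed to the reusable workflow will silently come through empty once the command is removed. That step is also `continue-on-error: true`, so a failed `gh api` call or a repository with no custom properties set still lets `call-ci-main-pr-check-pipeline` run with `build: true` and an empty language/profile; adding `set -euo pipefail` and an explicit `[ -n "$GABuildLanguage" ] || { echo "GABuildLanguage property not set"; exit 1; }` (or a documented default) would make the misconfiguration visible instead of producing a misleading scan. On the supply-chain side, the reusable workflow is still invoked at the mutable `@main` ref with `secrets: inherit` and `id-token: write` (unchanged context in this hunk), so any future change to that branch gets the inherited Sonar/Polaris/BlackDuck credentials and the OIDC token; pinning to a release tag or commit SHA is the usual mitigation. Finally, per the commit subject the `Gemfile.lock` fed to `generate-sbom` and `perform-blackduck-sca-scan` is produced at run time via `run-bundle-install: true`, which appears to mean the SBOM and SCA results describe whatever bundler resolves on that run rather than a committed, reviewed lockfile — worth confirming that is intended, and that the several Go-flavoured template values left in (`polaris-coverity-build-command: 'go build -o bin/chef-cli.exe'`, `blackduck-project-group-name: 'Chef-Agents'`) are correct for this repository even though Polaris is currently disabled.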