From c2151a1bf8e2f7f6eaa7503c145708dc49692571 Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Thu, 20 Nov 2025 07:54:53 +0000
Subject: [PATCH 01/14] Initial set of github actions
---
 .github/actions/auxiliry/sbom-update.yml | 35 +++++++++++
 .github/workflows/sbom.yml | 75 ++++++++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 .github/actions/auxiliry/sbom-update.yml
 create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/actions/auxiliry/sbom-update.yml b/.github/actions/auxiliry/sbom-update.yml
new file mode 100644
index 000000000..bb340b894
--- /dev/null
+++ b/.github/actions/auxiliry/sbom-update.yml
@@ -0,0 +1,35 @@
+name: Update the SBOM
+description: Updates the SBOM for the project
+inputs:
+ sbom_in_path:
+ description: The path of the input sbom file.
+ default: sbom.json
+ container_image:
+ description: "The container image to use"
+ default: "artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0"
+
+runs:
+ using: composite
+ steps:
+ - name: Updates the SBOM file and writes it to the release assets and s3 assets folders
+ shell: bash
+ env:
+ SBOM_IN_PATH: ${{ inputs.sbom_in_path }}
+ CONTAINER_IMAGE: ${{ inputs.container_image }}
+ SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
+ PURLS_FILE="${PWD}/purls.txt"
+ run: |
+ set -eu
+
+ LIBMONGOC_VERSION=$(cat ${PWD}/src/LIBMONGOC_VERSION_CURRENT | tr -d '[:space:]')
+ LIBMONGOCRYPT_VERSION=$(cat ${PWD}/src/LIBMONGOCRYPT_VERSION_CURRENT | tr -d '[:space:]')
+
+ # Generate purls file from stored versions
+ echo "pkg:github/mongodb/mongo-c-driver@${LIBMONGOC_VERSION}" > $PURLS_FILE
+ echo "pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" >> $PURLS_FILE
+
+ # Use silkbomb to update the sbom.json file
+ docker run --platform="linux/amd64" -it --rm -v $PWD:/pwd ${CONTAINER_IMAGE} \
+ update --sbom-in /pwd/sbom.json --purls /pwd/purls.txt --sbom-out /pwd/sbom.json
+
+ echo "Generating SBOM file done."
\ No newline at end of file
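Review bot: The `run:` script sets `set -eu` but not `pipefail`, so if `src/LIBMONGOC_VERSION_CURRENT` is missing the `cat ... | tr` pipeline still exits 0 and an empty version is written into the purl (`pkg:github/mongodb/mongo-c-driver@`) and handed to the SBOM tool; use `set -euo pipefail` and fail explicitly on an empty value, e.g. `: "${LIBMONGOC_VERSION:?version file missing or empty}"`. The `container_image` default is pinned only by the mutable tag `silkbomb:1.0`; for a tool that rewrites the repository's SBOM in place, pin by digest as well (`.../silkbomb:1.0@sha256:<IMAGE_DIGEST>`) so the generator itself is reproducible. `PURLS_FILE="${PWD}/purls.txt"` under `env:` is not a `key: value` pair and `inputs.sbom_file_name` is not declared in `inputs:`; both are corrected later in this series but make this commit fail to load on its own.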
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 000000000..55f979678
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,75 @@
+name: Post-Merge SBOM Update
+
+on:
+ pull_request:
+ types: [closed]
+
+ paths:
+ - 'src/libmongoc/**'
+ - 'src/libmongocrypt/**'
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ sbom:
+ name: Generate SBOM and Create PR
+ runs-on: ubuntu-latest
+
+ if: github.event.pull_request.merged == true
+
+ concurrency:
+ group: sbom-${{ github.ref }}
+ cancel-in-progress: false
+
+ steps:
+ - name: Checkout repository (Base Branch)
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.base.ref }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Run SBOM Updater
+ uses: ./.github/actions/sbom
+
+ - name: Check for Changes in sbom.json
+ id: git_status
+ run: |
+ # Use git to check if the sbom.json file differs from the current commit
+ if git diff --exit-code sbom.json ; then
+ echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT
+ else
+ echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Create Pull Request
+ if: steps.git_status.outputs.HAS_CHANGES == 'true'
+ uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore: Update SBOM after dependency changes'
+ branch: auto-update-sbom-${{ github.run_id }}
+ delete-branch: true
+ title: 'chore: Update SBOM'
+ body: |
+ ## Automated SBOM Update
+
+ This PR was automatically generated because dependency manifest files changed.
+
+ ### Changes
+ - Updated `sbom.json` to reflect current dependencies
+
+ ### Verification
+ The SBOM was generated using SilkBomb v1.0.
+
+ ### Triggered by
+ - Commit: ${{ github.sha }}
+ - Workflow run: ${{ github.run_id }}
+
+ ---
+ _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
+ labels: |
+ sbom
+ automated
+ dependencies
\ No newline at end of file
From 9abfbb0851c8d63233388db1a861fc9b6b9d744f Mon Sep 17 00:00:00 2001
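Review bot: `uses: actions/checkout@v4` is pinned by a mutable tag while `peter-evans/create-pull-request` in the same job is pinned to a full commit SHA; in a workflow that runs with `contents: write` and `pull-requests: write` and pushes a branch, pin every third-party action the same way, `uses: actions/checkout@<FULL_COMMIT_SHA> # v4`. Pull requests opened with `secrets.GITHUB_TOKEN` do not trigger `pull_request` workflows, so CI will not run on the generated PR unless that is intended; worth a comment on the `token:` line either way. The PR body hard-codes `SilkBomb v1.0` although the image is an input of the composite action, so the two will drift silently; drop the version or pass it through from the action. The `>> $GITHUB_OUTPUT` redirections should quote the variable (`>> "$GITHUB_OUTPUT"`); the step is rewritten later in this series, so only the pinning point still applies at the end of it.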
From: Eduard Kovalets
Date: Thu, 20 Nov 2025 08:31:23 +0000
Subject: [PATCH 02/14] Adding manual trigger
---
 .github/workflows/sbom.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 55f979678..a56c26c5a 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -8,6 +8,13 @@ on: - 'src/libmongoc/**' - 'src/libmongocrypt/**' + workflow_dispatch: + inputs: + debug: + description: 'Enable debug mode' + required: false + default: 'false' + permissions: contents: write pull-requests: write
From fd2ed57f6327b48167f13d591949a050d7ac42c9 Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 00:53:50 +0000
Subject: [PATCH 03/14] Workflow trigger update
---
 .github/workflows/sbom.yml | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index a56c26c5a..a1a9ef2e9 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -1,19 +1,14 @@ name: Post-Merge SBOM Update on: - pull_request: - types: [closed] - + push: + branches: + - v1.21 paths: - 'src/libmongoc/**' - 'src/libmongocrypt/**' workflow_dispatch: - inputs: - debug: - description: 'Enable debug mode' - required: false - default: 'false' permissions: contents: write
@@ -23,9 +18,7 @@ jobs: sbom: name: Generate SBOM and Create PR runs-on: ubuntu-latest - - if: github.event.pull_request.merged == true - + concurrency: group: sbom-${{ github.ref }} cancel-in-progress: false
From f57c91724bcba0e2e5d8dcc23722875ee71753ff Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:05:11 +0000
Subject: [PATCH 04/14] v2
---
 .../actions/{auxiliry/sbom-update.yml => sbom-update/action.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/actions/{auxiliry/sbom-update.yml => sbom-update/action.yml} (100%)
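Review bot: Switching the trigger to `push` on `v1.21` leaves the checkout step's `ref: ${{ github.event.pull_request.base.ref }}` (outside this hunk and untouched by the rest of the series) evaluating to an empty string, since push events carry no `pull_request` payload; as far as I can tell `actions/checkout` then falls back to the pushed commit, so the job works by accident rather than by design. Make the intent explicit by deleting the `ref:` line or writing `ref: ${{ github.ref }}`. The step name `Checkout repository (Base Branch)` and the workflow name `Post-Merge SBOM Update` also no longer describe a push-triggered run and should be renamed alongside.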
diff --git a/.github/actions/auxiliry/sbom-update.yml b/.github/actions/sbom-update/action.yml
similarity index 100%
rename from .github/actions/auxiliry/sbom-update.yml
rename to .github/actions/sbom-update/action.yml
From ebf53c4cceffb997c684e83eaa85feb2f408154b Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:12:26 +0000
Subject: [PATCH 05/14] v3
---
 .github/workflows/sbom.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index a1a9ef2e9..52683f4a7 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -31,7 +31,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} - name: Run SBOM Updater - uses: ./.github/actions/sbom + uses: ./.github/actions/sbom-update - name: Check for Changes in sbom.json id: git_status
From bd6176a6a3bef4771efce80f658854ce74347eb3 Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:22:52 +0000
Subject: [PATCH 06/14] v4
---
 .github/actions/sbom-update/action.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml
index bb340b894..aa0436ed9 100644
--- a/.github/actions/sbom-update/action.yml
+++ b/.github/actions/sbom-update/action.yml
@@ -4,6 +4,9 @@ inputs: sbom_in_path: description: The path of the input sbom file. default: sbom.json + sbom_file_name: + description: The name of the output sbom file. + default: sbom.json container_image: description: "The container image to use" default: "artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0"
@@ -17,7 +20,7 @@ runs: SBOM_IN_PATH: ${{ inputs.sbom_in_path }} CONTAINER_IMAGE: ${{ inputs.container_image }} SBOM_FILE_NAME: ${{ inputs.sbom_file_name }} - PURLS_FILE="${PWD}/purls.txt" + PURLS_FILE: "${PWD}/purls.txt" run: | set -eu
@@ -29,7 +32,7 @@ runs: echo "pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" >> $PURLS_FILE # Use silkbomb to update the sbom.json file - docker run --platform="linux/amd64" -it --rm -v $PWD:/pwd ${CONTAINER_IMAGE} \ - update --sbom-in /pwd/sbom.json --purls /pwd/purls.txt --sbom-out /pwd/sbom.json + docker run --platform="linux/amd64" -i --rm -v $PWD:/pwd ${CONTAINER_IMAGE} \ + update --sbom-in ${SBOM_IN_PATH} --purls /pwd/purls.txt --sbom-out ${SBOM_FILE_NAME} echo "Generating SBOM file done."
\ No newline at end of file
From 38f7c073d2ea546ffed44a5de22be4ebf37d21cf Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:31:34 +0000
Subject: [PATCH 07/14] v5
---
 .github/actions/sbom-update/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml
index aa0436ed9..98b0cd8d9 100644
--- a/.github/actions/sbom-update/action.yml
+++ b/.github/actions/sbom-update/action.yml
@@ -20,7 +20,7 @@ runs: SBOM_IN_PATH: ${{ inputs.sbom_in_path }} CONTAINER_IMAGE: ${{ inputs.container_image }} SBOM_FILE_NAME: ${{ inputs.sbom_file_name }} - PURLS_FILE: "${PWD}/purls.txt" + PURLS_FILE: "${{ github.workspace }}/purls.txt" run: | set -eu
From da0a90f88357e029f590d3b124015323dce311af Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:36:26 +0000
Subject: [PATCH 08/14] v6
---
 .github/actions/sbom-update/action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml
index 98b0cd8d9..cef556a30 100644
--- a/.github/actions/sbom-update/action.yml
+++ b/.github/actions/sbom-update/action.yml
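Review bot: `--purls /pwd/purls.txt` on the new `docker run` line hard-codes the in-container path while the host side writes to `$PURLS_FILE`; the two agree only because the workspace happens to be mounted at `/pwd` and `PURLS_FILE` happens to point into it, so derive one from the other, e.g. `--purls "/pwd/$(basename "$PURLS_FILE")"`. `$PWD` in `-v $PWD:/pwd` and `${CONTAINER_IMAGE}` are unquoted; quote both (`-v "$PWD:/pwd" "$CONTAINER_IMAGE"`) so a workspace path with spaces or an empty input fails loudly instead of being word-split. Dropping `-t` is right for a non-interactive runner; `-i` can go as well unless the tool reads stdin, which nothing here suggests.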
@@ -3,10 +3,10 @@ description: Updates the SBOM for the project inputs: sbom_in_path: description: The path of the input sbom file. - default: sbom.json + default: ./sbom.json sbom_file_name: description: The name of the output sbom file. - default: sbom.json + default: ./sbom.json container_image: description: "The container image to use" default: "artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0"
From 5a847f55e23a77c08bbf06d75aa4c5ab0cbee2e7 Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:42:06 +0000
Subject: [PATCH 09/14] v7
---
 .github/actions/sbom-update/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml
index cef556a30..71d211694 100644
--- a/.github/actions/sbom-update/action.yml
+++ b/.github/actions/sbom-update/action.yml
@@ -33,6 +33,6 @@ runs: # Use silkbomb to update the sbom.json file docker run --platform="linux/amd64" -i --rm -v $PWD:/pwd ${CONTAINER_IMAGE} \ - update --sbom-in ${SBOM_IN_PATH} --purls /pwd/purls.txt --sbom-out ${SBOM_FILE_NAME} + update --sbom-in /pwd/${SBOM_IN_PATH} --purls /pwd/purls.txt --sbom-out /pwd/${SBOM_FILE_NAME} echo "Generating SBOM file done."
\ No newline at end of file
From 0b1500db76291de0b6ca9ef01dfdb1eedab6b2fe Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:47:08 +0000
Subject: [PATCH 10/14] v8
---
 .github/workflows/sbom.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 52683f4a7..ab2a1cae5 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
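Review bot: With the `/pwd/${SBOM_IN_PATH}` and `/pwd/${SBOM_FILE_NAME}` prefixes added in the second hunk on this line, both inputs are effectively paths relative to the workspace root, yet their descriptions still read `The path of the input sbom file.` and `The name of the output sbom file.`, and the new `./sbom.json` defaults expand to `/pwd/./sbom.json`; document the contract, e.g. `description: Path of the input SBOM, relative to the repository root (mounted at /pwd inside the container).` An absolute path or one containing `..` would not resolve inside the mount or would escape it, so a guard in the `run:` script such as `case "$SBOM_IN_PATH" in /*|*..*) echo "sbom_in_path must be a relative path inside the workspace" >&2; exit 1;; esac` (and the same for `SBOM_FILE_NAME`) makes that failure explicit. The `run:` block itself starts outside both hunks.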
@@ -36,11 +36,25 @@ jobs: - name: Check for Changes in sbom.json id: git_status run: | - # Use git to check if the sbom.json file differs from the current commit - if git diff --exit-code sbom.json ; then - echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT + # Filter to remove/normalize serialNumber and timestamp fields + JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)' + + # Check if the base file exists in Git (to prevent errors on first commit) + if ! git show HEAD:$SBOM_FILE > /dev/null 2>&1; then + echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + exit 0 + fi + + # Compare the normalized committed version vs. the normalized current version + if diff -q \ + <(git show HEAD:$SBOM_FILE | jq -r "$JQ_NORMALIZER") \ + <(cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"); then + + echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT + echo "No changes detected in sbom.json" else - echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + echo "Changes detected in sbom.json" fi - name: Create Pull Request
From 6f62dc6649a40965578015ab06fa6c55ac675518 Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:52:22 +0000
Subject: [PATCH 11/14] v9
---
 .github/workflows/sbom.yml | 42 ++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index ab2a1cae5..26be48444 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -35,26 +35,38 @@ jobs: - name: Check for Changes in sbom.json id: git_status + env: + SBOM_FILE: ${{ env.SBOM_FILE_NAME }} run: | - # Filter to remove/normalize serialNumber and timestamp fields - JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)' + set -e - # Check if the base file exists in Git (to prevent errors on first commit) - if ! git show HEAD:$SBOM_FILE > /dev/null 2>&1; then - echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT - exit 0 + # Validate current SBOM is valid JSON + if ! jq empty "$SBOM_FILE" 2>/dev/null; then + echo "Error: $SBOM_FILE is not valid JSON" + cat "$SBOM_FILE" + exit 1 fi - # Compare the normalized committed version vs. the normalized current version - if diff -q \ - <(git show HEAD:$SBOM_FILE | jq -r "$JQ_NORMALIZER") \ - <(cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"); then - - echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT - echo "No changes detected in sbom.json" + # JQ filter to normalize timestamps and serialNumber + JQ_NORMALIZER='del(.serialNumber, .metadata.timestamp) | walk(if type == "object" and has("timestamp") then .timestamp = "NORMALIZED" else . end)' + + # Check if the file exists in Git + if ! git show HEAD:"$SBOM_FILE" > /dev/null 2>&1; then + echo "File is new - marking as changed" + echo "HAS_CHANGES=true" >> "$GITHUB_OUTPUT" + exit 0 + fi + + # Normalize both versions and compare + NORMALIZED_OLD=$(git show HEAD:"$SBOM_FILE" | jq --sort-keys "$JQ_NORMALIZER") + NORMALIZED_NEW=$(jq --sort-keys "$JQ_NORMALIZER" "$SBOM_FILE") + + if [ "$NORMALIZED_OLD" = "$NORMALIZED_NEW" ]; then + echo "No changes detected in $SBOM_FILE" + echo "HAS_CHANGES=false" >> "$GITHUB_OUTPUT" else - echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT - echo "Changes detected in sbom.json" + echo "Changes detected in $SBOM_FILE" + echo "HAS_CHANGES=true" >> "$GITHUB_OUTPUT" fi - name: Create Pull Request 
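Review bot: `JQ_NORMALIZER` strips `.serialNumber` and `.metadata.timestamp` but leaves the top-level `.version`, which the generated sbom.json commit at the end of this series shows being incremented (13 to 14) alongside the content change; if the tool bumps it on every run even when components are unchanged, the comparison will always report a change and open a PR on every push, so confirm that and, if so, use `del(.serialNumber, .metadata.timestamp, .version)`. The new `env:` block takes `SBOM_FILE` from `${{ env.SBOM_FILE_NAME }}`, which nothing in the workflow defines at this point (a later patch in the series replaces it with a job-level `env`). `set -e` without `pipefail` means `git show HEAD:"$SBOM_FILE" | jq ...` reports only jq's status; `set -eo pipefail` makes a failing `git show` fatal instead of feeding jq empty input.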
From ae350dd1a6f6ae36536a3f6487579e7db7fa7086 Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 01:58:03 +0000
Subject: [PATCH 12/14] v10
---
 .github/workflows/sbom.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 26be48444..db2be8e14 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -22,7 +22,8 @@ jobs: concurrency: group: sbom-${{ github.ref }} cancel-in-progress: false - + env: + SBOM_FILE: sbom.json steps: - name: Checkout repository (Base Branch) uses: actions/checkout@v4
@@ -35,8 +36,6 @@ jobs: - name: Check for Changes in sbom.json id: git_status - env: - SBOM_FILE: ${{ env.SBOM_FILE_NAME }} run: | set -e
From 4a25103f94802536f3a96edcbc8a54b073fc7e8b Mon Sep 17 00:00:00 2001
From: Eduard Kovalets
Date: Tue, 25 Nov 2025 02:05:14 +0000
Subject: [PATCH 13/14] v11 temp change
---
 .github/actions/sbom-update/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml
index 71d211694..d21bed8f1 100644
--- a/.github/actions/sbom-update/action.yml
+++ b/.github/actions/sbom-update/action.yml
@@ -28,7 +28,7 @@ runs: LIBMONGOCRYPT_VERSION=$(cat ${PWD}/src/LIBMONGOCRYPT_VERSION_CURRENT | tr -d '[:space:]') # Generate purls file from stored versions - echo "pkg:github/mongodb/mongo-c-driver@${LIBMONGOC_VERSION}" > $PURLS_FILE + echo "pkg:github/mongodb/mongo-cc-driver@${LIBMONGOC_VERSION}" > $PURLS_FILE echo "pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" >> $PURLS_FILE # Use silkbomb to update the sbom.json file
From a552f25249976bf30014d96a8cb939cbc8ef25ec Mon Sep 17 00:00:00 2001
From: ekovalets <210755696+ekovalets@users.noreply.github.com>
Date: Tue, 25 Nov 2025 02:09:06 +0000
Subject: [PATCH 14/14] chore: Update SBOM after dependency changes
---
 sbom.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
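Review bot: The job-level `SBOM_FILE: sbom.json` added in the first hunk duplicates the path the `sbom-update` action already defaults to (`./sbom.json` for both `sbom_in_path` and `sbom_file_name`) with nothing tying the two together, so the change check and the generator can silently diverge if either is edited; pass it through explicitly on the `Run SBOM Updater` step (outside this hunk), `with:` / `sbom_in_path: ${{ env.SBOM_FILE }}` / `sbom_file_name: ${{ env.SBOM_FILE }}`. The `env:` stanza is also inserted directly after `cancel-in-progress: false` where the removed line was a blank separator, breaking the one-blank-line-between-stanzas layout the rest of the job uses.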
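Review bot: The last hunk on this line rewrites the purl to `pkg:github/mongodb/mongo-cc-driver@${LIBMONGOC_VERSION}`, a package that does not exist, and its commit message labels it a temporary change; the generated sbom.json commit that follows shows the consequence: `bom-ref`, `purl`, `name` and both `externalReferences` URLs now describe `mongo-cc-driver@1.30.6`, which no consumer can resolve. An SBOM carrying a fabricated component identifier is worse than a stale one for anyone using it for vulnerability matching or provenance checks, so this patch and the bot-generated sbom.json commit should be dropped from the series before merge, restoring `echo "pkg:github/mongodb/mongo-c-driver@${LIBMONGOC_VERSION}" > $PURLS_FILE`. If an end-to-end test of the PR-creation path is needed, run it from a branch outside the `push.branches` filter rather than committing test data to the tracked SBOM.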
diff --git a/sbom.json b/sbom.json
index 0e72977bf..21a60f93b 100644
--- a/sbom.json
+++ b/sbom.json
@@ -19,20 +19,20 @@ "version": "1.12.0" }, { - "bom-ref": "pkg:github/mongodb/mongo-c-driver@1.30.6", + "bom-ref": "pkg:github/mongodb/mongo-cc-driver@1.30.6", "externalReferences": [ { "type": "distribution", - "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/1.30.6.tar.gz" + "url": "https://github.com/mongodb/mongo-cc-driver/archive/refs/tags/1.30.6.tar.gz" }, { "type": "website", - "url": "https://github.com/mongodb/mongo-c-driver/tree/1.30.6" + "url": "https://github.com/mongodb/mongo-cc-driver/tree/1.30.6" } ], "group": "mongodb", - "name": "mongo-c-driver", - "purl": "pkg:github/mongodb/mongo-c-driver@1.30.6", + "name": "mongo-cc-driver", + "purl": "pkg:github/mongodb/mongo-cc-driver@1.30.6", "type": "library", "version": "1.30.6" }
@@ -42,11 +42,11 @@ "ref": "pkg:github/mongodb/libmongocrypt@1.12.0" }, { - "ref": "pkg:github/mongodb/mongo-c-driver@1.30.6" + "ref": "pkg:github/mongodb/mongo-cc-driver@1.30.6" } ], "metadata": { - "timestamp": "2025-10-07T14:08:41.389820+00:00", + "timestamp": "2025-11-25T02:09:05.798479+00:00", "tools": [ { "externalReferences": [
@@ -90,7 +90,7 @@ ] }, "serialNumber": "urn:uuid:acb30d08-ee47-4ff0-b301-d66ef1f54082", - "version": 13, + "version": 14, "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5",