Combine to single action

Author: jasonhills-mongodb

.github/workflows/endor_labs_pr_scan.yml

@@ -0,0 +1,113 @@
+name: Generate SBOM
+
+on:
+  pull_request:
+    branches:
+      - "master"
+      - "releases/v*"
+      - "debian/*"
+    paths:
+      - "**/CMakeLists.txt"
+      - "**/*.cmake"
+  push:
+    branches:
+      - "master"
+      - "releases/v*"
+      - "debian/*"
+    paths:
+      - "**/CMakeLists.txt"
+      - "**/*.cmake"
+
+jobs:
+  endor_scan_and_generate_sbom:
+    permissions:
+      id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs
+      contents: write # Required for commit
+      pull-requests: write # Required for PR
+    runs-on: ubuntu-latest
+    env:
+      PR_SCAN: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+        with:
+          fetch-tags: true
+          submodules: recursive
+
+      - name: Configure CMake and fetch dependency sources
+        env:
+          BUILD_TYPE: Release
+          BUILD: ${{github.workspace}}/build
+          CXX_STANDARD: 17
+        working-directory: ${{env.BUILD}}
+        run: |
+          cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} -DENABLE_TESTS=ON
+          git rm .gitignore # prevent exclusion of build/_deps from endorctl scan
+
+      - name: Endor Labs Scan (PR or Monitoring)
+        uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # v1.1.8
+        env:
+          ENDOR_SCAN_EMBEDDINGS: true
+        with:
+          additional_args: '--languages=c --include-path="build/_deps/**"'
+          enable_pr_comments: ${{ env.PR_SCAN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }} # Required for endorctl to write pr comments
+          log_level: info
+          log_verbose: false
+          namespace: mongodb.${{github.repository_owner}}
+          pr: ${{ env.PR_SCAN }}
+          scan_dependencies: true
+          scan_summary_output_type: "table"
+          tags: github_action
+
+      # - name: Set up Python
+      #   if: env.PR_SCAN == false
+      #   uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      #   with:
+      #     python-version: "3.10"
+
+      - name: Install uv
+        if: env.PR_SCAN == false
+        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
+        with:
+          python-version: "3.10"
+          activate-environment: true
+          enable-cache: true
+
+      - name: Stash existing SBOM, generate new SBOM
+        if: env.PR_SCAN == false
+        run: |
+          # Existing SBOM: Strip out nondeterministic SBOM fields and save to temp file
+          jq 'del(.version, .metadata.timestamp, .metadata.tools.services[].version)' sbom.json > ${{runner.temp}}/sbom.existing.cdx.json
+          # etc/sbom/generate_sbom.py
+          uv run --group generate_sbom etc/sbom/generate_sbom.py --enable-github-action-token --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json --save-warnings=${{runner.temp}}/warnings.txt
+          # Generated SBOM: Strip out nondeterministic SBOM fields and save to temp file
+          jq 'del(.version, .metadata.timestamp, .metadata.tools.services[].version)' sbom.json > ${{runner.temp}}/sbom.generated.cdx.json
+
+      - name: Check for SBOM changes
+        if: env.PR_SCAN == false
+        id: sbom_diff
+        run: |
+          # diff the temp SBOM files, save output to variable, supress exit code
+          RESULT=$(diff --brief ${{runner.temp}}/sbom.existing.cdx.json ${{runner.temp}}/sbom.generated.cdx.json)
+          # Set the output variable
+          echo "result=$RESULT" | tee -a $GITHUB_OUTPUT
+
+      - name: Generate pull request content and notice message, if SBOM has changed
+        if: env.PR_SCAN == false && steps.sbom_diff.outputs.result
+        run: |
+          printf "SBOM updated after commit ${{ github.sha }}.\n\n" | cat - ${{runner.temp}}/warnings.txt > ${{runner.temp}}/pr_body.txt
+          echo "::notice title=SBOM-Diff::SBOM has changed"
+
+      - name: Open Pull Request, if SBOM has changed
+        if: env.PR_SCAN == false && steps.sbom_diff.outputs.result
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+        env:
+          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+        with:
+          add-paths: sbom.json
+          body-path: ${{runner.temp}}/pr_body.txt
+          branch: cxx-sbom-update-${{ env.BRANCH_NAME }}
+          commit-message: Update SBOM file(s)
+          delete-branch: true
+          title: CXX Update SBOM action - ${{ env.BRANCH_NAME }}