FOSSA License Compliance and Security Check

FOSSA License Compliance and Security Check #3

Workflow file for this run

.github/workflows/fossa_ai.yml at 10704e9

	name: FOSSA License Compliance and Security Check

	on:
	workflow_call:
	inputs:
	check_snippets:
	description: "Run FOSSA Snippets Detection"
	required: false
	default: false
	type: boolean
	check_ai_generated_code:
	description: "Run FOSSA AI Generated Code Detection"
	required: false
	default: false
	type: boolean
	generate_sbom:
	description: "Generate FOSSA SBOM Report"
	required: false
	default: false
	type: boolean
	latest_version:
	required: false
	type: string
	repo_name:
	required: false
	type: string
	workflow_dispatch:
	inputs:
	latest_version:
	required: true
	type: string
	repo_name:
	required: true
	type: string
	branch_name:
	required: true
	type: string
	repository_dispatch:
	types: [oss-released-version]

	jobs:
	fossa-scan:
	runs-on: ubuntu-latest
	permissions: write-all
	if: github.event_name != 'repository_dispatch' && github.event_name != 'workflow_dispatch'
	env:
	FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}

	steps:
	- name: Checkout Code
	uses: actions/checkout@v4
	with:
	ref: ${{ github.ref }}
	fetch-depth: 0

	- name: Get Fossa Configuration
	if: ${{ inputs.check_ai_generated_code }}
	run: \|
	curl -o $PWD/.github/.fossa.yml https://raw.githubusercontent.com/liquibase/build-logic/main/.github/.fossa.yml

	- name: Install FOSSA CLI
	run: \|
	curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh \| bash

	- name: Run FOSSA Snippets Detection
	if: ${{ inputs.check_snippets }}
	id: snippets
	run: \|
	# https://github.com/fossas/fossa-cli/blob/master/docs/references/subcommands/snippets/analyze.md
	fossa snippets analyze -o snippets 2>&1 \| tee snippets.out
	FILE="snippets.out"
	if [ -f "$FILE" ]; then
	if grep -q "0 matches" "$FILE"; then
	echo "The file '$FILE' contains '0 matches'."
	else
	echo "The file '$FILE' does not contain '0 matches'."
	exit 1
	fi
	else
	echo "Error: The file '$FILE' does not exist."
	fi

	- name: Generate Snippet Dependencies
	if: ${{ inputs.check_snippets }}
	run: \|
	# https://github.com/fossas/fossa-cli/blob/master/docs/references/subcommands/snippets/commit.md
	fossa snippets commit --analyze-output snippets --overwrite-fossa-deps --format yml

	- name: Run FOSSA Analyze with AI Generated Code Detection
	id: analyze-ai
	if: ${{ inputs.check_ai_generated_code }}
	run: \|
	# https://github.com/fossas/fossa-cli/tree/master/docs/references/subcommands/analyze
	mkdir patch
	cp $PWD/.github/.fossa.yml patch/.fossa.yml
	# Export the full content of changed files to 'patch.zip'
	git diff --name-only HEAD~1 HEAD \| xargs zip patch.zip
	unzip patch.zip -d patch/
	# Analyze the changes using FOSSA and redirect output to analyze.out
	fossa analyze -p ${{ github.event.repository.name }} patch -o 2>&1 \| tee analyze.out

	- name: Run FOSSA Analyze
	id: analyze
	run: \|
	# https://github.com/fossas/fossa-cli/tree/master/docs/references/subcommands/analyze
	# Run the full analyze on the current branch to be checked by the test command
	fossa analyze -p ${{ github.event.repository.name }} -b ${{ github.head_ref \|\| github.ref_name }} 2>&1 \| tee analyze_no_ai.out

	- name: Run FOSSA Test
	id: test
	run: \|
	# https://github.com/fossas/fossa-cli/tree/master/docs/references/subcommands/test
	fossa test -p ${{ github.event.repository.name }} 2>&1 \| tee test.out
	FILE="test.out"
	if [ -f "$FILE" ]; then
	if grep -q "Test passed" "$FILE"; then
	echo "The file '$FILE' contains 'Test passed'."
	else
	echo "The file '$FILE' does not contain 'Test passed'."
	exit 1
	fi
	else
	echo "Error: The file '$FILE' does not exist."
	fi

	- name: Label PR with AI label
	if: ${{ inputs.check_ai_generated_code }}
	uses: actions/github-script@v6
	continue-on-error: true
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	const fs = require('fs')
	const analyze_file = fs.readFileSync('analyze.out', 'utf8')
	if (analyze_file.includes('GitHub Copilot generated code') \|\| analyze_file.includes('AI generated code')) {
	github.rest.issues.addLabels({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	labels: ['AI Generated Code']
	})
	}
	else {
	github.rest.issues.removeLabel({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	name: 'AI Generated Code'
	})
	}

	- name: Run FOSSA SBOM Report
	if: ${{ inputs.generate_sbom }}
	run: \|
	# https://github.com/fossas/fossa-cli/blob/master/docs/references/subcommands/report.md
	fossa report -p ${{ github.event.repository.name }} attribution --format html 2>&1 \| tee sbom.html

	- name: Archive FOSSA SBOM Report
	if: ${{ inputs.generate_sbom }}
	uses: actions/upload-artifact@v4
	with:
	name: sbom
	path: sbom.html

	generate-oss-pro-sbom-reports:
	runs-on: ubuntu-latest
	permissions: write-all
	if: github.event_name == 'repository_dispatch' \|\| github.event_name == 'workflow_dispatch'

	env:
	FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
	steps:
	- name: Checkout Code
	if: github.event_name == 'repository_dispatch'
	uses: actions/checkout@v4

	- name: Checkout Code
	if: github.event_name == 'workflow_dispatch'
	uses: actions/checkout@v4
	with:
	repository: ${{ github.event.inputs.repo_name }}
	ref: ${{ github.event.inputs.branch_name }}

	- name: Setup
	id: setup
	run: \|
	echo "repo_name=${{ github.event.inputs.repo_name \|\| github.event.client_payload.repo_name}}" >> $GITHUB_OUTPUT
	echo "latest_version=${{ github.event.inputs.latest_version \|\| github.event.client_payload.latest_version}}" >> $GITHUB_OUTPUT


	- name: Install FOSSA CLI
	run: \|
	curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh \| bash

	- name: Run FOSSA SBOM Report for OSS
	if: ${{ steps.setup.outputs.repo_name == 'liquibase' }}
	run: \|
	# https://github.com/fossas/fossa-cli/blob/master/docs/references/subcommands/report.md
	fossa report -p ${{ steps.setup.outputs.repo_name }} attribution --format html 2>&1 \| tee oss-sbom.html

	- name: Run FOSSA SBOM Reports for OSS-pro
	if: ${{ steps.setup.outputs.repo_name == 'liquibase-pro' }}
	run: \|
	# https://github.com/fossas/fossa-cli/blob/master/docs/references/subcommands/report.md
	fossa report -p ${{ steps.setup.outputs.repo_name }} attribution --format cyclonedx-json 2>&1 \| tee pro-sbom-cyclonedx-json.json
	fossa report -p ${{ steps.setup.outputs.repo_name }} attribution --format spdx-json 2>&1 \| tee pro-sbom-spdx-json.json

	- name: Set up AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-access-key-id: ${{ secrets.LIQUIBASEORIGIN_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.LIQUIBASEORIGIN_SECRET_ACCESS_KEY }}
	aws-region: us-east-1

	- name: Get current timestamp
	id: timestamp
	run: echo "timestamp=$(date +'%Y-%m-%d')" >> $GITHUB_ENV

	- name: Upload OSS FOSSA Results to s3
	run: \|
	aws s3 cp oss-sbom.html s3://liquibaseorg-origin/sbom-lb-lbpro-releases/liquibase-${{ steps.setup.outputs.latest_version }}_${{ env.timestamp }}/
	aws s3 cp pro-sbom-cyclonedx-json.json s3://liquibaseorg-origin/sbom-lb-lbpro-releases/liquibase-${{ steps.setup.outputs.latest_version }}_${{ env.timestamp }}/
	aws s3 cp pro-sbom-spdx-json.json s3://liquibaseorg-origin/sbom-lb-lbpro-releases/liquibase-${{ steps.setup.outputs.latest_version }}_${{ env.timestamp }}/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FOSSA License Compliance and Security Check #3

Workflow file

FOSSA License Compliance and Security Check #3

Jobs

Run details

Workflow file for this run