Add SBOM handling action

README.md

@@ -116,6 +116,22 @@ It will create the file `$S3_ASSETS/authorized_publication.txt`
     token: ${{ github.token }}
 ```
 
+### Software Bill of Materials (SBOM)
+
+This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`.
+
+```yaml
+- name: Setup
+  uses: mongodb-labs/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- name: Create SBOM
+  uses: mongodb-labs/drivers-github-tools/sbom@v2
+  with:
+    silk_asset_group: mongodb-python-driver
+```
+
 ## Python Helper Scripts
 
 These scripts are opinionated helper scripts for Python releases.

python/publish/action.yml

@@ -14,6 +14,9 @@ inputs:
   product_name:
     description: "The name of the product"
     required: true
+  silk_asset_group:
+    description: The Silk Asset Group for the Project
+    required: true
   token:
     description: "The GitHub access token"
     required: true
@@ -42,6 +45,9 @@ runs:
         release_version: ${{ inputs.version }}
         filenames: dist/*
         token: ${{ inputs.token }}
+    - uses: mongodb-labs/drivers-github-tools/sbom@v2
+      with:
+        silk_asset_group: ${{ inputs.silk_asset_group }}
     - name: Generate Sarif Report
       uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
       with:

sbom/action.yml

@@ -0,0 +1,20 @@
+name: Download the Augmented SBOM
+description: Downloads the Augmented SBOM for the project
+inputs:
+  silk_asset_group:
+    description: The Silk Asset Group for the Project
+    required: true
+  artifactory_image:
+    description: Image to use for artifactory
+    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
+
+runs:
+  using: composite
+  steps:
+    - name: Download the Augmented SBOM file to the release assets folder
+      shell: bash
+      run: |
+        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \
+          --env-file=${SILKBOMB_ENVFILE} \
+          ${{ inputs.artifactory_image }} \
+          download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/sbom.json

setup/setup.sh

@@ -14,13 +14,22 @@ echo "::group::Set up artifactory"
 echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY
 echo "::endgroup::"
 
-echo "Set up envfile for artifactory image"
-GARASIGN_ENVFILE=/tmp/envfile
+echo "Set up envfile for garasign"
+GARASIGN_ENVFILE=/tmp/garasign-envfile
 cat << EOF > $GARASIGN_ENVFILE
 GRS_CONFIG_USER1_USERNAME=$GARASIGN_USERNAME
 GRS_CONFIG_USER1_PASSWORD=$GARASIGN_PASSWORD
 EOF
 
+if [ -n "${SILKBOMB_USER:-}" ]; then
+  echo "Set up envfile for silkbomb"
+  SILKBOMB_ENVFILE=/tmp/silkbomb-envfile
+  cat << EOF > $SILKBOMB_ENVFILE
+SILK_CLIENT_ID=${SILKBOMB_USER}
+SILK_CLIENT_SECRET=${SILKBOMB_KEY}
+EOF
+fi
+
 echo "Set up output directories"
 export RELEASE_ASSETS=/tmp/release-assets
 mkdir $RELEASE_ASSETS
@@ -34,6 +43,7 @@ AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}"
 GPG_KEY_ID=$GPG_KEY_ID
 GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}"
 GARASIGN_ENVFILE=$GARASIGN_ENVFILE
+SILKBOMB_ENVFILE=$SILKBOMB_ENVFILE
 ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS