├── LICENSE ├── NOTICE ├── README.md └── action.yml /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 
40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | The ORT Project 2 | 3 | Copyright (C) 2020-2022 HERE Europe B.V. 4 | Copyright (C) 2022 Alliander N.V. 5 | Copyright (C) 2022 EPAM Systems, Inc. 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # GitHub Action for ORT 2 | 3 | Run licensing, security and best practices checks and generate reports/SBOMs using [ORT][ort]. 
4 | 5 | ## Usage 6 | 7 | See [action.yml](action.yml) 8 | 9 | ### Basic 10 | 11 | ```yaml 12 | jobs: 13 | ort: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Use HTTPS instead of SSH for Git cloning 17 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 18 | - name: Checkout project 19 | uses: actions/checkout@v3 20 | - name: Run GitHub Action for ORT 21 | uses: oss-review-toolkit/ort-ci-github-action@v1 22 | ``` 23 | 24 | Alternatively, you can also use ORT to download the project sources using Git, Git-repo, Mercurial or Subversion. 25 | 26 | ```yaml 27 | jobs: 28 | ort: 29 | runs-on: ubuntu-latest 30 | steps: 31 | - name: Use HTTPS instead of SSH for Git cloning 32 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 33 | - name: Run GitHub Action for ORT 34 | uses: oss-review-toolkit/ort-ci-github-action@v1 35 | with: 36 | vcs-url: 'https://github.com/jshttp/mime-types.git' 37 | ``` 38 | 39 | ### Scenarios 40 | 41 | - [Run ORT and analyze only specified package managers](#Run-ORT-and-analyze-only-specified-package-managers) 42 | - [Run ORT with labels](#Run-ORT-with-labels) 43 | - [Run ORT and fail job on policy violations or security issues](#Run-ORT-and-fail-job-on-policy-violations-or-security-issues) 44 | - [Run ORT on private repositories](#Run-ORT-on-private-repositories) 45 | - [Run ORT on multiple repositories using a matrix](#Run-ORT-on-multiple-repositories-using-a-matrix) 46 | - [Run ORT with a custom global configuration](#Run-ORT-with-a-custom-global-configuration) 47 | - [Run ORT with a custom Docker image](#Run-ORT-with-a-custom-Docker-image) 48 | - [Run ORT with PostgreSQL database](#Run-ORT-with-PostgreSQL-database) 49 | - [Run only parts of the GitHub Action for ORT](#Run-only-parts-of-the-GitHub-Action-for-ORT) 50 | 51 | #### Run ORT and analyze only specified package managers 52 | 53 | ```yaml 54 | jobs: 55 | ort: 56 | runs-on: ubuntu-latest 57 | steps: 58 | - name: Use HTTPS 
instead of SSH for Git cloning 59 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 60 | - name: Checkout project 61 | uses: actions/checkout@v3 62 | with: 63 | repository: 'jshttp/mime-types' 64 | - name: Run GitHub Action for ORT 65 | uses: oss-review-toolkit/ort-ci-github-action@v1 66 | with: 67 | allow-dynamic-versions: 'true' 68 | ort-cli-args: '-P ort.analyzer.enabledPackageManagers=NPM,Yarn,Yarn2' 69 | ``` 70 | Note that a value given for `ort-cli-args` replaces the action's default (`-P ort.forceOverwrite=true --stacktrace`, see [action.yml](action.yml)); add those flags back if you still want them. 71 | #### Run ORT with labels 72 | 73 | Use labels to track scan-related information or to execute policy rules for a specific product, delivery or organization. 74 | 75 | ```yaml 76 | jobs: 77 | ort: 78 | runs-on: ubuntu-latest 79 | steps: 80 | - name: Use HTTPS instead of SSH for Git cloning 81 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 82 | - name: Checkout project 83 | uses: actions/checkout@v3 84 | with: 85 | repository: 'jshttp/mime-types' 86 | - name: Run GitHub Action for ORT 87 | uses: oss-review-toolkit/ort-ci-github-action@v1 88 | with: 89 | allow-dynamic-versions: 'true' 90 | ort-cli-analyze-args: > 91 | -l project=oss-project 92 | -l dist=external 93 | -l org=engineering-sdk-xyz-team-germany-berlin 94 | ``` 95 | 96 | #### Run ORT and fail job on policy violations or security issues 97 | 98 | Set `fail-on` to fail the action if: 99 | - policy violations reported by the Evaluator exceed the `severeRuleViolationThreshold` level. 100 | - security issues reported by the Advisor exceed the `severeIssueThreshold` level. 101 | 102 | By default both `severeRuleViolationThreshold` and `severeIssueThreshold` are set to `WARNING`; 103 | you can raise them to, for example, `ERROR` in your [config.yml][ort-config-yml].
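The thresholds above are enforced by ORT itself. As an added example that is not part of this action or of ORT, the following script applies the same kind of severity gate to the CycloneDX JSON SBOM the action writes (exposed as the `results-sbom-cyclonedx-json-path` output in action.yml), and additionally fails on a deny-list of licenses. It assumes the SBOM follows CycloneDX 1.4+ JSON (a `components[]` array with `licenses[]`, and a `vulnerabilities[]` array whose entries carry `ratings[].severity` and `affects[].ref`); the embedded sample SBOM, its component names and its vulnerability id are constructed for the example. Unknown or missing severities are treated as more severe than `critical` so the gate fails closed.

```python
"""Gate a CI job on a CycloneDX JSON SBOM (added example, not ORT code).

Assumes CycloneDX 1.4+ JSON: components[] with licenses[], and an optional
vulnerabilities[] array with ratings[].severity and affects[].ref.
"""
import json
import sys
from dataclasses import dataclass, field

# CycloneDX severity vocabulary, least to most severe.
SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]

# Constructed sample SBOM: two components, one vulnerability with two ratings,
# one copyleft licence. Not real advisory data.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/mime-types@2.1.35",
         "name": "mime-types", "version": "2.1.35",
         "purl": "pkg:npm/mime-types@2.1.35",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/example-lib@1.0.0",
         "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:npm/example-lib@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-2022-0001",  # constructed id, not a real advisory
         "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}]},
    ],
})


@dataclass
class GateResult:
    failed: bool
    vulnerability_hits: list = field(default_factory=list)  # (id, severity, [refs])
    license_hits: list = field(default_factory=list)        # (component ref, licence)


def severity_rank(sev):
    """Rank a CycloneDX severity; anything unknown ranks above critical (fail closed)."""
    sev = (sev or "unknown").lower()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def worst_severity(vuln):
    """A vulnerability may carry ratings from several sources; gate on the worst."""
    ratings = vuln.get("ratings") or []
    if not ratings:
        return "unknown"
    return max((r.get("severity", "unknown") for r in ratings), key=severity_rank)


def evaluate_sbom(sbom_json, severity_threshold="high", denied_licenses=()):
    """Fail if any vulnerability is at or above the threshold or any component
    carries a denied licence (SPDX id, name or expression, compared case-insensitively)."""
    bom = json.loads(sbom_json)
    threshold_rank = severity_rank(severity_threshold)
    result = GateResult(failed=False)

    for vuln in bom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        if severity_rank(sev) >= threshold_rank:
            refs = [a.get("ref") for a in vuln.get("affects", [])]
            result.vulnerability_hits.append((vuln.get("id", "<no id>"), sev, refs))

    denied = {name.lower() for name in denied_licenses}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        for lic in comp.get("licenses", []):
            # CycloneDX allows {"license": {"id"|"name": ...}} or {"expression": "..."}.
            inner = lic.get("license", {})
            ident = lic.get("expression") or inner.get("id") or inner.get("name") or ""
            if ident.lower() in denied:
                result.license_hits.append((ref, ident))

    result.failed = bool(result.vulnerability_hits or result.license_hits)
    return result


def main(argv):
    """Usage: sbom_gate.py [path/to/bom.cyclonedx.json]; exit 1 when the gate fails."""
    path = argv[1] if len(argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_SBOM
    res = evaluate_sbom(data, severity_threshold="high", denied_licenses=["GPL-3.0-only"])
    for vid, sev, refs in res.vulnerability_hits:
        print(f"VULN {vid} severity={sev} affects={','.join(refs)}")
    for ref, ident in res.license_hits:
        print(f"LICENSE {ref} {ident}")
    return 1 if res.failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To run it after the action, give the action step an `id` (here assumed to be `ort`) and add a step such as `run: python sbom_gate.py "${{ steps.ort.outputs.results-sbom-cyclonedx-json-path }}"`. This complements rather than replaces ORT's own `fail-on` switch, which is shown in the workflow below and operates on the Evaluator and Advisor results directly.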
104 | 105 | ```yaml 106 | jobs: 107 | ort: 108 | runs-on: ubuntu-latest 109 | steps: 110 | - name: Use HTTPS instead of SSH for Git cloning 111 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 112 | - name: Checkout project 113 | uses: actions/checkout@v3 114 | with: 115 | repository: 'jshttp/mime-types' 116 | - name: Run GitHub Action for ORT 117 | uses: oss-review-toolkit/ort-ci-github-action@v1 118 | with: 119 | allow-dynamic-versions: 'true' 120 | fail-on: 'violations' 121 | ``` 122 | 123 | #### Run ORT on private repositories 124 | 125 | To run ORT on private Git repositories, we recommend that you: 126 | - set up a dedicated account with read-only access to the repositories ORT needs; 127 | - authenticate with a .netrc file, SSH keys or [GitHub tokens][gh-tokens], stored as encrypted secrets rather than in the workflow file. 128 | Note that the steps below write these credentials to `~/.netrc`, `~/.ssh` and `~/.gitconfig` on the runner, where they stay for the rest of the job, so keep the job limited to what ORT needs. 129 | ```yaml 130 | jobs: 131 | ort: 132 | runs-on: ubuntu-latest 133 | steps: 134 | - name: Checkout project 135 | uses: actions/checkout@v3 136 | with: 137 | repository: 'jshttp/mime-types' 138 | - name: Add .netrc 139 | run: > 140 | echo "default 141 | login ${{ secrets.NETRC_LOGIN }} 142 | password ${{ secrets.NETRC_PASSWORD }}" > ~/.netrc && chmod 600 ~/.netrc 143 | - name: Add SSH key 144 | run: | 145 | mkdir -p ~/.ssh 146 | echo "${{ secrets.SSH_KEY }}" > ~/.ssh/id_github 147 | echo "${{ secrets.SSH_PUBLIC_KEY }}" > ~/.ssh/id_github.pub 148 | chmod 600 ~/.ssh/id_github* 149 | cat >>~/.ssh/config <> "$GITHUB_ENV" 175 | - name: Use HTTPS with personal token always for Git cloning 176 | run: | 177 | git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_1 }}@github.com/".insteadOf "ssh://git@github.com/" 178 | git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/".insteadOf "ssh://git@git.example.com/" 179 | git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/".insteadOf "https://git.example.com/" 180 | - name: Checkout project 181 | uses: actions/checkout@v3 182 | with: 183 | repository: 'example-org/alpha' 184 | ref: 'master' 185 |
github-server-url: 'https://git.example.com' 186 | token: ${{ secrets.PERSONAL_TOKEN_2 }} 187 | - name: Run GitHub action for ORT 188 | uses: oss-review-toolkit/ort-ci-github-action@v1 189 | with: 190 | ort-config-repository: 'https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/ort-project/ort-config.git' 191 | run: > 192 | cache-dependencies, 193 | metadata-labels, 194 | analyzer, 195 | advisor, 196 | reporter, 197 | upload-results 198 | ``` 199 | 200 | #### Run ORT on multiple repositories using a matrix 201 | 202 | ```yaml 203 | jobs: 204 | ort: 205 | strategy: 206 | fail-fast: false 207 | matrix: 208 | include: 209 | - repository: example-org/alpha 210 | sw-name: alpha 211 | - repository: example-org/beta 212 | sw-name: beta 213 | runs-on: ubuntu-latest 214 | steps: 215 | - uses: actions/checkout@v3 216 | with: 217 | repository: ${{ matrix.repository }} 218 | - uses: oss-review-toolkit/ort-ci-github-action@v1 219 | with: 220 | sw-name: ${{ matrix.sw-name }} 221 | ``` 222 | 223 | #### Run ORT with a custom global configuration 224 | 225 | Use `ort-config-repository` to specify the location of your ORT global configuration repository. 226 | If `ort-config-revision` is not set, the latest state of the configuration repository's `main` branch is used (the input's default, see [action.yml](action.yml)). Pin `ort-config-revision` to a commit SHA, as in the example below, when policy evaluation must be reproducible and independent of later changes to the configuration repository. 227 | 228 | Alternatively, you can also place your ORT global configuration files in `~/.ort/config` 229 | prior to running GitHub Action for ORT.
230 | 231 | ```yaml 232 | jobs: 233 | ort: 234 | runs-on: ubuntu-latest 235 | steps: 236 | - name: Use HTTPS instead of SSH for Git cloning 237 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 238 | - name: Checkout project 239 | uses: actions/checkout@v3 240 | with: 241 | repository: 'jshttp/mime-types' 242 | - name: Run GitHub Action for ORT 243 | uses: oss-review-toolkit/ort-ci-github-action@v1 244 | with: 245 | ort-config-repository: 'https://github.com/oss-review-toolkit/ort-config' 246 | ort-config-revision: 'e4ae8f0a2d0415e35d80df0f48dd95c90a992514' 247 | ``` 248 | 249 | #### Run ORT with a custom Docker image 250 | Use `image` to run your own ORT image instead of the default `ghcr.io/oss-review-toolkit/ort:latest` (see [action.yml](action.yml)). For reproducible scans, prefer a versioned tag or an image digest over a moving `latest` tag. 251 | ```yaml 252 | jobs: 253 | ort: 254 | runs-on: ubuntu-latest 255 | steps: 256 | - name: Use HTTPS instead of SSH for Git cloning 257 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 258 | - name: Checkout project 259 | uses: actions/checkout@v3 260 | - name: Run GitHub Action for ORT 261 | uses: oss-review-toolkit/ort-ci-github-action@v1 262 | with: 263 | image: 'my-org/ort-images/ort:latest' 264 | ``` 265 | 266 | #### Run ORT with PostgreSQL database 267 | 268 | ORT can use a PostgreSQL database to cache scan results and speed up scans.
269 | 270 | Use the following [action secrets at GitHub org or repository level][gh-action-secrets] to specify the database to use: 271 | - `POSTGRES_URL`: 'jdbc:postgresql://ort-db.example.com:5432/ort' 272 | - `POSTGRES_USERNAME`: 'ort-db-username' 273 | - `POSTGRES_PASSWORD`: 'ort-db-password' 274 | 275 | Next, pass these secrets to GitHub Action for ORT: 276 | 277 | ```yaml 278 | jobs: 279 | ort: 280 | runs-on: ubuntu-latest 281 | steps: 282 | - name: Use HTTPS instead of SSH for Git cloning 283 | run: git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 284 | - name: Checkout project 285 | uses: actions/checkout@v3 286 | with: 287 | repository: 'jshttp/mime-types' 288 | ref: '2.1.35' 289 | - name: Run GitHub Action for ORT 290 | uses: oss-review-toolkit/ort-ci-github-action@v1 291 | with: 292 | db-url: ${{ secrets.POSTGRES_URL }} 293 | db-username: ${{ secrets.POSTGRES_USERNAME }} 294 | db-password: ${{ secrets.POSTGRES_PASSWORD }} 295 | run: 'cache-dependencies,analyzer,scanner,evaluator,advisor,reporter,upload-results' 296 | sw-name: 'Mime Types' 297 | sw-version: '2.1.35' 298 | ``` 299 | 300 | #### Run only parts of the GitHub Action for ORT 301 | Use the `run` input to select which of the action's steps execute; see the `run` input in [action.yml](action.yml) for the default list. 302 | ```yaml 303 | jobs: 304 | ort: 305 | runs-on: ubuntu-latest 306 | steps: 307 | - name: Checkout project 308 | uses: actions/checkout@v3 309 | - name: Run GitHub Action for ORT 310 | uses: oss-review-toolkit/ort-ci-github-action@v1 311 | with: 312 | run: > 313 | cache-dependencies, 314 | metadata-labels, 315 | analyzer, 316 | advisor, 317 | reporter, 318 | upload-results, 319 | upload-evaluation-result 320 | ``` 321 | 322 | # Want to Help or have Questions? 323 | 324 | All contributions are welcome. If you are interested in contributing, please read our 325 | [contributing guide][ort-contributing-md], and to get quick answers 326 | to any of your questions we recommend you [join our Slack community][ort-slack].
327 | 328 | # License 329 | 330 | Copyright (C) 2020-2022 [The ORT Project Authors](./NOTICE). 331 | 332 | See the [LICENSE](./LICENSE) file in the root of this project for license details. 333 | 334 | OSS Review Toolkit (ORT) is a [Linux Foundation project][lf] and part of [ACT][act]. 335 | 336 | [act]: https://automatecompliance.org/ 337 | [gh-action-secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository 338 | [gh-tokens]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token 339 | [ort]: https://github.com/oss-review-toolkit/ort 340 | [ort-config-yml]: https://github.com/oss-review-toolkit/ort/blob/main/model/src/main/resources/reference.yml 341 | [ort-contributing-md]: https://github.com/oss-review-toolkit/.github/blob/main/CONTRIBUTING.md 342 | [ort-slack]: http://slack.oss-review-toolkit.org 343 | [lf]: https://www.linuxfoundation.org 344 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright (C) 2022 The ORT Project Authors 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # https://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | # SPDX-License-Identifier: Apache-2.0 17 | # License-Filename: LICENSE 18 | 19 | name: 'GitHub Action for ORT' 20 | description: 'A GitHub Action workflow to run ORT.' 
21 | author: 'The ORT Project Authors' 22 | 23 | inputs: 24 | vcs-type: 25 | default: 'git' 26 | description: | 27 | Type of version control system. 28 | Accepted values are 'git', 'git-repo', 'mercurial' or 'subversion'. 29 | required: false 30 | vcs-url: 31 | default: '' 32 | description: | 33 | Repository or clone URL of project to scan. 34 | required: false 35 | vcs-revision: 36 | default: '' 37 | description: | 38 | SHA1 or tag to scan (do not use branch names as they can move). 39 | If vcs-type is 'git-repo', SHA1 must be unabbreviated. 40 | Tag names must be prefixed with 'refs/tags/'. 41 | required: false 42 | vcs-path: 43 | default: '' 44 | description: | 45 | Leave this field empty unless one of the following special cases applies: 46 | 1) project vcs-type is git-repo - specify path to repo manifest file 47 | (e.g. sdk.xml, note vcs-url must point to a manifest repository) 48 | 2) you require sparse checkout - specify repository sub-path to download and scan 49 | (e.g. projects/gradle/, note sparse checkout is possible only for vcs-type git, mercurial or subversion) 50 | advisors: 51 | default: 'OSV' 52 | description: | 53 | Comma-separated list of security vulnerability advisors to use. 54 | required: false 55 | allow-dynamic-versions: 56 | default: 'false' 57 | description: | 58 | Set to 'true' only if dynamic dependency versions are allowed (note version ranges specified for dependencies may cause unstable results). 59 | This field applies only to package managers that support lock files, e.g. NPM. 60 | required: false 61 | db-url: 62 | default: '' 63 | description: | 64 | URL of the PostgreSQL database used for caching scan-results and storing file archives. 65 | required: false 66 | db-username: 67 | default: '' 68 | description: | 69 | Username for the PostgreSQL database used for caching scan-results and storing file archives. 
70 | required: false 71 | db-password: 72 | default: '' 73 | description: | 74 | Password for the PostgreSQL database used for caching scan-results and storing file archives. 75 | required: false 76 | docker-cli-args: 77 | default: '' 78 | description: | 79 | List of arguments to pass to Docker CLI. 80 | required: false 81 | fail-on: 82 | default: '' 83 | description: | 84 | Comma-separated list of ORT results that if exceeding their severity threshold will fail the action. 85 | Accepted values are '', 'issues', 'violations' or 'issues,violations'. 86 | If empty, then exceeding severity threshold will not fail the action. 87 | required: false 88 | http-file-server-url: 89 | default: '' 90 | description: | 91 | URL of the HTTP file server used for caching scan-results and storing file archives. 92 | required: false 93 | http-file-server-username: 94 | default: '' 95 | description: | 96 | Username for HTTP file server used for caching scan-results and storing file archives. 97 | required: false 98 | http-file-server-password: 99 | default: '' 100 | description: | 101 | Password for HTTP file server used for caching scan-results and storing file archives. 102 | required: false 103 | http-file-server-token: 104 | default: '' 105 | description: | 106 | API token for HTTP file server used for caching scan-results and storing file archives. 107 | required: false 108 | image: 109 | default: 'ghcr.io/oss-review-toolkit/ort:latest' 110 | description: | 111 | URL for ORT Docker image to use. 112 | required: false 113 | log-level: 114 | default: 'warn' 115 | description: | 116 | Set value to 'debug' to see additional debug output to help tracking down errors. 117 | required: false 118 | ort-cli-args: 119 | default: '-P ort.forceOverwrite=true --stacktrace' 120 | description: | 121 | List of arguments to pass to ORT CLI, applies to all commands. 
122 | required: false 123 | ort-cli-analyze-args: 124 | default: '' 125 | description: | 126 | List of arguments to pass to ORT Analyzer CLI. 127 | required: false 128 | ort-cli-scan-args: 129 | default: '' 130 | description: | 131 | List of arguments to pass to ORT Scanner CLI. 132 | required: false 133 | ort-cli-evaluate-args: 134 | default: '' 135 | description: | 136 | List of arguments to pass to ORT Evaluator CLI. 137 | required: false 138 | ort-cli-advise-args: 139 | default: '' 140 | description: | 141 | List of arguments to pass to ORT Advisor CLI. 142 | required: false 143 | ort-cli-report-args: 144 | default: '-O CycloneDX=output.file.formats=json,xml -O SpdxDocument=output.file.formats=json,yaml' 145 | description: | 146 | List of arguments to pass to ORT Reporter CLI. 147 | required: false 148 | ort-config-path: 149 | default: '' 150 | description: | 151 | Path to ORT configuration directory within the user home directory. 152 | required: false 153 | ort-home-path: 154 | default: '.ort' 155 | description: | 156 | Path to ORT 'home' or 'data' directory within the user home directory. 157 | required: false 158 | ort-config-repository: 159 | default: 'https://github.com/oss-review-toolkit/ort-config.git' 160 | description: | 161 | URL to ORT configuration repository to use. 162 | required: false 163 | ort-config-revision: 164 | default: 'main' 165 | description: | 166 | The Git revision or branch of the ORT configuration repository to use. 167 | required: false 168 | ort-yml-path: 169 | default: '' 170 | description: | 171 | Path to file containing the repository configuration. 172 | If set, the '.ort.yml' file from the repository is ignored. 173 | required: false 174 | project-path: 175 | default: '${{ github.workspace }}' 176 | description: | 177 | Path within $GITHUB_WORKSPACE to be analyzed/scanned with ORT. 178 | If empty, $GITHUB_WORKSPACE directory is scanned. 
179 | required: false 180 | report-formats: 181 | default: 'CycloneDx,SpdxDocument,WebApp' 182 | description: | 183 | Comma-separated list of ORT reporters to run. 184 | required: false 185 | run: 186 | default: > 187 | cache-dependencies, 188 | labels, 189 | analyzer, 190 | evaluator, 191 | advisor, 192 | reporter, 193 | upload-results 194 | description: | 195 | Comma-separated list of optional workflow steps to run. 196 | required: false 197 | sw-name: 198 | default: '' 199 | description: | 200 | Name of project, product or component to be scanned. 201 | By default the name of the repository is used as shown in its clone URL. 202 | required: false 203 | sw-version: 204 | default: '' 205 | description: | 206 | Project version number or release name (use the version from package metadata, not VCS revision). 207 | By default, the Git short SHA is used. 208 | required: false 209 | 210 | outputs: 211 | evaluator-exit-code: 212 | description: The exit code of the evaluator CLI command. 213 | value: "${{ steps.ort-evaluator.outputs.exit-code }}" 214 | advisor-exit-code: 215 | description: The exit code of the advisor CLI command. 216 | value: "${{ steps.ort-advisor.outputs.exit-code }}" 217 | results-path: 218 | description: Path to the result directory. 219 | value: "${{ steps.ort-init.outputs.results-path }}" 220 | results-advisor-path: 221 | description: Path to the advisor result file. 222 | value: "${{ steps.ort-init.outputs.results-advisor-path }}" 223 | results-evaluator-path: 224 | description: Path to the evaluator result file. 225 | value: "${{ steps.ort-init.outputs.results-evaluator-path }}" 226 | results-scanner-path: 227 | description: Path to the scanner result file. 228 | value: "${{ steps.ort-init.outputs.results-scanner-path }}" 229 | results-html-report-path: 230 | description: Path to the HTML report file. 
    value: "${{ steps.ort-init.outputs.results-html-report-path }}"
  results-sbom-cyclonedx-xml-path:
    description: Path to the CycloneDX XML SBoM file.
    value: "${{ steps.ort-init.outputs.results-sbom-cyclonedx-xml-path }}"
  results-sbom-cyclonedx-json-path:
    description: Path to the CycloneDX JSON SBoM file.
    value: "${{ steps.ort-init.outputs.results-sbom-cyclonedx-json-path }}"
  results-sbom-spdx-json-path:
    description: Path to the SPDX JSON SBoM file.
    value: "${{ steps.ort-init.outputs.results-sbom-spdx-json-path }}"
  results-sbom-spdx-yml-path:
    description: Path to the SPDX YML SBoM file.
    value: "${{ steps.ort-init.outputs.results-sbom-spdx-yml-path }}"
  results-web-app-path:
    description: Path to the Web App Report file.
    value: "${{ steps.ort-init.outputs.results-web-app-path }}"

runs:
  using: 'composite'
  steps:
    - name: Init Workspace
      id: ort-init
      shell: bash
      env:
        HTTP_FILE_SERVER_PASSWORD: ${{ inputs.http-file-server-password }}
        HTTP_FILE_SERVER_TOKEN: ${{ inputs.http-file-server-token }}
        HTTP_FILE_SERVER_URL: ${{ inputs.http-file-server-url }}
        HTTP_FILE_SERVER_USERNAME: ${{ inputs.http-file-server-username }}
        ORT_CLI_ARGS: ${{ inputs.ort-cli-args }}
        ORT_CLI_ANALYZE_ARGS: ${{ inputs.ort-cli-analyze-args }}
        ORT_CLI_SCAN_ARGS: ${{ inputs.ort-cli-scan-args }}
        ORT_CLI_EVALUATE_ARGS: ${{ inputs.ort-cli-evaluate-args }}
        ORT_CLI_ADVISE_ARGS: ${{ inputs.ort-cli-advise-args }}
        ORT_CLI_REPORT_ARGS: ${{ inputs.ort-cli-report-args }}
        ORT_CONFIG_PATH: ${{ inputs.ort-config-path }}
        ORT_DOCKER_CLI_ARGS: ${{ inputs.docker-cli-args }}
        ORT_DOCKER_IMAGE: ${{ inputs.image }}
        ORT_HOME_PATH: ${{ inputs.ort-home-path }}
        ORT_LOG_LEVEL: ${{ inputs.log-level }}
        ORT_RUN_COMMANDS: ${{ inputs.run }}
        ORT_YML_PATH: ${{ inputs.ort-yml-path }}
        PROJECT_PATH: ${{ inputs.project-path }}
        SW_NAME: ${{ inputs.sw-name }}
        SW_VERSION: ${{ inputs.sw-version }}
        POSTGRES_PASSWORD: ${{ inputs.db-password }}
        POSTGRES_URL: ${{ inputs.db-url }}
        POSTGRES_USERNAME: ${{ inputs.db-username }}
      run: |
        echo -e "\e[1;33m Initializing ORT in GitHub workspace... "
        # Create the tool caches and ORT home directories on the runner and make them writable,
        # as the ORT container runs with the runner's uid/gid and bind-mounts $HOME.
        mkdir -p $HOME/.cache/scancode-tk/; chmod -R aug+w ${HOME}/.cache/ || :
        mkdir -p $HOME/.config/jgit/; chmod -R aug+w ${HOME}/.config/ || :
        mkdir -p $HOME/$ORT_HOME_PATH/{cache,config,ort-results,scanner/archive/,scanner/provenance/}; chmod -R aug+w ${HOME}/$ORT_HOME_PATH/ || :
        mkdir -p $HOME/.gradle/; chmod -R aug+w ${HOME}/.gradle/ || :
        mkdir -p $HOME/.rustup/{cache,download,tmp}; chmod -R aug+w ${HOME}/.rustup/ || :
        mkdir -p $HOME/go/; chmod -R aug+w ${HOME}/go/ || :
        export ORT_CONFIG_PATH=${ORT_CONFIG_PATH:-"$HOME/$ORT_HOME_PATH/config"}
        export ORT_RESULTS_PATH="$HOME/$ORT_HOME_PATH/ort-results"
        echo "results-path=${ORT_RESULTS_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_ADVISOR_PATH="${ORT_RESULTS_PATH}/advisor-result.json"
        echo "results-advisor-path=${ORT_RESULTS_ADVISOR_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_ANALYZER_PATH="${ORT_RESULTS_PATH}/analyzer-result.json"
        echo "results-analyzer-path=${ORT_RESULTS_ANALYZER_PATH}" >> "$GITHUB_OUTPUT"
        # current-result.json is a symlink that always points at the newest result file,
        # so each ORT step can consume the output of the previous one.
        export ORT_RESULTS_CURRENT_PATH="${ORT_RESULTS_PATH}/current-result.json"
        export ORT_RESULTS_EVALUATED_MODEL_PATH="${ORT_RESULTS_PATH}/evaluated-model.json"
        export ORT_RESULTS_EVALUATOR_PATH="${ORT_RESULTS_PATH}/evaluation-result.json"
        echo "results-evaluator-path=${ORT_RESULTS_EVALUATOR_PATH}" >> "$GITHUB_OUTPUT"
        # The HTML report is written next to the other results, not relative to an unset variable.
        export ORT_RESULTS_HTML_REPORT_PATH="${ORT_RESULTS_PATH}/scan-report.html"
        echo "results-html-report-path=${ORT_RESULTS_HTML_REPORT_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_SCANNER_PATH="${ORT_RESULTS_PATH}/scan-result.json"
        echo "results-scanner-path=${ORT_RESULTS_SCANNER_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_SBOM_CYCLONE_XML_PATH="${ORT_RESULTS_PATH}/bom.cyclonedx.xml"
        echo "results-sbom-cyclonedx-xml-path=${ORT_RESULTS_SBOM_CYCLONE_XML_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_SBOM_CYCLONE_JSON_PATH="${ORT_RESULTS_PATH}/bom.cyclonedx.json"
        echo "results-sbom-cyclonedx-json-path=${ORT_RESULTS_SBOM_CYCLONE_JSON_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_SBOM_SPDX_JSON_PATH="${ORT_RESULTS_PATH}/bom.spdx.json"
        echo "results-sbom-spdx-json-path=${ORT_RESULTS_SBOM_SPDX_JSON_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_SBOM_SPDX_YML_PATH="${ORT_RESULTS_PATH}/bom.spdx.yml"
        echo "results-sbom-spdx-yml-path=${ORT_RESULTS_SBOM_SPDX_YML_PATH}" >> "$GITHUB_OUTPUT"
        export ORT_RESULTS_WEB_APP_PATH="${ORT_RESULTS_PATH}/scan-report-web-app.html"
        echo "results-web-app-path=${ORT_RESULTS_WEB_APP_PATH}" >> "$GITHUB_OUTPUT"
        SW_NAME=${SW_NAME:-"unknown"}
        SW_VERSION=${SW_VERSION:-"unknown"}
        # Derive name and version from the project's Git metadata when they were not given as inputs.
        [[ -d "$PROJECT_PATH/.git" && "$SW_NAME" = "unknown" ]] && SW_NAME=$(cd "$PROJECT_PATH"; basename -s .git "$(git config --get remote.origin.url)")
        [[ -d "$PROJECT_PATH/.git" && "$SW_VERSION" = "unknown" ]] && SW_VERSION=$(cd "$PROJECT_PATH"; git rev-parse --short HEAD)
        # Remove all special characters and whitespace from the software name as some tools cannot handle them,
        # then lower-case it; the result is used in artifact names and the SPDX document name.
        SW_NAME_SAFE=$(echo "$SW_NAME" | sed -e 's/[^A-Za-z0-9 _-]//g' -e 's/\s/-/g' -e 's/\([A-Z]\)/\L\1/g')
        ORT_RESULTS_ARTIFACT_NAME="ort-results-${SW_NAME_SAFE}"
        ORT_RESULTS_ARTIFACT_NAME="${ORT_RESULTS_ARTIFACT_NAME}-${SW_VERSION}"
        export ORT_RESULTS_ARTIFACT_NAME SW_NAME SW_VERSION SW_NAME_SAFE
        # Persist the whole environment for the later steps. This includes the credential
        # variables declared above, which the scanner and reporter steps read back from it.
        printenv >> "$GITHUB_ENV"
    - name: Shallow clone ort-config repository if ORT_CONFIG_PATH is empty
      id: ort-config
      shell: bash
      env:
        ORT_CONFIG_VCS_URL: ${{ inputs.ort-config-repository }}
        ORT_CONFIG_VCS_REVISION: ${{ inputs.ort-config-revision }}
      run: |
        if [[ -z "$(ls -A ${ORT_CONFIG_PATH})" ]]; then
          # Using bash instead of actions/checkout as we need to capture Git revision of ort-config.
          # If no revision was given, fall back to the default branch of the ort-config remote itself
          # (asking the project's own "origin" would return the project's default branch instead).
          ORT_CONFIG_VCS_REVISION=${ORT_CONFIG_VCS_REVISION:-$(git ls-remote --symref "$ORT_CONFIG_VCS_URL" HEAD | sed -n 's|^ref: refs/heads/\(.*\)[[:space:]]HEAD$|\1|p')}
          # Log the URL without any "oauth2...@" token prefix.
          echo -e "\e[1;33m Retrieving ORT config from ${ORT_CONFIG_VCS_URL//oauth2*@/}... "
          cd $ORT_CONFIG_PATH
          git init -q
          git remote add origin $ORT_CONFIG_VCS_URL
          git fetch -q --depth 1 origin $ORT_CONFIG_VCS_REVISION
          git checkout -q FETCH_HEAD
        fi
    - name: Capture ORT config URL and revision
      id: ort-config-url-and-revision
      shell: bash
      run: |
        cd $ORT_CONFIG_PATH
        export ORT_CONFIG_VCS_URL=$(git config remote.origin.url)
        export ORT_CONFIG_VCS_REVISION=$(git rev-parse HEAD)
        echo "ORT_CONFIG_VCS_URL: ${ORT_CONFIG_VCS_URL}"
        echo "ORT_CONFIG_VCS_REVISION: ${ORT_CONFIG_VCS_REVISION}"
        printenv >> "$GITHUB_ENV"
    - name: Compute ORT labels
      id: ort-labels
      shell: bash
      if: contains(inputs.run, 'labels')
      env:
        # Needed here so the allow-dynamic-versions label is actually set (it was only available to the Analyzer step before).
        ORT_ALLOW_DYNAMIC_VERSIONS: ${{ inputs.allow-dynamic-versions }}
      run: |
        echo -e "\e[1;33m Compute ORT labels... "
        export GITHUB_RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"

        # Labels record where and how the analysis ran; they end up in the ORT result and in the reports.
        ORT_CLI_ANALYZE_ARGS="\
          -l ci-url=${GITHUB_RUN_URL} \
          -l ci-actor=${GITHUB_ACTOR} \
          -l ci-event-name=${GITHUB_EVENT_NAME} \
          -l ci-date=$(date +"%Y-%m-%d") \
          -l ci-retention-days=${GITHUB_RETENTION_DAYS} ${ORT_CLI_ANALYZE_ARGS}"

        [[ -n "${ORT_ALLOW_DYNAMIC_VERSIONS}" ]] && ORT_CLI_ANALYZE_ARGS="-l allow-dynamic-versions=${ORT_ALLOW_DYNAMIC_VERSIONS} ${ORT_CLI_ANALYZE_ARGS}"
        [[ -n "${ORT_DOCKER_IMAGE}" ]] && ORT_CLI_ANALYZE_ARGS="-l ort-docker-image=${ORT_DOCKER_IMAGE} ${ORT_CLI_ANALYZE_ARGS}"
        [[ -n "${ORT_CONFIG_VCS_REVISION}" ]] && ORT_CLI_ANALYZE_ARGS="-l ort-config-revision=${ORT_CONFIG_VCS_REVISION} ${ORT_CLI_ANALYZE_ARGS}"
        # Strip an "oauth2...@" token prefix from the ort-config URL so no credential is recorded as a label.
        [[ -n "${ORT_CONFIG_VCS_URL}" ]] && ORT_CLI_ANALYZE_ARGS="-l ort-config-repository=${ORT_CONFIG_VCS_URL//oauth2*@/} ${ORT_CLI_ANALYZE_ARGS}"
        [[ ! "$SW_VERSION" = "unknown" ]] && ORT_CLI_ANALYZE_ARGS="-l sw-version=${SW_VERSION} ${ORT_CLI_ANALYZE_ARGS}"
        [[ ! "$SW_NAME" = "unknown" ]] && ORT_CLI_ANALYZE_ARGS="-l sw-name=${SW_NAME_SAFE} ${ORT_CLI_ANALYZE_ARGS}"

        if [[ -s "${ORT_YML_PATH}" ]]; then
          ORT_CLI_ANALYZE_ARGS="--repository-configuration-file ${ORT_YML_PATH} ${ORT_CLI_ANALYZE_ARGS}"
          ORT_CLI_EVALUATE_ARGS="--repository-configuration-file ${ORT_YML_PATH} ${ORT_CLI_EVALUATE_ARGS}"
          ORT_CLI_REPORT_ARGS="--repository-configuration-file ${ORT_YML_PATH} ${ORT_CLI_REPORT_ARGS}"
        elif [[ ! -z "${ORT_YML_PATH}" ]]; then
          echo -e "\e[1;31m File ${ORT_YML_PATH} not found!"
        fi
        export ORT_CLI_ANALYZE_ARGS ORT_CLI_EVALUATE_ARGS ORT_CLI_REPORT_ARGS
        printenv >> "$GITHUB_ENV"
    - name: Cache dependencies
      id: cache-dependencies
      uses: actions/cache@v4
      if: contains(inputs.run, 'cache-dependencies') && startsWith(runner.os, 'Linux')
      env:
        ORT_HOME_PATH: ${{ inputs.ort-home-path }}
      with:
        path: |
          ~/.cabal/packages
          ~/.cabal/store
          ~/.cache/go-build
          ~/.cache/pip
          ~/.cache/yarn
          ~/.cargo/bin/
          ~/.cargo/registry/index/
          ~/.cargo/registry/cache/
          ~/.cargo/git/db/
          ~/.composer
          ~/.gradle/caches
          ~/.gradle/wrapper
          ~/.ivy2/cache
          ~/.local/share/virtualenvs
          ~/.m2/repository
          ~/.npm
          ~/.nuget/packages
          !~/.nuget/packages/unwanted
          ~/.sbt
          ~/.stack-work
          ~/go/pkg/mod
          ~/${{ env.ORT_HOME_PATH }}/cache
        key: ${{ runner.os }}-ort-deps-cache
    - name: Cache ORT scan results
      id: cache-scan-results
      uses: actions/cache@v4
      if: contains(inputs.run, 'cache-scan-results') && startsWith(runner.os, 'Linux')
      with:
        path: '${{ env.HOME }}/${{ env.ORT_HOME_PATH }}/scanner/'
        key: ${{ runner.os }}-ort-scan-results-cache
    - name: Download project sources if vcs-url is set
      id: project-sources
      shell: bash
      if: ${{ inputs.vcs-url != '' }}
      env:
        ORT_CLI_DOWNLOAD_ARGS: ''
        PROJECT_VCS_PATH: ${{ inputs.vcs-path }}
        PROJECT_VCS_REVISION: ${{ inputs.vcs-revision }}
        PROJECT_VCS_TYPE: ${{ inputs.vcs-type }}
        PROJECT_VCS_URL: ${{ inputs.vcs-url }}
      run: |
        echo -e "\e[1;33m Running ORT Downloader to download project to scan... "
        [[ -n "$PROJECT_VCS_TYPE" ]] && ORT_CLI_DOWNLOAD_ARGS="--vcs-type ${PROJECT_VCS_TYPE} ${ORT_CLI_DOWNLOAD_ARGS}"
        [[ -n "$PROJECT_VCS_URL" ]] && ORT_CLI_DOWNLOAD_ARGS="--project-url ${PROJECT_VCS_URL} ${ORT_CLI_DOWNLOAD_ARGS}"
        [[ -n "$PROJECT_VCS_REVISION" ]] && ORT_CLI_DOWNLOAD_ARGS="--vcs-revision ${PROJECT_VCS_REVISION} ${ORT_CLI_DOWNLOAD_ARGS}"
        [[ -n "$PROJECT_VCS_PATH" ]] && ORT_CLI_DOWNLOAD_ARGS="--vcs-path ${PROJECT_VCS_PATH} ${ORT_CLI_DOWNLOAD_ARGS}"
        [[ -n "$SW_NAME_SAFE" ]] && ORT_CLI_DOWNLOAD_ARGS="--project-name ${SW_NAME_SAFE} ${ORT_CLI_DOWNLOAD_ARGS}"
        # Paths are rewritten from the runner's home (/home/$USER/...) to the container's (/home/ort/...).
        docker run \
          --mount type=bind,source=$HOME,target=/home/ort \
          -u $(id -u):$(id -g) \
          -e JDK_JAVA_OPTIONS="-Xmx5120m" \
          -e ORT_DATA_DIR="/home/ort/${ORT_HOME_PATH}" \
          $ORT_DOCKER_CLI_ARGS \
          $ORT_DOCKER_IMAGE \
          --$ORT_LOG_LEVEL \
          $ORT_CLI_ARGS \
          download \
          -o ${PROJECT_PATH/$USER/ort} \
          ${ORT_CLI_DOWNLOAD_ARGS}
    - name: Run ORT Analyzer
      id: ort-analyzer
      shell: bash
      if: contains(inputs.run, 'analyzer')
      env:
        ORT_ALLOW_DYNAMIC_VERSIONS: ${{ inputs.allow-dynamic-versions }}
      run: |
        echo -e "\e[1;33m Running ORT Analyzer... "
        docker run \
          --mount type=bind,source=$HOME,target=/home/ort \
          -u $(id -u):$(id -g) \
          -e JDK_JAVA_OPTIONS="-Xmx5120m" \
          -e ORT_DATA_DIR="/home/ort/${ORT_HOME_PATH}" \
          $ORT_DOCKER_CLI_ARGS \
          $ORT_DOCKER_IMAGE \
          --$ORT_LOG_LEVEL \
          -P ort.analyzer.allowDynamicVersions=${ORT_ALLOW_DYNAMIC_VERSIONS} \
          $ORT_CLI_ARGS \
          analyze \
          -i ${PROJECT_PATH/$USER/ort} \
          -o ${ORT_RESULTS_PATH/$USER/ort} \
          -f JSON \
          ${ORT_CLI_ANALYZE_ARGS} || ORT_CLI_ANALYZE_EXIT_CODE=$? \
          && export ORT_CLI_ANALYZE_EXIT_CODE="${ORT_CLI_ANALYZE_EXIT_CODE:-0}" \
          && printenv >> "$GITHUB_ENV"
        [[ -f $ORT_RESULTS_ANALYZER_PATH ]] && \
          ln -frs $ORT_RESULTS_ANALYZER_PATH $ORT_RESULTS_CURRENT_PATH || \
          echo -e "\e[1;31m File $ORT_RESULTS_ANALYZER_PATH not found."
        # ORT exits with 2 when it finished but found issues; that is not a failure of this step.
        [[ $ORT_CLI_ANALYZE_EXIT_CODE -ne 2 ]] && exit ${ORT_CLI_ANALYZE_EXIT_CODE} || exit 0
    - name: Run ORT Scanner
      id: ort-scanner
      shell: bash
      if: contains(inputs.run, 'scanner')
      run: |
        echo -e "\e[1;33m Running ORT Scanner... "
        eval "$(ssh-agent -s)"
        docker run \
          --mount type=bind,source=$HOME,target=/home/ort \
          --mount type=tmpfs,target=/tmp \
          -v ${SSH_AUTH_SOCK}:/ssh.socket \
          -e JDK_JAVA_OPTIONS="-Xmx5120m" \
          -e ORT_DATA_DIR="/home/ort/${ORT_HOME_PATH}" \
          -e HTTP_FILE_SERVER_PASSWORD="${HTTP_FILE_SERVER_PASSWORD}" \
          -e HTTP_FILE_SERVER_TOKEN="${HTTP_FILE_SERVER_TOKEN}" \
          -e HTTP_FILE_SERVER_URL="${HTTP_FILE_SERVER_URL}" \
          -e HTTP_FILE_SERVER_USERNAME="${HTTP_FILE_SERVER_USERNAME}" \
          -e POSTGRES_URL="${POSTGRES_URL}" \
          -e POSTGRES_USERNAME="${POSTGRES_USERNAME}" \
          -e POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
          -e SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" \
          -e XDG_CONFIG_HOME="/home/ort/.config/" \
          -u $(id -u):$(id -g) \
          $ORT_DOCKER_CLI_ARGS \
          $ORT_DOCKER_IMAGE \
          --$ORT_LOG_LEVEL \
          $ORT_CLI_ARGS \
          scan \
          -i ${ORT_RESULTS_CURRENT_PATH/$USER/ort} \
          -o ${ORT_RESULTS_PATH/$USER/ort} \
          -f JSON \
          ${ORT_CLI_SCAN_ARGS}
        [[ -f $ORT_RESULTS_SCANNER_PATH ]] && \
          ln -frs $ORT_RESULTS_SCANNER_PATH $ORT_RESULTS_CURRENT_PATH || \
          echo -e "\e[1;31m File $ORT_RESULTS_SCANNER_PATH not found."
    - name: Run ORT Advisor
      id: ort-advisor
      shell: bash
      if: contains(inputs.run, 'advisor')
      env:
        ORT_ADVISORS: ${{ inputs.advisors }}
      run: |
        echo -e "\e[1;33m Running ORT Advisor... "
        docker run \
          --mount type=bind,source=$HOME,target=/home/ort \
          -e JDK_JAVA_OPTIONS="-Xmx5120m" \
          -e ORT_DATA_DIR="/home/ort/${ORT_HOME_PATH}" \
          -u $(id -u):$(id -g) \
          $ORT_DOCKER_CLI_ARGS \
          $ORT_DOCKER_IMAGE \
          --$ORT_LOG_LEVEL \
          $ORT_CLI_ARGS \
          advise \
          -i ${ORT_RESULTS_CURRENT_PATH/$USER/ort} \
          -o ${ORT_RESULTS_PATH/$USER/ort} \
          -a $ORT_ADVISORS \
          -f JSON \
          ${ORT_CLI_ADVISE_ARGS} || ORT_CLI_ADVISE_EXIT_CODE=$? \
          && ORT_CLI_ADVISE_EXIT_CODE="${ORT_CLI_ADVISE_EXIT_CODE:-0}" \
          && echo "exit-code=${ORT_CLI_ADVISE_EXIT_CODE}" >> "$GITHUB_OUTPUT"
        [[ -f $ORT_RESULTS_ADVISOR_PATH ]] && \
          ln -frs $ORT_RESULTS_ADVISOR_PATH $ORT_RESULTS_CURRENT_PATH || \
          echo -e "\e[1;31m File $ORT_RESULTS_ADVISOR_PATH not found."
        [[ $ORT_CLI_ADVISE_EXIT_CODE -ne 2 ]] && exit ${ORT_CLI_ADVISE_EXIT_CODE} || exit 0
    - name: Run ORT Evaluator
      id: ort-evaluator
      shell: bash
      if: contains(inputs.run, 'evaluator')
      run: |
        echo -e "\e[1;33m Running ORT Evaluator... "
        docker run \
          --mount type=bind,source=$HOME,target=/home/ort \
          -e JDK_JAVA_OPTIONS="-Xmx5120m" \
          -e ORT_DATA_DIR="/home/ort/${ORT_HOME_PATH}" \
          -u $(id -u):$(id -g) \
          $ORT_DOCKER_CLI_ARGS \
          $ORT_DOCKER_IMAGE \
          --$ORT_LOG_LEVEL \
          $ORT_CLI_ARGS \
          evaluate \
          -i ${ORT_RESULTS_CURRENT_PATH/$USER/ort} \
          -o ${ORT_RESULTS_PATH/$USER/ort} \
          -f JSON \
          ${ORT_CLI_EVALUATE_ARGS} || ORT_CLI_EVALUATE_EXIT_CODE=$? \
          && ORT_CLI_EVALUATE_EXIT_CODE="${ORT_CLI_EVALUATE_EXIT_CODE:-0}" \
          && echo "exit-code=${ORT_CLI_EVALUATE_EXIT_CODE}" >> "$GITHUB_OUTPUT"
        [[ -f $ORT_RESULTS_EVALUATOR_PATH ]] && \
          ln -frs $ORT_RESULTS_EVALUATOR_PATH $ORT_RESULTS_CURRENT_PATH || \
          echo -e "\e[1;31m File $ORT_RESULTS_EVALUATOR_PATH not found."
        [[ $ORT_CLI_EVALUATE_EXIT_CODE -ne 2 ]] && exit ${ORT_CLI_EVALUATE_EXIT_CODE} || exit 0
    - name: Run ORT Reporter
      id: ort-reporter
      shell: bash
      env:
        ORT_REPORT_FORMATS: ${{ inputs.report-formats }}
        SW_NAME: ${{ inputs.sw-name }}
      if: contains(inputs.run, 'reporter')
      run: |
        echo -e "\e[1;33m Running ORT Reporter... "
        docker run \
          --mount type=bind,source=$HOME,target=/home/ort \
          -e JDK_JAVA_OPTIONS="-Xmx5120m" \
          -e ORT_DATA_DIR="/home/ort/${ORT_HOME_PATH}" \
          -e POSTGRES_URL="${POSTGRES_URL}" \
          -e POSTGRES_USERNAME="${POSTGRES_USERNAME}" \
          -e POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
          -u $(id -u):$(id -g) \
          $ORT_DOCKER_CLI_ARGS \
          $ORT_DOCKER_IMAGE \
          --$ORT_LOG_LEVEL \
          $ORT_CLI_ARGS \
          report \
          -i ${ORT_RESULTS_CURRENT_PATH/$USER/ort} \
          -o ${ORT_RESULTS_PATH/$USER/ort} \
          -f $ORT_REPORT_FORMATS \
          -O SpdxDocument=document.name="${SW_NAME_SAFE}" \
          ${ORT_CLI_REPORT_ARGS}
    - name: Remove current-result.json symlink if present
      shell: bash
      run: |
        if [[ -f "$ORT_RESULTS_CURRENT_PATH" ]]; then
          rm -f $ORT_RESULTS_CURRENT_PATH
        fi
    - name: Upload ORT results
      uses: actions/upload-artifact@v4
      if: contains(inputs.run, 'upload-results')
      with:
        name: ${{ env.ORT_RESULTS_ARTIFACT_NAME }}
        path: ${{ env.ORT_RESULTS_PATH }}
        if-no-files-found: warn
    - name: Upload ORT advisor-result.json
      uses: actions/upload-artifact@v4
      if: contains(inputs.run, 'upload-advisor-result')
      with:
        name: "${{ env.ORT_RESULTS_ARTIFACT_NAME }}-advisor-result.json.zip"
        path: ${{ env.ORT_RESULTS_ADVISOR_PATH }}
        if-no-files-found: warn
    - name: Upload ORT evaluation-result.json
      uses: actions/upload-artifact@v4
      if: contains(inputs.run, 'upload-evaluation-result')
      with:
        name: "${{ env.ORT_RESULTS_ARTIFACT_NAME }}-evaluation-result.json.zip"
        path: ${{ env.ORT_RESULTS_EVALUATOR_PATH }}
        if-no-files-found: warn
    - name: Upload ORT scan-result.json
      uses: actions/upload-artifact@v4
      if: contains(inputs.run, 'upload-scan-result')
      with:
        name: "${{ env.ORT_RESULTS_ARTIFACT_NAME }}-scan-result.json.zip"
        path: ${{ env.ORT_RESULTS_SCANNER_PATH }}
        if-no-files-found: warn
    - name: Conditionally fail action if violations returned by the Evaluator exceed the severity threshold
      if: contains(inputs.fail-on, 'violations') && contains(steps.ort-evaluator.outputs.exit-code, 2)
      shell: bash
      run: |
        echo -e "\e[1;31m Failing action as Evaluator exceeded severity threshold... "
        exit 2
    - name: Conditionally fail action if issues returned by the Advisor exceed the severity threshold
      if: contains(inputs.fail-on, 'issues') && contains(steps.ort-advisor.outputs.exit-code, 2)
      shell: bash
      run: |
        echo -e "\e[1;31m Failing action as Advisor exceeded severity threshold... "
        exit 2
--------------------------------------------------------------------------------
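The labels step of action.yml above removes an `oauth2...@` userinfo prefix from the ort-config URL before it is recorded as the `ort-config-repository` analyzer label, so a clone token does not end up in the ORT result and in the reports and SBOMs derived from it. What follows is an added example, not code from the action, that generalises the same check to any userinfo in the URL (`user:password@`, `x-access-token:...@`) while leaving an `@` inside the path alone; all URLs and tokens are constructed samples.

```shell
#!/usr/bin/env sh
# Added example (not part of the ORT action): drop any userinfo from a VCS URL
# before it is recorded as an ORT label, so clone credentials never reach the
# analyzer result, the reports or the SBOMs. The action itself only handles the
# "oauth2...@" form via the bash substitution ${ORT_CONFIG_VCS_URL//oauth2*@/}.

strip_url_userinfo() {
  # Only the authority of scheme://userinfo@host can carry credentials; an '@'
  # later in the path or query (e.g. a scoped npm package) is left untouched.
  # Without a "scheme://" prefix (scp-like git@host:repo) nothing is changed.
  printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]*@#\1#'
}

# Constructed sample URLs; the tokens are placeholders, not real credentials.
for url in \
  "https://oauth2:EXAMPLE_TOKEN@github.com/example/ort-config.git" \
  "https://x-access-token:EXAMPLE_TOKEN@github.com/example/ort-config.git" \
  "https://github.com/example/ort-config.git" \
  "https://registry.example.com/@scope/pkg" \
  "git@github.com:example/ort-config.git"
do
  printf '%s\n  -> %s\n' "$url" "$(strip_url_userinfo "$url")"
done
```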