From 2fa585cc6ae479cadad9f20e763f03498b23e7b1 Mon Sep 17 00:00:00 2001
From: cpanato
Date: Tue, 26 Mar 2024 13:20:11 +0100
Subject: [PATCH] add shared action to export advisories in the osv format

---
 build-and-publish-osv/action.yaml | 76 +++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 build-and-publish-osv/action.yaml

diff --git a/build-and-publish-osv/action.yaml b/build-and-publish-osv/action.yaml
new file mode 100644
index 0000000..faf8054
--- /dev/null
+++ b/build-and-publish-osv/action.yaml
@@ -0,0 +1,76 @@
+---
+name: 'build-and-publish-osv'
+description: |
+ Build and publish advisories in the OSV format.
+
+inputs:
+ workload_identity_provider:
+ description: |
+ GCO Workload Identity.
+ required: true
+ default: ''
+ service_account:
+ description: |
+ GCP service account.
+ required: true
+ default: ''
+ gcp_project_id:
+ description: |
+ GCP project id.
+ required: true
+ default: ''
+ wolfictl_args:
+ description: |
+ Wolfictl args to run the advisory secdb.
+ required: true
+ default: ''
+ gcs_apk_bucket_name:
+ description: |
+ GCS bucket to store the security.json.
+ required: true
+ default: ''
+ gcs_apk_directory_name:
+ description: |
+ Directory to store the security.json.
+ required: false
+ default: ''
+ enable_acl_public_read:
+ description: |
+ Enable acl public read (set '--canned-acl=publicRead').
+ required: false
+ default: ''
+
+runs:
+ using: "composite"
+ steps:
+ - id: auth
+ name: 'Authenticate to Google Cloud'
+ uses: google-github-actions/auth@v2
+ with:
+ workload_identity_provider: ${{ inputs.workload_identity_provider }}
+ service_account: ${{ inputs.service_account }}
+
+ - uses: google-github-actions/setup-gcloud@v2
+ with:
+ project_id: ${{ inputs.gcp_project_id }}
+
+ - name: 'Check that GCloud is properly configured'
+ run: |
+ gcloud info
+ gcloud --quiet alpha storage ls 1> /dev/null
+ shell: bash
+
+ - name: Build the security database
+ uses: docker://ghcr.io/wolfi-dev/sdk:latest@sha256:1caf04b3d018df12829bdeec93fb1fcc320131d87787de6995847ad1e7aaa77e
+ with:
+ entrypoint: wolfictl
+ args: advisory export --format osv -o osv.yaml ${{ inputs.wolfictl_args }}
+
+ - name: 'Upload the security database to a bucket'
+ run: |
+ # Don't cache the security.json.
+ gcloud --quiet alpha storage cp \
+ ${{ inputs.enable_acl_public_read }} --cache-control=no-store \
+ ./osv.yaml \
+ gs://${{ inputs.gcs_apk_bucket_name }}/${{ inputs.gcs_apk_directory_name}}/
+ shell: bash
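Review bot: The upload step splices `inputs.gcs_apk_bucket_name`, `inputs.gcs_apk_directory_name` and `inputs.enable_acl_public_read` straight into the `run: |` script, so whatever the calling workflow passes is expanded into bash before it executes; the standard mitigation is to map those inputs to `env:` and reference them as quoted shell variables, which also lets `enable_acl_public_read` act as an on/off switch (`${ENABLE_ACL_PUBLIC_READ:+--canned-acl=publicRead}` still accepts the literal flag string the description asks for, though it would also treat `'false'` as set) instead of a free-form argument pass-through. With `gcs_apk_directory_name` at its default `''` the destination becomes `gs://<bucket>//`, which presumably lands under an empty path segment rather than the bucket root, so the rewrite below only appends the directory and separator when one is given. The two gcloud steps pull `google-github-actions/auth@v2` and `google-github-actions/setup-gcloud@v2` by mutable tag while the wolfictl image is pinned by digest; pinning those two to a commit SHA would make the action's supply chain consistently immutable. The input descriptions and the `# Don't cache the security.json.` comment read as carried over from the secdb action: the artifact here is `osv.yaml`, and `GCO Workload Identity.` should read `GCP Workload Identity provider.`.

```yaml
# … unchanged: name, description, inputs, and the auth/setup-gcloud/check/export steps …
    - name: 'Upload the security database to a bucket'
      env:
        GCS_APK_BUCKET_NAME: ${{ inputs.gcs_apk_bucket_name }}
        GCS_APK_DIRECTORY_NAME: ${{ inputs.gcs_apk_directory_name }}
        ENABLE_ACL_PUBLIC_READ: ${{ inputs.enable_acl_public_read }}
      run: |
        # Don't cache the exported osv.yaml.
        gcloud --quiet alpha storage cp \
          ${ENABLE_ACL_PUBLIC_READ:+--canned-acl=publicRead} --cache-control=no-store \
          ./osv.yaml \
          "gs://${GCS_APK_BUCKET_NAME}/${GCS_APK_DIRECTORY_NAME:+${GCS_APK_DIRECTORY_NAME}/}"
      shell: bash
```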