From c523080b22c5634409541ad0d073916c083cbe35 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Mon, 15 Dec 2025 23:16:17 +0530 Subject: [PATCH 1/8] added config to run bundle install to generate lock file at runtime Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request.yml | 8 +++++++- .github/workflows/sbom.yml | 12 ++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index d5fea9e..6d0847f 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml @@ -340,6 +340,11 @@ on: required: false type: boolean default: true + run-bundle-install: + description: 'Run bundle install before scanning to generate Gemfile.lock at runtime' + required: false + type: boolean + default: false udf1: description: 'User defined flag 1' required: false @@ -1281,7 +1286,7 @@ jobs: generate-sbom: name: 'Generating SBOM' if: ${{ inputs.generate-sbom == true }} - uses: chef/common-github-actions/.github/workflows/sbom.yml@main + uses: chef/common-github-actions/.github/workflows/sbom.yml@nikhil/-create-lock-file-runtime needs: ci-build secrets: inherit with: @@ -1294,6 +1299,7 @@ jobs: generate-msft-sbom: ${{ inputs.generate-msft-sbom }} license_scout: ${{ inputs.license_scout }} go-private-modules: ${{ inputs.go-private-modules }} + run-bundle-install: ${{ inputs.run-bundle-install }} quality-dashboard: name: 'Reporting to quality dashboard' diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index e957a6c..86774da 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -65,6 +65,11 @@ on: go-private-modules: required: false type: string + run-bundle-install: + description: 'Run bundle install before scanning to generate Gemfile.lock at runtime' + required: false + type: boolean + default: false env: # Set the default SBOM filename prefix 
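Review bot: The `uses:` line in the `generate-sbom` hunk at @@ -1281 now points the reusable workflow at a personal feature branch, `@nikhil/-create-lock-file-runtime`, and the same job passes `secrets: inherit`, so every caller of ci-main-pull-request.yml would hand its secrets to whatever that mutable branch holds at run time; patch 2 only corrects the branch name and keeps the branch reference, and no later hunk restores it. Before merge it should read `uses: chef/common-github-actions/.github/workflows/sbom.yml@main` again at minimum, or better a release tag or full commit SHA, with the branch used only in a test caller. The `run-bundle-install: ${{ inputs.run-bundle-install }}` forwarded at @@ -1294 is fine, but it only takes effect once the sbom.yml at the referenced ref declares that input, which is another reason the ref and the sbom.yml change should land together.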
@@ -190,6 +195,13 @@ jobs: - name: Checkout source uses: actions/checkout@v6 + - name: Set up Ruby and run bundle install + if: ${{ inputs.run-bundle-install == true }} + uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.4' + bundler-cache: true + - name: Configure git for private Go modules env: GOPRIVATE: ${{ inputs.go-private-modules }} From ffd2a24acac2c7432bc8344881fb9955e16ffc6c Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Mon, 15 Dec 2025 23:29:01 +0530 Subject: [PATCH 2/8] corrected branchname Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index 6d0847f..b766d17 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml @@ -1286,7 +1286,7 @@ jobs: generate-sbom: name: 'Generating SBOM' if: ${{ inputs.generate-sbom == true }} - uses: chef/common-github-actions/.github/workflows/sbom.yml@nikhil/-create-lock-file-runtime + uses: chef/common-github-actions/.github/workflows/sbom.yml@nikhil/create-lock-file-runtime needs: ci-build secrets: inherit with: From 5d7e5f0349f6b76fb42b808ded83e86685bbabc9 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 00:08:47 +0530 Subject: [PATCH 3/8] Add runtime Gemfile.lock generation for SBOM scanning - Add run-bundle-install parameter to enable bundle install before SBOM scan - Products without committed Gemfile.lock can now generate it at runtime - Add Ruby setup step in ci-build job for Ruby projects - Pass run-bundle-install parameter through workflow chain --- .github/workflows/ci-main-pull-request.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index b766d17..ce19e7b 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml 
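Review bot: The step `Set up Ruby and run bundle install` in the sbom.yml hunk at @@ -190 has no `run:`; the install happens implicitly through `bundler-cache: true`, and the hard-coded `ruby-version: '3.4'` overrides whatever Ruby the scanned project declares (setup-ruby otherwise reads `.ruby-version` / `.tool-versions`), which can change gem resolution and therefore the Gemfile.lock the SBOM is built from. Consider dropping the fixed version so the project's own declaration is used, or exposing it as a workflow input, and annotating the cache line, e.g. `bundler-cache: true  # runs bundle install; the resulting Gemfile.lock is what the SBOM scan reads` (confirm against setup-ruby's documentation that a lockfile is produced when none is committed). Because the lockfile is resolved fresh on every run, the SBOM describes only that run's resolution, so uploading the generated Gemfile.lock as an artifact next to the SBOM keeps the scan result auditable. The same hard-coded `ruby-version: '3.4'` is repeated in the `Set up Ruby` step added to ci-build in patch 3 and again in patch 6.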
@@ -732,6 +732,12 @@ jobs: # - name: Build for Ruby binary # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem # https://bundler.io/man/bundle-install.1.html + - name: Set up Ruby + if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} + uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.4' + - name: 'Ruby build' if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} run: | From d76f5c4a9d055576b3592d4d9838a4bf5faf175b Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 00:23:25 +0530 Subject: [PATCH 4/8] Simplify Gemfile.lock generation - remove deployment flags and build step - Change condition from language/build-profile to run-bundle-install parameter - Remove --deployment and --path flags that require existing lockfile - Remove bundle exec rake build - only need lockfile for SBOM scan - Rename step to clarify purpose: Generate Gemfile.lock for SBOM scanning --- .github/workflows/ci-main-pull-request.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index ce19e7b..000eeef 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml 
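Review bot: `uses: ruby/setup-ruby@v1` at @@ -732 resolves a mutable major tag; the existing `actions/checkout@v6` in this file follows the same convention, so it is consistent, but for a reusable workflow consumed by many repositories with inherited secrets, pinning third-party actions to a full commit SHA with the tag recorded in a comment, `uses: ruby/setup-ruby@<commit-sha>  # v1.x`, bounds what a retagged or compromised upstream can run. The same applies to the identical step in sbom.yml from patch 1 and to its re-addition in patch 6. The `if:` condition here is duplicated verbatim on the `Ruby build` step below it, which starts inside the hunk but whose `run:` body continues past it; a short comment on the setup step, `# provides bundler for the 'Ruby build' step below`, would explain why the two are gated identically.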
@@ -733,22 +733,17 @@ jobs: # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem # https://bundler.io/man/bundle-install.1.html - name: Set up Ruby - if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} + if: ${{ inputs.run-bundle-install == true }} uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' - - name: 'Ruby build' - if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} + - name: 'Generate Gemfile.lock for SBOM scanning' + if: ${{ inputs.run-bundle-install == true }} run: | - mkdir -p vendor - if [ -f "Gemfile.lock" ]; then - bundle install --deployment - else - echo "No .gemlock file found, creating it now" - bundle install --path vendor/bundle --deployment - fi - bundle exec rake build + echo "Generating Gemfile.lock for SBOM scanning" + bundle install + continue-on-error: true # - name: Configure git for private modules From 55369c57a2847bdd3522894713b9695f7868f632 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 13:55:58 +0530 Subject: [PATCH 5/8] Add run-bundle-install parameter for runtime Gemfile.lock generation - Added new input parameter run-bundle-install to support generating Gemfile.lock at runtime - This enables BlackDuck SCA scanning for projects like chef-cli that don't commit lockfiles - Parameter passed through to sbom.yml workflow for lockfile generation before scanning --- .github/workflows/ci-main-pull-request.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index 000eeef..b766d17 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml 
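Review bot: `continue-on-error: true` on the `Generate Gemfile.lock for SBOM scanning` step at @@ -733 lets the job proceed with no Gemfile.lock when `bundle install` fails, so the downstream SBOM scan silently runs against an unresolved dependency set and under-reports what ships. If a best-effort install is really intended, the step should at least surface the failure and the scan should check for the lockfile first, e.g. `test -f Gemfile.lock || echo "::warning::Gemfile.lock was not generated; SBOM will be incomplete"`. Patch 5 removes this step again, so this only matters if the approach returns.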
@@ -732,18 +732,17 @@ jobs: # - name: Build for Ruby binary # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem # https://bundler.io/man/bundle-install.1.html - - name: Set up Ruby - if: ${{ inputs.run-bundle-install == true }} - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.4' - - - name: 'Generate Gemfile.lock for SBOM scanning' - if: ${{ inputs.run-bundle-install == true }} + - name: 'Ruby build' + if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} run: | - echo "Generating Gemfile.lock for SBOM scanning" - bundle install - continue-on-error: true + mkdir -p vendor + if [ -f "Gemfile.lock" ]; then + bundle install --deployment + else + echo "No .gemlock file found, creating it now" + bundle install --path vendor/bundle --deployment + fi + bundle exec rake build # - name: Configure git for private modules From ae98335b56ef14e3e5f7538d2377ff549653f8c0 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 14:34:38 +0530 Subject: [PATCH 6/8] Add Ruby setup step before Ruby build to fix bundle: command not found error - Install Ruby 3.4 using ruby/setup-ruby@v1 before running bundle commands - Fixes broken Ruby build in ci-build job that has existed since main branch creation - Enables build to complete successfully so SBOM job can run - Works in conjunction with run-bundle-install parameter for runtime Gemfile.lock generation --- .github/workflows/ci-main-pull-request.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index b766d17..2fa6ab5 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml 
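Review bot: The hunk at @@ -732 is a straight revert of patch 4, restoring the `Ruby build` step with its original `--deployment` flags and the `.gemlock` message, while the commit message describes adding the `run-bundle-install` parameter, which this diff does not touch. Patches 6 and 7 then re-add the Ruby setup and fix the restored flag and typo, so the series carries several commits of churn for a net change of a few lines; squashing patches 3–7 into one commit whose message matches its diff would make the history reviewable. As far as the visible hunks show, after this revert `inputs.run-bundle-install` is no longer consulted in ci-build and is only forwarded to sbom.yml, which the commit message should say.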
@@ -732,6 +732,11 @@ jobs: # - name: Build for Ruby binary # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem # https://bundler.io/man/bundle-install.1.html + - name: Set up Ruby + if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} + uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.4' - name: 'Ruby build' if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} run: | From d89e48fd5d481f51ee678bce91f289be75c0c824 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 14:39:34 +0530 Subject: [PATCH 7/8] Fix Ruby build: remove --deployment flag when Gemfile.lock doesn't exist - Remove --deployment flag from bundle install when no Gemfile.lock exists - --deployment flag requires existing Gemfile.lock, causing exit code 16 - Fix typo: .gemlock -> Gemfile.lock in echo message --- .github/workflows/ci-main-pull-request.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index 2fa6ab5..0a22bc8 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml @@ -744,8 +744,8 @@ jobs: if [ -f "Gemfile.lock" ]; then bundle install --deployment else - echo "No .gemlock file found, creating it now" - bundle install --path vendor/bundle --deployment + echo "No Gemfile.lock found, creating it now" + bundle install --path vendor/bundle fi bundle exec rake build From 309279af4bd7ab381c6b655a314f3e9cc54ccafe Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 21:01:24 +0530 Subject: [PATCH 8/8] added comments Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
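Review bot: In the patch 7 hunk at @@ -744, both `bundle install --deployment` in the lockfile branch and the new `bundle install --path vendor/bundle` in the else branch use flags that Bundler 2.1 and later report as deprecated because they rely on settings being remembered across invocations, so with the Bundler bundled with the Ruby 3.4 installed by the step above, every build logs a deprecation warning and the step will break when the flags are removed. The equivalent supported form sets the options with `bundle config set --local` and then runs a single `bundle install`; the step's `run: |` header and `mkdir -p vendor` lie outside the hunk. The else branch still resolves gems fresh on each run, so the build is only reproducible if the generated Gemfile.lock is retained (committed or uploaded as an artifact) — the echo message should say that the file is being created for this run only.
```yaml
if [ -f "Gemfile.lock" ]; then
  bundle config set --local deployment 'true'
else
  echo "No Gemfile.lock found, creating one for this run"
  bundle config set --local path 'vendor/bundle'
fi
bundle install
bundle exec rake build
```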
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml index 0a22bc8..d946d6e 100644 --- a/.github/workflows/ci-main-pull-request.yml +++ b/.github/workflows/ci-main-pull-request.yml @@ -340,7 +340,7 @@ on: required: false type: boolean default: true - run-bundle-install: + run-bundle-install: # Added to support projects without committed Gemfile.lock (e.g., chef-cli) description: 'Run bundle install before scanning to generate Gemfile.lock at runtime' required: false type: boolean @@ -732,7 +732,7 @@ jobs: # - name: Build for Ruby binary # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem # https://bundler.io/man/bundle-install.1.html - - name: Set up Ruby + - name: Set up Ruby # Fixed: Ruby setup was missing, causing "bundle: command not found" errors if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }} uses: ruby/setup-ruby@v1 with: @@ -745,7 +745,7 @@ jobs: bundle install --deployment else echo "No Gemfile.lock found, creating it now" - bundle install --path vendor/bundle + bundle install --path vendor/bundle # Fixed: Removed --deployment flag when lockfile doesn't exist fi bundle exec rake build @@ -1304,7 +1304,7 @@ jobs: generate-msft-sbom: ${{ inputs.generate-msft-sbom }} license_scout: ${{ inputs.license_scout }} go-private-modules: ${{ inputs.go-private-modules }} - run-bundle-install: ${{ inputs.run-bundle-install }} + run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime quality-dashboard: name: 'Reporting to quality dashboard'
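Review bot: The comments added in this patch record change history (`# Fixed: Ruby setup was missing, ...`, `# Fixed: Removed --deployment flag ...`) rather than the reason the code is the way it is; that narrative belongs in the commit message, and the "Fixed:" framing is stale after the next edit. Rephrase them as rationale, e.g. `- name: Set up Ruby  # provides bundler for the 'Ruby build' step below` and `bundle install --path vendor/bundle  # --deployment requires an existing Gemfile.lock`. The comment on the `run-bundle-install:` key at @@ -340 names one consumer (`chef-cli`); in a shared reusable workflow that reference will go stale, so `# for projects that do not commit Gemfile.lock` is sufficient. Note that the comment inside the `run: |` block scalar at @@ -745 is shipped into the shell script as a shell comment, which is harmless but means yamllint's comment-spacing rule does not apply to it.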