chore: add oss clearance tools

Author: r0b1n

automation/utils/bin/rui-oss-clearance.ts

@@ -0,0 +1,247 @@
+#!/usr/bin/env ts-node-script
+
+import { gh, GitHubDraftRelease, GitHubReleaseAsset } from "../src/github";
+import { join } from "path";
+import { exec, mkdir, mv, rm, zip } from "../src/shell";
+import { prompt } from "enquirer";
+import chalk from "chalk";
+import * as fs from "node:fs";
+import * as crypto from "crypto";
+import { pipeline } from "stream/promises";
+import { mkdtemp } from "node:fs/promises";
+import { homedir, tmpdir } from "node:os";
+
+// ============================================================================
+// Constants
+// ============================================================================
+
+const SBOM_GENERATOR_JAR = join(homedir(), "SBOM_Generator.jar");
+
+// ============================================================================
+// Utility Functions
+// ============================================================================
+
+function printHeader(title: string): void {
+    console.log("\n" + chalk.bold.cyan("═".repeat(60)));
+    console.log(chalk.bold.cyan(`  ${title}`));
+    console.log(chalk.bold.cyan("═".repeat(60)) + "\n");
+}
+
+function printStep(step: number, total: number, message: string): void {
+    console.log(chalk.bold.blue(`\n[${step}/${total}]`) + chalk.white(` ${message}`));
+}
+
+function printSuccess(message: string): void {
+    console.log(chalk.green(`✅ ${message}`));
+}
+
+function printError(message: string): void {
+    console.log(chalk.red(`❌ ${message}`));
+}
+
+function printWarning(message: string): void {
+    console.log(chalk.yellow(`⚠️  ${message}`));
+}
+
+function printInfo(message: string): void {
+    console.log(chalk.cyan(`ℹ️  ${message}`));
+}
+
+function printProgress(message: string): void {
+    console.log(chalk.gray(`   → ${message}`));
+}
+
+// ============================================================================
+// Core Functions
+// ============================================================================
+
+async function verifyGitHubAuth(): Promise<void> {
+    printStep(1, 6, "Verifying GitHub authentication...");
+
+    try {
+        await gh.ensureAuth();
+        printSuccess("GitHub authentication verified");
+    } catch (error) {
+        printError(`GitHub authentication failed: ${(error as Error).message}`);
+        console.log(chalk.yellow("\n💡 Setup Instructions:\n"));
+        console.log(chalk.white("1. Install GitHub CLI:"));
+        console.log(chalk.cyan("   • Download: https://cli.github.com/"));
+        console.log(chalk.cyan("   • Or via brew: brew install gh\n"));
+        console.log(chalk.white("2. Authenticate (choose one option):"));
+        console.log(chalk.cyan("   • Option A: export GITHUB_TOKEN=your_token_here"));
+        console.log(chalk.cyan("   • Option B: export GH_PAT=your_token_here"));
+        console.log(chalk.cyan("   • Option C: gh auth login\n"));
+        console.log(chalk.white("3. For A and B get your token at:"));
+        console.log(chalk.cyan("   https://github.com/settings/tokens\n"));
+        throw new Error("GitHub authentication required");
+    }
+}
+
+async function selectRelease(): Promise<GitHubDraftRelease> {
+    printStep(2, 6, "Fetching draft releases...");
+
+    const releases = await gh.getDraftReleases();
+    printSuccess(`Found ${releases.length} draft release${releases.length !== 1 ? "s" : ""}`);
+
+    if (releases.length === 0) {
+        printWarning("No draft releases found");
+        throw new Error("No releases available");
+    }
+
+    console.log(); // spacing
+    const { tag_name } = await prompt<{ tag_name: string }>({
+        type: "select",
+        name: "tag_name",
+        message: "Select a release to process:",
+        choices: releases.map(r => ({
+            name: r.tag_name,
+            message: `${r.name} ${chalk.gray(`(${r.tag_name})`)}`
+        }))
+    });
+
+    const release = releases.find(r => r.tag_name === tag_name);
+    if (!release) {
+        throw new Error(`Release not found: ${tag_name}`);
+    }
+
+    printInfo(`Selected release: ${chalk.bold(release.name)}`);
+    return release;
+}
+
+async function findAndValidateMpkAsset(release: GitHubDraftRelease): Promise<GitHubReleaseAsset> {
+    printStep(3, 6, "Locating MPK asset...");
+
+    const mpkAsset = release.assets.find(asset => asset.name.endsWith(".mpk"));
+
+    if (!mpkAsset) {
+        printError("No MPK asset found in release");
+        printInfo(`Available assets: ${release.assets.map(a => a.name).join(", ")}`);
+        throw new Error("MPK asset not found");
+    }
+
+    printSuccess(`Found MPK asset: ${chalk.bold(mpkAsset.name)}`);
+    printInfo(`Asset ID: ${mpkAsset.id}`);
+    return mpkAsset;
+}
+
+async function downloadAndVerifyAsset(mpkAsset: GitHubReleaseAsset, downloadPath: string): Promise<string> {
+    printStep(4, 6, "Downloading and verifying MPK asset...");
+
+    printProgress(`Downloading to: ${downloadPath}`);
+    await gh.downloadReleaseAsset(mpkAsset.id, downloadPath);
+    printSuccess("Download completed");
+
+    printProgress("Computing SHA-256 hash...");
+    const fileHash = await computeHash(downloadPath);
+    printInfo(`Computed hash: ${fileHash}`);
+
+    const expectedDigest = mpkAsset.digest.replace("sha256:", "");
+    if (fileHash !== expectedDigest) {
+        printError("Hash mismatch detected!");
+        printInfo(`Expected: ${expectedDigest}`);
+        printInfo(`Got:      ${fileHash}`);
+        throw new Error("Asset integrity verification failed");
+    }
+
+    printSuccess("Hash verification passed");
+    return fileHash;
+}
+
+async function runSbomGenerator(tmpFolder: string): Promise<void> {
+    printStep(5, 6, "Running SBOM Generator...");
+
+    printProgress("Unzipping MPK...");
+    await exec(`java -jar ${SBOM_GENERATOR_JAR} SBOM_GENERATOR unzip`, { cwd: tmpFolder });
+    printSuccess("MPK unzipped");
+
+    printProgress("Scanning dependencies...");
+    await exec(`java -jar ${SBOM_GENERATOR_JAR} SBOM_GENERATOR scan`, { cwd: tmpFolder });
+    printSuccess("Scan completed");
+}
+
+async function createOutputArchive(tmpFolder: string, releaseName: string, fileHash: string): Promise<void> {
+    printStep(6, 6, "Creating output archive...");
+
+    const resultsFolder = join(tmpFolder, "CCA_JSON");
+    const archiveName = `${releaseName}.zip`;
+    const finalName = `${releaseName} [${fileHash}].zip`;
+
+    printProgress(`Archiving results from: ${resultsFolder}`);
+    await zip(resultsFolder, archiveName);
+    printSuccess("Archive created");
+
+    const ossArtifactZip = join(resultsFolder, archiveName);
+    const downloadsFolder = join(homedir(), "Downloads");
+    const finalPath = join(downloadsFolder, finalName);
+
+    printProgress(`Moving to: ${finalPath}`);
+    mv(ossArtifactZip, finalPath);
+    printSuccess("Archive moved to Downloads folder");
+
+    printProgress("Cleaning up temporary files...");
+    rm("-rf", tmpFolder);
+    printSuccess("Cleanup completed");
+
+    console.log(chalk.bold.green(`\n🎉 Success! Output file:`));
+    console.log(chalk.cyan(`   ${finalPath}\n`));
+}
+
+async function computeHash(filepath: string): Promise<string> {
+    const input = fs.createReadStream(filepath);
+    const hash = crypto.createHash("sha256");
+    await pipeline(input, hash);
+    return hash.digest("hex");
+}
+
+async function createFolderStructure(name: string): Promise<[string, string]> {
+    const tmpFolder = await mkdtemp(join(tmpdir(), "tmp_OSS_Clearance_Artifacts_"));
+    const artifactsFolder = join(tmpFolder, "SBOM_GENERATOR", name);
+    await mkdir("-p", artifactsFolder);
+    return [tmpFolder, join(artifactsFolder, `${name}.mpk`)];
+}
+
+// ============================================================================
+// Main Function
+// ============================================================================
+
+async function main(): Promise<void> {
+    printHeader("OSS Clearance Artifacts Preparation Tool");
+
+    try {
+        // Step 1: Verify authentication
+        await verifyGitHubAuth();
+
+        // Step 2: Select release
+        const release = await selectRelease();
+
+        // Step 3: Find MPK asset
+        const mpkAsset = await findAndValidateMpkAsset(release);
+
+        // Prepare folder structure
+        const [tmpFolder, downloadPath] = await createFolderStructure(release.name);
+        printInfo(`Working directory: ${tmpFolder}`);
+
+        // Step 4: Download and verify
+        const fileHash = await downloadAndVerifyAsset(mpkAsset, downloadPath);
+
+        // Step 5: Run SBOM Generator
+        await runSbomGenerator(tmpFolder);
+
+        // Step 6: Create final archive
+        await createOutputArchive(tmpFolder, release.name, fileHash);
+    } catch (error) {
+        console.log("\n" + chalk.bold.red("═".repeat(60)));
+        printError(`Process failed: ${(error as Error).message}`);
+        console.log(chalk.bold.red("═".repeat(60)) + "\n");
+        process.exit(1);
+    }
+}
+
+// ============================================================================
+// Entry Point
+// ============================================================================
+
+main().catch(e => {
+    console.error(chalk.red("\n💥 Unexpected error:"), e);
+    process.exit(1);
+});

automation/utils/package.json

@@ -30,6 +30,7 @@
         "compile:parser:widget": "peggy -o ./src/changelog-parser/parser/module/module.js ./src/changelog-parser/parser/module/module.pegjs",
         "format": "prettier --write .",
         "lint": "eslint --ext .jsx,.js,.ts,.tsx src/",
+        "oss-clearance": "ts-node bin/rui-oss-clearance.ts",
         "prepare": "pnpm run compile:parser:widget && pnpm run compile:parser:module && tsc",
         "prepare-release": "ts-node bin/rui-prepare-release.ts",
         "start": "tsc --watch",

automation/utils/src/github.ts

@@ -1,8 +1,30 @@
 import { mkdtemp, writeFile } from "fs/promises";
+import { createWriteStream } from "fs";
 import { join } from "path";
+import { pipeline } from "stream/promises";
+import nodefetch from "node-fetch";
 import { fetch } from "./fetch";
 import { exec } from "./shell";
 
+export interface GitHubReleaseAsset {
+    id: string;
+    name: string;
+    browser_download_url: string;
+    size: number;
+    content_type: string;
+    digest: string;
+}
+
+export interface GitHubDraftRelease {
+    id: string;
+    tag_name: string;
+    name: string;
+    draft: boolean;
+    created_at: string;
+    published_at: string | null;
+    assets: GitHubReleaseAsset[];
+}
+
 interface GitHubReleaseInfo {
     title: string;
     tag: string;
@@ -29,12 +51,11 @@ interface GitHubPRInfo {
 export class GitHub {
     authSet = false;
     tmpPrefix = "gh-";
+    authToken: string = "";
 
     async ensureAuth(): Promise<void> {
         if (!this.authSet) {
-            if (process.env.GITHUB_TOKEN) {
-                // when using GITHUB_TOKEN, gh will automatically use it
-            } else if (process.env.GH_PAT) {
+            if (process.env.GH_PAT) {
                 await exec(`echo "${process.env.GH_PAT}" | gh auth login --with-token`);
             } else {
                 // No environment variables set, check if already authenticated
@@ -53,8 +74,10 @@ export class GitHub {
         try {
             // Try to run 'gh auth status' to check if authenticated
             await exec("gh auth status", { stdio: "pipe" });
+            const { stdout: token } = await exec(`gh auth token`, { stdio: "pipe" });
+            this.authToken = token.trim();
             return true;
-        } catch (error) {
+        } catch (error: unknown) {
             // If the command fails, the user is not authenticated
             return false;
         }
@@ -107,7 +130,7 @@ export class GitHub {
     get ghAPIHeaders(): Record<string, string> {
         return {
             "X-GitHub-Api-Version": "2022-11-28",
-            Authorization: `Bearer ${process.env.GH_PAT}`
+            Authorization: `Bearer ${this.authToken || process.env.GH_PAT}`
         };
     }
 
@@ -165,6 +188,64 @@ export class GitHub {
         return downloadUrl;
     }
 
+    async getDraftReleases(owner = "mendix", repo = "web-widgets"): Promise<GitHubDraftRelease[]> {
+        console.log(`Fetching draft releases from ${owner}/${repo}`);
+
+        const releases = await fetch<GitHubDraftRelease[]>(
+            "GET",
+            `https://api.github.com/repos/${owner}/${repo}/releases`,
+            undefined,
+            {
+                ...this.ghAPIHeaders
+            }
+        );
+
+        // Filter only draft releases
+        return releases.filter(release => release.draft);
+    }
+
+    async downloadReleaseAsset(
+        assetId: string,
+        destinationPath: string,
+        owner = "mendix",
+        repo = "web-widgets"
+    ): Promise<void> {
+        await this.ensureAuth();
+
+        console.log(`Downloading release asset ${assetId} to ${destinationPath}`);
+
+        const url = `https://api.github.com/repos/${owner}/${repo}/releases/assets/${assetId}`;
+
+        try {
+            const response = await nodefetch(url, {
+                method: "GET",
+                headers: {
+                    Accept: "application/octet-stream",
+                    ...this.ghAPIHeaders
+                },
+                redirect: "follow"
+            });
+
+            if (!response.ok) {
+                throw new Error(`Failed to download asset ${assetId}: ${response.status} ${response.statusText}`);
+            }
+
+            if (!response.body) {
+                throw new Error(`No response body received for asset ${assetId}`);
+            }
+
+            // Stream the response body to the file
+            const fileStream = createWriteStream(destinationPath);
+            await pipeline(response.body, fileStream);
+
+            console.log(`Successfully downloaded asset to ${destinationPath}`);
+        } catch (error) {
+            throw new Error(
+                `Failed to download release asset ${assetId}: ${error instanceof Error ? error.message : String(error)}`
+            );
+        }
+    }
+
     async createReleaseNotesFile(releaseNotesText: string): Promise<string> {
         const filePath = await this.createTempFile();
         await writeFile(filePath, releaseNotesText);

package.json

@@ -9,6 +9,7 @@
     "scripts": {
         "build": "turbo run build",
         "changelog": "pnpm --filter @mendix/automation-utils run changelog",
+        "oss-clearance": "pnpm --filter @mendix/automation-utils run oss-clearance",
         "create-gh-release": "turbo run create-gh-release --concurrency 1",
         "create-translation": "turbo run create-translation",
         "postinstall": "turbo run agent-rules",