From 551fe98beaee81a740e3c4cdbb18822f3c3d1e36 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Fri, 31 Oct 2025 20:09:14 +0530
Subject: [PATCH 1/4] Add template for running D2D on project build and source archives
Signed-off-by: Keshav Priyadarshi
---
 .../map-deploy-to-develop-template.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/map-deploy-to-develop-template.yml
diff --git a/.github/workflows/map-deploy-to-develop-template.yml b/.github/workflows/map-deploy-to-develop-template.yml
new file mode 100644
index 0000000..1f56033
--- /dev/null
+++ b/.github/workflows/map-deploy-to-develop-template.yml
@@ -0,0 +1,40 @@
+name: Run D2D on build and source archives
+on:
+ workflow_call:
+ inputs:
+ artifact-name:
+ description: "Artifact containing the build archive"
+ required: true
+ type: string
+ steps:
+ description: "Comma separated D2D steps to run"
+ required: false
+ type: string
+
+jobs:
+ run-d2d-pipeline:
+ runs-on: 'ubuntu-latest'
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Download build artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs['artifact-name'] }}
+ path: ../scancode-inputs/
+
+ - name: Prepare D2D inputs
+ shell: bash
+ run: |
+ for file in ../scancode-inputs/*; do
+ base=$(basename "$file")
+ mv "$file" "../scancode-inputs/to_$base"
+ done
+ git archive --format=tar.gz -o ../scancode-inputs/from.tar.gz HEAD
+
+ - name: Run D2D pipeline
+ uses: aboutcode-org/scancode-action@beta
+ with:
+ pipelines: ${{ inputs.steps && format('map_deploy_to_develop:%s', inputs.steps) || 'map_deploy_to_develop' }}
+ inputs-path: ../scancode-inputs
From 30e80be7f52599949d7af709333aca93143d692b Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Thu, 20 Nov 2025 22:20:57 +0530
Subject: [PATCH 2/4] Add documentation for D2D template
Signed-off-by: Keshav Priyadarshi
---
 README.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
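Review bot: `uses: aboutcode-org/scancode-action@beta` in the 'Run D2D pipeline' step references a mutable branch, so every caller of this reusable workflow runs whatever that branch contains on the day it runs and a change there reaches all consumers unreviewed; reference a release tag or, preferably, a full commit SHA with the version in a trailing comment (`uses: aboutcode-org/scancode-action@<full-commit-sha> # vX.Y`), and consider the same for the `actions/*` steps. The workflow also declares no `permissions:` block, so it runs with whatever default token grant the caller has; a top-level `permissions:` with `contents: read` is all the checkout and the artifact download need. In 'Prepare D2D inputs', `for file in ../scancode-inputs/*` leaves the literal pattern in place when the downloaded artifact is empty and `mv` then fails with an unhelpful message — `shopt -s nullglob` before the loop, or an explicit check that at least one file arrived, makes that failure clear. The hunk creates the whole file, so nothing is cut off at its edges.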
diff --git a/README.md b/README.md
index 1e49bb6..c57d048 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,8 @@ from your **GitHub Workflows**. - [Check for compliance issues](#check-for-compliance-issues) - [Define a custom project name](#define-a-custom-project-name) - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
-- [Where does the scan results go?](#where-does-the-scan-results-go)
+ - [Run source to binary mapping using GitHub action template](#run-source-to-binary-mapping-using-github-action-template)
+- [Where does the scan results go?](#where-are-the-scan-results)
 ## Usage
@@ -226,6 +227,18 @@ Activate this behavior by enabling `check-compliance` and setting scancodeio-repo-branch: "main" ```
+### Run source to binary mapping using GitHub action template
+1. Add job to build your binary and upload it as a GitHub actions artifact.
+2. Add a job to run `map-deploy-to-develop` pipeline.
+ ```yaml
+ run-d2d-pipeline:
+ needs: # Job id from step 1
+ uses: aboutcode-org/scancode-action/.github/workflows/map-deploy-to-develop-template.yml
+ with:
+ artifact-name: # Label of uploaded artifact from step 1
+ steps: "python,java" # Comma separated optional steps. See https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html#map-deploy-to-develop
+ ```
+
 ## Where are the Scan Results? Upon completion of the workflow, you can **find the scan results** in the dedicated
From fab9cbb4968f76e26193a212f15db4f58979a0bc Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Fri, 28 Nov 2025 00:20:27 +0530
Subject: [PATCH 3/4] Add a working example for Python
Signed-off-by: Keshav Priyadarshi
---
 README.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 54 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index c57d048..d30e514 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ from your **GitHub Workflows**. - [Check for compliance issues](#check-for-compliance-issues) - [Define a custom project name](#define-a-custom-project-name) - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
- - [Run source to binary mapping using GitHub action template](#run-source-to-binary-mapping-using-github-action-template)
+ - [Run source to binary mapping](#run-source-to-binary-mapping)
 - [Where does the scan results go?](#where-are-the-scan-results) ## Usage
@@ -227,11 +227,16 @@ Activate this behavior by enabling `check-compliance` and setting scancodeio-repo-branch: "main" ```
-### Run source to binary mapping using GitHub action template
-1. Add job to build your binary and upload it as a GitHub actions artifact.
-2. Add a job to run `map-deploy-to-develop` pipeline.
+### Run source to binary mapping
+
+Use this [workflow template](.github/workflows/map-deploy-to-develop-template.yml) for validating the integrity of open-source binary. It compares a project’s binary to its source code. Workflow will generate mapping between compiled binary and its original source code, which helps in spotting any malicious, unexpected, or otherwise undesirable code that may have made its way into the final binary.
+
+#### To use follow these steps:
+
+1. In your workflow add job to build binary and upload it as a GitHub actions artifact.
+2. Now add a second job to run source binary mapping using [template](.github/workflows/map-deploy-to-develop-template.yml).
 ```yaml
- run-d2d-pipeline:
+ map-source-binary:
 needs: # Job id from step 1 uses: aboutcode-org/scancode-action/.github/workflows/map-deploy-to-develop-template.yml with:
@@ -239,6 +244,50 @@ Activate this behavior by enabling `check-compliance` and setting steps: "python,java" # Comma separated optional steps. See https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html#map-deploy-to-develop ```
+#### An end-to-end working example for Python projects:
+
+```yaml
+ name: Run source to binary mapping on tag
+
+ on:
+ workflow_dispatch:
+ push:
+ tags:
+ - "v*.*.*"
+
+ jobs:
+ build-python-wheel:
+ name: Build python wheel
+ runs-on: ubuntu-24.04
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.12
+
+ - name: Install pypa/build and twine
+ run: python -m pip install --user --upgrade build twine packaging pip setuptools
+
+ - name: Build a binary wheel
+ run: python -m build --wheel --outdir dist/
+
+ - name: Upload wheel
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheel_archives
+ path: dist/*.whl
+
+ map-source-binary:
+ name: Generate source to binary mapping
+ needs: build-python-wheel
+ uses: aboutcode-org/scancode-action/.github/workflows/map-deploy-to-develop-template.yml
+ with:
+ artifact-name: wheel_archives
+ steps: "python"
+```
+
 ## Where are the Scan Results? Upon completion of the workflow, you can **find the scan results** in the dedicated
From c0d4b5e27d32d1aaa40142c1bc11741bef61603a Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Mon, 1 Dec 2025 13:52:15 +0530
Subject: [PATCH 4/4] Move example to workflow file
Signed-off-by: Keshav Priyadarshi
---
 .../map-deploy-to-develop-template.yml | 6 +++
 .../map-source-binary-boolean-py.yml | 44 +++++++++++++++++++
 README.md | 43 +-----------------
 3 files changed, 51 insertions(+), 42 deletions(-)
 create mode 100644 .github/workflows/map-source-binary-boolean-py.yml
diff --git a/.github/workflows/map-deploy-to-develop-template.yml b/.github/workflows/map-deploy-to-develop-template.yml
index 1f56033..6256e62 100644
--- a/.github/workflows/map-deploy-to-develop-template.yml
+++ b/.github/workflows/map-deploy-to-develop-template.yml
@@ -10,6 +10,10 @@ on: description: "Comma separated D2D steps to run" required: false type: string
+ repository:
+ description: "Project's repository. Defaults to workflow's repository."
+ required: false
+ type: string
 jobs: run-d2d-pipeline:
@@ -17,6 +21,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4
+ with:
+ repository: ${{ inputs.repository || github.repository }}
 - name: Download build artifact uses: actions/download-artifact@v4
diff --git a/.github/workflows/map-source-binary-boolean-py.yml b/.github/workflows/map-source-binary-boolean-py.yml
new file mode 100644
index 0000000..a180e99
--- /dev/null
+++ b/.github/workflows/map-source-binary-boolean-py.yml
@@ -0,0 +1,44 @@
+name: Run source to binary mapping on boolean.py
+
+on:
+ workflow_dispatch:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ build-python-wheel:
+ name: Build python wheel
+ runs-on: ubuntu-24.04
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: bastikr/boolean.py
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.12
+
+ - name: Install pypa/build and twine
+ run: python -m pip install --user --upgrade build twine packaging pip setuptools
+
+ - name: Build a binary wheel
+ run: python -m build --wheel --outdir dist/
+
+ - name: Upload wheel
+ uses: actions/upload-artifact@v4
+ with:
+ name: wheel_archives
+ path: dist/*.whl
+
+ map-source-binary:
+ name: Generate source to binary mapping
+ needs: build-python-wheel
+ uses: ./.github/workflows/map-deploy-to-develop-template.yml
+ with:
+ artifact-name: wheel_archives
+ repository: bastikr/boolean.py
+ steps: "python"
\ No newline at end of file
diff --git a/README.md b/README.md
index d30e514..664f3a2 100644
--- a/README.md
+++ b/README.md
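Review bot: The new `repository` input (and the matching `with: repository:` on the checkout step in the next hunk) lets the template check out a project other than the caller's, but that checkout then takes the external repository's default-branch HEAD at the moment the job runs, while the artifact being mapped was built from a separate checkout in an earlier job; if the branch moves in between, `git archive HEAD` packages source that does not correspond to the binary, which is exactly the mismatch this pipeline is meant to surface. Add an optional `ref` input next to `repository` and pass it to the checkout as `ref: ${{ inputs.ref }}` (an empty value leaves actions/checkout's current default behaviour), and say in the `repository` description that external projects should be pinned with `ref` to the commit that was built. The `on.workflow_call.inputs` mapping and the `run-d2d-pipeline` job both start outside the hunk.
```yaml
      ref:
        description: "Commit SHA, tag or branch of the project to map. Defaults to actions/checkout's default ref."
        required: false
        type: string
# … unchanged: jobs.run-d2d-pipeline up to the checkout step …
        with:
          repository: ${{ inputs.repository || github.repository }}
          ref: ${{ inputs.ref }}
```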
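Review bot: `map-source-binary-boolean-py.yml` runs `python -m build` on a third-party checkout (`bastikr/boolean.py`, taken at whatever its default branch holds when the job runs) on every push and pull request, yet it declares no `permissions:` block, so that external build executes with the repository's default `GITHUB_TOKEN` grant; add a top-level `permissions:` with `contents: read` so the job can only read. Pinning that checkout with `ref:` to a commit SHA would make the example reproducible and keep the built wheel and the mapped source at one known commit. `python-version: 3.12` is an unquoted float — write `python-version: "3.12"` so that a copied `3.10` is not read as 3.1. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.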
@@ -244,49 +244,8 @@ Use this [workflow template](.github/workflows/map-deploy-to-develop-template.ym steps: "python,java" # Comma separated optional steps. See https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html#map-deploy-to-develop ``` -#### An end-to-end working example for Python projects: +See an end-to-end working example for a python project [here](.github/workflows/map-source-binary-boolean-py.yml) -```yaml - name: Run source to binary mapping on tag - - on: - workflow_dispatch: - push: - tags: - - "v*.*.*" - - jobs: - build-python-wheel: - name: Build python wheel - runs-on: ubuntu-24.04 - - steps: - - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: 3.12 - - - name: Install pypa/build and twine - run: python -m pip install --user --upgrade build twine packaging pip setuptools - - - name: Build a binary wheel - run: python -m build --wheel --outdir dist/ - - - name: Upload wheel - uses: actions/upload-artifact@v4 - with: - name: wheel_archives - path: dist/*.whl - - map-source-binary: - name: Generate source to binary mapping - needs: build-python-wheel - uses: aboutcode-org/scancode-action/.github/workflows/map-deploy-to-develop-template.yml - with: - artifact-name: wheel_archives - steps: "python" -``` ## Where are the Scan Results?