From 744670d6347aa38cd2f81b3bba115208b914d4bd Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Thu, 4 Sep 2025 16:49:04 +0530 Subject: [PATCH 1/7] Adding actual integration tests --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ee013ec1..f7362ae5 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ Kubernetes Discord Stars + Integration Tests

--- From bb3eb8410cbce71d43bd8d864140ee1fbb6cfbe1 Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Thu, 4 Sep 2025 16:50:01 +0530 Subject: [PATCH 2/7] Update integration tests workflow name for clarity --- .github/workflows/integration-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index c08a32ff..3f422e32 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -1,4 +1,4 @@ -name: Integration Tests for Exosphere +name: Integration Tests on: push: From ac87dc6c24e79db35493af77aebf760291d5c43a Mon Sep 17 00:00:00 2001 From: Nivedit Jain Date: Thu, 4 Sep 2025 16:50:52 +0530 Subject: [PATCH 3/7] Update README.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f7362ae5..542ea423 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Kubernetes Discord Stars - Integration Tests + Integration Tests

--- From 14dd7ed61d979e0b47ddc98c7b58766d7a2887a2 Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Thu, 4 Sep 2025 16:52:34 +0530 Subject: [PATCH 4/7] Update README.md to enhance integration tests badge link for clarity --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 542ea423..b0704ffa 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Kubernetes Discord Stars - Integration Tests + Integration Tests (main)

--- From 67e001ae48d6b02d65c22fd308fa21fb96f6e6b3 Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Thu, 4 Sep 2025 17:09:54 +0530 Subject: [PATCH 5/7] Enhance CI workflows with SBOM generation and security features - Updated integration-tests.yml to set a working directory for tests. - Added SBOM generation steps in publish-python-sdk.yml and release-python-sdk.yml, including tools installation, SBOM creation in JSON and XML formats, and vulnerability report generation. - Updated README.md to document supply chain security features, including package provenance, SBOM details, and verification instructions for enhanced transparency and security compliance. --- .github/workflows/integration-tests.yml | 4 ++ .github/workflows/publish-python-sdk.yml | 33 +++++++++++- .github/workflows/release-python-sdk.yml | 68 +++++++++++++++++++++++- python-sdk/README.md | 44 +++++++++++++++ 4 files changed, 147 insertions(+), 2 deletions(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 3f422e32..10378c0a 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -11,6 +11,10 @@ on: jobs: test: + defaults: + run: + working-directory: integration-tests + if: github.repository == 'exospherehost/exospherehost' runs-on: ubuntu-latest services: mongodb: diff --git a/.github/workflows/publish-python-sdk.yml b/.github/workflows/publish-python-sdk.yml index ea08fe12..9964f617 100644 --- a/.github/workflows/publish-python-sdk.yml +++ b/.github/workflows/publish-python-sdk.yml @@ -90,6 +90,37 @@ jobs: print(f'Version {version} is valid for PyPI publishing (contains beta indicator)') " + - name: Generate requirements file for SBOM + run: | + uv export --format=requirements-txt --output-file=requirements.txt + echo "Generated requirements.txt for SBOM creation" + + - name: Install SBOM generation tools + run: | + uv tool install cyclonedx-bom + uv tool install pip-audit + + - name: Generate SBOM with CycloneDX + run: | + uv tool run cyclonedx-py requirements --format json --output-file sbom-cyclonedx.json requirements.txt + echo "Generated CycloneDX SBOM in JSON format" + + - name: Generate vulnerability report with pip-audit + run: | + uv tool run pip-audit --format json --output vulnerability-report.json --requirement requirements.txt || true + echo "Generated vulnerability report (non-blocking)" + - run: uv build - - run: uv publish + - name: Publish to PyPI with provenance + run: uv publish --provenance + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-artifacts-beta-${{ github.sha }} + path: | + python-sdk/sbom-cyclonedx.json + python-sdk/requirements.txt + python-sdk/vulnerability-report.json + retention-days: 30 diff --git a/.github/workflows/release-python-sdk.yml b/.github/workflows/release-python-sdk.yml index b62061cc..3e110548 100644 --- a/.github/workflows/release-python-sdk.yml +++ b/.github/workflows/release-python-sdk.yml @@ -122,6 +122,72 @@ jobs: print(f'Version {version} is valid for release publishing') " + - name: Generate requirements file for SBOM + run: | + uv export --format=requirements-txt --output-file=requirements.txt + echo "Generated requirements.txt for SBOM creation" + + - name: Install SBOM generation tools + run: | + uv tool install cyclonedx-bom + uv tool install pip-audit + + - name: Generate SBOM with CycloneDX + run: | + uv tool run cyclonedx-py requirements --format json --output-file sbom-cyclonedx.json requirements.txt + uv tool run cyclonedx-py requirements --format xml --output-file sbom-cyclonedx.xml requirements.txt + echo "Generated CycloneDX SBOM in JSON and XML formats" + + - name: Generate vulnerability report with pip-audit + run: | + uv tool run pip-audit --format json --output vulnerability-report.json --requirement requirements.txt || true + echo "Generated vulnerability report (non-blocking)" + + - name: Create SBOM summary + run: | + echo "## Software Bill of Materials (SBOM)" > sbom-summary.md + echo "" >> sbom-summary.md + echo "This release includes the following supply chain security artifacts:" >> sbom-summary.md + echo "" >> sbom-summary.md + echo "- **Provenance**: Cryptographic proof of build integrity using GitHub's OIDC tokens" >> sbom-summary.md + echo "- **SBOM**: Complete dependency inventory in CycloneDX format" >> sbom-summary.md + echo "- **Vulnerability Report**: Security scan results for all dependencies" >> sbom-summary.md + echo "" >> sbom-summary.md + echo "### Dependencies Count:" >> sbom-summary.md + echo "- Direct dependencies: $(grep -c '^[^#]' requirements.txt || echo '0')" >> sbom-summary.md + echo "- Total dependencies (including transitive): $(wc -l < requirements.txt)" >> sbom-summary.md + echo "" >> sbom-summary.md + echo "### Verification:" >> sbom-summary.md + echo "You can verify this package's provenance on PyPI using:" >> sbom-summary.md + echo '```bash' >> sbom-summary.md + echo 'pip install sigstore' >> sbom-summary.md + echo 'python -m sigstore verify --bundle exospherehost==${{ github.ref_name }}' >> sbom-summary.md + echo '```' >> sbom-summary.md + - run: uv build - - run: uv publish \ No newline at end of file + - name: Publish to PyPI with provenance + run: uv publish --provenance + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-artifacts-${{ github.ref_name }} + path: | + python-sdk/sbom-cyclonedx.json + python-sdk/sbom-cyclonedx.xml + python-sdk/requirements.txt + python-sdk/vulnerability-report.json + python-sdk/sbom-summary.md + retention-days: 90 + + - name: Add SBOM to release assets + uses: softprops/action-gh-release@v2 + if: startsWith(github.ref, 'refs/tags/') + with: + files: | + python-sdk/sbom-cyclonedx.json + python-sdk/sbom-cyclonedx.xml + python-sdk/sbom-summary.md + body_path: python-sdk/sbom-summary.md + append_body: true \ No newline at end of file diff --git a/python-sdk/README.md b/python-sdk/README.md index fcfbb8f6..43719f3b 100644 --- a/python-sdk/README.md +++ b/python-sdk/README.md @@ -79,6 +79,50 @@ export EXOSPHERE_API_KEY="your-api-key" - **Scalability**: Designed for high-volume batch processing and workflows - **Graph Store (beta)**: Strings-only key-value store with per-run scope for sharing data across nodes (not durable across separate runs or clusters) +## Supply Chain Security + +The ExosphereHost Python SDK includes comprehensive supply chain security features to ensure package integrity and transparency: + +### Package Provenance + +All releases are published with cryptographic provenance using GitHub's OIDC tokens and the Sigstore ecosystem. This provides: + +- **Cryptographic proof** that packages were built by the official ExosphereHost repository +- **Tamper detection** to verify packages haven't been modified after publication +- **Build transparency** showing exactly how and where packages were created + +### Software Bill of Materials (SBOM) + +Each release includes a complete Software Bill of Materials in industry-standard CycloneDX format: + +- **Complete dependency inventory** listing all direct and transitive dependencies +- **Vulnerability scanning** results for all dependencies +- **License compliance** information for enterprise environments +- **Version tracking** for security auditing and compliance + +### Verification + +You can verify the authenticity of any ExosphereHost package: + +```bash +# Install verification tools +pip install sigstore + +# Verify package provenance (replace X.Y.Z with actual version) +python -m sigstore verify --bundle exospherehost==X.Y.Z +``` + +### Security Artifacts + +For each release, you can find the following security artifacts: + +- **SBOM files** (JSON and XML formats) attached to GitHub releases +- **Vulnerability reports** showing security scan results +- **Provenance attestations** available on PyPI +- **Build logs** publicly available in GitHub Actions + +These features align with modern software supply chain security best practices and help meet enterprise security requirements. + ## Architecture The SDK is built around two core concepts: From de419d9fdc7ed011429a3d326f6b9040f9f0ba2e Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Thu, 4 Sep 2025 17:25:28 +0530 Subject: [PATCH 6/7] Update integration-tests.yml to trigger workflows on pull requests to the main branch - Added pull_request event configuration to the integration-tests.yml file, specifying paths for integration tests, state manager, and Python SDK to ensure proper testing on PRs. --- .github/workflows/integration-tests.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 10378c0a..00aa7835 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -8,6 +8,14 @@ on: - 'state-manager/**' - 'python-sdk/**' - '.github/workflows/integration-tests.yml' + pull_request: + branches: [main] + paths: + - 'integration-tests/**' + - 'state-manager/**' + - 'python-sdk/**' + - '.github/workflows/integration-tests.yml' + jobs: test: From 586ec1af119c8c54e727e6392bc8c9126a0bf3fd Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Thu, 4 Sep 2025 17:34:09 +0530 Subject: [PATCH 7/7] Enhance publish and release workflows for Python SDK - Updated publish-python-sdk.yml and release-python-sdk.yml to generate requirements.txt from the lockfile for improved dependency management. - Added version checks before publishing to PyPI to prevent overwriting existing versions. - Included version output for installed SBOM generation tools to ensure transparency in the CI process. --- .github/workflows/publish-python-sdk.yml | 33 +++++++++++++++++++++--- .github/workflows/release-python-sdk.yml | 7 ++--- 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/.github/workflows/publish-python-sdk.yml b/.github/workflows/publish-python-sdk.yml index 9964f617..1c5a891c 100644 --- a/.github/workflows/publish-python-sdk.yml +++ b/.github/workflows/publish-python-sdk.yml @@ -92,13 +92,17 @@ jobs: - name: Generate requirements file for SBOM run: | - uv export --format=requirements-txt --output-file=requirements.txt - echo "Generated requirements.txt for SBOM creation" + uv export --locked --format=requirements-txt --output-file=requirements.txt + echo "Generated requirements.txt for SBOM creation from lockfile" - name: Install SBOM generation tools run: | uv tool install cyclonedx-bom + echo "Installed cyclonedx-bom version:" + uv tool run cyclonedx-bom --version uv tool install pip-audit + echo "Installed pip-audit version:" + uv tool run pip-audit --version - name: Generate SBOM with CycloneDX run: | @@ -113,7 +117,30 @@ jobs: - run: uv build - name: Publish to PyPI with provenance - run: uv publish --provenance + run: | + # Get the current version + VERSION=$(uv run python -c " + import sys + sys.path.append('.') + from exospherehost._version import version + print(version) + ") + + echo "Checking if exospherehost version $VERSION already exists on PyPI..." + + # Query PyPI JSON API to check if version exists + HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://pypi.org/pypi/exospherehost/$VERSION/json") + + if [ "$HTTP_STATUS" = "200" ]; then + echo "Version $VERSION already exists on PyPI. Skipping publish." + exit 0 + elif [ "$HTTP_STATUS" = "404" ]; then + echo "Version $VERSION not found on PyPI. Proceeding with publish." + uv publish --provenance + else + echo "Unexpected HTTP status $HTTP_STATUS when checking PyPI. Proceeding with publish." + uv publish --provenance + fi - name: Upload SBOM artifacts uses: actions/upload-artifact@v4 diff --git a/.github/workflows/release-python-sdk.yml b/.github/workflows/release-python-sdk.yml index 3e110548..eac8025f 100644 --- a/.github/workflows/release-python-sdk.yml +++ b/.github/workflows/release-python-sdk.yml @@ -124,8 +124,8 @@ jobs: - name: Generate requirements file for SBOM run: | - uv export --format=requirements-txt --output-file=requirements.txt - echo "Generated requirements.txt for SBOM creation" + uv export --locked --format=requirements-txt --output-file=requirements.txt + echo "Generated requirements.txt for SBOM creation from lockfile" - name: Install SBOM generation tools run: | @@ -161,7 +161,7 @@ jobs: echo "You can verify this package's provenance on PyPI using:" >> sbom-summary.md echo '```bash' >> sbom-summary.md echo 'pip install sigstore' >> sbom-summary.md - echo 'python -m sigstore verify --bundle exospherehost==${{ github.ref_name }}' >> sbom-summary.md + echo 'python -m sigstore verify --bundle exospherehost==${{ startsWith(github.ref_name, 'v') && substring(github.ref_name, 1) || github.ref_name }}' >> sbom-summary.md echo '```' >> sbom-summary.md - run: uv build @@ -189,5 +189,6 @@ jobs: python-sdk/sbom-cyclonedx.json python-sdk/sbom-cyclonedx.xml python-sdk/sbom-summary.md + python-sdk/vulnerability-report.json body_path: python-sdk/sbom-summary.md append_body: true \ No newline at end of file