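---
# CI/CD for the SBOM uploader: run the Go tests on every push and pull
# request; on version tags (v*.*.*) additionally cross-compile binaries,
# publish a container image to GHCR, generate and upload an SBOM, and cut a
# GitHub release with the binaries attached.
name: Build and Release SBOM Uploader

on:
  push:
    branches: ['**']
    tags:
      - 'v*.*.*'  # Triggers on version tags like v1.2.3
  pull_request:

# Least privilege: GITHUB_TOKEN is read-only by default for every job; the
# two jobs that publish (docker, release) request the write scopes they need.
permissions:
  contents: read

# NOTE(review): third-party actions are referenced by tag; pinning each
# `uses:` to a full commit SHA hardens the workflow against a moved tag.
jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'  # quoted: a plain 1.20 would parse as the float 1.2
      - name: Run tests
        run: go test ./...

  build:
    name: Build Cross-Platform Binaries
    runs-on: ubuntu-latest
    needs: test
    # Release artifacts are produced for tag pushes only. The docker and
    # release jobs depend on this one and are skipped along with it.
    if: startsWith(github.ref, 'refs/tags/')
    strategy:
      matrix:
        goos: [linux, windows, darwin]
        goarch: [amd64, arm64]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
      - name: Build ${{ matrix.goos }}-${{ matrix.goarch }}
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
        run: |
          mkdir -p dist/
          OUTPUT="sbom-uploader-${GOOS}-${GOARCH}"
          if [ "$GOOS" = "windows" ]; then
            OUTPUT="${OUTPUT}.exe"
          fi
          go build -o "dist/${OUTPUT}" .
      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: binaries-${{ matrix.goos }}-${{ matrix.goarch }}
          path: dist/

  docker:
    name: Build Docker Image
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      packages: write  # push the image to GHCR
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract version from tag
        id: vars
        # Tag and owner are read from the runner's default environment, so no
        # ${{ }} expression is expanded inside the shell script.
        run: |
          VERSION="${GITHUB_REF#refs/tags/}"
          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "OWNER=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
      # The version (a tag name chosen by whoever pushed the tag) reaches the
      # shell through `env:` and is always quoted, so characters in the tag
      # name cannot change the commands that run.
      - name: Build Docker image
        env:
          VERSION: ${{ steps.vars.outputs.VERSION }}
        run: docker build -t "upload-sbom-go:${VERSION}" .
      - name: Tag and Push to GHCR
        env:
          VERSION: ${{ steps.vars.outputs.VERSION }}
          OWNER: ${{ steps.vars.outputs.OWNER }}
        run: |
          IMAGE="ghcr.io/${OWNER}/upload-sbom-go"
          docker tag "upload-sbom-go:${VERSION}" "${IMAGE}:${VERSION}"
          docker tag "upload-sbom-go:${VERSION}" "${IMAGE}:latest"
          docker push "${IMAGE}:${VERSION}"
          docker push "${IMAGE}:latest"
      - name: Generate SBOM with Trivy
        uses: aquasecurity/trivy-action@0.34.2
        with:
          format: 'cyclonedx'
          scan-type: 'fs'
          scan-ref: 'go.mod'
          output: 'sbom.json'
      - name: Upload SBOM as Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom.json
          path: sbom.json
          overwrite: true
      - name: Upload SBOM to Dependency Track. How meta 🤯
        env:
          # Secrets are exported to the step environment and forwarded into the
          # container with a bare `-e NAME` instead of being spliced into the
          # script text.
          SBOM_UPLOADER_URL: ${{ secrets.DTRACK_URL }}
          SBOM_UPLOADER_API_KEY: ${{ secrets.DTRACK_KEY }}
          VERSION: ${{ steps.vars.outputs.VERSION }}
        run: |
          docker run --rm \
            -e SBOM_UPLOADER_URL \
            -e SBOM_UPLOADER_API_KEY \
            -e SBOM_UPLOADER_NAME='upload-sbom-go' \
            -e SBOM_UPLOADER_VERSION="${VERSION}" \
            -e SBOM_UPLOADER_PARENT='upload-sbom-go' \
            -e SBOM_UPLOADER_TAGS='upload-sbom-go' \
            -v "$(pwd)/sbom.json:/tmp/sbom.json" \
            "upload-sbom-go:${VERSION}" \
            --sbom /tmp/sbom.json \
            --latest \
            --poll

  release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    needs: [build, docker]
    permissions:
      contents: write  # create the release and attach the binaries
    steps:
      - name: Download all binary artifacts
        uses: actions/download-artifact@v4
        with:
          path: all-binaries/
      - name: Collect all binaries into release-assets
        run: |
          mkdir -p release-assets
          find all-binaries -type f -exec cp {} release-assets/ \;
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          name: "SBOM Uploader ${{ github.ref_name }}"
          tag_name: ${{ github.ref_name }}
          draft: false
          prerelease: false
          files: |
            release-assets/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}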