Merge pull request #3211 from OffchainLabs/dependabot/npm_and_yarn/po… #48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: SBOM Export & Centralize | |
| on: | |
| push: | |
| branches: [ "master" ] | |
| schedule: | |
| - cron: '49 7 * * 2' | |
| permissions: | |
| contents: read | |
| jobs: | |
| generate-and-upload: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Source Code | |
| uses: actions/checkout@v6 | |
| - name: Check for recent changes | |
| id: check | |
| run: | | |
| if [ -z "$(git log --since='7 days ago' --oneline | head -1)" ]; then | |
| echo "No commits in the last 7 days, skipping SBOM generation." | |
| echo "skip=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Generate CycloneDX SBOM via cdxgen | |
| if: steps.check.outputs.skip != 'true' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| docker run --rm \ | |
| --user "$(id -u):$(id -g)" \ | |
| -v /tmp:/tmp \ | |
| -v "${{ github.workspace }}:/app:rw" \ | |
| -e FETCH_LICENSE=true \ | |
| -e GITHUB_TOKEN \ | |
| ghcr.io/cdxgen/cdxgen:v12.1.1 \ | |
| -r /app \ | |
| -o /app/sbom.cdx.json \ | |
| --no-install-deps \ | |
| --spec-version 1.6 | |
| if [ ! -s sbom.cdx.json ]; then | |
| echo "::error::cdxgen SBOM generation failed or returned empty." | |
| exit 1 | |
| fi | |
| echo "SBOM generated successfully:" | |
| ls -lh sbom.cdx.json | |
| - name: Upload SBOM to Dependency Track | |
| if: steps.check.outputs.skip != 'true' | |
| env: | |
| DT_API_KEY: ${{ secrets.DEPENDENCY_TRACK_API_KEY }} | |
| DT_URL: ${{ secrets.DEPENDENCY_TRACK_URL }} | |
| run: | | |
| REPO_NAME=${GITHUB_REPOSITORY##*/} | |
| curl -sf -X POST "${DT_URL}/api/v1/bom" \ | |
| -H "X-Api-Key: ${DT_API_KEY}" \ | |
| -F "autoCreate=true" \ | |
| -F "projectName=${REPO_NAME}" \ | |
| -F "projectVersion=${{ github.ref_name }}" \ | |
| -F "bom=@sbom.cdx.json" | |
| echo "SBOM uploaded to Dependency Track for ${REPO_NAME}@${{ github.ref_name }}" |