fix(ci): add git pull --rebase before push in auto-release jobs #134
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example workflow showing how to use the AI-BOM GitHub Action. | |
| # | |
| # Add this to your repository at .github/workflows/ai-bom.yml | |
| # For the latest action version, see: https://github.com/trusera/ai-bom | |
| name: AI-BOM Scan | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| security-events: write # Required for SARIF upload to GitHub Code Scanning | |
| contents: read # Required for actions/checkout | |
| jobs: | |
| # ────────────────────────────────────────────── | |
| # Job 1: Basic table scan (console output) | |
| # ────────────────────────────────────────────── | |
| basic-scan: | |
| name: Basic AI-BOM scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run AI-BOM scan | |
| uses: trusera/ai-bom@main | |
| with: | |
| path: "." | |
| format: "table" | |
| # ────────────────────────────────────────────── | |
| # Job 2: SARIF scan uploaded to GitHub Security | |
| # ────────────────────────────────────────────── | |
| sarif-scan: | |
| name: SARIF scan (GitHub Security tab) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run AI-BOM scan (SARIF) | |
| uses: trusera/ai-bom@main | |
| with: | |
| format: "sarif" | |
| output: "ai-bom-results.sarif" | |
| scan-level: "deep" | |
| # ────────────────────────────────────────────── | |
| # Job 3: CycloneDX SBOM generation | |
| # ────────────────────────────────────────────── | |
| sbom: | |
| name: Generate CycloneDX SBOM | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run AI-BOM scan (CycloneDX) | |
| uses: trusera/ai-bom@main | |
| with: | |
| format: "cyclonedx" | |
| output: "ai-bom.cdx.json" | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: ai-bom-cyclonedx | |
| path: ai-bom.cdx.json | |
| # ────────────────────────────────────────────── | |
| # Job 4: Policy gate — fail on high severity | |
| # ────────────────────────────────────────────── | |
| # Scans only src/ to avoid demo/test API keys in examples/ and tests/. | |
| # In your own repo, use path: "." to scan the full codebase. | |
| policy-gate: | |
| name: Security policy gate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run AI-BOM scan with policy | |
| uses: trusera/ai-bom@main | |
| with: | |
| path: "src" | |
| format: "table" | |
| fail-on: "high" | |
| scan-level: "deep" | |
| # ────────────────────────────────────────────── | |
| # Job 5: Cedar policy gate | |
| # ────────────────────────────────────────────── | |
| # Uses a Cedar-like policy file to enforce fine-grained rules | |
| # on discovered AI components. Fails the pipeline if any | |
| # component violates a policy rule. | |
| cedar-policy-gate: | |
| name: Cedar policy gate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run AI-BOM scan with Cedar policy | |
| uses: trusera/ai-bom@main | |
| with: | |
| path: "." | |
| format: "table" | |
| scan-level: "deep" | |
| policy-gate: "true" | |
| cedar-policy-file: ".cedar/ai-policy.cedar" |