Kura core SBOM upload #46
name: Kura core SBOM upload

# Three triggers: a weekly schedule, a manual run against a chosen branch,
# and completion of the "Release Notes automation" workflow.
on:
  schedule:
    # At 00:00 on Saturday
    - cron: '0 0 * * 6'
  workflow_dispatch:
    inputs:
      # Branch to generate the SBOM from when the run is started by hand
      target_branch:
        type: string
        default: 'develop'
        required: true
  # Fires on every completion of the listed workflow, whatever its result;
  # the job-level `if:` is what restricts this to successful runs.
  workflow_run:
    workflows:
      - 'Release Notes automation'
    types:
      - completed
# Product specific settings
env:
  # java version used by the product
  JAVA_VERSION: '21'
  # java distro used by the product
  JAVA_DISTRO: 'temurin'
  # path within project repository for SBOM source
  PRODUCT_PATH: 'kura'
  # cyclonedx-maven-plugin version to use
  PLUGIN_VERSION: '2.9.1'
  # Event context is copied into environment variables so that the run:
  # scripts read it as shell data ("$VAR") instead of having the ${{ }}
  # text expanded into the script body.
  WORKFLOW_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  INPUT_TARGET_BRANCH: ${{ github.event.inputs.target_branch }}
  EVENT_NAME: ${{ github.event_name }}
  # NOTE(review): the runner already provides GITHUB_REF_NAME as a default
  # variable; this entry restates it from the github context.
  GITHUB_REF_NAME: ${{ github.ref_name }}
# Workflow-wide GITHUB_TOKEN scope: read-only access to repository contents.
# No job in this file declares its own permissions, so this applies to all of them.
permissions:
  contents: read
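jobs:
  # Builds the aggregate CycloneDX SBOM for the product and publishes it as a
  # workflow artifact, together with the product version as a job output.
  generate-sbom:
    name: Generate Kura core SBOM
    runs-on: ubuntu-latest
    # For workflow_run events, only continue when the triggering run succeeded
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    outputs:
      project-version: ${{ steps.get-version.outputs.PROJECT_VERSION }}  # required for DependencyTrack upload
    steps:
      - name: Set checkout ref
        id: set-checkout-ref
        shell: bash
        run: |
          # Pick the branch to build from according to what started the run
          case "$EVENT_NAME" in
            workflow_run)      ref="$WORKFLOW_HEAD_BRANCH" ;;
            workflow_dispatch) ref="$INPUT_TARGET_BRANCH" ;;
            *)                 ref="$GITHUB_REF_NAME" ;;
          esac
          # GITHUB_ENV is parsed line by line: a value carrying a line break
          # would define extra variables for every later step, so reject it.
          if [[ "$ref" == *$'\n'* ]]; then
            echo "::error::Checkout ref must be a single line"
            exit 1
          fi
          echo "CHECKOUT_REF=$ref" >> "$GITHUB_ENV"

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ env.CHECKOUT_REF }}
          # No later step in this job pushes or fetches, so do not leave the
          # token in .git/config while Maven and its plugins run.
          persist-credentials: false

      - name: Debug branch information
        run: |
          echo "=== Debug Branch Information ==="
          echo "Event name: $EVENT_NAME"
          echo "Current branch (git): $(git branch --show-current)"
          echo "==============================="

      - name: Setup Java SDK
        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: ${{ env.JAVA_DISTRO }}

      - name: Generate sbom
        # PLUGIN_VERSION and PRODUCT_PATH come from the workflow-level env and
        # are read as quoted shell variables, matching the other run: steps.
        run: |
          mvn "org.cyclonedx:cyclonedx-maven-plugin:${PLUGIN_VERSION}:makeAggregateBom" \
            -DprojectType=framework \
            -DexcludeArtifactId=target-definition,emulator,distrib,test,tools,kura-addon-archetype,kura-pde-deps \
            -f "${PRODUCT_PATH}/pom.xml"

      - name: Extract product version
        id: get-version
        shell: bash
        run: |
          VERSION="$(jq -r '.metadata.component.version' < "./${PRODUCT_PATH}/target/bom.json")"
          # jq -r prints the literal string "null" when the field is absent;
          # stop here rather than upload an SBOM under a meaningless version.
          if [[ -z "$VERSION" || "$VERSION" == "null" ]]; then
            echo "::error::No component version found in bom.json"
            exit 1
          fi
          # Substitute "-SNAPSHOT" suffix with "@dev" if present
          VERSION="${VERSION/-SNAPSHOT/@dev}"
          echo "PROJECT_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Product version: $VERSION"

      - name: Upload sbom
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: kura-core-sbom
          path: ${{ env.PRODUCT_PATH }}/target/bom.json

  # Hands the uploaded artifact to the shared reusable workflow, which is
  # pinned to a full commit SHA rather than a moving branch name.
  store-sbom-data:
    needs:
      - generate-sbom
    uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@88508d92f2638d942a88744431f017225ed8c14c # main@08/04/2026
    with:
      projectName: 'kura-core'
      projectVersion: ${{ needs.generate-sbom.outputs.project-version }}
      # Must match the artifact name and file produced by generate-sbom
      bomArtifact: 'kura-core-sbom'
      bomFilename: 'bom.json'
      parentProject: 'f295fa60-24df-44d9-83ff-00b3ff8d6131'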