
refactor: rename .hpp to .h and move include path to kcenon/pacs/ #1224




name: SBOM Generation

# Triggers: every push/PR against main, published releases, a weekly
# scheduled run, and manual dispatch.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published
  schedule:
    # Generate SBOM weekly on Sunday at 3 AM UTC
    - cron: '0 3 * * 0'
  workflow_dispatch:

# Workflow-wide token scopes; every job inherits them.
permissions:
  # Needed to attach SBOM assets to a release and to submit the SPDX
  # document to the dependency graph.
  contents: write
  packages: read
  # NOTE(review): no step in this workflow uploads SARIF or other
  # code-scanning data, so this scope appears unused — confirm a consumer
  # before keeping it.
  security-events: write
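jobs:
  generate-sbom:
    runs-on: ubuntu-24.04
    steps:
      # All third-party actions below are referenced by mutable tag. Pinning
      # each `uses:` to a full commit SHA (tag kept in a trailing comment)
      # prevents an upstream tag move from silently changing what runs here.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: true
          # No later step pushes or fetches over git, so the token does not
          # need to stay in .git/config once the checkout (including
          # submodules) has completed.
          persist-credentials: false

      - name: Generate SBOM with Syft (CycloneDX)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom-cyclonedx.json
          artifact-name: sbom-cyclonedx

      - name: Generate SBOM with Syft (SPDX)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom-spdx.json
          artifact-name: sbom-spdx

      - name: Setup Node.js for web frontend SBOM
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Generate npm SBOM (CycloneDX)
        working-directory: web
        # --ignore-scripts keeps package lifecycle hooks from running during
        # install. The generator itself is best-effort (|| true): if it fails,
        # sbom-npm-cyclonedx.json is simply absent from the uploaded artifact.
        run: |
          npm ci --ignore-scripts
          npx @cyclonedx/cyclonedx-npm --output-file ../sbom-npm-cyclonedx.json --output-format JSON || true

      - name: Run npm audit
        working-directory: web
        continue-on-error: true
        # stderr is kept out of the JSON report so the file stays parseable
        # (it used to be merged in via 2>&1); diagnostics go to a side log
        # that is uploaded with the other artifacts. The human-readable
        # summary still captures both streams.
        run: |
          npm audit --json > ../npm-audit-report.json 2> ../npm-audit-stderr.log || true
          echo "## npm Audit Summary" > ../npm-audit-summary.md
          npm audit --omit=dev 2>&1 | tail -20 >> ../npm-audit-summary.md || true

      - name: Build dependency provenance summary
        # Renders dependency-manifest.json from the checkout as Markdown.
        # Field lookups are strict: an entry missing name/version/license
        # raises KeyError and fails the step rather than emitting a partial
        # provenance record.
        run: |
          python3 << 'EOF' > dependency-provenance.md
          import json
          with open('dependency-manifest.json', 'r', encoding='utf-8') as f:
              manifest = json.load(f)
          print("# Dependency Provenance")
          print()
          print("Generated: workflow run")
          print()
          print("## Internal ecosystem")
          for dep in manifest.get("internal_ecosystem", []):
              print(f"- {dep['name']}: {dep['version']} ({dep['license']})")
          print()
          print("## Native and system dependencies")
          for dep in manifest.get("native_and_system", []):
              print(f"- {dep['name']}: {dep['resolution']} [{dep['license']}]")
          print()
          print("## FetchContent / vendored inputs")
          for dep in manifest.get("fetched_content", []):
              print(f"- {dep['name']}: {dep['version']} ({dep['license']})")
          print()
          print("## Frontend inputs")
          print(f"- package manifest: {manifest['web_frontend']['manifest']}")
          print(f"- lockfile: {manifest['web_frontend']['lockfile']}")
          EOF

      - name: Create combined SBOM report
        # Context values are handed to the shell through env rather than
        # interpolated into the script: `${{ }}` expands before the shell
        # runs, so a ref name containing shell metacharacters would otherwise
        # be executed as code in this step.
        env:
          REPO: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          {
            echo "# Software Bill of Materials (SBOM)"
            echo ""
            echo "**Repository**: ${REPO}"
            echo "**Branch**: ${REF_NAME}"
            echo "**Commit**: ${COMMIT_SHA}"
            echo "**Generated**: $(date -u)"
            echo ""
            echo "## Available Formats"
            echo ""
            echo "- **CycloneDX**: sbom-cyclonedx.json"
            echo "- **SPDX**: sbom-spdx.json"
            echo ""
            cat dependency-provenance.md
          } > SBOM_REPORT.md

      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v7
        with:
          name: sbom-${{ github.sha }}
          path: |
            sbom-cyclonedx.json
            sbom-spdx.json
            sbom-npm-cyclonedx.json
            npm-audit-report.json
            npm-audit-stderr.log
            npm-audit-summary.md
            dependency-provenance.md
            dependency-manifest.json
            LICENSE-THIRD-PARTY
            SBOM_REPORT.md
          retention-days: 90

      - name: Upload SBOM to release
        if: github.event_name == 'release'
        uses: softprops/action-gh-release@v2
        with:
          files: |
            sbom-cyclonedx.json
            sbom-spdx.json
            sbom-npm-cyclonedx.json
            dependency-manifest.json
            LICENSE-THIRD-PARTY
            SBOM_REPORT.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Submit SBOM to Dependency Graph
        uses: advanced-security/spdx-dependency-submission-action@v0.1.1
        # Only the default branch feeds the dependency graph; submission is
        # best-effort so an API hiccup does not fail the SBOM run.
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        continue-on-error: true
        with:
          filePath: sbom-spdx.json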