refactor(api): replace throw statements with Result<T> in public head… #596

Workflow file for this run

	name: SBOM Generation

	on:
	push:
	branches: [ main ]
	pull_request:
	branches: [ main ]
	release:
	types: [ published ]
	schedule:
	# Generate SBOM weekly on Sunday at 3 AM UTC
	- cron: '0 3 * * 0'
	workflow_dispatch:

	permissions:
	contents: write
	packages: read
	security-events: write

	jobs:
	generate-sbom:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v6
	with:
	submodules: true

	- name: Checkout common_system
	uses: actions/checkout@v6
	with:
	repository: kcenon/common_system
	path: common_system
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure project to capture simdutf provenance
	run: \|
	cmake -S . -B build/sbom-provenance -G Ninja \
	-DBUILD_THREADSYSTEM_AS_SUBMODULE=ON \
	-DBUILD_WITH_COMMON_SYSTEM=ON \
	-DTHREAD_BUILD_INTEGRATION_TESTS=OFF \
	-DBUILD_DOCUMENTATION=OFF

	- name: Generate SBOM with Syft (CycloneDX)
	uses: anchore/sbom-action@v0
	with:
	path: .
	format: cyclonedx-json
	output-file: sbom-cyclonedx.json
	artifact-name: sbom-cyclonedx

	- name: Generate SBOM with Syft (SPDX)
	uses: anchore/sbom-action@v0
	with:
	path: .
	format: spdx-json
	output-file: sbom-spdx.json
	artifact-name: sbom-spdx

	- name: Parse vcpkg dependencies
	run: \|
	if [ -f "vcpkg.json" ]; then
	echo "# vcpkg Dependencies" > vcpkg-dependencies.md
	echo "" >> vcpkg-dependencies.md
	echo "Generated: $(date -u)" >> vcpkg-dependencies.md
	echo "" >> vcpkg-dependencies.md
	echo "## Direct Dependencies" >> vcpkg-dependencies.md
	echo "" >> vcpkg-dependencies.md

	python3 << 'EOF'
	import json

	with open('vcpkg.json', 'r') as f:
	manifest = json.load(f)

	print(f"Project: {manifest.get('name', 'N/A')}")
	print(f"Version: {manifest.get('version', 'N/A')}")
	print()
	print("\| Package \| Features \|")
	print("\|---------\|----------\|")

	deps = manifest.get('dependencies', [])
	for dep in deps:
	if isinstance(dep, str):
	print(f"\| {dep} \| - \|")
	elif isinstance(dep, dict):
	name = dep.get('name', 'unknown')
	features = ', '.join(dep.get('features', [])) or '-'
	print(f"\| {name} \| {features} \|")
	EOF

	python3 << 'EOF' >> vcpkg-dependencies.md
	import json

	with open('vcpkg.json', 'r') as f:
	manifest = json.load(f)

	print(f"Project: {manifest.get('name', 'N/A')}")
	print(f"Version: {manifest.get('version', 'N/A')}")
	print()
	print("\| Package \| Features \|")
	print("\|---------\|----------\|")

	deps = manifest.get('dependencies', [])
	for dep in deps:
	if isinstance(dep, str):
	print(f"\| {dep} \| - \|")
	elif isinstance(dep, dict):
	name = dep.get('name', 'unknown')
	features = ', '.join(dep.get('features', [])) or '-'
	print(f"\| {name} \| {features} \|")
	EOF
	else
	echo "No vcpkg.json found" > vcpkg-dependencies.md
	fi

	- name: Create combined SBOM report
	run: \|
	echo "# Software Bill of Materials (SBOM)" > SBOM_REPORT.md
	echo "" >> SBOM_REPORT.md
	echo "Repository: ${{ github.repository }}" >> SBOM_REPORT.md
	echo "Branch: ${{ github.ref_name }}" >> SBOM_REPORT.md
	echo "Commit: ${{ github.sha }}" >> SBOM_REPORT.md
	echo "Generated: $(date -u)" >> SBOM_REPORT.md
	echo "" >> SBOM_REPORT.md
	echo "## Available Formats" >> SBOM_REPORT.md
	echo "" >> SBOM_REPORT.md
	echo "- CycloneDX: sbom-cyclonedx.json" >> SBOM_REPORT.md
	echo "- SPDX: sbom-spdx.json" >> SBOM_REPORT.md
	echo "- simdutf provenance (JSON): build/sbom-provenance/dependency-provenance/simdutf-provenance.json" >> SBOM_REPORT.md
	echo "- simdutf provenance (Markdown): build/sbom-provenance/dependency-provenance/simdutf-provenance.md" >> SBOM_REPORT.md
	echo "" >> SBOM_REPORT.md
	cat vcpkg-dependencies.md >> SBOM_REPORT.md
	if [ -f "build/sbom-provenance/dependency-provenance/simdutf-provenance.md" ]; then
	echo "" >> SBOM_REPORT.md
	cat build/sbom-provenance/dependency-provenance/simdutf-provenance.md >> SBOM_REPORT.md
	fi

	- name: Upload SBOM artifacts
	uses: actions/upload-artifact@v7
	with:
	name: sbom-${{ github.sha }}
	path: \|
	sbom-cyclonedx.json
	sbom-spdx.json
	vcpkg-dependencies.md
	SBOM_REPORT.md
	build/sbom-provenance/dependency-provenance/simdutf-provenance.json
	build/sbom-provenance/dependency-provenance/simdutf-provenance.md
	retention-days: 90

	- name: Upload SBOM to release
	if: github.event_name == 'release'
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	sbom-cyclonedx.json
	sbom-spdx.json
	SBOM_REPORT.md
	build/sbom-provenance/dependency-provenance/simdutf-provenance.json
	build/sbom-provenance/dependency-provenance/simdutf-provenance.md
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Submit SBOM to Dependency Graph
	uses: advanced-security/spdx-dependency-submission-action@v0.2.0
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	continue-on-error: true
	with:
	filePath: sbom-spdx.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor(api): replace throw statements with Result<T> in public head… #596

Workflow file

refactor(api): replace throw statements with Result<T> in public head… #596

Uh oh!

Workflow file for this run