|
| 1 | +name: Generate SBOM from Source Code |
| 2 | + |
| 3 | +on: |
| 4 | + schedule: |
| 5 | + - cron: '0 2 * * *' # Runs daily at 2:00 AM UTC |
| 6 | + workflow_dispatch: |
| 7 | + inputs: |
| 8 | + branch: |
| 9 | + type: string |
| 10 | + required: false |
| 11 | + default: main |
| 12 | + |
| 13 | +permissions: |
| 14 | + contents: read |
| 15 | + |
| 16 | +jobs: |
| 17 | + generate-sbom: |
| 18 | + name: Create SBOM document from source code |
| 19 | + runs-on: ubuntu-22.04 |
| 20 | + permissions: |
| 21 | + id-token: write # for OIDC authentication |
| 22 | + contents: read # Needed to download artifacts |
| 23 | + if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-')}} |
| 24 | + steps: |
| 25 | + - name: Checkout repository |
| 26 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 27 | + with: |
| 28 | + fetch-tags: 'true' |
| 29 | + |
| 30 | + - name: Get Secrets from Azure Key Vault |
| 31 | + uses: ./.github/actions/az-sync |
| 32 | + with: |
| 33 | + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} |
| 34 | + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} |
| 35 | + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} |
| 36 | + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} |
| 37 | + secrets-filter: 'artifactory' |
| 38 | + |
| 39 | + - name: Generate SBOM Document |
| 40 | + id: sbom-src |
| 41 | + uses: nginxinc/compliance-rules/.github/actions/sbom-source@main |
| 42 | + with: |
| 43 | + product-name: ${{ github.event.repository.name }} |
| 44 | + release-version: ${{ github.ref_name }} |
| 45 | + artifact-name: nginx-agent |
| 46 | + artifactory-user: ${{ env.artifactory-user }} |
| 47 | + artifactory-api-token: ${{ env.artifactory-token }} |
| 48 | + az-vault-client-id: ${{ secrets.AZ_VAULT_SEC_CLIENT_ID }} |
| 49 | + az-vault-tenant-id: ${{ secrets.AZ_VAULT_SEC_TENANT_ID }} |
| 50 | + az-vault-subscription-id: ${{ secrets.AZ_VAULT_SEC_SUBSCRIPTION_ID }} |
0 commit comments