Weekly SBOM Update #50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Weekly SBOM Update | |
| on: | |
| schedule: | |
| - cron: '30 18 * * 6' # Runs every Sunday at midnight IST (18:30 UTC on Saturdays) | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| pages: write | |
| jobs: | |
| fetch-sbom: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Get latest release versions for care and care_fe | |
| id: versions | |
| run: | | |
| CARE_BE_VERSION=$(curl -s https://api.github.com/repos/ohcnetwork/care/releases/latest | jq -r .tag_name) | |
| CARE_FE_VERSION=$(curl -s https://raw.githubusercontent.com/ohcnetwork/care_fe/develop/package.json | jq -r .version) | |
| echo "CARE_BE_VERSION=$CARE_BE_VERSION" >> $GITHUB_ENV | |
| echo "CARE_FE_VERSION=$CARE_FE_VERSION" >> $GITHUB_ENV | |
| - name: Create directories for SBOM data | |
| run: | | |
| mkdir -p care | |
| mkdir -p care_fe | |
| - name: Fetch SBOM data for care and care_fe | |
| run: | | |
| FILTER_CICD="^actions/|codecov/|getsentry/|reproducible-containers/|^docker/" | |
| FILTER_AWS="^aws-actions/|boto3|botocore|types-awscrt|mypy-boto3-s3" | |
| FILTER_REGEX="($FILTER_CICD|$FILTER_AWS|${{ vars.EXTRA_FILTERS }})" | |
| # For care: unversioned approach | |
| curl -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| https://api.github.com/repos/ohcnetwork/care/dependency-graph/sbom | \ | |
| jq --arg regex "$FILTER_REGEX" 'del(.sbom.packages[] | select(.name | test($regex)))' \ | |
| > care/sbom.json | |
| # For care_fe: unversioned approach | |
| curl -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| https://api.github.com/repos/ohcnetwork/care_fe/dependency-graph/sbom | \ | |
| jq --arg regex "$FILTER_REGEX" 'del(.sbom.packages[] | select(.name | test($regex)))' \ | |
| > care_fe/sbom.json | |
| - name: Commit and push changes | |
| run: | | |
| git config user.name "GitHub Actions Bot" | |
| git config user.email "actions@github.com" | |
| git add . | |
| git commit -m "Update SBOM data for care_be ${{ env.CARE_BE_VERSION }} and care_fe ${{ env.CARE_FE_VERSION }}" || exit 0 | |
| git push || exit 0 | |
| deploy-sbom: | |
| runs-on: ubuntu-latest | |
| needs: fetch-sbom | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Deploy to GitHub Pages | |
| uses: peaceiris/actions-gh-pages@v4 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./ | |
| publish_branch: gh-pages |