ci: add gh-aw agentic workflows #58
| # Copyright 2026 ResQ Software | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # | |
| # Generate a CycloneDX SBOM (Software Bill of Materials) for the viz repo. | |
| # | |
| # Triggers: | |
| # push to main — refresh the canonical SBOM artifact | |
| # pull_request — verify the SBOM still generates cleanly under change | |
| # release published — attach the SBOM to the GitHub release | |
| # workflow_dispatch — on-demand | |
| # | |
| # Output: CycloneDX 1.5 JSON describing both the .NET (NuGet) and frontend | |
| # (npm) dependency trees via Anchore syft, which auto-detects ecosystem | |
| # manifests across the workspace. | |
| # | |
| # References: | |
| # NTIA SBOM minimum elements https://www.ntia.gov/page/software-bill-materials | |
| # CycloneDX spec https://cyclonedx.org/specification/overview/ | |
| # Anchore sbom-action https://github.com/anchore/sbom-action | |
| name: sbom | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: sbom-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| generate: | |
| name: Generate CycloneDX SBOM | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # required only for release-asset upload | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| submodules: recursive | |
| persist-credentials: false | |
| - name: Generate SBOM (CycloneDX) | |
| uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 | |
| with: | |
| format: cyclonedx-json | |
| artifact-name: viz-sbom.cdx.json | |
| output-file: ./viz-sbom.cdx.json | |
| upload-artifact: true | |
| upload-release-assets: ${{ github.event_name == 'release' }} |
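Review bot: The job-level `permissions: contents: write` (the line commented "required only for release-asset upload") is granted on every trigger, so push and same-repository pull_request runs of a job that only needs to read the tree and publish an artifact also hold a token that can write to the repository; the comment itself says the write scope is needed only for the release path. GitHub Actions cannot make a permission conditional on the event, so the usual least-privilege shape is to keep `generate` at `contents: read` and move the release upload into a second job gated with `if: github.event_name == 'release'`, which is the only job holding `contents: write`; that also drops the `upload-release-assets` input from the sbom-action step. If the split is not wanted, at least say so in the comment, e.g. `contents: write # release-asset upload; note this scope is also held on push/PR runs`. Separately, `egress-policy: audit` only logs outbound connections; once the hosts syft contacts are known, `block` with an `allowed-endpoints` list is what actually constrains the job.

```yaml
jobs:
  generate:
    name: Generate CycloneDX SBOM
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: timeout, harden-runner, checkout, sbom-action steps
    #   (with the upload-release-assets input removed) …

  attach-release:
    name: Attach SBOM to release
    if: github.event_name == 'release'
    needs: generate
    runs-on: ubuntu-latest
    permissions:
      contents: write  # only this job, and only on release events
    steps:
      - name: Download SBOM artifact
        uses: actions/download-artifact@PINNED_COMMIT_SHA  # placeholder: pin to a full commit SHA like the other actions
        with:
          name: viz-sbom.cdx.json
      - name: Upload SBOM to the release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.event.release.tag_name }}  # passed via env, not interpolated into the shell line
        run: gh release upload "$TAG" viz-sbom.cdx.json --clobber
```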