
Update lucide monorepo to v1.21.0 (#2049) #435


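name: SBOM upload
# Generate a CycloneDX SBOM and upload it to an operator-managed
# Dependency-Track instance. The upload step is gated on both
# DT_API_URL and DT_API_KEY being non-empty, so the workflow stays green
# until the operator has stood up Dependency-Track.
#
# See docs/operations/observability.md for the DSN / DT_API_URL flow.
on:
  push:
    branches: [main]
  release:
    types: [published]

# One upload per ref at a time; never cancel a running upload, since a
# half-finished BOM POST is worse than a slightly stale one.
concurrency:
  group: sbom-upload-${{ github.ref }}
  cancel-in-progress: false

# Read-only token: this workflow only checks out sources and talks to an
# external endpoint; it never writes back to the repository.
permissions:
  contents: read

jobs:
  upload:
    name: Generate and upload SBOM
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # DT_API_URL is operator configuration (a repository variable, not a
    # secret), so exposing it to every step is fine. DT_API_KEY is a secret
    # and is scoped to the two steps that actually read it (gate + upload)
    # rather than the whole job, so the pip-install and SBOM-generation
    # steps -- which run third-party code -- never have it in their
    # environment.
    env:
      DT_API_URL: ${{ vars.DT_API_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # The job never pushes; do not leave the GITHUB_TOKEN in .git/config.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.14"

      # ``cyclonedx-py environment`` scans the active Python environment.
      # Build the SBOM from an isolated venv where only the project and its
      # resolved dependencies are installed so the output reflects
      # bernstein's dependency graph rather than whatever the runner base
      # image happens to carry.
      #
      # NOTE(review): ">=4.5" is a floating lower bound, so the SBOM
      # generator itself is resolved fresh on every run; pinning an exact
      # version (ideally with --require-hashes) would make the SBOM
      # tooling reproducible alongside the SBOM it produces.
      - name: Prepare isolated SBOM environment
        run: |
          python -m venv .venv-sbom
          . .venv-sbom/bin/activate
          python -m pip install --upgrade pip "cyclonedx-bom>=4.5"
          python -m pip install .

      - name: Generate CycloneDX SBOM
        run: |
          . .venv-sbom/bin/activate
          cyclonedx-py environment --output-file bernstein.cyclonedx.json

      # Decide whether an operator endpoint is configured. Done in a shell
      # step (rather than a job-level `if:`) because the secrets context is
      # not available to job-level conditions.
      - name: Check operator endpoint
        id: gate
        env:
          DT_API_KEY: ${{ secrets.DT_API_KEY }}
        run: |
          if [ -z "${DT_API_URL}" ] || [ -z "${DT_API_KEY}" ]; then
            echo "skip=true" >> "$GITHUB_OUTPUT"
            echo "DT_API_URL or DT_API_KEY is empty -- skipping upload."
          else
            echo "skip=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload SBOM to Dependency-Track
        if: steps.gate.outputs.skip == 'false'
        env:
          DT_API_KEY: ${{ secrets.DT_API_KEY }}
          # Passed through env rather than interpolated into `run:` so the
          # ref name is never expanded as shell text.
          GH_REF_NAME: ${{ github.ref_name }}
        run: |
          # multipart/form-data upload via curl - more reliable than the bundled action
          curl -fS --max-time 90 \
            -H "X-Api-Key: $DT_API_KEY" \
            -F "autoCreate=true" \
            -F "projectName=bernstein" \
            -F "projectVersion=$GH_REF_NAME" \
            -F "bom=@bernstein.cyclonedx.json" \
            "$DT_API_URL/api/v1/bom"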