Update lucide monorepo to v1.21.0 (#2049) #435
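name: SBOM upload

# Generate a CycloneDX SBOM and upload it to an operator-managed
# Dependency-Track instance. The upload step is gated on both
# DT_API_URL and DT_API_KEY being non-empty, so the workflow stays green
# until the operator has stood up Dependency-Track.
#
# See docs/operations/observability.md for the DSN / DT_API_URL flow.
#
# Hardening notes:
# - DT_API_KEY is exposed only to the upload step. The install steps run
#   third-party build and install code, so they must not inherit it.
# - The gate step receives a boolean derived from the secret, never the
#   secret value itself.
# - DT_API_URL must be an https:// URL; the upload refuses any other
#   scheme so the API key is not sent in cleartext.

on:
  push:
    branches: [main]
  release:
    types: [published]

concurrency:
  group: sbom-upload-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: read

jobs:
  upload:
    name: Generate and upload SBOM
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      # Non-secret repository variable; safe to share with every step.
      DT_API_URL: ${{ vars.DT_API_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.14"

      # ``cyclonedx-py environment`` scans a Python environment. Build the
      # SBOM from an isolated venv where only the project and its resolved
      # dependencies are installed so the output reflects bernstein's
      # dependency graph rather than whatever the runner base image happens
      # to carry. The generator lives in a second venv so that cyclonedx-bom
      # and its own dependencies are not reported as bernstein components.
      # NOTE(review): pip itself is still installed in .venv-sbom and may
      # show up in the SBOM -- confirm whether that is acceptable.
      - name: Prepare isolated SBOM environment
        run: |
          # Project environment: the one that gets scanned. Built first so
          # the tool venv directory does not exist during the project build.
          python -m venv .venv-sbom
          .venv-sbom/bin/python -m pip install --upgrade pip
          .venv-sbom/bin/python -m pip install .

          # Tool environment: holds only the SBOM generator.
          # NOTE(review): "cyclonedx-bom>=4.5" is a version range, not a
          # pin; a hash-locked requirements file would make the tool that
          # produces the SBOM reproducible as well.
          python -m venv .venv-sbom-tool
          .venv-sbom-tool/bin/python -m pip install --upgrade pip "cyclonedx-bom>=4.5"

      - name: Generate CycloneDX SBOM
        run: |
          # The positional argument selects the interpreter whose
          # environment is analysed (the project venv, not the tool venv).
          .venv-sbom-tool/bin/cyclonedx-py environment \
            --output-file bernstein.cyclonedx.json \
            .venv-sbom/bin/python

      - name: Check operator endpoint
        id: gate
        env:
          # Only "true"/"false" reaches the shell; the key stays out of
          # this step's environment.
          HAS_DT_API_KEY: ${{ secrets.DT_API_KEY != '' }}
        run: |
          if [ -z "${DT_API_URL}" ] || [ "${HAS_DT_API_KEY}" != "true" ]; then
            echo "skip=true" >> "$GITHUB_OUTPUT"
            echo "DT_API_URL or DT_API_KEY is empty -- skipping upload."
          else
            echo "skip=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload SBOM to Dependency-Track
        if: steps.gate.outputs.skip == 'false'
        env:
          # The secret is scoped to the single step that sends it.
          DT_API_KEY: ${{ secrets.DT_API_KEY }}
          # Passed through env rather than interpolated into the script so
          # the ref name is treated as data by the shell.
          GH_REF_NAME: ${{ github.ref_name }}
        run: |
          # multipart/form-data upload via curl - more reliable than the bundled action
          # --proto '=https' rejects any non-TLS URL before the key is sent;
          # ${DT_API_URL%/} tolerates a trailing slash in the variable.
          curl -fS --max-time 90 \
            --proto '=https' \
            -H "X-Api-Key: $DT_API_KEY" \
            -F "autoCreate=true" \
            -F "projectName=bernstein" \
            -F "projectVersion=$GH_REF_NAME" \
            -F "bom=@bernstein.cyclonedx.json" \
            "${DT_API_URL%/}/api/v1/bom"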