[WIP] workflow: pass bom.xmls between jobs

thlehmann-ionos · thlehmann-ionos · commit 886977792536 · 2024-11-04T16:44:27.000+01:00
diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
@@ -56,19 +56,41 @@ jobs:
         with:
           output: './bom.npm.xml'
 
+      # Pass BOMs to next Job
+      # https://github.com/actions/upload-artifact
+      - name: Store partial BOMs
+        uses: actions/upload-artifact@v4
+        with:
+          name: bom-partials
+          path: bom.*.xml
+
   merge-sboms:
     needs: generate-sbom
     runs-on: ubuntu-latest
 
     # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
     container:
       image: cyclonedx/cyclonedx-cli:0.27.1
+
     steps:
+      - name: Download partial BOMs
+        uses: actions/download-artifact@v4
+        with:
+          name: bom-partials
+
       - name: Merge SBOMs
         # https://github.com/CycloneDX/cyclonedx-cli#merge-command
         run: |
           cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml
 
+      # Pass merged BOM to next Job
+      # https://github.com/actions/upload-artifact
+      - name: Store merged BOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-bom
+          path: bom.xml
+
   upload-sboms:
     needs: merge-sboms
     runs-on: ubuntu-latest
