44 push :
55 branches :
66 - main
7- tags :
8- - ' v* '
7+ release :
8+ types : [published]
99
1010permissions :
1111 actions : read
@@ -17,39 +17,48 @@ jobs:
1717 sbom :
1818 name : SBOM
1919 runs-on : ubuntu-22.04
20+ if : github.event_name == 'push' || github.event_name == 'release'
2021 steps :
2122 - uses : actions/checkout@v4
22- - name : Generate
23+
24+ - name : Generate Trivy GitHub report
25+ if : github.event_name == 'push'
2326 uses :
aquasecurity/[email protected] 2427 with :
2528 scan-type : ' fs'
2629 scan-ref : ' .'
2730 format : ' github'
2831 output : ' dependency-results.sbom.json'
2932 github-pat : ${{ secrets.GITHUB_TOKEN }}
30- - name : Scan
33+
34+ - name : Generate Trivy SARIF report
35+ if : github.event_name == 'push'
3136 uses :
aquasecurity/[email protected] 3237 with :
3338 scan-type : ' fs'
3439 scan-ref : ' .'
3540 format : ' sarif'
3641 output : ' trivy-results.sarif'
3742 github-pat : ${{ secrets.GITHUB_TOKEN }}
38- - name : Upload
43+
44+ - name : Upload SARIF
45+ if : github.event_name == 'push'
3946 uses : github/codeql-action/upload-sarif@v3
4047 with :
4148 sarif_file : ' trivy-results.sarif'
42- - name : Generate SBOM
43- if : startsWith(github.ref, 'refs/tags/')
49+
50+ - name : Generate SBOM (CycloneDX)
51+ if : github.event_name == 'release'
4452 uses :
aquasecurity/[email protected] 4553 with :
4654 scan-type : ' fs'
4755 scan-ref : ' .'
4856 format : cyclonedx
4957 output : sbom.cdx.json
50- - name : Attach SBOM
51- if : startsWith(github.ref, 'refs/tags/')
58+
59+ - name : Attach SBOM to release
60+ if : github.event_name == 'release'
5261 env :
53- GH_TOKEN : ${{ github.token }}
62+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
5463 run : |
55- gh release upload ${{ github.ref_name }} sbom.cdx.json
64+ gh release upload " ${{ github.event.release.tag_name }}" sbom.cdx.json --clobber
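Review bot: The release tag is spliced into the shell script at template time in `gh release upload "${{ github.event.release.tag_name }}" sbom.cdx.json --clobber`, so a tag name containing a double quote or shell metacharacters becomes part of the command before bash sees it, and the surrounding quotes do not protect against that. Route the value through the step's existing `env:` block instead, `TAG_NAME: ${{ github.event.release.tag_name }}`, and reference it as `gh release upload "$TAG_NAME" sbom.cdx.json --clobber`, which keeps it an ordinary variable the shell quotes correctly. Only users who can publish a release control this value, so exposure is limited, but it is the pattern recommended for any event-payload field used in `run:`. The workflow's `permissions:` block is only partly visible (it starts before this hunk); `gh release upload` requires `contents: write` and the upload-sarif step `security-events: write`, so it is worth confirming both are granted there rather than relying on the repository default.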