|
| 1 | +name: SBOM Export & Centralize |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: [ "main" ] |
| 6 | + schedule: |
| 7 | + - cron: '36 8 * * 1' |
| 8 | + |
| 9 | +permissions: |
| 10 | + contents: read |
| 11 | + |
| 12 | +jobs: |
| 13 | + generate-and-upload: |
| 14 | + runs-on: ubuntu-latest |
| 15 | + steps: |
| 16 | + - name: Checkout Source Code |
| 17 | + uses: actions/checkout@v6 |
| 18 | + |
| 19 | + - name: Check for recent changes |
| 20 | + id: check |
| 21 | + run: | |
| 22 | + if [ -z "$(git log --since='7 days ago' --oneline | head -1)" ]; then |
| 23 | + echo "No commits in the last 7 days, skipping SBOM generation." |
| 24 | + echo "skip=true" >> "$GITHUB_OUTPUT" |
| 25 | + fi |
| 26 | +
|
| 27 | + - name: Generate CycloneDX SBOM via cdxgen |
| 28 | + if: steps.check.outputs.skip != 'true' |
| 29 | + env: |
| 30 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 31 | + run: | |
| 32 | + docker run --rm \ |
| 33 | + --user "$(id -u):$(id -g)" \ |
| 34 | + -v /tmp:/tmp \ |
| 35 | + -v "${{ github.workspace }}:/app:rw" \ |
| 36 | + -e FETCH_LICENSE=true \ |
| 37 | + -e GITHUB_TOKEN \ |
| 38 | + ghcr.io/cdxgen/cdxgen:v12.1.1 \ |
| 39 | + -r /app \ |
| 40 | + -o /app/sbom.cdx.json \ |
| 41 | + --no-install-deps \ |
| 42 | + --spec-version 1.6 |
| 43 | +
|
| 44 | + if [ ! -s sbom.cdx.json ]; then |
| 45 | + echo "::error::cdxgen SBOM generation failed or returned empty." |
| 46 | + exit 1 |
| 47 | + fi |
| 48 | +
|
| 49 | + echo "SBOM generated successfully:" |
| 50 | + ls -lh sbom.cdx.json |
| 51 | +
|
| 52 | + - name: Upload SBOM to Dependency Track |
| 53 | + if: steps.check.outputs.skip != 'true' |
| 54 | + env: |
| 55 | + DT_API_KEY: ${{ secrets.DEPENDENCY_TRACK_API_KEY }} |
| 56 | + DT_URL: ${{ secrets.DEPENDENCY_TRACK_URL }} |
| 57 | + run: | |
| 58 | + REPO_NAME=${GITHUB_REPOSITORY##*/} |
| 59 | +
|
| 60 | + curl -sf -X POST "${DT_URL}/api/v1/bom" \ |
| 61 | + -H "X-Api-Key: ${DT_API_KEY}" \ |
| 62 | + -F "autoCreate=true" \ |
| 63 | + -F "projectName=${REPO_NAME}" \ |
| 64 | + -F "projectVersion=${{ github.ref_name }}" \ |
| 65 | + -F "bom=@sbom.cdx.json" |
| 66 | +
|
| 67 | + echo "SBOM uploaded to Dependency Track for ${REPO_NAME}@${{ github.ref_name }}" |
0 commit comments