Add CycloneDX BOM generation and upload to Dependency-Track

TheMeinerLP · TheMeinerLP · commit 82c05ca9fe51 · 2025-11-05T16:10:16.000+01:00
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -29,3 +29,22 @@ jobs:
         env:
           ONELITEFEATHER_MAVEN_USERNAME: ${{ secrets.ONELITEFEATHER_MAVEN_USERNAME }}
           ONELITEFEATHER_MAVEN_PASSWORD: ${{ secrets.ONELITEFEATHER_MAVEN_PASSWORD }}
+      - name: Generate CycloneDX BOM
+        run: ./gradlew cyclonedxBom
+      - name: Strip leading v from tag
+        if: startsWith(github.ref, 'refs/tags/')
+        run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV"
+      - run: | 
+          echo "Version: $VERSION"
+        name: Display Version
+      - name: Upload BOM to Dependency-Track
+        uses: DependencyTrack/gh-upload-sbom@v3
+        with:
+          serverhostname: ${{ secrets.DEPENDENCYTRACK_HOSTNAME }}
+          apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
+          projectname: "Mycelium-Bom"
+          projectversion: ${{ env.VERSION }}
+          projecttags: 'bom,minestom'
+          bomfilename: "build/reports/cyclonedx/bom.xml"
+          autocreate: true
+          parent: '9a10b066-ecf1-4b38-b670-a197dcd5556a'
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,6 +1,7 @@
 plugins {
     `maven-publish`
     `java-platform`
+    alias(libs.plugins.cyclonedx)
 }
 
 group = "net.onelitefeather"
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -26,6 +26,7 @@ dependencyResolutionManagement {
             version("junit.bom", "6.0.1")
             version("mockito", "5.20.0")
             version("cyano", "0.4.1")
+            version("cyclonedx", "3.0.1")
 
             library("minestom","net.minestom", "minestom").versionRef("minestom")
             library("cyano", "net.onelitefeather", "cyano").versionRef("cyano")
@@ -37,6 +38,8 @@ dependencyResolutionManagement {
             // Mock libraries
             library("mockito-core", "org.mockito", "mockito-core").versionRef("mockito")
             library("mockito-junit-jupiter", "org.mockito", "mockito-junit-jupiter").versionRef("mockito")
+
+            plugin("cyclonedx", "org.cyclonedx.bom").versionRef("cyclonedx")
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`plugins {`
`2`	`2`	`maven-publish`
`3`	`3`	`java-platform`
	`4`	`+ alias(libs.plugins.cyclonedx)`
`4`	`5`	`}`
`5`	`6`
`6`	`7`	`group = "net.onelitefeather"`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ dependencyResolutionManagement {`
`26`	`26`	`version("junit.bom", "6.0.1")`
`27`	`27`	`version("mockito", "5.20.0")`
`28`	`28`	`version("cyano", "0.4.1")`
	`29`	`+ version("cyclonedx", "3.0.1")`
`29`	`30`
`30`	`31`	`library("minestom","net.minestom", "minestom").versionRef("minestom")`
`31`	`32`	`library("cyano", "net.onelitefeather", "cyano").versionRef("cyano")`
`@@ -37,6 +38,8 @@ dependencyResolutionManagement {`
`37`	`38`	`// Mock libraries`
`38`	`39`	`library("mockito-core", "org.mockito", "mockito-core").versionRef("mockito")`
`39`	`40`	`library("mockito-junit-jupiter", "org.mockito", "mockito-junit-jupiter").versionRef("mockito")`
	`41`	`+`
	`42`	`+ plugin("cyclonedx", "org.cyclonedx.bom").versionRef("cyclonedx")`
`40`	`43`	`}`
`41`	`44`	`}`
`42`	`45`	`}`