@@ -115,6 +115,11 @@ jobs:
115115 with :
116116 ref : ${{ github.event.inputs.tag }}
117117
118+ - name : Setup Golang
119+ uses : actions/setup-go@v2
120+ with :
121+ go-version : 1.17.6
122+
118123 - name : Generate release artifacts
119124 run : |
120125 make release-plugins
@@ -123,21 +128,33 @@ jobs:
123128name : Generate SBOM (spdx)
124129 id : spdx-builder
125130 env :
126- # defines the https://github.com/opensbom-generator/spdx-sbom-generator
127- # to use.
131+ # defines the spdx/spdx-sbom-generator version to use.
128132 SPDX_GEN_VERSION : v0.0.13
133+ # defines the sigs.k8s.io/bom version to use.
134+ SIGS_BOM_VERSION : v0.2.1
129135 # comma delimited list of project relative folders to inspect for package
130136 # managers (gomod, yarn, npm).
131137 PROJECT_FOLDERS : " .,./ui"
138+ # full qualified name of the docker image to be inspected
139+ DOCKER_IMAGE : quay.io/argoproj/argo-rollouts:v${{ github.event.inputs.tag }}
140+
132141 run : |
133142 yarn install --cwd ./ui
134- wget -q https://github.com/opensbom-generator/spdx-sbom-generator/releases/download/$SPDX_GEN_VERSION/spdx-sbom-generator-$SPDX_GEN_VERSION-linux-386.tar.gz -O generator.tar.gz
135- tar -zxf generator.tar.gz
143+ go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
144+ go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION
145+
146+ # Generate SPDX for project dependencies analyzing package managers
136147 for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
137148 do
138- ./spdx-sbom- generator -p $folder -o /tmp
149+ generator -p $folder -o /tmp
139150 done
140- tar -zcf /tmp/sbom.tar.gz /tmp/*.spdx
151+
152+ # Generate SPDX for binaries analyzing the docker image
153+ if [[ ! -z $DOCKER_IMAGE ]]; then
154+ bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
155+ fi
156+
157+ cd /tmp && tar -zcf sbom.tar.gz *.spdx
141158
142159name : Draft release
143160 uses : softprops/action-gh-release@v1
0 commit comments