harshsoni-harsh
diff --git a/‎.github/workflows/publish-ghcr.yml‎
Lines changed: 41 additions & 0 deletions b/‎.github/workflows/publish-ghcr.yml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.github/workflows/release-publish-and-update-action.yml‎
Lines changed: 73 additions & 0 deletions b/‎.github/workflows/release-publish-and-update-action.yml‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎.github/workflows/sbom-security.yml‎
Lines changed: 157 additions & 92 deletions b/‎.github/workflows/sbom-security.yml‎
Lines changed: 157 additions & 92 deletions
@@ -0,0 +1,41 @@
+name: Publish SBOM-TM Docker Image
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch: {}
+
+permissions:
+  packages: write
+  contents: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image to GHCR
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/sbom-tm:latest
+            ghcr.io/${{ github.repository_owner }}/sbom-tm:${{ github.ref_name }}
@@ -0,0 +1,73 @@
+name: Release / Publish to GHCR and Update Action
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  packages: write
+  pull-requests: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+              ghcr.io/${{ github.repository_owner }}/sbom-tm:${{ github.ref_name }}
+              ghcr.io/${{ github.repository_owner }}/sbom-tm:latest
+
+      - name: Update `action.yml` to reference GHCR image
+        env:
+          GIT_AUTHOR_NAME: github-actions[bot]
+          GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
+          BRANCH_NAME: release/${{ github.ref_name }}
+          IMAGE_TAG: ghcr.io/${{ github.repository_owner }}/sbom-tm:${{ github.ref_name }}
+          PUSH_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
+        run: |
+          git config --global user.name "$GIT_AUTHOR_NAME"
+          git config --global user.email "$GIT_AUTHOR_EMAIL"
+          git checkout -b "$BRANCH_NAME"
+          if [ -f action.yml ]; then
+            sed -E "s|image: .*|image: '$IMAGE_TAG'|" action.yml > action.yml.tmp || true
+            mv action.yml.tmp action.yml
+          else
+            echo "warning: action.yml not found"
+          fi
+          git add action.yml || true
+          git commit -m "chore(action): point to GHCR image $IMAGE_TAG" || true
+          git push https://${PUSH_TOKEN}@github.com/${{ github.repository }} HEAD:$BRANCH_NAME
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.PERSONAL_TOKEN }}
+          commit-message: "chore(action): point to GHCR image ${{ github.ref_name }}"
+          title: "Release: point action to GHCR image ${{ github.ref_name }}"
+          body: |
+            This PR updates `action.yml` to use the published GHCR image for the action runtime.
+          base: main
+          head: release/${{ github.ref_name }}
@@ -1,92 +1,157 @@
-name: SBOM Security Scan
-
-on:
-  pull_request:
-    paths:
-      - "**/*"
-  push:
-    branches:
-      - main
-
-jobs:
-  sbom_scan:
-    name: Run SBOM + Trivy + RuleEngine Scan
-    runs-on: ubuntu-latest
-
-    steps:
-      # -------------------------------
-      # CHECKOUT SOURCE CODE
-      # -------------------------------
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      # -------------------------------
-      # INSTALL PYTHON
-      # -------------------------------
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
-      # -------------------------------
-      # INSTALL SBTM-TM TOOL
-      # -------------------------------
-      - name: Install SBOM-TM tool
-        run: |
-          pip install -r requirements.txt
-          pip install .
-
-      # -------------------------------
-      # INSTALL SYFT
-      # -------------------------------
-      - name: Install Syft
-        uses: anchore/sbom-action/download-syft@v0.16.0
-
-      # -------------------------------
-      # GENERATE SBOM
-      # -------------------------------
-      - name: Generate SBOM using Syft
-        run: |
-          syft . -o cyclonedx-json > sbom.json
-
-      # -------------------------------
-      # INSTALL TRIVY
-      # -------------------------------
-      - name: Install Trivy
-        uses: aquasecurity/setup-trivy@v0.4.0
-
-      # -------------------------------
-      # RUN SBOM-TM SCAN (Trivy + Rules)
-      # -------------------------------
-      - name: Run SBOM Scan
-        id: sbomtm
-        run: |
-          sbom-tm scan --sbom sbom.json --project "${{ github.event.repository.name }}" --offline
-        continue-on-error: true
-
-      # -------------------------------
-      # UPLOAD REPORTS (HTML + JSON)
-      # -------------------------------
-      - name: Upload security reports
-        uses: actions/upload-artifact@v4
-        with:
-          name: sbom-security-reports
-          path: |
-            ~/.cache/sbom-tm/reports/*.html
-            ~/.cache/sbom-tm/reports/*.json
-          if-no-files-found: warn
-
-      # -------------------------------
-      # FAIL PR IF THREATS FOUND
-      # Your tool prints:
-      # "threats=<count>"
-      # -------------------------------
-      - name: Block PR if threats > 0
-        if: steps.sbomtm.outcome == 'failure'
-        run: |
-          echo "❌ Threats detected! Blocking PR."
-          exit 1
-
-      - name: Success message
-        if: steps.sbomtm.outcome == 'success'
-        run: echo "✔ No threats found. Safe to merge!"
+name: SBOM-TM Security Scan
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    name: Run SBOM-TM scan/diff
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Install sbom-tm
+        run: |
+          python -m pip install --upgrade pip
+          pip install .
+
+      - name: Run SBOM diff (compare HEAD against merge-base)
+        id: run_diff
+        run: |
+          set -e
+          PROJECT="${{ github.sha }}"
+          sbom-tm diff --git --project "${PROJECT}"
+
+      - name: Locate markdown diff report
+        id: find_report
+        run: |
+          set -e
+          # look for the most recent markdown diff report
+          REPORT="$(ls ~/.cache/sbom-tm/reports/*_sbom_diff.md 2>/dev/null | head -n1 || true)"
+          if [ -z "$REPORT" ]; then
+            echo "No report found"
+            echo "report_path=" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          echo "Found report: $REPORT"
+          echo "report_path=$REPORT" >> $GITHUB_OUTPUT
+
+      - name: Upload report artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-diff-report
+          path: ${{ steps.find_report.outputs.report_path }}
+          if-no-files-found: warn
+
+      - name: Post sticky PR comment (report)
+        if: ${{ steps.find_report.outputs.report_path != '' && github.event_name == 'pull_request' }}
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          path: ${{ steps.find_report.outputs.report_path }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+name: SBOM Security Scan
+
+on:
+  pull_request:
+    paths:
+      - "**/*"
+  push:
+    branches:
+      - main
+
+jobs:
+  sbom_scan:
+    name: Run SBOM + Trivy + RuleEngine Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      # -------------------------------
+      # CHECKOUT SOURCE CODE
+      # -------------------------------
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # -------------------------------
+      # INSTALL PYTHON
+      # -------------------------------
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      # -------------------------------
+      # INSTALL SBTM-TM TOOL
+      # -------------------------------
+      - name: Install SBOM-TM tool
+        run: |
+          pip install -r requirements.txt
+          pip install .
+
+      # -------------------------------
+      # INSTALL SYFT
+      # -------------------------------
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0.16.0
+
+      # -------------------------------
+      # GENERATE SBOM
+      # -------------------------------
+      - name: Generate SBOM using Syft
+        run: |
+          syft . -o cyclonedx-json > sbom.json
+
+      # -------------------------------
+      # INSTALL TRIVY
+      # -------------------------------
+      - name: Install Trivy
+        uses: aquasecurity/setup-trivy@v0.4.0
+
+      # -------------------------------
+      # RUN SBOM-TM SCAN (Trivy + Rules)
+      # -------------------------------
+      - name: Run SBOM Scan
+        id: sbomtm
+        run: |
+          sbom-tm scan --sbom sbom.json --project "${{ github.event.repository.name }}" --offline
+        continue-on-error: true
+
+      # -------------------------------
+      # UPLOAD REPORTS (HTML + JSON)
+      # -------------------------------
+      - name: Upload security reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-security-reports
+          path: |
+            ~/.cache/sbom-tm/reports/*.html
+            ~/.cache/sbom-tm/reports/*.json
+          if-no-files-found: warn
+
+      # -------------------------------
+      # FAIL PR IF THREATS FOUND
+      # Your tool prints:
+      # "threats=<count>"
+      # -------------------------------
+      - name: Block PR if threats > 0
+        if: steps.sbomtm.outcome == 'failure'
+        run: |
+          echo "❌ Threats detected! Blocking PR."
+          exit 1
+
+      - name: Success message
+        if: steps.sbomtm.outcome == 'success'
+        run: echo "✔ No threats found. Safe to merge!"