feat: modify sbom workflow to push to the repo instead of creating action's artifact

jesmrec · jesmrec · commit 494872bbffad · 2025-07-03T08:56:06.000+02:00
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,21 +1,28 @@
-name: SBOM 
-
-permissions:
-  contents: read
+name: SBOM
 
 on:
   workflow_dispatch:
-  pull_request:
+  push:
+    branches:
+      - feature/*
+      - fix/*
+      - improvement/*
+      - release/*
+      - technical/*
+
+permissions:
+  contents: write
 
 jobs:
   sbom:
     runs-on: ubuntu-latest
-   
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      # Caches Gradle dependencies to avoid downloading them on every run
       - name: Cache Gradle dependencies
         uses: actions/cache@v4
         with:
@@ -33,42 +40,22 @@ jobs:
           java-version: '17'
           distribution: 'temurin'
 
-      - name: Install xsltproc
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y xsltproc
-
-      # Use --no-daemon to prevent Gradle from running in the background
       - name: Generate SBOM (CycloneDX)
         run: ./gradlew --no-daemon cyclonedxBom  
 
-      - name: Convert SBOM to HTML
-        run: xsltproc sbom/cyclonedx-xml-to-html.xslt build/reports/bom.xml > sbom.html
-
-      # Create a specific artifact name using the branch name and timestamp
-      - name: Set artifact name
-        id: vars
-        run: |
-          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-          SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-' | tr '[:upper:]' '[:lower:]')
-          TIMESTAMP=$(date -u +"%Y%m%d-%H%M%S")
-          echo "artifact_name=sbom-${SAFE_BRANCH}-${TIMESTAMP}" >> $GITHUB_OUTPUT
-
-      - name: Rename SBOM XML and HTML files to match artifact name
-        run: |
-          mv sbom.html "${{ steps.vars.outputs.artifact_name }}.html"
-          mv  build/reports/bom.xml "${{ steps.vars.outputs.artifact_name }}.xml"
-          mv  build/reports/bom.json "${{ steps.vars.outputs.artifact_name }}.json"
+      - name: Move and rename SBOM to root
+        run: mv build/reports/bom.json ./sbom.json
 
-      - name: ZIP all the files
+      - name: Clean serialNumber and timestamp in SBOM
         run: |
-          zip "${{ steps.vars.outputs.artifact_name }}.zip" \
-              "${{ steps.vars.outputs.artifact_name }}.html" \
-              "${{ steps.vars.outputs.artifact_name }}.xml" \
-              "${{ steps.vars.outputs.artifact_name }}.json"
+          sudo apt-get update && sudo apt-get install -y jq
+          jq 'del(.serialNumber, .timestamp)' sbom.json > sbom_clean.json && mv sbom_clean.json sbom.json
 
-      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
+      - name: Commit files
+        uses: GuillaumeFalourd/git-commit-push@v1.3
         with:
-          name: ${{ steps.vars.outputs.artifact_name }}
-          path: ${{ steps.vars.outputs.artifact_name }}.zip
+          email: devops@owncloud.com
+          name: ownClouders
+          commit_message: "docs: SBOM updated"
+          files: sbom.json
+          access_token: ${{ github.token }}
