Merge pull request #2151 from atsign-foundation/cpswan-sbomify

ci: Use sbomify to generate SBOMs
atsign-foundation · Nov 19, 2024 · a691bce · a691bce
2 parents 20a876a + 5ddb1ad
commit a691bce
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 12 deletions.
diff --git a/.github/workflows/at_server.yaml b/.github/workflows/at_server.yaml
@@ -117,18 +117,40 @@ jobs:
       # Generating SBOMs also needs pubspec.lock
       # Only run on stable channel
       - if: ${{ matrix.dart-channel == 'stable' }}
-        name: Install Syft
-        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        name: Create sbom folder
+        run: mkdir sboms        
       - if: ${{ matrix.dart-channel == 'stable' }}
-        name: Generate SBOMs
+        name: Generate atDirectory SBOM
+        uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
+        env:
+          TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
+          COMPONENT_ID: '3hQHrn8mwK'
+          LOCK_FILE: ${{ env.root-working-directory }}/pubspec.lock
+          SBOM_VERSION: ${{github.ref_name}}
+          OUTPUT_FILE: 'sboms/atdirectory-gha${{github.run_number}}-sbom.cdx.json'
+          AUGMENT: true
+          ENRICH: true
+          UPLOAD: true
+      - if: ${{ matrix.dart-channel == 'stable' }}
+        name: Generate atServer SBOM
+        uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
+        env:
+          TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
+          COMPONENT_ID: 'wF66pn8rHZ'
+          LOCK_FILE: ${{ env.secondary-working-directory }}/pubspec.lock
+          SBOM_VERSION: ${{github.ref_name}}
+          OUTPUT_FILE: 'sboms/atserver-gha${{github.run_number}}-sbom.cdx.json'
+          AUGMENT: true
+          ENRICH: true
+          UPLOAD: true
+      - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }}
+        name: Rename SBOMs to use release tag
         run: |
-          mkdir sboms
-          syft scan file:${{ env.root-working-directory }}/pubspec.lock \
-            -o 'spdx-json=sboms/atdirectory_sbom.spdx.json' \
-            -o 'cyclonedx-json=sboms/atdirectory_sbom.cyclonedx.json'
-          syft scan file:${{ env.secondary-working-directory }}/pubspec.lock \
-            -o 'spdx-json=sboms/atserver_sbom.spdx.json' \
-            -o 'cyclonedx-json=sboms/atserver_sbom.cyclonedx.json'
+          cd sboms
+          mv atdirectory-gha${{github.run_number}}-sbom.cdx.json \
+            atdirectory-${{github.ref_name}}-sbom.cdx.json
+          mv atserver-gha${{github.run_number}}-sbom.cdx.json \
+            atserver-${{github.ref_name}}-sbom.cdx.json
       - if: ${{ matrix.dart-channel == 'stable' }}
         name: Generate SHA256 checksums
         working-directory: sboms

diff --git a/.github/workflows/promote_canary.yaml b/.github/workflows/promote_canary.yaml
@@ -148,8 +148,8 @@ jobs:
           echo ${CANARY}
           mkdir sboms
           cd sboms
-          wget https://github.com/atsign-foundation/at_server/releases/download/${CANARY}/atserver_sbom.spdx.json
-          wget https://github.com/atsign-foundation/at_server/releases/download/${CANARY}/atserver_sbom.cyclonedx.json
+          wget https://github.com/atsign-foundation/at_server/releases/download/${CANARY}/atserver-${CANARY}-sbom.cdx.json
+          mv atserver-${CANARY}-sbom.cdx.json atserver-${{github.ref_name}}-sbom.cdx.json
           sha256sum * > checksums.txt
       - name: Upload artifacts to GitHub Release
         env: