Generate SBOM #104
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOM | |
| on: | |
| pull_request: | |
| branches: | |
| - dev | |
| types: | |
| - opened | |
| schedule: | |
| - cron: '0 0 * * 1' # Every Monday at 00:00 | |
| permissions: | |
| contents: read | |
| jobs: | |
| generate-sbom: | |
| permissions: | |
| actions: write # for anchore/sbom-action to upload workflow artifacts | |
| contents: write # for anchore/sbom-action to upload & delete release assets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2 | |
| with: | |
| node-version: 20 | |
| - name: Install pnpm | |
| run: npm install -g [email protected] | |
| - name: Install dependencies | |
| run: pnpm i --frozen-lockfile | |
| - name: Generate SBOM | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| file: ./package-lock.json | |
| upload-artifact: true | |
| upload-artifact-retention: 8 | |
| output-file: ./kexa-sbom.json | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: kexa-sbom.json | |
| path: kexa-sbom.json | |
| commit-sbom: | |
| permissions: | |
| contents: write # for Git to git push | |
| runs-on: ubuntu-latest | |
| needs: generate-sbom | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Download artifact | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kexa-sbom.json | |
| - name: Commit SBOM to repository | |
| run: | | |
| git fetch origin | |
| git checkout dev | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "aesoft" | |
| git add kexa-sbom.json | |
| git commit -m "Add SBOM artifact to dev branch" | |
| git push origin dev |