You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
55 lines
1.6 KiB
55 lines
1.6 KiB
name: Upload SBOM |
|
|
|
# Generates a CycloneDX SBOM with Syft (auto-detects both the Ruby gems in |
|
# Gemfile.lock and the Node packages in yarn.lock) and uploads it to |
|
# Dependency-Track. Called from the staging and production pipelines after a |
|
# successful deploy. |
|
|
|
on: |
|
workflow_call: |
|
inputs: |
|
projectversion: |
|
required: true |
|
type: string |
|
secrets: |
|
DTRACK_API_KEY: |
|
required: true |
|
|
|
permissions: |
|
contents: read |
|
|
|
jobs: |
|
sbom: |
|
name: Generate and upload SBOM |
|
runs-on: ubuntu-latest |
|
steps: |
|
- uses: actions/checkout@v4 |
|
|
|
- run: | |
|
echo "SYFT_VERSION=v1.45.0" >> "$GITHUB_ENV" |
|
echo "SYFT_SCRIPT_SHA=9673f867e50398b5d25ec97ff051a451c46d262c" >> "$GITHUB_ENV" |
|
|
|
- uses: actions/cache@v4 |
|
with: |
|
path: /usr/local/bin/syft |
|
key: syft-${{ env.SYFT_VERSION }} |
|
|
|
- name: Install Syft |
|
run: | |
|
[ -f /usr/local/bin/syft ] || \ |
|
curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_SCRIPT_SHA}/install.sh" | sh -s -- -b /usr/local/bin "$SYFT_VERSION" |
|
|
|
- run: syft . -o cyclonedx-xml=bom.xml |
|
|
|
- name: Upload SBOM to Dependency-Track |
|
env: |
|
DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }} |
|
SBOM_VERSION: ${{ inputs.projectversion }} |
|
run: | |
|
curl -sSf -X POST "https://api-deps.softwire.com/api/v1/bom" \ |
|
-H "X-Api-Key: $DTRACK_API_KEY" \ |
|
-F "autoCreate=true" \ |
|
-F "projectName=CORE" \ |
|
-F "projectVersion=$SBOM_VERSION" \ |
|
-F "parentName=Support" \ |
|
-F "bom=@bom.xml"
|
|
|