SBOM generation #107
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: SBOM generation | |
on: | |
workflow_dispatch: | |
schedule: | |
# Runs at 02:00 UTC every Monday | |
- cron: '2 0 * * 1' | |
permissions: | |
contents: read | |
jobs: | |
sbom_gen: | |
permissions: | |
contents: write # for peter-evans/create-pull-request to create branch | |
pull-requests: write # for peter-evans/create-pull-request to create a PR | |
name: Generate SBOM | |
if: github.repository == 'intel/cve-bin-tool' # for SBOM generation on forks | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
python: ['3.8', '3.9', '3.10', '3.11', '3.12'] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | |
with: | |
python-version: ${{ matrix.python }} | |
cache: 'pip' | |
cache-dependency-path: '**/requirements.txt' | |
- name: Install dependencies and cve-bin-tool | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install --upgrade setuptools | |
python -m pip install --upgrade wheel | |
python -m pip install --upgrade sbom4python | |
pip install . --upgrade --upgrade-strategy=eager | |
- name: Generate SBOM for cve-bin-tool | |
run: | | |
sbom4python --module cve-bin-tool --output cve-bin-tool-py${{ matrix.python }}.spdx | |
sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output cve-bin-tool-py${{ matrix.python }}.json | |
- name: Compare SBOM for cve-bin-tool | |
id: diff-sbom | |
# This would fail due to time/date of SBOM generation in SBOM header | |
# Therefore ignore first 10 lines of file in comparison which is SBOM header | |
run: | | |
/bin/tail -n +10 sbom/cve-bin-tool-py${{ matrix.python }}.spdx > orig | |
/bin/tail -n +10 cve-bin-tool-py${{ matrix.python }}.spdx > new | |
echo "changed=$(/bin/diff -q orig new)" >> $GITHUB_OUTPUT | |
- name: Display generated SBOM if difference detected | |
if: ${{ steps.diff-sbom.outputs.changed }} | |
run: | | |
/bin/cat cve-bin-tool-py${{ matrix.python }}.spdx | |
- name: Update existing SBOM if difference detected | |
if: ${{ steps.diff-sbom.outputs.changed }} | |
run: | | |
cp cve-bin-tool-py${{ matrix.python }}.spdx sbom/cve-bin-tool-py${{ matrix.python }}.spdx | |
cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json | |
- name: Create Pull Request | |
if: ${{ steps.diff-sbom.outputs.changed }} | |
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 | |
with: | |
commit-message: "chore: update SBOM for Python ${{ matrix.python }}" | |
title: "chore: update SBOM for Python ${{ matrix.python }}" | |
branch: chore-sbom-py${{ matrix.python }} | |
delete-branch: true | |
author: GitHub <[email protected]> | |
add-paths: sbom |