test ci: add gh workflows to generate sbom #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate GitHub SBOM and Upload as Artifact | |
| # NOTE: We would probably want to run this workflow on every push to main and not on pull requests | |
| # on: | |
| # push: | |
| # branches: | |
| # - main | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| generate-sbom: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: read | |
| steps: | |
| # Step 1: Checkout the repository | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # Step 2: Generate GitHub SBOM (Dependency Snapshot) | |
| - name: Generate GitHub SBOM | |
| id: sbom | |
| uses: actions/dependency-review-action@v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| output: sbom.json # Save as JSON file | |
| # Step 3: Convert SBOM to CSV | |
| - name: Convert SBOM to CSV | |
| run: | | |
| jq -r '.dependencies[] | [.package.name, .package.version, .relationship] | @csv' sbom.json > sbom.csv | |
| # Step 4: Upload SBOM as GitHub Artifact | |
| - name: Upload SBOM and CSV as Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sbom-files | |
| path: | | |
| sbom.json | |
| sbom.csv |