ci: update gh workflow

Signed-off-by: Sonu Saha <[email protected]>
ahasunos · Jan 29, 2025 · e72a6fe · e72a6fe
1 parent 8818fa9
commit e72a6fe
Showing 1 changed file with 61 additions and 36 deletions.
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,48 +1,73 @@
-name: Generate GitHub SBOM and Upload as Artifact
-
-# NOTE: We would probably want to run this workflow on every push to main and not on pull requests
+name: Download SBOM from Insights and Convert to CSV
 
 # on:
-#   push:
-#     branches:
-#       - main
+#   workflow_dispatch:
+
+
+# # NOTE: We would probably want to run this workflow on every push to main and not on pull requests
+# # on:
+# #   push:
+# #     branches:
+# #       - main
 
 on:
   pull_request:
     branches:
       - main
 
 jobs:
-  generate-sbom:
+  convert-sbom:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      security-events: read
-
     steps:
-      # Step 1: Checkout the repository
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      # Step 2: Generate GitHub SBOM (Dependency Snapshot)
-      - name: Generate GitHub SBOM
-        id: sbom
-        uses: actions/dependency-review-action@v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          output: sbom.json  # Save as JSON file
-
-      # Step 3: Convert SBOM to CSV
-      - name: Convert SBOM to CSV
-        run: |
-          jq -r '.dependencies[] | [.package.name, .package.version, .relationship] | @csv' sbom.json > sbom.csv
-
-      # Step 4: Upload SBOM as GitHub Artifact
-      - name: Upload SBOM and CSV as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: sbom-files
-          path: |
-            sbom.json
-            sbom.csv
+    - name: Checkout Code
+      uses: actions/checkout@v3
+
+    - name: Set Timestamp and Unique Filename
+      run: |
+        FILE_PREFIX=$(echo "${{ github.repository }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
+        echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
+
+    - name: Download SBOM
+      run: |
+        curl -L \
+          -H "Accept: application/vnd.github+json" \
+          -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          https://api.github.com/repos/${{ github.repository }}/dependency-graph/sbom \
+          -o "${FILE_PREFIX}-sbom.json"
+
+    - name: Verify SBOM JSON File
+      run: |
+        ls -l "${FILE_PREFIX}-sbom.json"
+
+    - name: Preview SBOM JSON Content
+      run: |
+        head -n 20 "${FILE_PREFIX}-sbom.json"
+
+    - name: Convert SBOM to CSV using jq
+      run: |
+        jq -r '
+          .sbom.packages[] | [
+            .name,
+            .SPDXID,
+            .versionInfo,
+            .downloadLocation,
+            ( .externalRefs[]? | .referenceLocator )
+          ] | @csv' "${FILE_PREFIX}-sbom.json" > "${FILE_PREFIX}-sbom.csv"
+
+    - name: Verify SBOM CSV File
+      run: |
+        ls -l "${FILE_PREFIX}-sbom.csv"
+
+    - name: Upload SBOM JSON as Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: sbom-json
+        path: ${{ env.FILE_PREFIX }}-sbom.json
+
+    - name: Upload SBOM CSV as Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: sbom-csv
+        path: ${{ env.FILE_PREFIX }}-sbom.csv