Update checkout version and try to inline config

aprantl · Nov 1, 2024 · e5ddb70 · e5ddb70
1 parent 858dc4d
commit e5ddb70
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/.github/workflows/createAndScanSBOM.yml b/.github/workflows/createAndScanSBOM.yml
@@ -10,15 +10,21 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Generate SBOM with Syft
         uses: anchore/sbom-action@v0
         with:
           path: .
           output-file: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
           format: "cyclonedx-json"
-          config: ".syft/config.yml"
+          config: |
+            # For studio-client plugins you can skip the scanning process
+            # because they are not supposed to introduce new dependencies.
+            # The dependencies in the lockfile are considered runtime dependencies.
+            # The actual version is determined by the studio-client application.
+            exclude:
+              - "./studio-client/**"
 
       - name: Scan SBOM with Grype
         id: scan