From e5ddb7096cbf3fd761aca9a592f0c67b09884c01 Mon Sep 17 00:00:00 2001
From: andip1403 <123165724+andip1403@users.noreply.github.com>
Date: Fri, 1 Nov 2024 10:04:12 +0100
Subject: [PATCH] Update checkout version and try to inline config
---
 .github/workflows/createAndScanSBOM.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/createAndScanSBOM.yml b/.github/workflows/createAndScanSBOM.yml
index 8a5ba75..c40b7a7 100644
--- a/.github/workflows/createAndScanSBOM.yml
+++ b/.github/workflows/createAndScanSBOM.yml
@@ -10,7 +10,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Generate SBOM with Syft
 uses: anchore/sbom-action@v0
@@ -18,7 +18,13 @@ jobs:
 path: .
 output-file: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
 format: "cyclonedx-json"
- config: ".syft/config.yml"
+ config: |
+ # For studio-client plugins you can skip the scanning process
+ # because they are not supposed to introduce new dependencies.
+ # The dependencies in the lockfile are considered runtime dependencies.
+ # The actual version is determined by the studio-client application.
+ exclude: - "./studio-client/**"
 - name: Scan SBOM with Grype
 id: scan
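Review bot: The `config:` input of anchore/sbom-action is, as far as the action's documented inputs go, a path to a Syft configuration file, so the inline YAML under `config: |` in the second hunk will most likely be handed to Syft as a file name and fail to load rather than be applied (the commit title's "try to inline" suggests this has not been verified). If an inline configuration is wanted, write it to a file in a preceding step, e.g. `run: printf '%s\n' 'exclude:' '  - "./studio-client/**"' > .syft-inline.yml`, and pass that path, or keep the committed `.syft/config.yml`. Separately, the new `exclude` drops `studio-client/` from the SBOM entirely, which means any dependency that does get added under that tree is never scanned by Grype; the comment asserts that plugins introduce no new dependencies, but nothing in the workflow enforces that. Consider generating a second SBOM for that tree (or a lockfile check that it adds no entries beyond the studio-client application's) so the exclusion cannot silently become a coverage gap.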