From 0f8e800e1c48b937f634a41a91f2a0b3fe62583b Mon Sep 17 00:00:00 2001 From: EdgeBit Date: Wed, 6 Dec 2023 00:07:23 +0000 Subject: [PATCH] github: add EdgeBit workflow --- .github/edgebit/source-syft.yaml | 27 ++++++++++++++++++++++++ .github/workflows/sbom-upload.yaml | 34 ++++++++++++++++++++++++++++++ .github/workflows/sbom.yaml | 32 ++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 .github/edgebit/source-syft.yaml create mode 100644 .github/workflows/sbom-upload.yaml create mode 100644 .github/workflows/sbom.yaml diff --git a/.github/edgebit/source-syft.yaml b/.github/edgebit/source-syft.yaml new file mode 100644 index 0000000..b7ae52f --- /dev/null +++ b/.github/edgebit/source-syft.yaml @@ -0,0 +1,27 @@ +output: syft + +check-for-app-update: false + +catalogers: + - binary + - cocoapods + - conan + - dartlang-lock + - dotnet-deps + - elixir-mix-lock + - erlang-rebar-lock + - go-mod-file + - go-module-binary + - graalvm-native-image + - haskell + - java + - java-gradle-lockfile + - java-pom + - javascript-lock + - php-composer-lock + - python-index + - python-package + - ruby-gemfile + - rust-cargo-lock + - sbom + - swift-package-manager diff --git a/.github/workflows/sbom-upload.yaml b/.github/workflows/sbom-upload.yaml new file mode 100644 index 0000000..b2b6141 --- /dev/null +++ b/.github/workflows/sbom-upload.yaml @@ -0,0 +1,34 @@ +name: Upload SBOM to EdgeBit +on: + workflow_run: + workflows: ["Generate an SBOM from source code"] + types: + - completed +jobs: + upload: + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == 'success' + + steps: + - name: Download metadata + id: metadata + uses: dawidd6/action-download-artifact@v2.28.0 + with: + run_id: ${{ github.event.workflow_run.id }} + name: metadata.json + + - name: Download SBOM + id: sbom + uses: dawidd6/action-download-artifact@v2.28.0 + with: + run_id: ${{ github.event.workflow_run.id }} + name: sbom.spdx.json + + - name: Upload SBOM to EdgeBit + uses: edgebitio/edgebit-build@v1 + with: + edgebit-url: "https://edgebit.edgebit.io" + token: ${{ secrets.EDGEBIT_TOKEN }} + component: marker + sbom-file: ./sbom.spdx.json + args-file: ./metadata.json diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml new file mode 100644 index 0000000..aa598b7 --- /dev/null +++ b/.github/workflows/sbom.yaml @@ -0,0 +1,32 @@ +name: Generate an SBOM from source code +on: + pull_request: + push: + branches: + - 'master' +jobs: + generate-sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Generate SBOM from source code + uses: anchore/sbom-action@a4126e6810341af80d172ee5ebf8ff419a2e8b21 + with: + artifact-name: sbom.spdx.json + upload-artifact: true + config: .github/edgebit/source-syft.yaml + + - name: Save metadata to an artifact + run: | + cat > /tmp/metadata.json <