-
Notifications
You must be signed in to change notification settings - Fork 2
64 lines (62 loc) · 1.95 KB
/
sbom-upload.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# SPDX-FileCopyrightText: 2023 Mercedes-Benz Tech Innovation GmbH
#
# SPDX-License-Identifier: MIT
name: Upload SBOM
on:
workflow_dispatch:
pull_request:
types:
- closed
branches:
- main
jobs:
if_merged:
if: github.event.pull_request.merged
name: SBOM upload
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
env:
DISCO_API_TOKEN: ${{ secrets.DISCO_TOKEN }}
DISCO_HOST: ${{ secrets.DISCO_HOST }}
DISCO_PROJECT_UUID: ${{ secrets.DISCO_PROJECT_UUID }}
DISCO_PROJECT_VERSION: ${{ secrets.DISCO_PROJECT_VERSION }}
BD_URL: ${{ secrets.BD_URL}}
BD_API_TOKEN: ${{ secrets.BD_API_TOKEN }}
BD_PROJECT_NAME: ${{ secrets.BD_PROJECT_NAME }}
BD_PROJECT_VERSION: ${{ secrets.BD_PROJECT_VERSION }}
CONTAINER_REGISTRY: ${{ secrets.CONTAINER_REGISTRY }}
SBOM: "sbom.json"
steps:
- uses: actions/checkout@master
- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Export spdx SBOM from Black Duck
run: |
docker run --rm \
-v $(pwd):/workdir \
-e huburl="$BD_URL" \
-e projectname="$BD_PROJECT_NAME" \
-e projectversion="$BD_PROJECT_VERSION" \
-e hubtoken="$BD_API_TOKEN" \
-e output="$SBOM" \
-e NO_PROXY="$NO_PROXY" \
-e HTTP_PROXY="$HTTP_PROXY" \
-e HTTPS_PROXY="$HTTPS_PROXY" \
$CONTAINER_REGISTRY
- name: Disco action - upload sbom
id: disco
uses: ./
with:
host: ${{env.DISCO_HOST}}
token: ${{env.DISCO_API_TOKEN}}
project_uuid: ${{env.DISCO_PROJECT_UUID}}
project_version: ${{env.DISCO_PROJECT_VERSION}}
command_type: 'version'
command: 'sbomUpload'
argument_1: ${{env.SBOM}}