Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/run-sbom.yml | |
| name: Generate SBOM and Build Wheel | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| generate-sbom: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Install cdxgen | |
| run: npm install -g @cyclonedx/cdxgen | |
| - name: Install depscan | |
| run: pip install owasp-depscan | |
| - name: Generate SBOM | |
| run: cdxgen -t python . | |
| # Generated files: bom.json | |
| - name: Generate Vulnerability Data Report | |
| run: depscan --bom bom.json | |
| # Generated files: bom.vdr.json (if VDR is generated) and | |
| # depscan-bom.json and depscan.html under ./reports/) | |
| - name: Collect SBOM Artifact | |
| run: | | |
| # mkdir -p ./bom_reports | |
| # cp ./bom.* ./bom_reports/ | |
| # cp ./reports/* ./bom_reports/ | |
| TIMEOUT=10 | |
| while [ $TIMEOUT -gt 0 ]; do | |
| if [ -f "./bom.vdr.json" ]; then | |
| # cp ./bom.vdr.json ./reports/bom.vdr.json | |
| mkdir -p ./bom_reports | |
| cp ./bom.* ./bom_reports/ | |
| cp ./reports/* ./bom_reports/ | |
| echo "VDR file generated and moved to bom_reports/ directory." | |
| break | |
| fi | |
| echo "Waiting for bom.vdr.json..." | |
| sleep 1 | |
| TIMEOUT=$((TIMEOUT-1)) | |
| done | |
| if [ $TIMEOUT -eq 0 ]; then | |
| echo "Timeout reached. No VDR file generated." | |
| fi | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| export PATH="$HOME/.local/bin:$PATH" | |
| - name: Install Dependencies | |
| run: | | |
| poetry install --no-interaction --no-ansi | |
| - name: Build Wheel | |
| run: poetry build -vvv | |
| - name: Upload SBOM and VDR Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bom-artifacts | |
| path: ./bom_reports/ | |
| - name: Upload dist Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: ./dist/ | |