This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOM for Dockerfiles | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| schedule: | ||
| - cron: '0 0 * * *' # Runs every day at midnight | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| generate-sbom: | ||
| permissions: | ||
| contents: write # for Git to git push | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | ||
| with: | ||
| egress-policy: audit | ||
| - name: Checkout repository | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Set up Python environment | ||
| uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | ||
| with: | ||
| python-version: '3.x' | ||
| - name: Install syft | ||
| run: | | ||
| pip install syft | ||
| - name: Generate SBOM for Dockerfile | ||
| run: | | ||
| mkdir -p .github/results | ||
| ls -alg | ||
| echo "Done doing syft version" | ||
| syft scan --help | ||
| echo "Done doing syft help" | ||
| syft docker:clecap:dante-wiki:latest -o json > .github/results/sbom-dante-wiki-docker.json | ||
| echo "Done doing syft docker" | ||
| syft dir:. > .github/results/sbom-dante-wiki-docker-repo.json | ||
| echo "Done doing syft dir" | ||
| # syft scan dante-wiki:latest -o json > .github/results/sbom-dante-wiki.json | ||
| # syft scan dante-wiki:latest -o spdx > .github/results/sbom-dante-wiki.spdx | ||
| # syft scan dante-wiki:latest -o cyclonedx > .github/results/sbom-dante-wiki.xml | ||
| # --output syft-json produced error message | ||
| # --output json produced error message | ||
| # looks like it needs a command first | ||
| - name: Commit SBOM files | ||
| run: | | ||
| git config --global user.name 'github-actions[bot]' | ||
| git config --global user.email 'github-actions[bot]@users.noreply.github.com' | ||
| git add .github/results/sbom-dante-wiki.json | ||
| # git add .github/results/sbom-dante-wiki.spdx | ||
| # git add .github/results/sbom-dante-wiki.xml | ||
| git commit -m "Add auto-generated SBOM files" | ||
| git push origin ${{ github.ref }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
