5252 draft : true
5353 generate_release_notes : true
5454
55+ create-sbom :
56+ needs : [create-release, build-docker-release]
57+ uses : ./.github/workflows/sbom.yml
58+ with :
59+ upload_url : ${{ needs.create-release.outputs.upload_url }}
60+
5561 build-binaries :
5662 needs : [create-release]
5763 runs-on :
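Review bot: The new `create-sbom` job hands `needs.create-release.outputs.upload_url` to a reusable workflow that uploads release assets with `GITHUB_TOKEN`, but declares no `permissions:` block, so the token's write scope depends on whatever the caller's workflow-level or repository default grants, neither of which is visible in this hunk. A called workflow can only exercise the permissions the calling job itself holds, so declare the grant explicitly on the job — `permissions:` / `  contents: write` next to `needs:` — which both makes the upload work under read-only defaults and keeps every other scope at read. Since the release is created with `draft: true` (context line 52), the SBOM assets land on the draft before publication, which is the desirable ordering; the reusable call passes no `secrets:`, which is fine because `GITHUB_TOKEN` is implicitly available to called workflows.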
1+ name : Create SBOM files
2+
3+ on :
4+ workflow_call :
5+ inputs :
6+ upload_url :
7+ description : " Release assets upload URL"
8+ required : true
9+ type : string
10+
11+ jobs :
12+ create-sbom :
13+ runs-on : self-hosted
14+
15+ steps :
16+ - name : Checkout
17+ uses : actions/checkout@v4
18+ with :
19+ submodules : recursive
20+
21+ # Store the version, stripping any v-prefix
22+ - name : Write release version
23+ run : |
24+ VERSION=${GITHUB_REF_NAME#v}
25+ echo Version: $VERSION
26+ echo "VERSION=$VERSION" >> $GITHUB_ENV
27+
28+ - name : Create SBOM with Trivy
29+ uses : aquasecurity/trivy-action@0.33.1
30+ with :
31+ scan-type : ' fs'
32+ format : ' spdx-json'
33+ output : " defguard-proxy-${{ env.VERSION }}.sbom.json"
34+ scan-ref : ' .'
35+ severity : " CRITICAL,HIGH,MEDIUM"
36+
37+ - name : Create docker image SBOM with Trivy
38+ uses : aquasecurity/trivy-action@0.33.1
39+ with :
40+ image-ref : " ghcr.io/defguard/defguard-proxy:${{ env.VERSION }}"
41+ scan-type : ' image'
42+ format : ' spdx-json'
43+ output : " defguard-proxy-${{ env.VERSION }}-docker.sbom.json"
44+ severity : " CRITICAL,HIGH,MEDIUM"
45+ scanners : " vuln"
46+
47+ - name : Upload SBOM
48+ uses : shogo82148/actions-upload-release-asset@v1
49+ env :
50+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
51+ with :
52+ upload_url : ${{ inputs.upload_url }}
53+ asset_path : " defguard-*.sbom.json"
54+ asset_content_type : application/octet-stream
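Review bot: All third-party actions in this workflow are pinned to mutable tags (`actions/checkout@v4`, `aquasecurity/trivy-action@0.33.1` twice, `shogo82148/actions-upload-release-asset@v1`) while the job runs on a `self-hosted` runner and carries a `GITHUB_TOKEN` meant to upload release assets, so a moved or compromised tag would execute attacker-controlled code on your own infrastructure and could replace the SBOMs attached to the release. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<40-char-commit-sha> # 0.33.1`, and let Dependabot or Renovate bump the SHA. Relatedly, the image SBOM is generated from the mutable tag `ghcr.io/defguard/defguard-proxy:${{ env.VERSION }}` rather than the digest the build job actually pushed, so if that tag is ever re-pushed the published SBOM no longer describes the released image; consider passing the build job's image digest as a second `workflow_call` input and scanning `image-ref: "ghcr.io/defguard/defguard-proxy@${{ inputs.image_digest }}"` instead.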