generate-and-upload-bom.yml
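# Builds a CycloneDX SBOM for this repository with cdxgen and uploads it to the
# Dependency-Track instance configured in the upload step below.
name: 'This workflow creates bill of material and uploads it to Dependency-Track each night'

# NOTE(review): despite the name, the nightly schedule is commented out and the
# workflow currently runs on pull requests. Two consequences worth knowing:
#   - secrets are not exposed to workflow runs triggered by pull requests from
#     forks, so the upload step fails for fork PRs;
#   - for same-repository PRs, `yarn install` below executes lifecycle scripts
#     from the PR's dependency tree while DEPENDENCYTRACK_APIKEY is available
#     to the job, so only trusted branches should reach this workflow.
on:
  pull_request:
    types: ['opened', 'edited', 'reopened', 'synchronize']
  # schedule:
  #   - cron: '0 0 * * *'

# Least privilege: nothing here writes back to the repository, so the
# GITHUB_TOKEN only needs read access to check out the code.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

jobs:
  create-bom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No step pushes to the repository, so do not leave the token in
          # .git/config where dependency install scripts could read it.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20.x
          # Built-in yarn caching keyed on yarn.lock; replaces the third-party
          # c-hive/gha-yarn-cache action (one less mutable-tag dependency).
          cache: yarn

      - run: yarn install --frozen-lockfile

      # The CycloneDX CLI binary that used to be downloaded here from the
      # "latest" GitHub release (unpinned, no checksum verification) was never
      # invoked by any step; SBOM generation is done entirely by cdxgen below.

      - name: Generate SBOM
        run: |
          # TODO(review): pin cdxgen to a specific version (@cyclonedx/cdxgen@<x.y.z>)
          # so a broken or compromised npm release cannot change what gets uploaded.
          npm install -g @cyclonedx/cdxgen
          cdxgen -o sbom.json
          # Fail here with a clear cause if no (non-empty) SBOM was written,
          # instead of letting the upload step send a missing or empty file.
          test -s sbom.json

      - name: Upload SBOM to DependencyTrack
        env:
          DEPENDENCY_TRACK_API: 'https://dt.security.dhis2.org/api/v1/bom'
          # Passed through the environment rather than interpolated into the
          # script text with ${{ }}, as GitHub's security-hardening guidance
          # recommends for secrets.
          DEPENDENCY_TRACK_API_KEY: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
          # Dependency-Track project UUID this SBOM is attached to (not a secret).
          DEPENDENCY_TRACK_PROJECT: '53c6ea2f-413f-45b9-a360-e366f917277d'
        run: |
          curl -X POST "$DEPENDENCY_TRACK_API" \
            --fail-with-body \
            -H "Content-Type: multipart/form-data" \
            -H "X-Api-Key: $DEPENDENCY_TRACK_API_KEY" \
            -F "project=$DEPENDENCY_TRACK_PROJECT" \
            -F "[email protected]"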