1+ name : Generate SPDX SBOM
2+
3+ on :
4+ push :
5+ tags :
6+ - ' v*'
7+
8+ permissions :
9+ contents : read
10+
11+ concurrency :
12+ group : ${{ github.workflow }}-${{ github.ref }}
13+ cancel-in-progress : true
14+
15+ jobs :
16+ generate-sbom :
17+ name : Generate SPDX SBOM with Trivy
18+ runs-on : ubuntu-latest
19+ container : alpine:latest
20+ environment :
21+ name : sbom-ipfs
22+
23+ steps :
24+ - name : Install dependencies
25+ run : |
26+ apk add --no-cache curl wget git
27+
28+ - name : Checkout repository
29+ uses : actions/checkout@v5
30+ with :
31+ fetch-depth : 0
32+
33+ - name : Install Trivy
34+ run : |
35+ wget -qO - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
36+
37+ - name : Generate SBOMs
38+ run : |
39+ trivy fs --format spdx-json --output sbom.spdx.json .
40+ trivy fs --format cyclonedx --output sbom.cyclonedx.json .
41+
42+ - name : Upload SBOMs as artifact
43+ uses : actions/upload-artifact@v5
44+ with :
45+ name : sbom-${{ github.ref_name }}
46+ path : |
47+ sbom.spdx.json
48+ sbom.cyclonedx.json
49+ retention-days : 90
50+
51+ - name : Create SBOM directory for IPFS upload
52+ run : |
53+ mkdir -p sbom-release
54+ cp sbom.spdx.json sbom-release/
55+ cp sbom.cyclonedx.json sbom-release/
56+
57+ # - name: Upload SBOMs to IPFS
58+ # uses: storacha/add-to-web3@892505d8e70c79336721485e5500155c17a728e0
59+ # id: storacha
60+ # with:
61+ # path_to_add: "sbom-release"
62+ # secret_key: ${{ secrets.STORACHA_PRINCIPAL }}
63+ # proof: ${{ secrets.STORACHA_PROOF }}
64+
65+ - name : Job summary
66+ run : |
67+ echo "### SBOMs uploaded to IPFS! :rocket:" >> $GITHUB_STEP_SUMMARY
68+ echo "" >> $GITHUB_STEP_SUMMARY
69+ echo "- Release: ${{ github.ref_name }}" >> "$GITHUB_STEP_SUMMARY"
70+ echo "- CID: ${{ steps.storacha.outputs.cid }}" >> "$GITHUB_STEP_SUMMARY"
71+ echo "- URL: ${{ steps.storacha.outputs.url }}" >> "$GITHUB_STEP_SUMMARY"
72+ echo "- Formats: SPDX JSON, CycloneDX JSON" >> "$GITHUB_STEP_SUMMARY"
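Review bot: The Trivy installer at line 35 pipes a script fetched from the mutable `main` branch into `sh` and installs whichever release is current, so a workflow whose whole output is a supply-chain artifact is itself neither reproducible nor reviewable; pin the raw URL to a commit (`https://raw.githubusercontent.com/aquasecurity/trivy/<trivy-commit-sha>/contrib/install.sh`) and pass a release tag as the script's last argument, and the same unpinned-reference concern applies to `container: alpine:latest` at line 19 and to the tag-pinned `actions/checkout@v5` / `actions/upload-artifact@v5` (the commented-out storacha step is the only one pinned by SHA). The Job summary step interpolates `${{ github.ref_name }}` and `${{ steps.storacha.outputs.* }}` straight into a shell script at lines 69-71; a git tag name may legally contain `$(`, and because the job binds `environment: sbom-ipfs` any secrets scoped to that environment are reachable from the script, so the values should reach the shell through `env:` and be read as `"$RELEASE"`, as in the rewrite below. The same step also announces "SBOMs uploaded to IPFS" and prints a CID and URL from `steps.storacha`, but that step is commented out at lines 57-63, so the summary will claim an upload that never happened and print empty values; drop those lines until the upload step is restored, and quote `$GITHUB_STEP_SUMMARY` on lines 67-68 as the later lines already do.
```yaml
      - name: Install Trivy
        env:
          TRIVY_VERSION: "<pinned-trivy-release-tag>"
        run: |
          wget -qO - https://raw.githubusercontent.com/aquasecurity/trivy/<trivy-commit-sha>/contrib/install.sh | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"

      # … unchanged: Generate SBOMs, Upload SBOMs as artifact, Create SBOM directory …

      - name: Job summary
        env:
          RELEASE: ${{ github.ref_name }}
        run: |
          {
            echo "### SBOMs generated for ${RELEASE}"
            echo ""
            echo "- Release: ${RELEASE}"
            echo "- Formats: SPDX JSON, CycloneDX JSON"
          } >> "$GITHUB_STEP_SUMMARY"
```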