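# Workflow for generating a software bill of materials (SBOM).
#
# Currently, this uses the slsa-framework/github-actions-demo action to
# generate an in-toto attestation. This is then pushed to a remote repository
# for storage.
name: sbom
on:
  push:
    branches:
      - master

# The push to the storage repository authenticates with the SBOM_DEPLOY_SSH
# deploy key (see the ssh-agent step below), not with GITHUB_TOKEN, so the
# token itself only needs read access to this repository.
permissions:
  contents: read

env:
  JAVA_DISTRIBUTION: temurin

jobs:
  sbom:
    runs-on: ubuntu-latest
    environment: SBOM-store
    env:
      MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
      SSH_AUTH_SOCK: /tmp/ssh_agent.sock
    name: Generate and store SBOM
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Full clone; the action's default is a shallow clone of depth 1
          fetch-depth: 0
      - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
        with:
          # Quoted so YAML keeps the version a string rather than an integer
          java-version: '17'
          distribution: ${{ env.JAVA_DISTRIBUTION }}
      - name: Get date for cache # see https://github.com/actions/cache README
        id: get-date
        run: echo "date=$(/bin/date -u "+%Y%m%d")" >> "$GITHUB_OUTPUT"
        shell: bash
      - name: Use Maven dependency cache
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ~/.m2/repository
          # Day-granular key so the cache is refreshed at least daily even when
          # no pom.xml changed; restore-keys falls back to any same-OS cache
          key: ${{ runner.os }}-${{ steps.get-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-maven-
      - name: Build project
        run: |
          mvn -B test-compile
      - name: Generate provenance
        # Note that this action is a demo, meaning that it works fine now, but
        # there are no guarantees of future support and development.
        uses: slsa-framework/github-actions-demo@9474e92bbf825d5b4b46810fc9367dfc73429a2a # tag=v0.1
        with:
          artifact_path: .
          output_path: provenance.json
      - name: Add deployment SSH private key to agent
        # The key is handed to the shell through an environment variable
        # instead of being expanded with ${{ }} into the script text, so the
        # secret never becomes part of the generated shell source.
        env:
          SBOM_DEPLOY_SSH: ${{ secrets.SBOM_DEPLOY_SSH }}
        run: |
          ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
          ssh-add - <<< "$SBOM_DEPLOY_SSH"
          echo "$SSH_AUTH_SOCK"
      - name: Push provenance to remote
        env:
          # Target repo to upload provenance file.
          # NOTE(review): the two address values below are reproduced as they
          # appear in the page export, where e-mail-like text is masked; check
          # them against the repository's own copy of this file. They are
          # quoted because a plain scalar starting with '[' is parsed as a
          # flow sequence.
          REMOTE_REPO_URL: '[email protected]:chains-project/sbom-files.git'
          GIT_USER: provenance-bot
          GIT_EMAIL: '[email protected]'
        run: |
          git config --global user.name "$GIT_USER"
          git config --global user.email "$GIT_EMAIL"
          git clone "$REMOTE_REPO_URL"
          mkdir -p sbom-files/spoon/slsa
          # One file per build: unix timestamp plus the commit being attested
          cp provenance.json "sbom-files/spoon/slsa/$(date +%s)-${GITHUB_SHA}.sbom.json"
          cd sbom-files
          git add .
          git commit -m "Spoon: ${GITHUB_SHA}"
          git push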