@@ -23,50 +23,42 @@ jobs:
2323 # - name: Save Docker image
2424 # run: docker save my-image:tag -o image.tar
2525
26- sbom :
27- name : Generate merged SBOM
28- if : github.event_name == 'release' || (github.ref_name == 'main' && github.event_name != 'pull_request')
29- runs-on : ubuntu-latest
30- needs : build_java_and_docker
31- steps :
32- - uses : actions/checkout@v6
33-
34- - name : Create SBOM for Jars
35- run : |
36- mvn -T 1C org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
26+ - name : Create SBOM for Jars
27+ run : |
28+ mvn -T 1C org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
3729
38- # - name: Build an image from Dockerfile
39- # run: docker build -t docker.io/adito/flowable:${{ github.ref_name }} .
40- - name : Run Trivy vulnerability scanner
41- uses : aquasecurity/trivy-action@0.35.0
42- with :
43- image-ref : ' flowable:${{ github.ref_name }}'
44- format : ' cyclonedx'
45- output : ' target/trivy.json'
30+ # - name: Build an image from Dockerfile
31+ # run: docker build -t docker.io/adito/flowable:${{ github.ref_name }} .
32+ - name : Run Trivy vulnerability scanner
33+ uses : aquasecurity/trivy-action@0.35.0
34+ with :
35+ image-ref : ' adito/ flowable:${{ github.ref_name }}'
36+ format : ' cyclonedx'
37+ output : ' target/trivy.json'
4638
47- - name : Merge + validate (CycloneDX CLI via Docker)
48- run : |
49- docker run --rm \
50- -v "${GITHUB_WORKSPACE}:/work" \
51- -w /work \
52- cyclonedx/cyclonedx-cli \
53- merge --input-files target/bom.json target/trivy.json --output-file target/combined-sbom.json
39+ - name : Merge + validate (CycloneDX CLI via Docker)
40+ run : |
41+ docker run --rm \
42+ -v "${GITHUB_WORKSPACE}:/work" \
43+ -w /work \
44+ cyclonedx/cyclonedx-cli \
45+ merge --input-files target/bom.json target/trivy.json --output-file target/combined-sbom.json
5446
55- - name : Convert combined SBOM to CycloneDX 1.6
56- run : |
57- docker run --rm \
58- -v "${GITHUB_WORKSPACE}:/work" \
59- -w /work \
60- cyclonedx/cyclonedx-cli \
61- convert --input-file target/combined-sbom.json --output-file target/combined-sbom-1.6.json --output-version v1_6 --output-format json
47+ - name : Convert combined SBOM to CycloneDX 1.6
48+ run : |
49+ docker run --rm \
50+ -v "${GITHUB_WORKSPACE}:/work" \
51+ -w /work \
52+ cyclonedx/cyclonedx-cli \
53+ convert --input-file target/combined-sbom.json --output-file target/combined-sbom-1.6.json --output-version v1_6 --output-format json
6254
63- - name : Upload SBOM to Dependency-Track
64- uses : DependencyTrack/gh-upload-sbom@48feab3080ff9e8f51f4d21861d9fc914eb744f5
65- with :
66- serverHostname : ${{ secrets.DEPENDENCYTRACK_HOSTNAME }}
67- apiKey : ${{ secrets.DEPENDENCYTRACK_APIKEY }}
68- projectName : ${{ github.event.repository.name }}
69- projectVersion : ${{ github.ref_name }}
70- projectTags : ' flowable-modeler,${{ github.event.repository.name }}'
71- bomFilename : " target/combined-sbom-1.6.json"
72- autoCreate : true
55+ - name : Upload SBOM to Dependency-Track
56+ uses : DependencyTrack/gh-upload-sbom@48feab3080ff9e8f51f4d21861d9fc914eb744f5
57+ with :
58+ serverHostname : ${{ secrets.DEPENDENCYTRACK_HOSTNAME }}
59+ apiKey : ${{ secrets.DEPENDENCYTRACK_APIKEY }}
60+ projectName : ${{ github.event.repository.name }}
61+ projectVersion : ${{ github.ref_name }}
62+ projectTags : ' flowable-modeler,${{ github.event.repository.name }}'
63+ bomFilename : " target/combined-sbom-1.6.json"
64+ autoCreate : true
0 commit comments