action-sbom/action.yml at main · coderpatros/action-sbom · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
name: 'Generate Actions SBOM'
description: 'Generates a CycloneDX SBOM of all GitHub Actions used in the current workflow, with refs resolved to commit SHAs.'

inputs:
  output-file:
    description: 'Path to write the SBOM JSON output file'
    required: false
    default: 'actions-sbom.json'
  github-token:
    description: 'GitHub token used to resolve action refs to commit SHAs via the API'
    required: false
    default: ${{ github.token }}
  workflow-file:
    description: 'Explicit path to the workflow file to scan (relative to repo root). Auto-detected from GITHUB_WORKFLOW_REF when omitted.'
    required: false
    default: ''

outputs:
  sbom-path:
    description: 'Absolute path to the generated SBOM file'
    value: ${{ steps.generate.outputs.sbom-path }}
  component-count:
    description: 'Number of action components included in the SBOM'
    value: ${{ steps.generate.outputs.component-count }}

runs:
  using: composite
  steps:
    - name: Check Python availability
      shell: bash
      run: |
        if ! command -v python3 &>/dev/null; then
          echo "::error::python3 is required but not available on this runner"
          exit 1
        fi
        python3 -c "import yaml" 2>/dev/null || pip3 install pyyaml --quiet

    - name: Generate SBOM
      id: generate
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.github-token }}
        SBOM_OUTPUT_FILE: ${{ inputs.output-file }}
        SBOM_WORKFLOW_FILE: ${{ inputs.workflow-file }}
      run: python3 "${{ github.action_path }}/scripts/generate_sbom.py"