-
Notifications
You must be signed in to change notification settings - Fork 3
107 lines (94 loc) · 3.16 KB
/
Copy pathsbom-node.yml
File metadata and controls
107 lines (94 loc) · 3.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: Generate SBOM for Node.js
on:
workflow_call:
secrets:
GH_TOKEN:
required: true
jobs:
generate-sbom:
name: Node.js SBOM Generation
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_VERSION: '20.x' # Standard, kann bei Bedarf überschrieben werden
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Node.js (base)
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
# --- Paketmanager erkennen ---
- name: Detect package manager
id: pm
shell: bash
run: |
if [[ -f yarn.lock ]]; then
echo "manager=yarn" >> "$GITHUB_OUTPUT"
elif [[ -f package-lock.json || -f npm-shrinkwrap.json ]]; then
echo "manager=npm" >> "$GITHUB_OUTPUT"
elif [[ -f package.json ]]; then
echo "manager=npm" >> "$GITHUB_OUTPUT"
else
echo "Kein package.json gefunden – Abbruch"
exit 1
fi
echo "Detected package manager: $(grep manager= $GITHUB_OUTPUT | cut -d= -f2)"
# --- Cache abhängig vom PM ---
- name: Enable cache for npm
if: ${{ steps.pm.outputs.manager == 'npm' }}
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Enable cache for Yarn
if: ${{ steps.pm.outputs.manager == 'yarn' }}
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'yarn'
# --- Dependencies installieren ---
- name: Install dependencies (Yarn)
if: ${{ steps.pm.outputs.manager == 'yarn' }}
shell: bash
run: |
corepack enable
yarn --version
if yarn --version | grep -qE '^1\.'; then
yarn install --frozen-lockfile
else
yarn install --immutable
fi
- name: Install dependencies (npm)
if: ${{ steps.pm.outputs.manager == 'npm' }}
shell: bash
run: |
if [[ -f package-lock.json || -f npm-shrinkwrap.json ]]; then
npm ci
else
npm install
fi
# --- SBOM generieren ---
- name: Generate SBOM (Yarn)
if: ${{ steps.pm.outputs.manager == 'yarn' }}
shell: bash
run: |
set -e
if yarn --version | grep -qE '^1\.'; then
npx --yes @cyclonedx/cyclonedx-npm@latest --output-file sbom.json --output-format json
else
yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --output-file sbom.json --output-format JSON
fi
- name: Generate SBOM (npm)
if: ${{ steps.pm.outputs.manager == 'npm' }}
run: npx --yes @cyclonedx/cyclonedx-npm@latest --output-file sbom.json --output-format json
# --- SBOM veröffentlichen ---
- name: Upload SBOM to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: sbom.json
- name: Upload SBOM as Artifact
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json