forked from mongodb/mongo-ruby-driver
-
Notifications
You must be signed in to change notification settings - Fork 0
130 lines (110 loc) · 3.83 KB
/
sbom.yml
File metadata and controls
130 lines (110 loc) · 3.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: Generate SBOM
# This workflow uses cyclonedx/cdxgen and publishes an sbom.json artifact.
# It runs on manual trigger or when package files change on master branch,
# and creates a PR with the updated SBOM.
# Internal documentation: go/sbom-scope
on:
workflow_dispatch: {}
push:
branches: ['master']
paths:
- 'Gemfile'
- 'Gemfile.lock'
- 'mongo.gemspec'
permissions:
contents: write
pull-requests: write
jobs:
sbom:
name: Generate SBOM and Create PR
runs-on: ubuntu-latest
concurrency:
group: sbom-${{ github.ref }}
cancel-in-progress: false
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "3.2"
- name: Install dependencies
run: bundle install --standalone
- name: Generate SBOM
run: |
# Generate SBOM with license fetching and required-only flag
FETCH_LICENSE=true npx -y -p "@cyclonedx/cdxgen@11.0.0" \
cdxgen \
--type ruby \
--spec-version 1.5 \
--required-only \
--output sbom.json
# Post-process SBOM: remove incompatible fields and fix licenses
jq '
# Remove incompatible fields for silkbomb compatibility
del(.metadata.lifecycles) |
walk(if type == "object" then del(.evidence) else . end) |
# Fix missing licenses
.components |= map(
if .name == "yard-solargraph" and
(.licenses == null or .licenses == []) then
. + {licenses: [{license: {
id: "MIT",
url: "https://opensource.org/licenses/MIT"
}}]}
else
.
end
)
' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json
- name: Download CycloneDX CLI
run: |
curl -L -s -o /tmp/cyclonedx \
"https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
chmod +x /tmp/cyclonedx
- name: Validate SBOM
run: |
/tmp/cyclonedx validate --input-file sbom.json \
--fail-on-errors
- name: Cleanup vendor directory
if: always()
run: |
# Remove vendor directory if it was created during bundle install
rm -rf vendor/
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json
if-no-files-found: error
- name: Create Pull Request
# peter-evans/create-pull-request v7.0.6
uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: 'chore: Update SBOM after dependency changes'
branch: auto-update-sbom-${{ github.run_id }}
delete-branch: true
title: 'chore: Update SBOM'
add-paths: |
sbom.json
body: |
## Automated SBOM Update
This PR was automatically generated because dependency
manifest files changed.
### Changes
- Updated `sbom.json` to reflect current dependencies
### Verification
The SBOM was generated using @cyclonedx/cdxgen v11.0.0 with
the ruby type.
### Triggered by
- Commit: ${{ github.sha }}
- Workflow run: ${{ github.run_id }}
---
_This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
labels: |
sbom
automated
dependencies