Fix CI: generate proper SPDX SBOM, opt into Node.js 24

matlimatli · matlimatli · commit ff65435f6396 · 2026-03-22T20:36:02.000+01:00
Replace Anchore/Syft (which can't detect C++ FetchContent deps) with
our own generate-sbom.py that produces a correct SPDX 2.3 JSON with
all four dependencies and their relationships. Set
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 to silence the deprecation warning.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
 jobs:
   build:
     strategy:
@@ -32,16 +35,11 @@ jobs:
   sbom:
     runs-on: ubuntu-latest
     needs: build
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@v4
 
-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0
-        with:
-          format: spdx-json
-          output-file: sbom.spdx.json
+      - name: Generate SPDX SBOM
+        run: python3 scripts/generate-sbom.py > sbom.spdx.json
 
       - name: Upload SBOM
         uses: actions/upload-artifact@v4
diff --git a/README.md b/README.md
@@ -117,7 +117,7 @@ how what time is it in Tokyo        # same result
 
 ## SBOM
 
-Third-party dependencies and their licenses are listed in [SBOM.md](SBOM.md). CI generates a machine-readable SPDX artifact as well.
+Third-party dependencies and their licenses are listed in [SBOM.md](SBOM.md). CI generates a machine-readable SPDX JSON artifact from [scripts/generate-sbom.py](scripts/generate-sbom.py).
 
 ## License
 
diff --git a/scripts/generate-sbom.py b/scripts/generate-sbom.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+"""Generate an SPDX 2.3 SBOM for the how project."""
+
+import json
+import uuid
+from datetime import datetime, timezone
+
+sbom = {
+    "spdxVersion": "SPDX-2.3",
+    "dataLicense": "CC0-1.0",
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "how",
+    "documentNamespace": f"https://github.com/matlimatli/how/spdx/{uuid.uuid4()}",
+    "creationInfo": {
+        "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "creators": ["Tool: scripts/generate-sbom.py"],
+        "licenseListVersion": "3.25",
+    },
+    "packages": [
+        {
+            "SPDXID": "SPDXRef-Package-how",
+            "name": "how",
+            "versionInfo": "1.0.0",
+            "supplier": "Person: Mattias Lindblad",
+            "downloadLocation": "https://github.com/matlimatli/how",
+            "filesAnalyzed": False,
+            "licenseConcluded": "MIT",
+            "licenseDeclared": "MIT",
+            "copyrightText": "Copyright (c) 2026 Mattias Lindblad",
+            "primaryPackagePurpose": "APPLICATION",
+        },
+        {
+            "SPDXID": "SPDXRef-Package-libcurl",
+            "name": "libcurl",
+            "versionInfo": "system",
+            "supplier": "Organization: curl project",
+            "downloadLocation": "https://curl.se/",
+            "filesAnalyzed": False,
+            "licenseConcluded": "curl",
+            "licenseDeclared": "curl",
+            "copyrightText": "Copyright (c) Daniel Stenberg",
+            "externalRefs": [
+                {
+                    "referenceCategory": "PACKAGE-MANAGER",
+                    "referenceType": "purl",
+                    "referenceLocator": "pkg:generic/libcurl",
+                }
+            ],
+        },
+        {
+            "SPDXID": "SPDXRef-Package-nlohmann-json",
+            "name": "nlohmann-json",
+            "versionInfo": "3.12.0",
+            "supplier": "Person: Niels Lohmann",
+            "downloadLocation": "https://github.com/nlohmann/json/archive/refs/tags/v3.12.0.tar.gz",
+            "filesAnalyzed": False,
+            "licenseConcluded": "MIT",
+            "licenseDeclared": "MIT",
+            "copyrightText": "Copyright (c) 2013-2025 Niels Lohmann",
+            "externalRefs": [
+                {
+                    "referenceCategory": "PACKAGE-MANAGER",
+                    "referenceType": "purl",
+                    "referenceLocator": "pkg:github/nlohmann/json@v3.12.0",
+                }
+            ],
+        },
+        {
+            "SPDXID": "SPDXRef-Package-googletest",
+            "name": "googletest",
+            "versionInfo": "1.17.0",
+            "supplier": "Organization: Google LLC",
+            "downloadLocation": "https://github.com/google/googletest/archive/refs/tags/v1.17.0.tar.gz",
+            "filesAnalyzed": False,
+            "licenseConcluded": "BSD-3-Clause",
+            "licenseDeclared": "BSD-3-Clause",
+            "copyrightText": "Copyright 2008 Google Inc.",
+            "comment": "Build-time only dependency (unit tests).",
+            "externalRefs": [
+                {
+                    "referenceCategory": "PACKAGE-MANAGER",
+                    "referenceType": "purl",
+                    "referenceLocator": "pkg:github/google/googletest@v1.17.0",
+                }
+            ],
+        },
+    ],
+    "relationships": [
+        {
+            "spdxElementId": "SPDXRef-DOCUMENT",
+            "relatedSpdxElement": "SPDXRef-Package-how",
+            "relationshipType": "DESCRIBES",
+        },
+        {
+            "spdxElementId": "SPDXRef-Package-how",
+            "relatedSpdxElement": "SPDXRef-Package-libcurl",
+            "relationshipType": "DEPENDS_ON",
+        },
+        {
+            "spdxElementId": "SPDXRef-Package-how",
+            "relatedSpdxElement": "SPDXRef-Package-nlohmann-json",
+            "relationshipType": "DEPENDS_ON",
+        },
+        {
+            "spdxElementId": "SPDXRef-Package-how",
+            "relatedSpdxElement": "SPDXRef-Package-googletest",
+            "relationshipType": "DEV_DEPENDENCY_OF",
+        },
+    ],
+}
+
+print(json.dumps(sbom, indent=2))
