44 workflow_dispatch :
55 push :
66 branches :
7- - feature/*
8- - fix/*
9- - improvement/*
10- - release/*
11- - technical/*
12- - ' dependabot/**'
7+ - master
138
149# Cancels other executions in the same branch
1510concurrency :
@@ -21,9 +16,9 @@ permissions:
2116
2217jobs :
2318 sbom :
24- # Skip if the job was triggered by the SBOM commit or a merge commit in the latest push.
25- if : " !contains(github.event.head_commit.message, 'Merge pull request') && !contains(github.event.head_commit.message, 'SBOM updated')"
2619 runs-on : ubuntu-latest
20+ env :
21+ SOURCE_BRANCH : chore/sbom-update
2722
2823 steps :
2924 # Checkout the repository
3429 fetch-depth : 2
3530 persist-credentials : false
3631
37-
3832 # Cache Gradle dependencies to speed up future builds
3933 - name : Cache Gradle dependencies
4034 uses : actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
@@ -79,12 +73,26 @@ jobs:
7973 EOF
8074 chmod +x normalize-sbom.sh
8175
82- # Compares with the HEAD to check if there are changes
83- - name : Compare with previous SBOM
76+ # Compare with the SBOM update branch, or master as fallback
77+ - name : Compare with previous SBOM in branch or master as fallback
8478 id : compare
8579 run : |
86- # Try HEAD first to compare with previous commit's sbom (HEAD~1)
87- git show HEAD~1:sbom.json > sbom_prev.json 2>/dev/null || echo '{}' > sbom_prev.json
80+ FALLBACK_BRANCH="master"
81+
82+ echo "Looking for previous SBOM..."
83+
84+ # Make sure remote references are available
85+ git fetch origin "$SOURCE_BRANCH" "$FALLBACK_BRANCH" --depth=1 || true
86+
87+ if git ls-remote --exit-code --heads origin "$SOURCE_BRANCH" > /dev/null 2>&1; then
88+ PREVIOUS_SBOM_REF="origin/$SOURCE_BRANCH"
89+ echo "Branch $SOURCE_BRANCH exists. Using sbom.json from $PREVIOUS_SBOM_REF"
90+ else
91+ PREVIOUS_SBOM_REF="origin/$FALLBACK_BRANCH"
92+ echo "Branch $SOURCE_BRANCH does not exist. Using sbom.json from $PREVIOUS_SBOM_REF"
93+ fi
94+
95+ git show "$PREVIOUS_SBOM_REF:sbom.json" > sbom_prev.json
8896
8997 ./normalize-sbom.sh sbom_prev.json sbom_prev_normalized.json
9098 ./normalize-sbom.sh sbom.json sbom_current_normalized.json
@@ -100,19 +108,24 @@ jobs:
100108
101109 # Generate a token to perform the commit in the next step
102110 - name : Generate GitHub App token
111+ if : steps.compare.outputs.no_changes == 'false'
103112 id : app-token
104113 uses : actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
105114 with :
106115 app-id : ${{ secrets.SBOM_APP_ID }}
107116 private-key : ${{ secrets.SBOM_APP_PRIVATE_KEY }}
108117
109- # Commit the SBOM file only if it differs from master to avoid unnecessary commits
110- - name : Commit and push updated SBOM
118+ # Create a branch with latest SBOM changes only if there are changes
119+ - name : Create or update SBOM PR
111120 if : steps.compare.outputs.no_changes == 'false'
112- uses : GuillaumeFalourd/git-commit-push@205c043bca2f932f7a48a28a8d619ba30eb84baf # v1.3
121+ uses : peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
113122 with :
114- commit_message : " docs: SBOM updated"
115- files : sbom.json
116- email : devops@owncloud.com
117- name : ownClouders
118- access_token : ${{ steps.app-token.outputs.token }}
123+ add-paths : sbom.json
124+ token : ${{ steps.app-token.outputs.token }}
125+ branch : ${{ env.SOURCE_BRANCH }}
126+ base : master
127+ commit-message : " chore: update SBOM"
128+ title : " chore: update sbom.json"
129+ body : " Automated SBOM update. This pull request is updated on each push to `master` or manual dispatch — merging it will close it and a fresh one will be opened on the next change."
130+ delete-branch : true
131+ sign-commits : true
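Review bot: The `|| echo '{}' > sbom_prev.json` fallback that the old `git show HEAD~1:sbom.json` line carried is dropped on the new `git show "$PREVIOUS_SBOM_REF:sbom.json"` line, so when the chosen ref has no sbom.json yet (first run on a branch without one) the step fails instead of producing the initial SBOM PR, since Actions runs `run:` scripts with bash `-e` by default. The `git fetch origin "$SOURCE_BRANCH" "$FALLBACK_BRANCH" --depth=1 || true` line also hides every fetch error while the branch choice is made from a separate `git ls-remote` network call, so a fetch that failed (or, as I read git's behaviour, aborted entirely because the first refspec did not exist) can leave `origin/$SOURCE_BRANCH` absent locally while the script still selects it, and the step then dies with an unhelpful `git show` error; note that `persist-credentials: false` above means both calls run unauthenticated. Deciding on the fetch result itself and restoring the empty-document fallback keeps the job deterministic. The `run:` block of the compare step continues outside the hunk (the `no_changes` output consumed in the later steps is presumably set there).
```yaml
        run: |
          FALLBACK_BRANCH="master"
          echo "Looking for previous SBOM..."
          # Decide on the fetch result itself, so a failed fetch cannot leave
          # PREVIOUS_SBOM_REF pointing at a ref that does not exist locally
          if git fetch --depth=1 origin "$SOURCE_BRANCH"; then
            PREVIOUS_SBOM_REF="origin/$SOURCE_BRANCH"
            echo "Branch $SOURCE_BRANCH exists. Using sbom.json from $PREVIOUS_SBOM_REF"
          else
            git fetch --depth=1 origin "$FALLBACK_BRANCH"
            PREVIOUS_SBOM_REF="origin/$FALLBACK_BRANCH"
            echo "Branch $SOURCE_BRANCH does not exist. Using sbom.json from $PREVIOUS_SBOM_REF"
          fi
          # First run (no sbom.json on the chosen ref): compare against an empty document
          git show "$PREVIOUS_SBOM_REF:sbom.json" > sbom_prev.json 2>/dev/null || echo '{}' > sbom_prev.json
          # … unchanged: normalize both files and compare …
```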