feat: modify sbom workflow to push to the repo instead of creating action's artifact

jesmrec · jesmrec · commit db63655d3db5 · 2025-07-04T10:14:54.000+02:00
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,21 +1,28 @@
-name: SBOM 
-
-permissions:
-  contents: read
+name: SBOM
 
 on:
   workflow_dispatch:
-  pull_request:
+  push:
+    branches:
+      - master
+      - main
+
+permissions:
+  contents: write
 
 jobs:
   sbom:
     runs-on: ubuntu-latest
-   
+
     steps:
+      # Checkout the full repository history (required to access origin/master)
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
 
-      # Caches Gradle dependencies to avoid downloading them on every run
+      # Cache Gradle dependencies for faster builds
       - name: Cache Gradle dependencies
         uses: actions/cache@v4
         with:
@@ -27,48 +34,55 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gradle-
 
+      # Set up Java 17 for the Gradle build
       - name: Set up JDK 17
         uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
-      - name: Install xsltproc
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y xsltproc
-
-      # Use --no-daemon to prevent Gradle from running in the background
+      # Generate the SBOM file using the CycloneDX plugin
       - name: Generate SBOM (CycloneDX)
         run: ./gradlew --no-daemon cyclonedxBom  
 
-      - name: Convert SBOM to HTML
-        run: xsltproc sbom/cyclonedx-xml-to-html.xslt build/reports/bom.xml > sbom.html
+      # Move the generated SBOM to the repository root and rename it
+      - name: Move and rename SBOM to root
+        run: mv build/reports/bom.json ./sbom.json
 
-      # Create a specific artifact name using the branch name and timestamp
-      - name: Set artifact name
-        id: vars
+      # Remove non-deterministic fields to ensure meaningful diffs
+      - name: Clean serialNumber and timestamp in SBOM
         run: |
-          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-          SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-' | tr '[:upper:]' '[:lower:]')
-          TIMESTAMP=$(date -u +"%Y%m%d-%H%M%S")
-          echo "artifact_name=sbom-${SAFE_BRANCH}-${TIMESTAMP}" >> $GITHUB_OUTPUT
+          sudo apt-get update && sudo apt-get install -y jq
+          jq 'del(.serialNumber, .timestamp)' sbom.json > sbom_clean.json && mv sbom_clean.json sbom.json
+
+      # Fetch the latest state of the master branch for comparison
+      - name: Fetch origin/master
+        run: git fetch origin master
 
-      - name: Rename SBOM XML and HTML files to match artifact name
+      # Extract and clean the SBOM from origin/master for comparison
+      - name: Extract clean SBOM from origin/master
         run: |
-          mv sbom.html "${{ steps.vars.outputs.artifact_name }}.html"
-          mv  build/reports/bom.xml "${{ steps.vars.outputs.artifact_name }}.xml"
-          mv  build/reports/bom.json "${{ steps.vars.outputs.artifact_name }}.json"
+          # If sbom.json does not exist on master, create an empty JSON to prevent failure
+          git show origin/master:sbom.json > sbom_master.json || echo '{}' > sbom_master.json
+          jq 'del(.serialNumber, .timestamp)' sbom_master.json > sbom_master_clean.json
 
-      - name: ZIP all the files
+      # Compare the current SBOM with the cleaned version from master
+      - name: Compare current SBOM with master
+        id: diff
         run: |
-          zip "${{ steps.vars.outputs.artifact_name }}.zip" \
-              "${{ steps.vars.outputs.artifact_name }}.html" \
-              "${{ steps.vars.outputs.artifact_name }}.xml" \
-              "${{ steps.vars.outputs.artifact_name }}.json"
+          if diff -q sbom.json sbom_master_clean.json; then
+            echo "no_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "no_changes=false" >> $GITHUB_OUTPUT
+          fi
 
-      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
+      # Commit and push the new SBOM only if it differs from master
+      - name: Commit files
+        if: steps.diff.outputs.no_changes == 'false'
+        uses: GuillaumeFalourd/git-commit-push@v1.3
         with:
-          name: ${{ steps.vars.outputs.artifact_name }}
-          path: ${{ steps.vars.outputs.artifact_name }}.zip
+          email: devops@owncloud.com
+          name: ownClouders
+          commit_message: "docs: SBOM updated [skip ci]"
+          files: sbom.json
+          access_token: ${{ github.token }}
