owncloud · jesmrec · Jul 8, 2025 · Jul 8, 2025 · Jul 8, 2025 · Jul 8, 2025
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -4,13 +4,14 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - master_fake
+      - fix/*
 
 permissions:
   contents: write
 
 jobs:
   sbom:
+    # Skip if the job was triggered by the SBOM commit
     if: "!contains(github.event.head_commit.message, 'SBOM updated')"
     runs-on: ubuntu-latest
 
@@ -19,26 +20,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ssh-key: ${{ secrets.DEPLOYMENT_SSH_KEY_TEST }}
           persist-credentials: false
 
-      # Start SSH agent and add the SSH key to authenticate Git operations
-      - name: Start SSH agent and add key
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.DEPLOYMENT_SSH_KEY_TEST }}" > ~/.ssh/id_rsa
-          chmod 600 ~/.ssh/id_rsa
-          eval "$(ssh-agent -s)"
-          ssh-add ~/.ssh/id_rsa
-          ssh-keyscan github.com >> ~/.ssh/known_hosts
-          ssh -o StrictHostKeyChecking=no -T git@github.com || true
-
-      # Dry-run push to confirm SSH authentication is working
-      - name: Check SSH push permissions (dry-run)
-        run: |
-          git remote set-url origin git@github.com:${{ github.repository }}.git
-          git push --dry-run origin HEAD
-
       # Cache Gradle dependencies to speed up future builds
       - name: Cache Gradle dependencies
         uses: actions/cache@v4
@@ -77,6 +60,7 @@ jobs:
       # Prepare common JQ filter in a script
       - name: Prepare normalize script
         run: |
+          # Normalize SBOM JSON by removing non-essential fields and sorting arrays for consistent diff
           cat <<'EOF' > normalize-sbom.sh
           #!/bin/bash
 
@@ -117,3 +101,4 @@ jobs:
           name: ownClouders
           commit_message: "docs: SBOM updated"
           files: sbom.json
+          access_token: ${{ secrets.GH_PAT }}
diff --git a/check_code_script.sh b/check_code_script.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-1
+
 check_license_in_file() {
     if ! head -n 20 $FILE | grep -q "This program is free software: you can redistribute it and/or modify"
     then

diff --git a/sbom.json b/sbom.json
@@ -1,10 +1,10 @@
 {
   "bomFormat" : "CycloneDX",
   "specVersion" : "1.6",
-  "serialNumber" : "urn:uuid:30d88330-038b-4ca7-9a02-40d2e66ea86f",
+  "serialNumber" : "urn:uuid:f8033cdc-c1c4-4f6b-995c-abef32c345eb",
   "version" : 1,
   "metadata" : {
-    "timestamp" : "2025-07-08T09:31:03Z",
+    "timestamp" : "2025-07-08T12:22:13Z",
     "tools" : {
       "components" : [
         {
@@ -27,7 +27,7 @@
       "externalReferences" : [
         {
           "type" : "vcs",
-          "url" : "ssh://git@github.com:owncloud/android.git"
+          "url" : "https://github.com/owncloud/android"
         }
       ]
     },
@@ -13463,7 +13463,6 @@
       "group" : "com.github.tmurakami",
       "name" : "dexopener",
       "version" : "2.0.5",
-      "description" : "An Android library that provides the ability to mock your final classes on Android devices.",
       "hashes" : [
         {
           "alg" : "MD5",