Merge pull request #26 from shiftleftcyber/feat/SBOMSigningFAQ #40
| # Workflow referenced from: https://gohugo.io/host-and-deploy/host-on-github-pages/ | |
| name: Deploy Hugo site to Pages | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| pages: write | |
| id-token: write | |
| concurrency: | |
| group: pages | |
| cancel-in-progress: false | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: ./marketing | |
| jobs: | |
| # -------------------------------------------------- | |
| # 1️⃣ Build | |
| # -------------------------------------------------- | |
| build: | |
| runs-on: ubuntu-latest | |
| env: | |
| DART_SASS_VERSION: 1.93.2 | |
| GO_VERSION: 1.25.3 | |
| HUGO_VERSION: 0.152.2 | |
| NODE_VERSION: 22.20.0 | |
| TZ: America/Toronto | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: false | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Setup Pages | |
| id: pages | |
| uses: actions/configure-pages@v5 | |
| - name: Create directory for user-specific executable files | |
| run: | | |
| mkdir -p "${HOME}/.local" | |
| - name: Install Dart Sass | |
| run: | | |
| curl -sLJO "https://github.com/sass/dart-sass/releases/download/${DART_SASS_VERSION}/dart-sass-${DART_SASS_VERSION}-linux-x64.tar.gz" | |
| tar -C "${HOME}/.local" -xf "dart-sass-${DART_SASS_VERSION}-linux-x64.tar.gz" | |
| rm "dart-sass-${DART_SASS_VERSION}-linux-x64.tar.gz" | |
| echo "${HOME}/.local/dart-sass" >> "${GITHUB_PATH}" | |
| - name: Install Hugo | |
| run: | | |
| curl -sLJO "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz" | |
| mkdir "${HOME}/.local/hugo" | |
| tar -C "${HOME}/.local/hugo" -xf "hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz" | |
| rm "hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz" | |
| echo "${HOME}/.local/hugo" >> "${GITHUB_PATH}" | |
| - name: Verify installations | |
| run: | | |
| echo "Dart Sass: $(sass --version)" | |
| echo "Go: $(go version)" | |
| echo "Hugo: $(hugo version)" | |
| echo "Node.js: $(node --version)" | |
| - name: Install Node.js dependencies | |
| run: | | |
| [[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true | |
| - name: Configure Git | |
| run: | | |
| git config core.quotepath false | |
| - name: Cache restore | |
| id: cache-restore | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: ${{ runner.temp }}/hugo_cache | |
| key: hugo-${{ github.run_id }} | |
| restore-keys: | |
| hugo- | |
| - name: Build the site | |
| run: | | |
| hugo \ | |
| --gc \ | |
| --minify \ | |
| --baseURL "${{ steps.pages.outputs.base_url }}/" \ | |
| --cacheDir "${{ runner.temp }}/hugo_cache" | |
| - name: Cache save | |
| id: cache-save | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: ${{ runner.temp }}/hugo_cache | |
| key: ${{ steps.cache-restore.outputs.cache-primary-key }} | |
| - name: Upload artifact | |
| uses: actions/upload-pages-artifact@v4 | |
| with: | |
| path: ./marketing/public | |
| - name: Generate CycloneDX SBOM | |
| run: npx @cyclonedx/cyclonedx-npm --output-format JSON --output-file shiftleftcyber.github.io.cdx.json | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: generated-sbom | |
| path: ./marketing/shiftleftcyber.github.io.cdx.json | |
| - name: Sign SBOM | |
| uses: shiftleftcyber/secure-sbom-action@v1.3.1 | |
| with: | |
| sbom_file: ./marketing/shiftleftcyber.github.io.cdx.json | |
| secure_sbom_action: sign | |
| api_key: ${{ secrets.SECURE_SBOM_API_KEY }} | |
| key_id: ${{ secrets.SECURE_SBOM_KEYID }} | |
| - name: Upload Signed SBOM | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: signed-sbom | |
| path: ./marketing/shiftleftcyber.github.io.cdx.signed.json | |
| # -------------------------------------------------- | |
| # 2️⃣ Deploy | |
| # -------------------------------------------------- | |
| deploy: | |
| environment: | |
| name: github-pages | |
| url: ${{ steps.deployment.outputs.page_url }} | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Deploy to GitHub Pages | |
| id: deployment | |
| uses: actions/deploy-pages@v4 |
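Review bot: The document signed in the `Sign SBOM` step comes from an unpinned generator: `npx @cyclonedx/cyclonedx-npm ...` in `Generate CycloneDX SBOM` resolves to whatever version is current on npm at run time and runs it inside the build job, so the signature attests to the output of a producer the workflow never fixed; pin it, e.g. `run: npx --yes @cyclonedx/cyclonedx-npm@<PINNED_VERSION> --output-format JSON --output-file shiftleftcyber.github.io.cdx.json`. The same integrity gap applies to the Dart Sass and Hugo tarballs in `Install Dart Sass` and `Install Hugo`: both are fetched with curl, extracted and appended to `GITHUB_PATH` without any digest check, so the expected SHA-256 for each pinned version should be verified with `sha256sum -c` before the `tar` line. Separately, `[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true` in `Install Node.js dependencies` turns a failed `npm ci` into a green step, which means the SBOM can be generated, and then signed, from an incomplete or missing `node_modules`; the install failure itself should not be masked, e.g. `if [[ -f package-lock.json || -f npm-shrinkwrap.json ]]; then npm ci; fi`. This is a merge commit rendered without change markers, so which of these lines the PR introduced cannot be told from the page.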