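---
# Builds the Hugo site and stages it as a GitHub Pages artifact, then
# generates, signs and archives a CycloneDX SBOM for the site sources.
name: Build Hugo Site And Generate SBOM

on:
  push:
    # NOTE(review): add-sbom-workflow looks like a feature branch; remove it
    # from the trigger list once that branch is merged.
    branches: [main, add-sbom-workflow]
  workflow_dispatch:

env:
  COMPONENT_NAME: shiftleftcyber.github.io
  # The SBOM is versioned by the commit that produced it.
  COMPONENT_VERSION: ${{ github.sha }}
  # Latest versions as of 2025-10-14
  GO_VERSION: 1.25.3
  HUGO_VERSION: 0.151.0
  NODE_VERSION: 24.10.0
  TZ: America/Toronto

# Workflow-wide token scope. `pages: write` and `id-token: write` are the
# scopes a GitHub Pages deployment uses; nothing in this workflow runs a
# deploy-pages step, so review whether any job still needs them. Jobs that
# only read the repository should override this with `contents: read`.
permissions:
  contents: read
  pages: write
  id-token: write

# One Pages build at a time; a newly queued run waits instead of cancelling
# the run already in progress.
concurrency:
  group: "pages"
  cancel-in-progress: false

defaults:
  run:
    # With `shell: bash`, GitHub runs each step as `bash -eo pipefail`, so an
    # unhandled non-zero exit in a script fails the step.
    shell: bash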
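jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. For
      # supply-chain hardening, pin each action to a full commit SHA and keep
      # the tag as a trailing comment, e.g.
      # `uses: anchore/sbom-action@<commit-sha> # v0.20.6` (placeholder).
      - name: Checkout
        uses: actions/checkout@v5
        with:
          submodules: recursive
          # Full history is fetched (presumably for Hugo's git-derived page
          # dates -- confirm); reduce to a shallow clone if it is not needed.
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Setup Pages
        id: pages
        uses: actions/configure-pages@v5

      - name: Create directory for user-specific executable files
        run: |
          mkdir -p "${HOME}/.local"

      # Downloads the pinned Hugo release and verifies its SHA-256 against the
      # checksum list published with the same release before installing it.
      # `curl -f` turns an HTTP error (e.g. a 404 for a wrong version) into a
      # failed step instead of saving the error page as the tarball.
      - name: Install Hugo
        run: |
          tarball="hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"
          checksums="hugo_${HUGO_VERSION}_checksums.txt"
          base_url="https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}"
          curl -fsSL -o "${tarball}" "${base_url}/${tarball}"
          curl -fsSL -o "${checksums}" "${base_url}/${checksums}"
          # Only the downloaded archive is present, so only its digest is checked;
          # sha256sum fails if the archive is absent from the list or mismatches.
          sha256sum --check --ignore-missing "${checksums}"
          mkdir -p "${HOME}/.local/hugo"
          tar -C "${HOME}/.local/hugo" -xf "${tarball}"
          rm "${tarball}" "${checksums}"
          # Make hugo visible to every later step of this job.
          echo "${HOME}/.local/hugo" >> "${GITHUB_PATH}"

      - name: Verify installations
        run: |
          echo "Go: $(go version)"
          echo "Hugo: $(hugo version)"
          echo "Node.js: $(node --version)"

      # Runs `npm ci` only when a lockfile is present. The previous
      # `... && npm ci || true` form also swallowed a failing `npm ci`; now a
      # broken install fails the job.
      - name: Install Node.js dependencies
        run: |
          if [[ -f package-lock.json || -f npm-shrinkwrap.json ]]; then
            npm ci
          fi

      - name: Configure Git
        run: |
          git config core.quotepath false

      # Restore the Hugo resource cache from the most recent run; the key is
      # unique per run so `restore-keys` does the actual matching.
      - name: Cache restore
        id: cache-restore
        uses: actions/cache/restore@v4
        with:
          path: ${{ runner.temp }}/hugo_cache
          key: hugo-${{ github.run_id }}
          restore-keys:
            hugo-

      - name: Build the site
        run: |
          cd marketing
          hugo \
            --gc \
            --minify \
            --baseURL "${{ steps.pages.outputs.base_url }}/" \
            --cacheDir "${{ runner.temp }}/hugo_cache"

      - name: Cache save
        id: cache-save
        uses: actions/cache/save@v4
        with:
          path: ${{ runner.temp }}/hugo_cache
          key: ${{ steps.cache-restore.outputs.cache-primary-key }}

      - name: Upload artifact
        uses: actions/upload-pages-artifact@v3
        with:
          # NOTE(review): hugo runs inside marketing/, so its default output
          # directory would be marketing/public; confirm the site config sets
          # publishDir so that the build lands in ./public at the repo root.
          path: ./public

  # SBOM Generation job
  generate-sbom:
    runs-on: ubuntu-latest
    # Ordering only: no artifact is handed over from build.
    needs: build
    # Least privilege: this job only reads the repository, so it does not
    # inherit the Pages/OIDC write scopes from the workflow-level block.
    permissions:
      contents: read
    steps:
      # Each job starts on a fresh runner, so the sources must be checked out
      # here as well; without this step ./marketing/ does not exist and Syft
      # has nothing to catalogue. Submodules are included so the SBOM covers
      # the same tree the build job used.
      - name: Checkout
        uses: actions/checkout@v5
        with:
          submodules: recursive

      # The later steps expect the SBOM at
      # ${{ github.workspace }}/<COMPONENT_NAME>.<COMPONENT_VERSION>.sbom.cdx.json;
      # NOTE(review): confirm this is where sbom-action writes the file named by
      # `artifact-name`, or set its output location explicitly.
      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0.20.6
        with:
          path: ./marketing/
          format: cyclonedx-json
          artifact-name: ${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.json

      - name: Archive
        uses: actions/upload-artifact@v4
        with:
          name: secure-sbom-api-sbom
          path: ${{ github.workspace }}/${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.json
          retention-days: 5

      # Signing credentials come from repository secrets; they are passed to the
      # action as inputs only and never echoed by this workflow.
      - name: Sign SBOM
        uses: shiftleftcyber/secure-sbom-action@v1.3.1
        with:
          sbom_file: ${{ github.workspace }}/${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.json
          secure_sbom_action: sign
          api_key: ${{ secrets.SBOM_API_KEY }}
          key_id: ${{ secrets.SECURE_SBOM_KEYID }}

      - name: Archive (Signed SBOM)
        uses: actions/upload-artifact@v4
        with:
          name: secure-sbom-api-signed-sbom
          path: ${{ github.workspace }}/${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.signed.json
          retention-days: 5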