Update workflow

j28smith · j28smith · commit f77aad435f35 · 2025-11-04T12:54:07.000-05:00
- Update actions to latest versions
- Move signing to build step (comparing timing
   to see how much faster this is to do during build step)
diff --git a/.github/workflows/hugo.yaml b/.github/workflows/hugo.yaml
@@ -42,12 +42,12 @@ jobs:
           submodules: recursive
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: false
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Setup Pages
@@ -114,6 +114,18 @@ jobs:
         with:
           name: generated-sbom
           path: ./marketing/shiftleftcyber.github.io.cdx.json
+      - name: Sign SBOM
+        uses: shiftleftcyber/secure-sbom-action@v1.3.1
+        with:
+          sbom_file: shiftleftcyber.github.io.cdx.json
+          secure_sbom_action: sign
+          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
+          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
+      - name: Upload Signed SBOM
+        uses: actions/upload-artifact@v5
+        with:
+          name: signed-sbom
+          path: ./marketing/shiftleftcyber.github.io.cdx.signed.json
   # --------------------------------------------------
   # 2️⃣ Deploy
   # --------------------------------------------------
@@ -127,34 +139,3 @@ jobs:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4
-
-  # --------------------------------------------------
-  # 3️⃣ Sign SBOM
-  # --------------------------------------------------
-  sign-sbom:
-    name: 🔏 Sign SBOM
-    runs-on: ubuntu-latest
-    needs: build
-
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v5
-
-      - name: Download Generated SBOM
-        uses: actions/download-artifact@v6
-        with:
-          name: generated-sbom
-
-      - name: Sign SBOM
-        uses: shiftleftcyber/secure-sbom-action@v1.3.1
-        with:
-          sbom_file: shiftleftcyber.github.io.cdx.json
-          secure_sbom_action: sign
-          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
-          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
-
-      - name: Upload Signed SBOM
-        uses: actions/upload-artifact@v5
-        with:
-          name: signed-sbom
-          path: ./marketing/shiftleftcyber.github.io.cdx.signed.json
