Skip to content

Commit 4fcab4a

Browse files
authored
[codex] Add checked-in GitHub Actions consumer workflow example
Add checked-in consumer workflow example under tools/sbom-diff-and-risk/examples, with docs links. Example-only; no repository workflows, runtime behavior, CLI, schema, tests, package metadata, release tag, or publishing status changes.
1 parent 61f79ac commit 4fcab4a

3 files changed

Lines changed: 89 additions & 0 deletions

File tree

tools/sbom-diff-and-risk/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -276,6 +276,7 @@ The [examples/](examples/) directory includes:
276276
- a Scorecard-aware policy example at `examples/policy-scorecard-minimal.yml`
277277
- a sample pass JSON report at [sample-report.json](examples/sample-report.json)
278278
- a sample summary-only JSON artifact at [sample-summary.json](examples/sample-summary.json)
279+
- a consumer GitHub Actions workflow example at [github-actions-consumer.yml](examples/github-actions-consumer.yml)
279280
- a sample pass Markdown report at [sample-report.md](examples/sample-report.md)
280281
- sample policy-warn reports at [sample-policy-warn-report.json](examples/sample-policy-warn-report.json) and [sample-policy-warn-report.md](examples/sample-policy-warn-report.md)
281282
- sample policy-fail reports at [sample-policy-fail-report.json](examples/sample-policy-fail-report.json) and [sample-policy-fail-report.md](examples/sample-policy-fail-report.md)

tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,9 @@ an explicit local threshold to `summary.json`, and uploads the outputs as CI
1818
artifacts.
1919

2020
Replace the placeholder input paths with files from the consumer repository.
21+
The same workflow is also checked in as
22+
[../examples/github-actions-consumer.yml](../examples/github-actions-consumer.yml)
23+
for copying into consumer repositories.
2124

2225
```yaml
2326
name: Dependency diff review
Lines changed: 85 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,85 @@
1+
# Example only.
2+
# Copy this file into a consumer repository under .github/workflows/ if useful.
3+
# This repository does not run this file as a workflow.
4+
# Production PyPI publishing for sbom-diff-and-risk is intentionally deferred;
5+
# install from a GitHub Release asset or local checkout instead.
6+
7+
name: Dependency diff review
8+
9+
on:
10+
pull_request:
11+
workflow_dispatch:
12+
13+
permissions:
14+
contents: read
15+
16+
jobs:
17+
dependency-diff:
18+
runs-on: ubuntu-latest
19+
20+
steps:
21+
- name: Check out consumer repository
22+
uses: actions/checkout@v6
23+
24+
- name: Set up Python
25+
uses: actions/setup-python@v6
26+
with:
27+
python-version: "3.x"
28+
29+
- name: Download sbom-diff-and-risk release wheel
30+
env:
31+
GH_TOKEN: ${{ github.token }}
32+
run: |
33+
mkdir -p .tooling/sbom-diff-risk
34+
gh release download v0.6.0 \
35+
--repo stacknil/scientific-computing-toolkit \
36+
--pattern "sbom_diff_and_risk-0.6.0-py3-none-any.whl" \
37+
--dir .tooling/sbom-diff-risk
38+
39+
- name: Install sbom-diff-risk
40+
run: |
41+
python -m pip install \
42+
.tooling/sbom-diff-risk/sbom_diff_and_risk-0.6.0-py3-none-any.whl
43+
44+
- name: Compare dependency evidence
45+
run: |
46+
mkdir -p outputs
47+
sbom-diff-risk compare \
48+
--before path/to/before-sbom.json \
49+
--after path/to/after-sbom.json \
50+
--format auto \
51+
--out-json outputs/report.json \
52+
--out-md outputs/report.md \
53+
--summary-json outputs/summary.json \
54+
--out-sarif outputs/report.sarif
55+
56+
- name: Apply local summary threshold
57+
run: |
58+
python - <<'PY'
59+
import json
60+
from pathlib import Path
61+
62+
summary = json.loads(
63+
Path("outputs/summary.json").read_text(encoding="utf-8")
64+
)
65+
risk_counts = summary["risk_counts"]
66+
67+
max_new_packages = 2
68+
new_package_count = risk_counts.get("new_package", 0)
69+
print(f"new_package={new_package_count}")
70+
71+
if new_package_count > max_new_packages:
72+
raise SystemExit(
73+
f"new_package count exceeds local threshold: {max_new_packages}"
74+
)
75+
PY
76+
77+
- name: Upload dependency diff outputs
78+
uses: actions/upload-artifact@v7
79+
with:
80+
name: dependency-diff-outputs
81+
path: |
82+
outputs/report.json
83+
outputs/report.md
84+
outputs/summary.json
85+
outputs/report.sarif

0 commit comments

Comments
 (0)