
CD workflow: generate SBOM artifact with least-privilege permissions#62

Merged
thomasneuberger merged 5 commits into main from copilot/extend-cd-workflow-sbom
Mar 22, 2026

Conversation

Copilot AI commented Mar 22, 2026

Contributor

Extends the CD workflow to generate an SBOM from the published container image and attach it as a workflow artifact. Adds only the permissions actually required — dropping the over-broad id-token: write and attestations: write that are only needed for signed supply-chain attestations (e.g. actions/attest-sbom), which this workflow does not create.

Changes

  • .github/workflows/cd.yml
    • Added actions: write permission (required for artifact upload)
    • Added anchore/sbom-action step post-push, producing an SPDX JSON SBOM uploaded as sbom-<image-tag>.spdx.json
    • id-token: write and attestations: write are not included — anchore/sbom-action only needs actions: write to upload the artifact
permissions:
  contents: read
  packages: write
  actions: write   # artifact upload only; no OIDC/attestation needed

- name: Generate SBOM
  uses: anchore/sbom-action@0c39f226e1aa89d60625e475bb6270a458861361
  with:
    image: ${{ env.REGISTRY }}/thomasneuberger/tghomebot-api:${{ steps.imageTag.outputs.tag }}
    artifact-name: sbom-${{ steps.imageTag.outputs.tag }}.spdx.json
    output-file: sbom.spdx.json
    format: spdx-json
Original prompt

This section details the original issue you should resolve

<issue_title>SBOM</issue_title>
<issue_description>Extend the CD workflow so that it creates an SBOM and attaches it to the run as an artifact</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: thomasneuberger <23504477+thomasneuberger@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thomasneuberger/TgHomeBot/sessions/919dae8a-b9a6-479b-8135-ed4e6160e078
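The least-privilege reasoning in the description, as an added check that is not part of the PR or the TgHomeBot repository: given a workflow already parsed the way yaml.safe_load() returns it, flag id-token: write or attestations: write when no step uses an actions/attest-* action. The job name deploy and the reduced step inputs are constructed assumptions.

```python
"""Least-privilege check for a GitHub Actions workflow: id-token: write and
attestations: write are justified only when a step actually produces a signed
attestation (actions/attest-*). Input is the mapping yaml.safe_load() returns."""
from typing import Any, Iterator

ATTESTATION_SCOPES = {"id-token", "attestations"}   # needed by actions/attest-* only


def _steps(workflow: dict[str, Any]) -> Iterator[dict[str, Any]]:
    for job in workflow.get("jobs", {}).values():
        yield from job.get("steps") or []


def uses_attestation(workflow: dict[str, Any]) -> bool:
    """True if any step uses an actions/attest-* action (e.g. actions/attest-sbom)."""
    return any(str(s.get("uses", "")).startswith("actions/attest-") for s in _steps(workflow))


def excess_permissions(workflow: dict[str, Any]) -> list[str]:
    """Return 'scope: write' entries (top-level and job-level) that no step needs."""
    blocks = [workflow.get("permissions", {})]
    blocks += [job.get("permissions", {}) for job in workflow.get("jobs", {}).values()]
    needs_attest = uses_attestation(workflow)
    findings: list[str] = []
    for perms in blocks:
        if perms == "write-all":                 # shorthand grants every scope
            findings.append("write-all")
            continue
        if not isinstance(perms, dict):          # 'read-all' or absent
            continue
        for scope, level in perms.items():
            if scope in ATTESTATION_SCOPES and level == "write" and not needs_attest:
                findings.append(f"{scope}: write")
    return findings


# Constructed input mirroring the merged cd.yml above (sbom-action step, no attest step).
CD_WORKFLOW: dict[str, Any] = {
    "permissions": {"contents": "read", "packages": "write", "actions": "write"},
    "jobs": {"deploy": {"steps": [
        {"name": "Generate SBOM", "uses": "anchore/sbom-action@0c39f226e1aa89d60625e475bb6270a458861361"},
    ]}},
}
# Constructed variant carrying the over-broad permissions the PR description drops.
OVERBROAD: dict[str, Any] = {
    "permissions": {**CD_WORKFLOW["permissions"], "id-token": "write", "attestations": "write"},
    "jobs": CD_WORKFLOW["jobs"],
}

if __name__ == "__main__":
    print("merged cd.yml:", excess_permissions(CD_WORKFLOW) or "no excess")
    print("over-broad:   ", excess_permissions(OVERBROAD))
```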
Copilot AI changed the title [WIP] Extend CD workflow to create SBOM artifact Add SBOM generation to CD workflow Mar 22, 2026
Copilot AI requested a review from thomasneuberger March 22, 2026 10:17
@thomasneuberger thomasneuberger marked this pull request as ready for review March 22, 2026 10:20
Copilot AI review requested due to automatic review settings March 22, 2026 10:20

Copilot AI left a comment

Contributor


Pull request overview

Adds SBOM generation to the CD workflow so each deployed container image has a downloadable SPDX JSON SBOM attached to the workflow run (supports supply-chain visibility for releases).

Changes:

  • Expanded workflow token permissions to support SBOM generation/attestation.
  • Added an anchore/sbom-action step to generate an SPDX JSON SBOM for the pushed image and upload it as an artifact.

thomasneuberger and others added 2 commits March 22, 2026 11:42
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… CD workflow

Co-authored-by: thomasneuberger <23504477+thomasneuberger@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thomasneuberger/TgHomeBot/sessions/520c83c2-8c1a-4670-ac3e-6cc2fd1abb96
Copilot AI changed the title Add SBOM generation to CD workflow CD workflow: generate SBOM artifact with least-privilege permissions Mar 22, 2026
@thomasneuberger thomasneuberger merged commit 20fe716 into main Mar 22, 2026
2 checks passed
@thomasneuberger thomasneuberger deleted the copilot/extend-cd-workflow-sbom branch March 22, 2026 10:49


Development

Successfully merging this pull request may close these issues.

SBOM
