
Commit 408d974

committed
feat: modify sbom workflow to push to the repo instead of creating action's artifact
1 parent 210997d commit 408d974

1 file changed

Lines changed: 27 additions & 37 deletions


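--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -1,21 +1,24 @@
-name: SBOM
-
-permissions:
-contents: read
+name: SBOM
 
 on:
 workflow_dispatch:
-pull_request:
+push:
+branches:
+- fix/*
+
+permissions:
+contents: read
 
 jobs:
 sbom:
 runs-on: ubuntu-latest
-
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+with:
+persist-credentials: false
 
-# Caches Gradle dependencies to avoid downloading them on every run
 - name: Cache Gradle dependencies
 uses: actions/cache@v4
 with:
@@ -33,42 +36,29 @@ jobs:
 java-version: '17'
 distribution: 'temurin'
 
-- name: Install xsltproc
+- name: Check if last commit was by SBOM bot
 run: |
-sudo apt-get update
-sudo apt-get install -y xsltproc
+AUTHOR_EMAIL=$(git log -1 --pretty=format:'%ae')
+echo "Last commit author: $AUTHOR_EMAIL"
+if [ "$AUTHOR_EMAIL" = "devops@owncloud.com" ]; then
+exit 78
+fi
 
-# Use --no-daemon to prevent Gradle from running in the background
 - name: Generate SBOM (CycloneDX)
 run: ./gradlew --no-daemon cyclonedxBom
 
-- name: Convert SBOM to HTML
-run: xsltproc sbom/cyclonedx-xml-to-html.xslt build/reports/bom.xml > sbom.html
-
-# Create a specific artifact name using the branch name and timestamp
-- name: Set artifact name
-id: vars
-run: |
-BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-' | tr '[:upper:]' '[:lower:]')
-TIMESTAMP=$(date -u +"%Y%m%d-%H%M%S")
-echo "artifact_name=sbom-${SAFE_BRANCH}-${TIMESTAMP}" >> $GITHUB_OUTPUT
-
-- name: Rename SBOM XML and HTML files to match artifact name
-run: |
-mv sbom.html "${{ steps.vars.outputs.artifact_name }}.html"
-mv build/reports/bom.xml "${{ steps.vars.outputs.artifact_name }}.xml"
-mv build/reports/bom.json "${{ steps.vars.outputs.artifact_name }}.json"
+- name: Move and rename SBOM to root
+run: mv build/reports/bom.json ./sbom.json
 
-- name: ZIP all the files
+- name: Clean serialNumber and timestamp in SBOM
 run: |
-zip "${{ steps.vars.outputs.artifact_name }}.zip" \
-"${{ steps.vars.outputs.artifact_name }}.html" \
-"${{ steps.vars.outputs.artifact_name }}.xml" \
-"${{ steps.vars.outputs.artifact_name }}.json"
+sudo apt-get update && sudo apt-get install -y jq
+jq 'del(.serialNumber, .timestamp)' sbom.json > sbom_clean.json && mv sbom_clean.json sbom.json
 
-- name: Upload SBOM artifact
-uses: actions/upload-artifact@v4
+- name: Commit SBOM to PR branch
+uses: GuillaumeFalourd/git-commit-push@v1.3
 with:
-name: ${{ steps.vars.outputs.artifact_name }}
-path: ${{ steps.vars.outputs.artifact_name }}.zip
+email: devops@owncloud.com
+name: ownClouders
+commit_message: "docs: SBOM updated"
+access_token: ${{ secrets.GH_PAT }}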
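Review bot: The new `Commit SBOM to PR branch` step passes the long-lived `secrets.GH_PAT` to a third-party action referenced by the mutable tag `@v1.3`, so any change to what that tag points at would run with the token. Pin the action to a reviewed commit, e.g. `uses: GuillaumeFalourd/git-commit-push@<full-commit-sha> # v1.3`, and, if branch protection permits, replace the PAT with the job's `GITHUB_TOKEN` under a job-level `permissions: contents: write` so the credential is short-lived and limited to this repository. Pushes made with `GITHUB_TOKEN` do not start new workflow runs, which would also make the author-email guard unnecessary; as written, `exit 78` is an ordinary non-zero exit and will most likely mark the run as failed on every bot commit rather than skip it. If the PAT has to stay, a comment above the step stating which scopes it needs would help whoever rotates it.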
