Skip to content

Add on-demand SBOM generation workflow #191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Lukasz-Juranek wants to merge 1 commit into
base: main
Choose a base branch
from
+1,353 −44
Open

Add on-demand SBOM generation workflow #191

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 87 additions & 0 deletions .github/workflows/generate_sbom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
# SBOM Generation Workflow
#
# Summary:
# Generates a Software Bill of Materials (SPDX 2.3 + CycloneDX 1.6) for the
# core showcase Bazel targets and stores the results as a GitHub Actions
# artifact. Submits the SPDX snapshot to the GitHub Dependency Submission API
# to enable Dependabot vulnerability alerts.
#
# Triggers:
# - workflow_dispatch (on-demand only)
#
# Outputs:
# - Artifact "sbom-<sha>": reference_integration_sbom.spdx.json +
# reference_integration_sbom.cdx.json (retained 90 days)
# - GitHub Dependency Graph snapshot (enables Dependabot alerts per commit)
#
# Covered targets:
# - //showcases/cli:cli
# - //showcases/orchestration_persistency:orch_per_example
name: Generate SBOM
on:
workflow_dispatch:
jobs:
sbom:
runs-on: ubuntu-latest
permissions:
contents: write # required for GitHub Dependency Submission API
steps:
- name: Clean disk space
uses: eclipse-score/more-disk-space@v1
- name: Checkout repository
uses: actions/checkout@v4.2.2
- name: Setup Bazel
uses: bazel-contrib/setup-bazel@0.18.0
with:
bazelisk-cache: true
disk-cache: ${{ github.workflow }}
repository-cache: true
cache-save: true
- name: Install uv
uses: astral-sh/setup-uv@v7.6.0
- name: Install Java for Rust crate metadata
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends openjdk-11-jre-headless
- name: Build SBOM
run: bazel build --lockfile_mode=error //:reference_integration_sbom
- name: Upload SBOM artifacts
uses: actions/upload-artifact@v4
with:
name: sbom-${{ github.sha }}
path: |
bazel-bin/reference_integration_sbom.spdx.json
bazel-bin/reference_integration_sbom.cdx.json
retention-days: 90
- name: Convert SPDX to GitHub Dependency snapshot
run: |
bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin -- \
--input "$GITHUB_WORKSPACE/bazel-bin/reference_integration_sbom.spdx.json" \
--output "$GITHUB_WORKSPACE/snapshot.json" \
--sha "${{ github.sha }}" \
--ref "${{ github.ref }}" \
--job-correlator "generate-sbom" \
--job-id "${{ github.run_id }}"
- name: Submit to GitHub Dependency Submission API
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const snapshot = JSON.parse(fs.readFileSync(process.env.GITHUB_WORKSPACE + '/snapshot.json', 'utf8'));
await github.rest.dependencyGraph.createRepositorySnapshot({
owner: context.repo.owner,
repo: context.repo.repo,
...snapshot,
});
Copy link
Contributor

@pawelrutkaq pawelrutkaq Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please explain what is happing here and why.

13 changes: 13 additions & 0 deletions BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
# *******************************************************************************

load("@score_docs_as_code//:docs.bzl", "docs")
load("@score_sbom//:defs.bzl", "sbom")
load("@score_tooling//:defs.bzl", "copyright_checker", "setup_starpls", "use_format_targets")

# Docs-as-code
Expand Down Expand Up @@ -69,3 +70,15 @@ exports_files([
"MODULE.bazel",
"pyproject.toml",
])

# SBOM for core showcase targets
sbom(
name = "reference_integration_sbom",
auto_crates_cache = True,
component_name = "score_reference_integration",
module_lockfiles = [":MODULE.bazel.lock"],
targets = [
"//showcases/cli:cli",
"//showcases/orchestration_persistency:orch_per_example",
Copy link
Contributor

@pawelrutkaq pawelrutkaq Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does not sounds like what you mostly want to shall do. Guess we shall check all incoming modules mainaly or ?

],
)
12 changes: 12 additions & 0 deletions MODULE.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,18 @@ git_override(
remote = "https://github.com/bmw-software-engineering/trlc.git",
)

# SBOM generation
bazel_dep(name = "score_sbom")
git_override(
module_name = "score_sbom",
commit = "1adca3f11116f3bfe7c41f7564d011011fba31df",
remote = "https://github.com/eclipse-score/sbom-tool.git",
)

sbom_ext = use_extension("@score_sbom//:extensions.bzl", "sbom_metadata")
sbom_ext.track_module(name = "score_ref_int")
use_repo(sbom_ext, "sbom_metadata")

# Currently required for ifs tooling
bazel_dep(name = "score_toolchains_qnx", version = "0.0.7")

Expand Down
Loading
Loading