Adds new SBOM structure (#211)
Adds new SBOM build and upload flow.
vpetersson authored Aug 21, 2024
1 parent 40d2faa commit fa25650
Showing 3 changed files with 90 additions and 19 deletions.
56 changes: 37 additions & 19 deletions .github/workflows/sbom.yml
Expand Up @@ -3,39 +3,57 @@ name: Generate SBOMs

on:
push:
branches:
- master
paths:
- 'Cargo.lock'
tags:
- 'v*'

jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- uses: actions/setup-python@v5
with:
python-version: '3.10'
cache: 'pip'
- name: Install cyclonedx-rust-cargo
run: |
cargo install cargo-cyclonedx
- name: Install sbom4rust
- name: Generate SBOM
run: |
pip install git+https://github.com/anthonyharrison/sbom4rust.git
cargo cyclonedx \
--spec-version 1.5 \
-f json
- name: Run sbom4rust
- name: Enrich and clean up SBOM
run: |
sbom4rust -a screenly-cli --sbom spdx --format json -o sbom.spdx.json
sbom4rust -a screenly-cli --sbom cyclonedx --format json -o sbom.cyclonedx.json
- name: Upload SPDX SBOM
uses: actions/upload-artifact@v3
with:
name: cli-SPDX
path: sbom.spdx.json
# Grab the version
export VERSION_TAG="${GITHUB_REF#refs/*/}"
export VERION=$(echo $VERSION_TAG | sed 's/^v//g')
# Delete unnecessary metadata.component.components and
# set GITHUB_RUN_NUMBER as the version of the SBOM
jq 'del(.metadata.component.components) | .version = (env.GITHUB_RUN_NUMBER | tonumber)' \
screenly.cdx.json \
> screenly.cdx.json.tmp
mv screenly.cdx.json.tmp screenly.cdx.json
# Render SBOM metadata template
cat sbom/metadata.cdx.json.tmpl | jq | \
envsubst > metadata.cdx.json
# Merge in CycloneDX Metadata
jq --slurp '.[0] * .[1]' \
screenly.cdx.json \
metadata.cdx.json \
> screenly-cli.cdx.json
- name: Upload CycloneDX SBOM
uses: actions/upload-artifact@v3
with:
name: cli-CycloneDX
path: sbom.cyclonedx.json
path: screenly-cli.cdx.json

- name: Upload SBOM
uses: sbomify/github-action@master
with:
token: ${{ secrets.SBOMIFY_TOKEN }}
sbom-file: 'screenly-cli.cdx.json'
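Review bot: the `export VERION=$(echo $VERSION_TAG | sed 's/^v//g')` line in the "Enrich and clean up SBOM" step has a typo, so `VERSION` is never set and `envsubst` will render `${VERSION}` in `sbom/metadata.cdx.json.tmpl` as an empty string, leaving `"bom-ref": "screenly-cli-"` and `"version": ""` in the merged `screenly-cli.cdx.json`. Rename it to `export VERSION=...`. Two related points in the same step: the workflow also fires on pushes to `master` that touch `Cargo.lock`, and there `GITHUB_REF` is `refs/heads/master`, so `VERSION_TAG` (and the purl `pkg:github/${GITHUB_REPOSITORY}@${VERSION_TAG}`) becomes `master` rather than a release version; consider taking the version from the tag only, or from the component version `cargo cyclonedx` already emitted. Finally, `uses: sbomify/github-action@master` pulls an unpinned, mutable ref into a step that receives `secrets.SBOMIFY_TOKEN`; pin it to a full commit SHA (and bump `actions/checkout@v3` / `actions/upload-artifact@v3` while touching this file).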
3 changes: 3 additions & 0 deletions README.md
@@ -1,3 +1,6 @@
[![sbomified](https://sbomify.com/assets/images/logo/badge.svg)](https://app.sbomify.com/sboms/component/3/screenly-cli)


# Screenly Command Line Interface (CLI)

The Screenly CLI simplifies interactions with Screenly through your terminal, designed for both manual use and task automation.
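Review bot: style point on the badge hunk: the new `[![sbomified](...)]` line is followed by two blank lines before the `# Screenly Command Line Interface (CLI)` heading; one is enough. Note also that the link target hardcodes the sbomify component id (`/sboms/component/3/screenly-cli`); if that id is tied to the token-backed upload in the workflow, a short comment or a line in the README saying where the SBOM is published would help readers connect the badge to the artifact.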
50 changes: 50 additions & 0 deletions sbom/metadata.cdx.json.tmpl
@@ -0,0 +1,50 @@
{
"metadata": {
"manufacture": {
"name": "Screenly, Inc",
"url": [
"https://www.screenly.io"
]
},
"copyright": "Screenly, Inc",
"description": "Screenly CLI is a command line interface for inteacting with Screenly's API and building Edge Apps.",
"externalReferences": [
{
"type": "documentation",
"url": "https://developer.screenly.io/"
},
{
"type": "vcs",
"url": "https://github.com/${GITHUB_REPOSITORY}.git"
},
{
"type": "support",
"url": "https://support.screenly.io"
}
],
"lifecycles": [
{
"phase": "build"
}
],
"supplier": {
"name": "Screenly, Inc",
"url": ["https://www.screenly.io/developers/cli/"]
},
"licenses": [
{
"license": {
"id": "MIT",
"name": "MIT License",
"url": "https://raw.githubusercontent.com/${GITHUB_REPOSITORY}/master/LICENSE"
}
}
],
"component": {
"name": "screenly-cli",
"bom-ref": "screenly-cli-${VERSION}",
"purl": "pkg:github/${GITHUB_REPOSITORY}@${VERSION_TAG}",
"version": "${VERSION}"
}
}
}
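Review bot: the `description` string has a typo ("inteacting" should be "interacting"); since this text lands in every published SBOM it is worth fixing now. The `component` block relies on `${VERSION}` being exported by the workflow for both `bom-ref` and `version`, so any change to the variable name in `.github/workflows/sbom.yml` silently produces an empty version here; a comment at the top of the template listing the variables it expects (`GITHUB_REPOSITORY`, `VERSION`, `VERSION_TAG`) would make that contract explicit. Also, because the workflow merges this file with `jq --slurp '.[0] * .[1]'`, the `component.name` here overrides whatever name `cargo cyclonedx` generated; confirm that `screenly-cli` matches the crate name so the top-level component and the `purl` refer to the same thing.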
