From 3bdcf771852407ea461359333eac5c947171b2e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Kj=C3=A6r=20Henneberg?= Date: Fri, 15 Mar 2024 04:22:24 +1300 Subject: [PATCH] ci: Generate SBOM (#245) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## This PR Generates Software Bill of Materials (SBOM) as described in #159. Once https://github.com/NuGet/Home/issues/12497 is implemented, the SBOM file(s) should be embedded in the published nuget packages. Until then, I've added the SBOM as an asset under the release. ### Known issue The SBOM file lists the dependences for all target frameworks combined. Once the above [NuGet ](https://github.com/NuGet/Home/issues/12497)issue is implemented, it should be changed, so there is one sbom created for each target framework with only the applicable references included. ### Related Issues Fixes #159 ### How to test Unfortunately, this is somewhat cumbersome to test, as the logic in question only kicks in upon a release from the main branch. I've tested it myself this way: - Create new fork of this repo - Merge this branch to main in the new repo - Create a release in the new repo Signed-off-by: Jens Henneberg Co-authored-by: André Silva <2493377+askpt@users.noreply.github.com> --- .github/workflows/release.yml | 39 +++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 859a9078..899c3049 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,7 +6,7 @@ on: - main jobs: - release-package: + release-please: runs-on: ubuntu-latest steps: 
@@ -16,14 +16,21 @@ jobs: command: manifest token: ${{secrets.GITHUB_TOKEN}} default-branch: main + outputs: + release_created: ${{ steps.release.outputs.release_created }} + release_tag_name: ${{ steps.release.outputs.tag_name }} + release: + runs-on: ubuntu-latest + needs: release-please + if: ${{ needs.release-please.outputs.release_created }} + + steps: - uses: actions/checkout@v4 - if: ${{ steps.release.outputs.releases_created }} with: fetch-depth: 0 - name: Setup .NET SDK - if: ${{ steps.release.outputs.releases_created }} uses: actions/setup-dotnet@v4 env: NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -34,13 +41,33 @@ jobs: source-url: https://nuget.pkg.github.com/open-feature/index.json - name: Install dependencies - if: ${{ steps.release.outputs.releases_created }} run: dotnet restore - name: Pack - if: ${{ steps.release.outputs.releases_created }} run: dotnet pack --no-restore - name: Publish to Nuget - if: ${{ steps.release.outputs.releases_created }} run: dotnet nuget push "src/**/*.nupkg" --api-key "${{ secrets.NUGET_TOKEN }}" --source https://api.nuget.org/v3/index.json + + sbom: + runs-on: ubuntu-latest + needs: release-please + continue-on-error: true + if: ${{ needs.release-please.outputs.release_created }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install CycloneDX.NET + run: dotnet tool install CycloneDX + + - name: Generate .NET BOM + run: dotnet CycloneDX --json --exclude-dev -sv "${{ needs.release-please.outputs.release_tag_name }}" ./src/OpenFeature/OpenFeature.csproj + + - name: Attach SBOM to artifact + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + run: + gh release upload ${{ needs.release-please.outputs.release_tag_name }} bom.json
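Review bot: The job-level guard `if: ${{ needs.release-please.outputs.release_created }}` relies on the truthiness of a cross-job output, and job outputs are always strings (here `'true'` or empty), so it works but reads as a boolean it is not; the form release-please documents is `if: ${{ needs.release-please.outputs.release_created == 'true' }}`, and the same guard is copied into the new `sbom` job in the next hunk. The old step conditions keyed on `releases_created` (plural) while the new `outputs:` map the singular `release_created` / `tag_name`; as far as I recall those singular outputs are only populated for the root package path in manifest mode, so confirm against the action version pinned in the step that starts above this hunk. The `release-please` job itself begins outside the hunk; only its new `outputs:` block is visible here.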
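Review bot: The release tag is interpolated straight into two shell `run:` lines in the new `sbom` job (`-sv "${{ needs.release-please.outputs.release_tag_name }}"` and `gh release upload ${{ … }} bom.json`), which is the expression-injection pattern GitHub's hardening guide warns about; pass it through `env:` and quote `"$RELEASE_TAG"` instead, as below. The tag is produced by release-please so the practical risk is low, but the `env:` form costs nothing and keeps the shell line free of untrusted expansion. `dotnet tool install CycloneDX` is also unpinned, so the generator that produces a signed-off release artifact floats to whatever NuGet serves at release time — add `--version` with a fixed version (and a `setup-dotnet` step if the runner's preinstalled SDK is not guaranteed to satisfy the repo's SDK requirements, which I cannot tell from here). Finally, `continue-on-error: true` means a release can ship without its SBOM while the run still shows green; if the SBOM is meant to be a release guarantee, drop that flag or at least make the failure visible.

```yaml
  sbom:
    # … unchanged: runs-on, needs, continue-on-error, if, checkout step …
      - name: Install CycloneDX.NET
        # pin the generator so the SBOM attached to a release is reproducible
        run: dotnet tool install CycloneDX --version "$CYCLONEDX_VERSION"

      - name: Generate .NET BOM
        env:
          RELEASE_TAG: ${{ needs.release-please.outputs.release_tag_name }}
        run: dotnet CycloneDX --json --exclude-dev -sv "$RELEASE_TAG" ./src/OpenFeature/OpenFeature.csproj

      - name: Attach SBOM to artifact
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ needs.release-please.outputs.release_tag_name }}
        run: gh release upload "$RELEASE_TAG" bom.json
```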