Generate SBOM #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOM | |
| # This workflow uses cdxgen and publishes an sbom.json artifact. | |
| # It runs on manual trigger or when package files change on main branch, | |
| # and creates a PR with the updated SBOM. | |
| # Internal documentation: go/sbom-scope | |
| on: | |
| workflow_dispatch: {} | |
| push: | |
| branches: ['master'] | |
| paths: | |
| - 'pyproject.toml' | |
| - 'requirements.txt' | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| sbom: | |
| name: Generate SBOM and Create PR | |
| runs-on: ubuntu-latest | |
| concurrency: | |
| group: sbom-${{ github.ref }} | |
| cancel-in-progress: false | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.10" | |
| - name: Generate SBOM | |
| run: | | |
| python -m venv .venv | |
| source .venv/bin/activate | |
| pip install -r requirements.txt | |
| pip install . | |
| npx @cyclonedx/cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --no-validate --json-pretty -o sbom.json | |
| env: | |
| FETCH_LICENSE: true | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.json | |
| if-no-files-found: error | |
| - name: Create Pull Request | |
| uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| commit-message: 'chore: Update SBOM after dependency changes' | |
| branch: auto-update-sbom-${{ github.run_id }} | |
| delete-branch: true | |
| title: 'chore: Update SBOM' | |
| body: | | |
| ## Automated SBOM Update | |
| This PR was automatically generated because dependency manifest files changed. | |
| ### Changes | |
| - Updated `sbom.json` to reflect current dependencies | |
| ### Verification | |
| The SBOM was generated using cdxgen with the current Python environment. | |
| ### Triggered by | |
| - Commit: ${{ github.sha }} | |
| - Workflow run: ${{ github.run_id }} | |
| --- | |
| _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_ | |
| labels: | | |
| sbom | |
| automated | |
| dependencies | |
| - name: Cleanup | |
| if: always() | |
| run: rm -rf .venv |