From 3bfa784a43eb85a096af16dae99fffde30c42204 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Wed, 19 Nov 2025 19:34:43 +0000
Subject: [PATCH 1/9] Add SBOM generation workflow

Add GitHub Actions workflow to automatically generate Software Bill of Materials (SBOM) using cdxgen. The workflow:
- Triggers on dependency file changes or manual dispatch
- Generates SBOM using CycloneDX format
- Creates a PR with updated sbom.json
---
 .github/workflows/sbom.yml | 90 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 .github/workflows/sbom.yml

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 0000000000..f0b518d1d2
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,90 @@
+name: Generate SBOM
+
+# This workflow uses cdxgen and publishes an sbom.json artifact.
+# It runs on manual trigger or when package files change on main branch,
+# and creates a PR with the updated SBOM.
+
+on:
+ workflow_dispatch: {}
+ push:
+ branches: ['main', 'sbom']
+ paths:
+ - 'pyproject.toml'
+ - 'uv.lock'
+ - 'requirements.txt'
+ - 'requirements/**/*.txt'
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ sbom:
+ name: Generate SBOM and Create PR
+ runs-on: ubuntu-latest
+ concurrency:
+ group: sbom-${{ github.ref }}
+ cancel-in-progress: false
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+
+ - name: Install uv
+ run: curl -LsSf https://astral.sh/uv/install.sh | sh
+
+ - name: Sync dependencies
+ run: |
+ uv venv .venv
+ uv sync --all-groups
+
+ - name: Generate SBOM
+ run: npx @cyclonedx/cdxgen -t python --python-path .venv/bin/python -o sbom.json
+ env:
+ FETCH_LICENSE: true
+
+ - name: Upload SBOM artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.json
+ if-no-files-found: error
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore: Update SBOM after dependency changes'
+ branch: auto-update-sbom-${{ github.run_id }}
+ delete-branch: true
+ title: 'chore: Update SBOM'
+ body: |
+ ## Automated SBOM Update
+
+ This PR was automatically generated because dependency manifest files changed.
+
+ ### Changes
+ - Updated `sbom.json` to reflect current dependencies
+
+ ### Verification
+ The SBOM was generated using cdxgen with the current Python environment.
+
+ ### Triggered by
+ - Commit: ${{ github.sha }}
+ - Workflow run: ${{ github.run_id }}
+
+ ---
+ _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
+ labels: |
+ sbom
+ automated
+ dependencies
+
+ - name: Cleanup
+ if: always()
+ run: rm -rf .venv

From 14dd7a84e9205841c0fa444202631437d9e7baf6 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Wed, 19 Nov 2025 19:39:59 +0000
Subject: [PATCH 2/9] Added in trigger for a test branch

---
 .github/workflows/sbom.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index f0b518d1d2..62ceb55c49 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -7,7 +7,7 @@ name: Generate SBOM
 on:
 workflow_dispatch: {}
 push:
- branches: ['main', 'sbom']
+ branches: ['main', 'sbom-test']
 paths:
 - 'pyproject.toml'
 - 'uv.lock'

From 66ffcb99a316097e6d211000d9d07a7d353209f3 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Wed, 19 Nov 2025 19:43:42 +0000
Subject: [PATCH 3/9] added in json pretty print param

---
 .github/workflows/sbom.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 62ceb55c49..6acf1e0d81 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -44,7 +44,7 @@ jobs:
 uv sync --all-groups
 - name: Generate SBOM
- run: npx @cyclonedx/cdxgen -t python --python-path .venv/bin/python -o sbom.json
+ run: npx @cyclonedx/cdxgen -t python --python-path .venv/bin/python --json-pretty -o sbom.json
 env:
 FETCH_LICENSE: true

From 6ff8f35010d10845da40872fcb74b042811b98a7 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Wed, 19 Nov 2025 19:56:09 +0000
Subject: [PATCH 4/9] Added in scope doc link & remove test sbom branch for trigger

---
 .github/workflows/sbom.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
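Review bot: The top-level `permissions` block grants `contents: write` and `pull-requests: write` to every step of the job, including `Install uv`, which pipes `curl ... | sh`, and `Generate SBOM`, which runs `npx @cyclonedx/cdxgen` with no version pinned, so both steps execute code resolved at run time under a token that can push branches and open PRs. Pin the generator, e.g. `run: npx @cyclonedx/cdxgen@<pinned-version> -t python --python-path .venv/bin/python -o sbom.json`, and keep the chosen version visible so bumps are reviewable; the same unpinned `npx` invocation survives the later rewrites of this line in patches 3, 7 and 8. Separately, `branch: auto-update-sbom-${{ github.run_id }}` gives every run a fresh branch, so each dependency change opens another PR instead of refreshing the previous one; a stable `branch: auto-update-sbom` lets the action update an existing PR. Note also that PRs opened with `secrets.GITHUB_TOKEN` do not trigger other `pull_request` workflows, so the generated PR will not get CI unless a different token is supplied.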
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 6acf1e0d81..61eb44f663 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -3,11 +3,12 @@ name: Generate SBOM
 # This workflow uses cdxgen and publishes an sbom.json artifact.
 # It runs on manual trigger or when package files change on main branch,
 # and creates a PR with the updated SBOM.
+# Internal documentation: go/sbom-scope
 on:
 workflow_dispatch: {}
 push:
- branches: ['main', 'sbom-test']
+ branches: ['main']
 paths:
 - 'pyproject.toml'
 - 'uv.lock'

From 16ba82a7cf9f4f68118df596746caaced0c9ed33 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Wed, 19 Nov 2025 20:16:33 +0000
Subject: [PATCH 5/9] fix zizmor issues

---
 .github/workflows/sbom.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 61eb44f663..c6c71eb877 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -30,6 +30,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python 3.10
 uses: actions/setup-python@v5
@@ -57,7 +59,7 @@ jobs:
 if-no-files-found: error
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: 'chore: Update SBOM after dependency changes'

From 475e1c18e1391bc06a1bb7a26c17af14fa570f0d Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Thu, 20 Nov 2025 00:09:16 +0000
Subject: [PATCH 6/9] Updated uv install and fix branch name

---
 .github/workflows/sbom.yml | 12 +++++------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index c6c71eb877..c5da5e9c59 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
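Review bot: The new `uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22` in the second hunk of patch 5 pins a bare commit hash with no comment naming the release it corresponds to, so a reviewer cannot tell which version is being trusted or whether a later bump is a downgrade; append the tag, `uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22 # <release-tag>`. The first hunk's context still shows `actions/checkout@v4` and `actions/setup-python@v5` on mutable tags, so this commit hash-pins only one of the three actions it touches; if the linter finding the subject refers to is about unpinned actions, the others presumably need the same treatment. Adding `persist-credentials: false` to the checkout is consistent with the PR step receiving `secrets.GITHUB_TOKEN` explicitly, so no step appears to depend on the persisted credential.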
@@ -8,7 +8,7 @@ name: Generate SBOM
 on:
 workflow_dispatch: {}
 push:
- branches: ['main']
+ branches: ['master']
 paths:
 - 'pyproject.toml'
 - 'uv.lock'
@@ -33,13 +33,11 @@ jobs:
 with:
 persist-credentials: false
- - name: Set up Python 3.10
- uses: actions/setup-python@v5
- with:
- python-version: '3.10'
-
 - name: Install uv
- run: curl -LsSf https://astral.sh/uv/install.sh | sh
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7
+ with:
+ enable-cache: true
+ python-version: "3.10"
 - name: Sync dependencies
 run: |

From 16a8a24e88ac510f017ad48f33a51da180c9682b Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Thu, 20 Nov 2025 20:08:39 +0000
Subject: [PATCH 7/9] Generate sbom only on requirements.txt & updated path for trigger

---
 .github/workflows/sbom.yml | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index c5da5e9c59..42107c8a05 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -11,9 +11,7 @@ on:
 branches: ['master']
 paths:
 - 'pyproject.toml'
- - 'uv.lock'
 - 'requirements.txt'
- - 'requirements/**/*.txt'
 permissions:
 contents: write
@@ -33,19 +33,18 @@ jobs:
 with:
 persist-credentials: false
- - name: Install uv
- uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7
+ - name: Set up Python
+ uses: actions/setup-python@v5
 with:
- enable-cache: true
 python-version: "3.10"
- - name: Sync dependencies
- run: |
- uv venv .venv
- uv sync --all-groups
-
 - name: Generate SBOM
- run: npx @cyclonedx/cdxgen -t python --python-path .venv/bin/python --json-pretty -o sbom.json
+ run: |
+ python -m venv .venv
+ source .venv/bin/activate
+ pip install -r requirements.txt
+ pip install .
+ npx cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --json-pretty -o sbom.json
 env:
 FETCH_LICENSE: true

From de9194052f797849aaa1a86a28360d86a1074ce2 Mon Sep 17 00:00:00 2001
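Review bot: In the rewritten `Generate SBOM` step of patch 7, `pip install -r requirements.txt` is followed by `pip install .`, which lets pip resolve the project's own declared dependencies and can add packages or versions that requirements.txt does not pin, so the environment cdxgen scans is a superset of the requirements.txt set the subject says the SBOM should be limited to. If the project itself should appear in the SBOM without widening that set, `pip install --no-deps .` installs only the package on top of the pinned requirements. With `--python-path` gone, the command seems to rely on `source .venv/bin/activate` earlier in the same `run` block to put the venv's `python` first on PATH for cdxgen — that is not verifiable from here, so a comment on the step stating the assumption, e.g. `# cdxgen picks up the activated .venv from PATH; keep these commands in one run block`, would help the next editor. The `--exclude` flags keep cdxgen from reading `uv.lock` and the requirements files directly, while `pyproject.toml` stays both a trigger path and unexcluded; whether cdxgen also parses it is worth checking in the produced sbom.json.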
From: Thanh Nguyen
Date: Thu, 20 Nov 2025 20:17:19 +0000
Subject: [PATCH 8/9] fix cdxgen command

---
 .github/workflows/sbom.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 42107c8a05..486a01ffb4 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -42,7 +42,7 @@ jobs:
 source .venv/bin/activate
 pip install -r requirements.txt
 pip install .
- npx cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --json-pretty -o sbom.json
+ npx @cyclonedx/cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --no-validate --json-pretty -o sbom.json
 env:
 FETCH_LICENSE: true

From 36a3d6c439520b3ea3c70a84f1dcb312a124efbb Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Thu, 20 Nov 2025 20:41:33 +0000
Subject: [PATCH 9/9] Fix whitespace for linter

---
 .github/workflows/sbom.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 486a01ffb4..fcf39902da 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -24,7 +24,7 @@ jobs:
 concurrency:
 group: sbom-${{ github.ref }}
 cancel-in-progress: false
-
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -63,19 +63,19 @@ jobs:
 title: 'chore: Update SBOM'
 body: |
 ## Automated SBOM Update
-
+
 This PR was automatically generated because dependency manifest files changed.
-
+
 ### Changes
 - Updated `sbom.json` to reflect current dependencies
-
+
 ### Verification
 The SBOM was generated using cdxgen with the current Python environment.
-
+
 ### Triggered by
 - Commit: ${{ github.sha }}
 - Workflow run: ${{ github.run_id }}
-
+
 ---
 _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
 labels: |
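Review bot: The added `--no-validate` in patch 8 switches off cdxgen's schema validation of its own output, so a malformed or incomplete `sbom.json` is uploaded as the artifact and committed through the automated PR without anything failing, and the subject ("fix cdxgen command") does not record which validation error it works around. Add the reason above the command, e.g. `# --no-validate: <why validation fails for this project>`, and consider a separate step that validates the generated file so the workflow still fails closed on a broken SBOM. Switching the package name back to `@cyclonedx/cdxgen` is the right correction, but the version is still unpinned, so each run installs whatever npm currently serves. The enclosing `run: |` block starts before this hunk.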