chore: add workflow for dependency-track (#1654)

dhis2 · Feb 3, 2025 · e7b3eb0 · e7b3eb0
1 parent f688868
commit e7b3eb0
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/.github/workflows/generate-and-upload-bom.yml b/.github/workflows/generate-and-upload-bom.yml
@@ -0,0 +1,41 @@
+name: 'This workflow creates bill of material and uploads it to Dependency-Track each night'
+
+on:
+    schedule:
+        - cron: '0 0 * * *'
+
+concurrency:
+    group: ${{ github.workflow}}-${{ github.ref }}
+    cancel-in-progress: true
+
+defaults:
+    run:
+        shell: bash
+
+jobs:
+    create-bom:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-node@v4
+              with:
+                  node-version: 20.x
+
+            - name: Install Dependencies
+              run: yarn install --frozen-lockfile
+
+            - name: Generate BOMs
+              run: |
+                  npm install -g @cyclonedx/cdxgen
+                  cdxgen -o sbom.json
+            - name: Upload SBOM to DependencyTrack
+              env:
+                  DEPENDENCY_TRACK_API: 'https://dt.security.dhis2.org/api/v1/bom'
+              run: |
+                  curl -X POST "$DEPENDENCY_TRACK_API" \
+                      --fail-with-body \
+                      -H "Content-Type: multipart/form-data" \
+                      -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
+                      -F "project=53c6ea2f-413f-45b9-a360-e366f917277d" \
+                      -F "bom=@sbom.json"