Merge pull request #98 from viveksahu26/sboms_generation_using_sbom-tool

sbom generation using sbom-tool
interlynk-io · Sep 10, 2024 · a398030 · a398030
2 parents 692861d + d86c894
commit a398030
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 10 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,19 @@ on:
       - 'v*'
   workflow_dispatch:
 
+env:
+  TOOL_NAME: ${{ github.repository }}
+  LATEST_TAG: v0.0.1
+  SUPPLIER_NAME: Interlynk
+  SUPPLIER_URL: https://interlynk.io
+  PYLYNK_TEMP_DIR: $RUNNER_TEMP/pylynk
+  SBOM_TEMP_DIR: $RUNNER_TEMP/sbom
+  SBOM_ENV: development
+  SBOM_FILE_PATH: $RUNNER_TEMP/sbom/_manifest/spdx_2.2/manifest.spdx.json
+  MS_SBOM_TOOL_URL: https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+  MS_SBOM_TOOL_EXCLUDE_DIRS: "**/samples/**"
+
+
 jobs:
   releaser:
     runs-on: ubuntu-latest
@@ -22,17 +35,41 @@ jobs:
           go-version: '>=1.20'
           check-latest: true
           cache: true
-      - name: Download syft binary
-        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
-      - name: Run syft
-        run: syft version
+
+      - name: Get Tag
+        id: get_tag
+        run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo 'v0.0.1')" >> $GITHUB_ENV
+
       - name: Goreleaser
         uses: goreleaser/goreleaser-action@v4
         with:
-          install-only: true 
+          install-only: true
+
       - run: go version
       - run: goreleaser -v 
+
       - name: Releaser
         run: make release 
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          cd ${{ github.workspace }}
+          mkdir -p ${{ env.SBOM_TEMP_DIR}}
+          curl -Lo $RUNNER_TEMP/sbom-tool ${{ env.MS_SBOM_TOOL_URL }}
+          chmod +x $RUNNER_TEMP/sbom-tool
+          SANITIZED_REF=$(echo "${{ github.ref_name}}" | sed -e 's/[^a-zA-Z0-9.-]/-/g' -e 's/^[^a-zA-Z0-9]*//g')
+          VERSION= ${{ env.LATEST_TAG }}-$SANITIZED_REF          
+          $RUNNER_TEMP/sbom-tool generate -b ${{ env.SBOM_TEMP_DIR }} -bc . -pn ${{ env.TOOL_NAME }} -pv $VERSION -ps ${{ env.SUPPLIER_NAME}} -nsb ${{ env.SUPPLIER_URL }} -cd "--DirectoryExclusionList ${{ env.MS_SBOM_TOOL_EXCLUDE_DIRS }}"
+      
+      - name: Upload SBOM as Release Asset
+        uses: actions/upload-release-asset@v1
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ${{ env.SBOM_FILE_PATH }}
+          asset_name: sbomasm-${{ env.LATEST_TAG }}.sbom.spdx.json
+          asset_content_type: application/json
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,5 +1,7 @@
 project_name: sbomasm
 
+version: 2
+
 env:
   - GO111MODULE=on
 
@@ -63,8 +65,3 @@ release:
   prerelease: allow 
   draft: true 
 
-sboms:
-  -
-    artifacts: binary
-    documents:
-      - "${artifact}.spdx.sbom"