-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yml
66 lines (64 loc) · 2.44 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: "CycloneDX SBOM action"
description: "Generate CycloneDX SBOM with Syft"
inputs:
image:
required: true
description: "The Docker image to scan."
# description: "Newline-delimited list of Docker images to scan"
default: "example/image_name:tag"
filename:
required: true
description: "The generated SBOM file name"
# description: "Newline-delimited list of generated SBOM file names"
default: "bom.json"
upload-artifact:
required: false
description: "Attach the SBOM to the workflow"
default: true
upload-release-assets:
required: false
description: "Attach the SBOM to the release"
default: true
syft-version:
required: false
description: "Syft version"
default: v0.45.1
runs:
using: 'composite'
steps:
- uses: anchore/sbom-action@b7e8507c6a3c89b7099a0198366d862c8f3ad8f1 # tag=v0.13.0
with:
image: ${{ inputs.image }}
artifact-name: ${{ inputs.filename }}
output-file: ${{ inputs.filename }}
format: cyclonedx-json
syft-version: ${{ inputs.syft-version }}
upload-artifact: ${{ inputs.upload-artifact }}
upload-release-assets: ${{ inputs.upload-release-assets }}
env:
SYFT_QUIET: true
- name: Sign CycloneDX SBOM
if: inputs.upload-artifact == 'true' && env.GPG_PRIVATE_KEY_PASSPHRASE && env.GPG_PRIVATE_KEY_BASE64
shell: bash
run: |
export GNUPGHOMEDIR=gnupg/
mkdir --parent "${GNUPGHOMEDIR}"
echo "${GPG_PRIVATE_KEY_PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --quiet --import <(echo "${GPG_PRIVATE_KEY_BASE64}")
echo "${GPG_PRIVATE_KEY_PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --quiet --detach-sign --armor "${{ inputs.filename }}"
rm -rf "${GNUPGHOMEDIR}"
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: inputs.upload-artifact == 'true'
with:
name: "${{ inputs.filename }}"
path: |
${{ inputs.filename }}
${{ inputs.filename }}.asc
- name: Upload binaries to release
if: inputs.upload-release-assets == 'true' && startsWith(github.ref, 'refs/tags/')
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
with:
repo_token: ${{ github.token }}
file_glob: true
file: "${{ inputs.filename }}?(.asc)"
tag: ${{ github.ref }}
overwrite: true