Merge pull request #1536 from atsign-foundation/cpswan-sbomify

ci: Replace Syft with sbomify
atsign-foundation · Nov 18, 2024 · d4de5fc · d4de5fc
2 parents ae68b7b + a22cc11
commit d4de5fc
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 15 deletions.
diff --git a/.github/workflows/multibuild.yaml b/.github/workflows/multibuild.yaml
@@ -275,17 +275,21 @@ jobs:
         with:
           sparse-checkout: packages/dart/sshnoports/pubspec.lock
           sparse-checkout-cone-mode: false
-      - name: Install Syft
-        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
       - name: Download all the tarballs
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           path: tarballs/
-      - name: Generate SBOMs
-        run: |
-          syft scan file:./packages/dart/sshnoports/pubspec.lock \
-            -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \
-            -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json'
+      - name: Generate SBOM
+        uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
+        env:
+          TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
+          COMPONENT_ID: '-93khk8pUi'
+          LOCK_FILE: './packages/dart/sshnoports/pubspec.lock'
+          SBOM_VERSION: ${{github.ref_name}}
+          OUTPUT_FILE: 'tarballs/noports_dart-${{github.ref_name}}-sbom.cdx.json'
+          AUGMENT: true
+          ENRICH: true
+          UPLOAD: true
       - name: Move packages for signing
         run: |
           cd tarballs
@@ -302,7 +306,7 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
         # Upload to GitHub Release using the `gh` CLI.
         # `tarballs/` contains the built packages, and the
-        # Syft produced SBOMs
+        # sbomify produced SBOMs
         run: >-
           gh release upload '${{ github.ref_name }}' tarballs/** --repo '${{
           github.repository }}'

diff --git a/.github/workflows/python-sshnpd-build-publish.yml b/.github/workflows/python-sshnpd-build-publish.yml
@@ -125,13 +125,17 @@ jobs:
       with:
         name: sshnpd-python-package
         path: dist/
-    - name: Install Syft
-      uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
-    - name: Generate SBOMs
-      run: |
-        syft scan file:./packages/python/sshnpd/requirements.txt \
-          -o 'spdx-json=dist/python_sshnpd_sbom.spdx.json' \
-          -o 'cyclonedx-json=dist/python_sshnpd_sbom.cyclonedx.json'
+    - name: Generate SBOM
+      uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
+      env:
+        TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
+        COMPONENT_ID: 'jqh6pn8rti'
+        LOCK_FILE: './packages/python/sshnpd/requirements.txt'
+        SBOM_VERSION: ${{github.ref_name}}
+        OUTPUT_FILE: 'dist/noports_python-${{github.ref_name}}-sbom.cdx.json'
+        AUGMENT: true
+        ENRICH: true
+        UPLOAD: true
     - name: Generate SHA256 checksums
       working-directory: dist
       run: sha256sum * > checksums.txt