From 00544ba9078e334a8f62e83effde3c611fd8c945 Mon Sep 17 00:00:00 2001
From: Chris Swan <478926+cpswan@users.noreply.github.com>
Date: Fri, 15 Nov 2024 14:18:25 +0000
Subject: [PATCH 1/2] ci: Replace Syft with sbomify for Python NoPorts
---
 .../workflows/python-sshnpd-build-publish.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/python-sshnpd-build-publish.yml b/.github/workflows/python-sshnpd-build-publish.yml
index 6e4ae2448..e7bb96b72 100644
--- a/.github/workflows/python-sshnpd-build-publish.yml
+++ b/.github/workflows/python-sshnpd-build-publish.yml
@@ -125,13 +125,17 @@ jobs:
 with:
 name: sshnpd-python-package
 path: dist/
- - name: Install Syft
- uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
- - name: Generate SBOMs
- run: |
- syft scan file:./packages/python/sshnpd/requirements.txt \
- -o 'spdx-json=dist/python_sshnpd_sbom.spdx.json' \
- -o 'cyclonedx-json=dist/python_sshnpd_sbom.cyclonedx.json'
+ - name: Generate SBOM
+ uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
+ env:
+ TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
+ COMPONENT_ID: 'jqh6pn8rti'
+ LOCK_FILE: './packages/python/sshnpd/requirements.txt'
+ SBOM_VERSION: ${{github.ref_name}}
+ OUTPUT_FILE: 'dist/noports_python-${{github.ref_name}}-sbom.cdx.json'
+ AUGMENT: true
+ ENRICH: true
+ UPLOAD: true
 - name: Generate SHA256 checksums
 working-directory: dist
 run: sha256sum * > checksums.txt
From 2e496657d389ea6599f17daaba4a08fee10f9bc9 Mon Sep 17 00:00:00 2001
From: Chris Swan <478926+cpswan@users.noreply.github.com>
Date: Fri, 15 Nov 2024 14:22:59 +0000
Subject: [PATCH 2/2] ci: Replace Syft with sbomify for Dart NoPorts
---
 .github/workflows/multibuild.yaml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/multibuild.yaml b/.github/workflows/multibuild.yaml
index d4bb14132..97dc9d290 100644 
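Review bot: `OUTPUT_FILE` embeds `${{github.ref_name}}` in a path under `dist/`, so if this workflow can run on a branch ref containing `/` the SBOM is written into a subdirectory that does not exist, and the `sha256sum *` in the following checksums step would not cover it (it would likely error on the directory instead); if the trigger is tag-only this is moot, otherwise the ref should be sanitized before it is used as a file name. Passing the ref through `env:` rather than interpolating it into a `run:` script is the right shape against expression injection, so that part is fine. Note that the replaced Syft step published an SPDX document alongside CycloneDX and only CycloneDX is produced now, which downstream consumers of `python_sshnpd_sbom.spdx.json` will notice unless it is called out. Expression spacing is also inconsistent within the new step (`${{ secrets.SBOMIFY_TOKEN }}` vs `${{github.ref_name}}`). The same points apply to the multibuild.yaml hunk.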
--- a/.github/workflows/multibuild.yaml
+++ b/.github/workflows/multibuild.yaml
@@ -271,17 +271,21 @@ jobs:
 with:
 sparse-checkout: packages/dart/sshnoports/pubspec.lock
 sparse-checkout-cone-mode: false
- - name: Install Syft
- uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
 - name: Download all the tarballs
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 path: tarballs/
- - name: Generate SBOMs
- run: |
- syft scan file:./packages/dart/sshnoports/pubspec.lock \
- -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \
- -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json'
+ - name: Generate SBOM
+ uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
+ env:
+ TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
+ COMPONENT_ID: '-93khk8pUi'
+ LOCK_FILE: './packages/dart/sshnoports/pubspec.lock'
+ SBOM_VERSION: ${{github.ref_name}}
+ OUTPUT_FILE: 'tarballs/noports_dart-${{github.ref_name}}-sbom.cdx.json'
+ AUGMENT: true
+ ENRICH: true
+ UPLOAD: true
 - name: Move packages for signing
 run: |
 cd tarballs
@@ -298,7 +302,7 @@ jobs:
 GITHUB_TOKEN: ${{ github.token }}
 # Upload to GitHub Release using the `gh` CLI.
 # `tarballs/` contains the built packages, and the
- # Syft produced SBOMs
+ # sbomify produced SBOMs
 run: >-
 gh release upload '${{ github.ref_name }}' tarballs/**
 --repo '${{ github.repository }}'
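Review bot: The new step writes `tarballs/noports_dart-<ref>-sbom.cdx.json` into the artifact download directory immediately before `Move packages for signing`, whose `run:` body continues past the hunk; if that step or the signing that follows selects files by the old `dart_sshnoports_sbom.*` naming, the renamed SBOM would be neither moved nor signed, while `gh release upload tarballs/**` in the second hunk would still publish it, so the signed file set should be confirmed against the rest of the job. The `${{github.ref_name}}`-in-path and dropped-SPDX-output points raised on the python-sshnpd-build-publish.yml hunk apply here as well.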