diff --git a/.github/workflows/generate_sbom.py b/.github/workflows/generate_sbom.py
new file mode 100644
index 00000000000..eae39eb3f9f
--- /dev/null
+++ b/.github/workflows/generate_sbom.py
@@ -0,0 +1,20 @@
+from json import dumps
+
+from requests import get
+
+with open("opentelemetry-python.spdx.json", "w") as sbom_file:
+    sbom_file.write(
+        dumps(
+            get(
+                (
+                    "https://api.github.com/repos/open-telemetry/"
+                    "opentelemetry-python/dependency-graph/sbom"
+                ),
+                headers={
+                    "Accept": "application/vnd.github+json",
+                    "X-GitHub-Api-Version": "2022-11-28",
+                },
+            ).json(),
+            indent=4,
+        )
+    )
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000000..ea25292a2e8
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,55 @@
+name: SBOM
+on:
+  release:
+    types: [published]
+
+permissions: read-all
+
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout core repo
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+          architecture: 'x64'
+
+      - name: Install requests
+        run: pip install requests
+
+      - name: Generate SBOM
+        run: python3 .github/workflows/generate_sbom.py
+
+      - name: Zip the SBOM file
+        run: zip sbom.zip opentelemetry-python.spdx.json
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: SBOM.zip
+          path: ./sbom.zip
+
+  add-release-artifact:
+    needs: generate-sbom
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Download artifact from generate-sboms
+        uses: actions/download-artifact@v4
+        with:
+          name: SBOM.zip
+
+      - name: Upload release asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ./sbom.zip
+          asset_name: SBOM.zip
+          asset_content_type: application/zip
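Review bot: The `get(...)` call inside the `with` block never checks the response status, so a failed or rate-limited API call (GitHub returns a JSON error body for those) is serialised into `opentelemetry-python.spdx.json` as if it were the SBOM, and the request carries no `timeout`, so a stalled connection hangs the job until the runner's own limit. Bind the response and validate it before serialising: `response = get(url, headers=..., timeout=30)` followed by `response.raise_for_status()` and then `dumps(response.json(), indent=4)`. Opening the output file with `encoding="utf-8"` would also make the written bytes independent of the runner's locale.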
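Review bot: Everything this workflow pulls in is unpinned: `run: pip install requests` installs whatever version is current, and the actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/upload-release-asset@v1`), so the content of a supply-chain artefact attached to every release depends on what those references resolve to at run time. Pin each action to a full commit SHA with the tag kept in a trailing comment, and pin the Python dependency, e.g. `run: pip install 'requests==<pinned-version>'`. `actions/upload-release-asset` is archived and no longer maintained, so the `add-release-artifact` job, which is the only one holding `contents: write`, would be better served by a maintained upload step such as `gh release upload` from the GitHub CLI already present on `ubuntu-latest`. The dependency-graph SBOM endpoint presumably describes the repository's default branch rather than the tag being released, so the uploaded file may not match the release it is attached to; that is worth a comment above the `Generate SBOM` step if it is intended.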