Add improved SBOM reports #1324

Workflow file for this run

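# CI for the Matrix Poll Widget.
#
# On every push to main and every pull request: lint, type-check, test and
# build the widget, build a multi-arch container image, produce an SPDX SBOM of
# that image and upload it as a build artifact. On main only: create/publish
# the release via changesets and trigger the GitOps deployment workflow.
name: CI
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Least privilege for GITHUB_TOKEN: checkout needs contents:read and the
    # ghcr.io login/push needs packages:write. Everything else in this job
    # (changesets, release tags) runs with the GitHub App token minted below,
    # not with GITHUB_TOKEN.
    permissions:
      contents: read
      packages: write
    env:
      DOCKER_IMAGE: ghcr.io/nordeck/matrix-poll-widget
      # Single source of truth for "is the image pushed to the registry":
      # on main, or on a pull request that can see the repository secrets
      # (fork PRs cannot, so GH_APP_OS_APP_ID is empty there). The SBOM steps
      # reuse this flag because they scan the image by registry digest and
      # therefore only work when the image was actually pushed.
      PUSH_IMAGE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }}
    outputs:
      docker-tag: ${{ steps.meta.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          # required for changesets
          fetch-depth: '0'
          # don't persist the credentials so the changesets action doesn't use the
          # github actions token but the git token provided via environment variable
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: 'package.json'
          cache: 'yarn'
      - name: Install NPM packages
        run: yarn install --frozen-lockfile
      - name: prettier:check
        run: yarn prettier:check
      - name: depcheck
        run: yarn depcheck
      - name: Check Linting Rules
        run: yarn lint
      - name: type checking and declarations
        run: yarn tsc
      - name: check translations
        run: yarn translate --fail-on-update
      - name: test
        run: yarn test:all
      - name: build
        run: yarn build
      - name: generate disclaimer
        run: yarn generate-disclaimer
      - name: Login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # GITHUB_TOKEN is sufficient for ghcr.io given packages:write above.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Generate Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        env:
          # Tag PR builds with the PR head commit rather than the merge commit.
          # Quoted: env values are strings, the action compares against 'true'.
          DOCKER_METADATA_PR_HEAD_SHA: 'true'
        with:
          images: ${{ env.DOCKER_IMAGE }}
          labels: |
            org.opencontainers.image.title=Matrix Poll Widget
            org.opencontainers.image.description=A poll widget for Matrix
            org.opencontainers.image.vendor=Nordeck IT + Consulting GmbH
          tags: |
            type=sha,prefix=
      - name: Build and push
        id: build_and_push
        uses: docker/build-push-action@v6
        # DOCKER_IMAGE comes from the job-level env; the step-level copy that
        # used to live here was redundant.
        with:
          push: ${{ env.PUSH_IMAGE == 'true' }}
          context: .
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64,linux/s390x
      - name: Run Trivy to get an SBOM report of the container
        # Only meaningful when the image was pushed: the scan pulls it from the
        # registry by digest, and the digest output is empty/unpullable otherwise.
        if: env.PUSH_IMAGE == 'true'
        env:
          # Pin the scan to the exact digest just built, never to a mutable tag.
          IMAGE_REF: ${{ env.DOCKER_IMAGE }}@${{ steps.build_and_push.outputs.digest }}
        # NOTE(review): tibdex/github-app-token and changesets/action below are
        # pinned to a commit SHA; this action is only pinned to a tag. Consider
        # pinning it to a SHA as well so the SBOM tool itself cannot be swapped
        # out by a moved tag.
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'image'
          # 'license' only: this step produces the SBOM, it is not the
          # vulnerability scan.
          scanners: 'license'
          format: 'spdx-json'
          output: 'sbom.spdx.json'
          image-ref: ${{ env.IMAGE_REF }}
          # Used by Trivy to fetch its databases from GHCR with a rate-limit-free
          # token; read-only use.
          github-pat: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload SBOM report as a build artifact
        if: env.PUSH_IMAGE == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: sbom-spdx-report
          path: 'sbom.spdx.json'
          retention-days: 30
          # A missing SBOM is a broken pipeline, not a warning.
          if-no-files-found: error
      - name: Generate GitHub token
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
        id: generate_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # @v2.1.0
        with:
          app_id: ${{ secrets.GH_APP_OS_APP_ID }}
          private_key: ${{ secrets.GH_APP_OS_PRIVATE_KEY }}
      - name: Create Release Pull Request or Publish Packages
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
        uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # @v1.4.9
        with:
          publish: yarn changeset tag
        env:
          # App token (not GITHUB_TOKEN) so the release PR/tag push triggers
          # downstream workflows and is attributed to the app.
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
  deploy:
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    name: Deploy to Dev
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: build
    # This job never uses GITHUB_TOKEN (no checkout; the dispatch call uses the
    # GitHub App token), so it gets no permissions at all.
    permissions: {}
    steps:
      # The job-level `if` already restricts this job to pushes on main, so no
      # step-level condition is needed here.
      - name: Generate GitHub token
        id: generate_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # @v2.1.0
        with:
          app_id: ${{ secrets.GH_APP_OS_APP_ID }}
          private_key: ${{ secrets.GH_APP_OS_PRIVATE_KEY }}
      - name: Trigger Workflow
        uses: actions/github-script@v7
        # Secrets are handed to the script through the environment instead of
        # being interpolated into the JavaScript source with ${{ }}: a value
        # containing a quote would otherwise break (or alter) the script.
        env:
          GITOPS_DEPLOY_REPOSITORY: ${{ secrets.GITOPS_DEPLOY_REPOSITORY }}
          GITOPS_DEPLOY_ENVIRONMENT: ${{ secrets.GITOPS_DEPLOY_ENVIRONMENT }}
        with:
          github-token: ${{ steps.generate_token.outputs.token }}
          # `await` so a failed dispatch (4xx/5xx) fails this step instead of
          # surfacing as an unhandled rejection after the script body returns.
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'nordeck',
              repo: process.env.GITOPS_DEPLOY_REPOSITORY,
              workflow_id: 'deployment.yml',
              ref: 'main',
              inputs: {
                environment: process.env.GITOPS_DEPLOY_ENVIRONMENT,
                application: 'matrix-poll',
                tag: '${{ github.sha }}'
              }
            })
# TODO: E2E Tests?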