From 09d874a9d9415afca61a192467a59ba56e558c56 Mon Sep 17 00:00:00 2001
From: rolljee
Date: Tue, 16 Dec 2025 16:35:01 +0100
Subject: [PATCH 1/3] feat: publish sbom to dtrack
---
 .github/actions/install-packages/action.yml | 8 ++++
 .github/workflows/dtrack-sbom.workflow.yaml | 45 +++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 .github/actions/install-packages/action.yml
 create mode 100644 .github/workflows/dtrack-sbom.workflow.yaml
diff --git a/.github/actions/install-packages/action.yml b/.github/actions/install-packages/action.yml
new file mode 100644
index 00000000..61b4ca0f
--- /dev/null
+++ b/.github/actions/install-packages/action.yml
@@ -0,0 +1,8 @@
+name: Install Packages
+description: Install necessary packages inside the CI
+
+runs:
+ using: "composite"
+ steps:
+ - run: sudo apt update && sudo apt install libunwind-dev libunwind8 -y
+ shell: bash
diff --git a/.github/workflows/dtrack-sbom.workflow.yaml b/.github/workflows/dtrack-sbom.workflow.yaml
new file mode 100644
index 00000000..b8fc4c59
--- /dev/null
+++ b/.github/workflows/dtrack-sbom.workflow.yaml
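Review bot: The composite step in action.yml drives the `apt` front end, whose command line is documented as not stable for scripting and which prints a warning when run non-interactively; `sudo apt-get update && sudo apt-get install -y libunwind-dev libunwind8` is the conventional CI form. The action's `description` does not say what needs libunwind, so a comment above the `run:` line naming the consumer (presumably a native module built during the calling workflow's `npm install` — confirm) would save the next maintainer a search.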
@@ -0,0 +1,45 @@
+name: Dtrack SBOM publish
+
+env:
+ NODE_VERSION: "24"
+
+on:
+ release:
+ types:
+ - released
+ - prereleased
+
+jobs:
+ publish-sbom-to-dtrack:
+ name: Publish SBOM to Dependency-Track
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@v4
+
+ - name: Install additional libraries
+ uses: ./.github/actions/install-packages
+
+ - name: Node version ${{ env.NODE_VERSION }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+
+ - run: npm install
+ - name: Create SBOM with CycloneDX
+ run: npx @cyclonedx/cyclonedx-npm -o bom.xml --of=XML
+
+ - name: Get the current project version from package.json
+ id: get-version
+ run: |
+ echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT
+
+ - name: Publish SBOM to Dependency-Track
+ uses: DependencyTrack/gh-upload-sbom@v3
+ with:
+ serverhostname: ${{ secrets.DEPENDENCYTRACK_HOSTNAME }}
+ apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
+ projectname: 'Kuzzle SDK JavaScript'
+ projectversion: '${{ steps.get-version.outputs.version }}'
+ bomfilename: "./bom.xml"
+ autocreate: true
\ No newline at end of file
From 5bcd8a5d3919000575fb7ae4c7d6aacde0e0629c Mon Sep 17 00:00:00 2001
From: Ricky
Date: Tue, 16 Dec 2025 16:47:56 +0100
Subject: [PATCH 2/3] Update .github/workflows/dtrack-sbom.workflow.yaml
Co-authored-by: Alexandre Bouthinon
---
 .github/workflows/dtrack-sbom.workflow.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dtrack-sbom.workflow.yaml b/.github/workflows/dtrack-sbom.workflow.yaml
index b8fc4c59..7d220f00 100644
--- a/.github/workflows/dtrack-sbom.workflow.yaml
+++ b/.github/workflows/dtrack-sbom.workflow.yaml
@@ -21,7 +21,7 @@ jobs:
 uses: ./.github/actions/install-packages
 - name: Node version ${{ env.NODE_VERSION }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v6
 with:
 node-version: ${{ env.NODE_VERSION }}
From 76654ad6ac173b95029b729b0784d9c17887ed3f Mon Sep 17 00:00:00 2001
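Review bot: The new workflow declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope although it only needs to read the checkout; add `permissions:` / `  contents: read` at the top level next to `env:`. The `Create SBOM with CycloneDX` step runs `npx @cyclonedx/cyclonedx-npm` with no version, so each release executes whatever the registry serves as latest at that moment, inside the same job whose later step consumes the Dependency-Track secrets — pin it (`npx --yes @cyclonedx/cyclonedx-npm@<pinned-version>`) and, for the same reason, consider pinning `actions/checkout`, `actions/setup-node` and `DependencyTrack/gh-upload-sbom` to full commit SHAs with the tag in a trailing comment (the two follow-up commits only move the tags). The preceding `- run: npm install` may re-resolve dependencies and rewrite `package-lock.json`, so the published inventory can drift from what the lockfile ships; `- run: npm ci` keeps the SBOM tied to the committed lockfile. In the `get-version` step, `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"`, and the file should end with a newline.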
From: Ricky
Date: Tue, 16 Dec 2025 16:48:03 +0100
Subject: [PATCH 3/3] Update .github/workflows/dtrack-sbom.workflow.yaml
Co-authored-by: Alexandre Bouthinon
---
 .github/workflows/dtrack-sbom.workflow.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dtrack-sbom.workflow.yaml b/.github/workflows/dtrack-sbom.workflow.yaml
index 7d220f00..7a3e8f55 100644
--- a/.github/workflows/dtrack-sbom.workflow.yaml
+++ b/.github/workflows/dtrack-sbom.workflow.yaml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout project
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Install additional libraries
 uses: ./.github/actions/install-packages