From ad2ce415b54ec6bf4cfb8edb687a744ec1c7fc45 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 02:43:26 +0000 Subject: [PATCH 1/5] Initial plan From b455826880d1268bb31b3b514877b3c3c8df1600 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 02:51:59 +0000 Subject: [PATCH 2/5] Add SBOM generation to CI/CD pipeline and releases Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .github/workflows/security-sbom.yml | 60 +++++++++++++++++++++++++++++ .gitignore | 4 ++ Makefile | 19 +++++++++ SECURITY.md | 37 ++++++++++++++++++ 4 files changed, 120 insertions(+) create mode 100644 .github/workflows/security-sbom.yml diff --git a/.github/workflows/security-sbom.yml b/.github/workflows/security-sbom.yml new file mode 100644 index 0000000000..9bf18dd3d0 --- /dev/null +++ b/.github/workflows/security-sbom.yml 
@@ -0,0 +1,60 @@ +name: SBOM Generation + +on: + release: + types: [published] + schedule: + # Run weekly on Sundays at 00:00 UTC + - cron: '0 0 * * 0' + workflow_dispatch: + +permissions: + contents: write + +jobs: + generate-sbom: + name: Generate SBOM + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + + - name: Set up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + with: + go-version-file: go.mod + cache: true + + - name: Download Go modules + run: go mod download + + - name: Generate SBOM (SPDX format) + uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 + with: + artifact-name: sbom.spdx.json + output-file: sbom.spdx.json + format: spdx-json + + - name: Generate SBOM (CycloneDX format) + uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 + with: + artifact-name: sbom.cdx.json + output-file: sbom.cdx.json + format: cyclonedx-json + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: sbom-artifacts + path: | + sbom.spdx.json + sbom.cdx.json + retention-days: 90 + + - name: Attach SBOM to release + if: github.event_name == 'release' + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 + with: + files: | + sbom.spdx.json + sbom.cdx.json diff --git a/.gitignore b/.gitignore index 196952b6ca..2e4cf4a3b4 100644 --- a/.gitignore +++ b/.gitignore @@ -61,6 +61,10 @@ logs/ # Benchmark results bench_results.txt +# SBOM files (generated by make sbom) +sbom.spdx.json +sbom.cdx.json + node_modules/ gh-aw-test/ diff --git a/Makefile b/Makefile index 1bce63e7ad..34a2fe0ce1 100644 --- a/Makefile +++ b/Makefile 
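Review bot: The two `anchore/sbom-action` steps leave the action's own `upload-artifact` and `upload-release-assets` inputs at their defaults, so if the pinned v0.20.10 still defaults both to true, a `release` run uploads the SBOMs once through the action and again through the explicit `Upload SBOM artifacts` and `Attach SBOM to release` steps. Setting `upload-artifact: false` and `upload-release-assets: false` on both steps keeps a single, visible write path, which matters here because the workflow-level `permissions: contents: write` exists only for the attach step and a reviewer should be able to see every step that can exercise it. That top-level grant also applies to the `schedule` and `workflow_dispatch` runs, which never write anything; scoping it to the job, or to `read` for non-release runs, would be the least-privilege shape. The same pair of default inputs is repeated in the `generate-sbom` job added to `.github/workflows/release.md` in PATCH 3/5.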
@@ -341,6 +341,24 @@ pull-main: release: pull-main build @node scripts/changeset.js release +# Generate Software Bill of Materials (SBOM) +.PHONY: sbom +sbom: + @if ! command -v syft >/dev/null 2>&1; then \ + echo "Error: syft is not installed."; \ + echo ""; \ + echo "Install syft to generate SBOMs:"; \ + echo " curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin"; \ + echo ""; \ + echo "Or visit: https://github.com/anchore/syft#installation"; \ + exit 1; \ + fi + @echo "Generating SBOM in SPDX format..." + syft packages . -o spdx-json=sbom.spdx.json + @echo "Generating SBOM in CycloneDX format..." + syft packages . -o cyclonedx-json=sbom.cdx.json + @echo "✓ SBOM files generated: sbom.spdx.json, sbom.cdx.json" + # Agent should run this task before finishing its turns .PHONY: agent-finish agent-finish: deps-dev fmt lint build test-all recompile dependabot generate-schema-docs generate-labs @@ -387,4 +405,5 @@ help: @echo " agent-finish - Complete validation sequence (build, test, recompile, fmt, lint)" @echo " version - Preview next version from changesets" @echo " release - Create release using changesets (depends on test)" + @echo " sbom - Generate SBOM in SPDX and CycloneDX formats (requires syft)" @echo " help - Show this help message" \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index 77d7986f73..96d78ab707 100644 --- a/SECURITY.md +++ b/SECURITY.md 
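Review bot: The `sbom` target calls `syft packages .`, which recent syft releases treat as a deprecated alias for `syft scan`; `syft scan . -o spdx-json=sbom.spdx.json` keeps the target working if the alias is dropped (confirm against the syft version the team actually installs). The install hint echoed in the error branch pipes the unpinned `main` branch of `install.sh` straight into `sh`; the installer accepts a release tag as its last argument, so pointing developers at a specific version makes local SBOMs reproducible against the SHA-pinned `anchore/sbom-action@v0.20.10` used in CI instead of whatever `main` contains on a given day. Scanning `.` also catalogs everything in the working tree, so a developer with `node_modules/` present locally gets a larger package list than the CI run; `--exclude './node_modules/**'` on both syft invocations, or a line in the help text, would make that difference explicit.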
@@ -29,3 +29,40 @@ This information will help us triage your report more quickly. ## Policy See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) + +## Software Bill of Materials (SBOM) + +We generate Software Bill of Materials (SBOM) for this project to provide complete visibility into the dependency tree, enabling compliance reporting, vulnerability tracking, and supply chain risk assessment. + +### SBOM Generation + +SBOMs are automatically generated: + +- **On every release**: Attached to GitHub releases as downloadable assets +- **Weekly**: Available as workflow artifacts for ongoing monitoring + +Both SPDX and CycloneDX formats are generated to ensure compatibility with different compliance and security tools. + +### Local SBOM Generation + +To generate an SBOM locally, first install [syft](https://github.com/anchore/syft): + +```bash +# Install syft +curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + +# Generate SBOM +make sbom +``` + +This produces two files: +- `sbom.spdx.json` - SBOM in SPDX JSON format +- `sbom.cdx.json` - SBOM in CycloneDX JSON format + +### SBOM Contents + +The generated SBOMs include: +- All direct and transitive Go dependencies +- Package versions and licenses +- Package hashes for integrity verification +- Dependency relationships From 2998b3355f1a46b443203bcdbfb71230c2c47cb5 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 06:56:58 +0000 Subject: [PATCH 3/5] Merge SBOM generation into release.md agentic workflow Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/aw/actions-lock.json | 5 ++ .github/workflows/release.lock.yml | 102 ++++++++++++++++++++++++++++ .github/workflows/release.md | 49 +++++++++++++ .github/workflows/security-sbom.yml | 14 +--- pkg/workflow/data/action_pins.json | 5 ++ 5 files changed, 163 insertions(+), 12 deletions(-) diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index c184eee006..ccc5e58047 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -65,6 +65,11 @@ "version": "v5", "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4" }, + "anchore/sbom-action@v0.20.10": { + "repo": "anchore/sbom-action", + "version": "v0.20.10", + "sha": "fbfd9c6c189226748411491745178e0c2017392d" + }, "astral-sh/setup-uv@v5": { "repo": "astral-sh/setup-uv", "version": "v5", diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 2d268b7a7a..5ddd759b50 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -83,6 +83,55 @@ # RELEASE_ID=$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId') # echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT" # echo "✓ Release ID: $RELEASE_ID" +# generate-sbom: +# needs: ["activation"] +# runs-on: ubuntu-latest +# permissions: +# contents: write +# steps: +# - name: Checkout repository +# uses: actions/checkout@v5 +# +# - name: Set up Go +# uses: actions/setup-go@v5 +# with: +# go-version-file: go.mod +# cache: true +# +# - name: Download Go modules +# run: go mod download +# +# - name: Generate SBOM (SPDX format) +# uses: anchore/sbom-action@v0.20.10 +# with: +# artifact-name: sbom.spdx.json +# output-file: sbom.spdx.json +# format: spdx-json +# +# - name: Generate SBOM (CycloneDX format) +# uses: anchore/sbom-action@v0.20.10 +# with: +# artifact-name: sbom.cdx.json +# output-file: sbom.cdx.json +# format: cyclonedx-json +# +# - name: Upload SBOM artifacts +# uses: actions/upload-artifact@v4 +# with: +# name: sbom-artifacts +# path: | +# sbom.spdx.json +# sbom.cdx.json +# retention-days: 90 +# +# - name: Attach SBOM to release +# env: +# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# run: | +# RELEASE_TAG="${GITHUB_REF#refs/tags/}" +# echo "Attaching SBOM files to release: $RELEASE_TAG" +# gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber +# echo "✓ SBOM files attached to release" # steps: # - name: Setup environment and fetch release data # env: @@ -159,16 +208,19 @@ # agent["agent"] # conclusion["conclusion"] # detection["detection"] +# generate-sbom["generate-sbom"] # pre_activation["pre_activation"] # release["release"] # update_release["update_release"] # pre_activation --> activation # activation --> agent # release --> agent +# generate-sbom --> agent # agent --> conclusion # activation --> conclusion # update_release --> conclusion # agent --> detection +# activation --> generate-sbom # activation --> release # agent --> update_release # detection --> update_release 
@@ -311,10 +363,14 @@ # https://github.com/actions/download-artifact/commit/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # - actions/github-script@v8 (ed597411d8f924073f98dfc5c65a23a2325f34cd) # https://github.com/actions/github-script/commit/ed597411d8f924073f98dfc5c65a23a2325f34cd +# - actions/setup-go@v5 (d35c59abb061a4a6fb18e82ac0862c26744d6ab5) +# https://github.com/actions/setup-go/commit/d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # - actions/setup-node@v6 (395ad3262231945c25e8478fd5baf05154b1d79f) # https://github.com/actions/setup-node/commit/395ad3262231945c25e8478fd5baf05154b1d79f # - actions/upload-artifact@v5 (330a01c490aca151604b8cf639adc76d48f6c5d4) # https://github.com/actions/upload-artifact/commit/330a01c490aca151604b8cf639adc76d48f6c5d4 +# - anchore/sbom-action@v0.20.10 (fbfd9c6c189226748411491745178e0c2017392d) +# https://github.com/anchore/sbom-action/commit/fbfd9c6c189226748411491745178e0c2017392d # - cli/gh-extension-precompile@v2 (9e2237c30f869ad3bcaed6a4be2cd43564dd421b) # https://github.com/cli/gh-extension-precompile/commit/9e2237c30f869ad3bcaed6a4be2cd43564dd421b @@ -438,6 +494,7 @@ jobs: needs: - activation - release + - generate-sbom runs-on: ubuntu-latest permissions: actions: read 
@@ -5892,6 +5949,51 @@ jobs: path: /tmp/gh-aw/threat-detection/detection.log if-no-files-found: ignore + generate-sbom: + needs: activation + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - name: Set up Go + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + with: + cache: true + go-version-file: go.mod + - name: Download Go modules + run: go mod download + - name: Generate SBOM (SPDX format) + uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 + with: + artifact-name: sbom.spdx.json + format: spdx-json + output-file: sbom.spdx.json + - name: Generate SBOM (CycloneDX format) + uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 + with: + artifact-name: sbom.cdx.json + format: cyclonedx-json + output-file: sbom.cdx.json + - name: Upload SBOM artifacts + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: sbom-artifacts + path: | + sbom.spdx.json + sbom.cdx.json + retention-days: 90 + - name: Attach SBOM to release + run: | + RELEASE_TAG="${GITHUB_REF#refs/tags/}" + echo "Attaching SBOM files to release: $RELEASE_TAG" + gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber + echo "✓ SBOM files attached to release" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + pre_activation: runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/release.md b/.github/workflows/release.md index 0717d8283c..a8a68df2a8 100644 --- a/.github/workflows/release.md +++ b/.github/workflows/release.md 
@@ -60,6 +60,55 @@ jobs: RELEASE_ID=$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId') echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT" echo "✓ Release ID: $RELEASE_ID" + generate-sbom: + needs: ["activation"] + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Download Go modules + run: go mod download + + - name: Generate SBOM (SPDX format) + uses: anchore/sbom-action@v0.20.10 + with: + artifact-name: sbom.spdx.json + output-file: sbom.spdx.json + format: spdx-json + + - name: Generate SBOM (CycloneDX format) + uses: anchore/sbom-action@v0.20.10 + with: + artifact-name: sbom.cdx.json + output-file: sbom.cdx.json + format: cyclonedx-json + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-artifacts + path: | + sbom.spdx.json + sbom.cdx.json + retention-days: 90 + + - name: Attach SBOM to release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + RELEASE_TAG="${GITHUB_REF#refs/tags/}" + echo "Attaching SBOM files to release: $RELEASE_TAG" + gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber + echo "✓ SBOM files attached to release" steps: - name: Setup environment and fetch release data env: diff --git a/.github/workflows/security-sbom.yml b/.github/workflows/security-sbom.yml index 9bf18dd3d0..80017f64ae 100644 --- a/.github/workflows/security-sbom.yml +++ b/.github/workflows/security-sbom.yml @@ -1,15 +1,13 @@ -name: SBOM Generation +name: Weekly SBOM Generation on: - release: - types: [published] schedule: # Run weekly on Sundays at 00:00 UTC - cron: '0 0 * * 0' workflow_dispatch: permissions: - contents: write + contents: read jobs: generate-sbom: 
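Review bot: The `generate-sbom` job holds `permissions: contents: write` for its entire run, yet only the last `gh release upload` step needs it; checkout, `go mod download` and the two third-party `anchore/sbom-action` steps all execute with a write-capable `GITHUB_TOKEN`. GitHub permissions are job-scoped, so the usual mitigation is to split the job: generate and publish the SBOMs as an artifact under `contents: read`, then attach them from a small follow-on job that only downloads the artifact and runs `gh release upload` under `contents: write`. Because this `.md` file is compiled into `.github/workflows/release.lock.yml`, the split belongs here rather than in the lock file. The sketch below keeps the existing steps and moves only the attach step.
```yaml
  generate-sbom:
    needs: ["activation"]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-go, go mod download, both sbom-action steps, upload-artifact …

  attach-sbom:
    needs: ["generate-sbom"]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Download SBOM artifacts
        uses: actions/download-artifact@v4
        with:
          name: sbom-artifacts
      # … unchanged: the existing "Attach SBOM to release" step, moved here verbatim …
```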
@@ -50,11 +48,3 @@ jobs: sbom.spdx.json sbom.cdx.json retention-days: 90 - - - name: Attach SBOM to release - if: github.event_name == 'release' - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 - with: - files: | - sbom.spdx.json - sbom.cdx.json diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json index c184eee006..b23ca0ce8a 100644 --- a/pkg/workflow/data/action_pins.json +++ b/pkg/workflow/data/action_pins.json @@ -109,6 +109,11 @@ "repo": "super-linter/super-linter", "version": "v8.2.1", "sha": "2bdd90ed3262e023ac84bf8fe35dc480721fc1f2" + }, + "anchore/sbom-action@v0.20.10": { + "repo": "anchore/sbom-action", + "version": "v0.20.10", + "sha": "fbfd9c6c189226748411491745178e0c2017392d" } } } From 629a9e17e9eed50613164189fa563e61792f7fa8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 13:27:26 +0000 Subject: [PATCH 4/5] Address PR feedback: delete security-sbom.yml, add release_tag output, fix job dependencies Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/release.lock.yml | 16 ++++++--- .github/workflows/release.md | 7 ++-- .github/workflows/security-sbom.yml | 50 ----------------------------- SECURITY.md | 5 +-- pkg/workflow/data/action_pins.json | 10 +++--- 5 files changed, 22 insertions(+), 66 deletions(-) delete mode 100644 .github/workflows/security-sbom.yml diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 5ddd759b50..d854ac8f5a 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -60,6 +60,7 @@ # attestations: write # outputs: # release_id: ${{ steps.get_release.outputs.release_id }} +# release_tag: ${{ steps.get_release.outputs.release_tag }} # steps: # - name: Checkout # uses: actions/checkout@v5 
@@ -82,9 +83,11 @@ # echo "Getting release ID for tag: $RELEASE_TAG" # RELEASE_ID=$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId') # echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT" +# echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT" # echo "✓ Release ID: $RELEASE_ID" +# echo "✓ Release Tag: $RELEASE_TAG" # generate-sbom: -# needs: ["activation"] +# needs: ["release"] # runs-on: ubuntu-latest # permissions: # contents: write @@ -127,8 +130,8 @@ # - name: Attach SBOM to release # env: # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# RELEASE_TAG: ${{ needs.release.outputs.release_tag }} # run: | -# RELEASE_TAG="${GITHUB_REF#refs/tags/}" # echo "Attaching SBOM files to release: $RELEASE_TAG" # gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber # echo "✓ SBOM files attached to release" @@ -220,7 +223,7 @@ # activation --> conclusion # update_release --> conclusion # agent --> detection -# activation --> generate-sbom +# release --> generate-sbom # activation --> release # agent --> update_release # detection --> update_release @@ -5950,7 +5953,7 @@ jobs: if-no-files-found: ignore generate-sbom: - needs: activation + needs: release runs-on: ubuntu-latest permissions: contents: write @@ -5987,12 +5990,12 @@ jobs: retention-days: 90 - name: Attach SBOM to release run: | - RELEASE_TAG="${GITHUB_REF#refs/tags/}" echo "Attaching SBOM files to release: $RELEASE_TAG" gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber echo "✓ SBOM files attached to release" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ needs.release.outputs.release_tag }} pre_activation: runs-on: ubuntu-slim @@ -6098,6 +6101,7 @@ jobs: outputs: release_id: ${{ steps.get_release.outputs.release_id }} + release_tag: ${{ steps.get_release.outputs.release_tag }} steps: - name: Checkout uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 
@@ -6116,7 +6120,9 @@ jobs: echo "Getting release ID for tag: $RELEASE_TAG" RELEASE_ID=$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId') echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT" + echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT" echo "✓ Release ID: $RELEASE_ID" + echo "✓ Release Tag: $RELEASE_TAG" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.md b/.github/workflows/release.md index a8a68df2a8..e8b48314e9 100644 --- a/.github/workflows/release.md +++ b/.github/workflows/release.md @@ -37,6 +37,7 @@ jobs: attestations: write outputs: release_id: ${{ steps.get_release.outputs.release_id }} + release_tag: ${{ steps.get_release.outputs.release_tag }} steps: - name: Checkout uses: actions/checkout@v5 @@ -59,9 +60,11 @@ jobs: echo "Getting release ID for tag: $RELEASE_TAG" RELEASE_ID=$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId') echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT" + echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT" echo "✓ Release ID: $RELEASE_ID" + echo "✓ Release Tag: $RELEASE_TAG" generate-sbom: - needs: ["activation"] + needs: ["release"] runs-on: ubuntu-latest permissions: contents: write @@ -104,8 +107,8 @@ jobs: - name: Attach SBOM to release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ needs.release.outputs.release_tag }} run: | - RELEASE_TAG="${GITHUB_REF#refs/tags/}" echo "Attaching SBOM files to release: $RELEASE_TAG" gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber echo "✓ SBOM files attached to release" diff --git a/.github/workflows/security-sbom.yml b/.github/workflows/security-sbom.yml deleted file mode 100644 index 80017f64ae..0000000000 --- a/.github/workflows/security-sbom.yml +++ /dev/null 
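Review bot: `release_tag` is written to `$GITHUB_OUTPUT` unconditionally, so if `RELEASE_TAG` is empty in the `release` job (its origin is outside this hunk) the `generate-sbom` job receives an empty string and `gh release upload ""` fails late with an unhelpful error; a one-line guard at the top of the attach script, `if [ -z "$RELEASE_TAG" ]; then echo "release_tag output is empty"; exit 1; fi`, makes the failure explicit. Passing the value through `env:` rather than inlining `${{ needs.release.outputs.release_tag }}` into `run:` is the right pattern, since the tag name ultimately comes from event data, and it deserves a comment so a later edit does not undo it: `# RELEASE_TAG comes from a job output; keep it in env, never inline ${{ }} into the script`. The compiled copy in `.github/workflows/release.lock.yml` mirrors these lines, so both changes should be made here and recompiled.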
@@ -1,50 +0,0 @@ -name: Weekly SBOM Generation - -on: - schedule: - # Run weekly on Sundays at 00:00 UTC - - cron: '0 0 * * 0' - workflow_dispatch: - -permissions: - contents: read - -jobs: - generate-sbom: - name: Generate SBOM - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - - name: Set up Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 - with: - go-version-file: go.mod - cache: true - - - name: Download Go modules - run: go mod download - - - name: Generate SBOM (SPDX format) - uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 - with: - artifact-name: sbom.spdx.json - output-file: sbom.spdx.json - format: spdx-json - - - name: Generate SBOM (CycloneDX format) - uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 - with: - artifact-name: sbom.cdx.json - output-file: sbom.cdx.json - format: cyclonedx-json - - - name: Upload SBOM artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: - name: sbom-artifacts - path: | - sbom.spdx.json - sbom.cdx.json - retention-days: 90 diff --git a/SECURITY.md b/SECURITY.md index 96d78ab707..f5cf4bfea6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -36,10 +36,7 @@ We generate Software Bill of Materials (SBOM) for this project to provide comple ### SBOM Generation -SBOMs are automatically generated: - -- **On every release**: Attached to GitHub releases as downloadable assets -- **Weekly**: Available as workflow artifacts for ongoing monitoring +SBOMs are automatically generated on every release and attached to GitHub releases as downloadable assets. Both SPDX and CycloneDX formats are generated to ensure compatibility with different compliance and security tools. diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json index b23ca0ce8a..ccc5e58047 100644 --- a/pkg/workflow/data/action_pins.json 
+++ b/pkg/workflow/data/action_pins.json @@ -65,6 +65,11 @@ "version": "v5", "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4" }, + "anchore/sbom-action@v0.20.10": { + "repo": "anchore/sbom-action", + "version": "v0.20.10", + "sha": "fbfd9c6c189226748411491745178e0c2017392d" + }, "astral-sh/setup-uv@v5": { "repo": "astral-sh/setup-uv", "version": "v5", @@ -109,11 +114,6 @@ "repo": "super-linter/super-linter", "version": "v8.2.1", "sha": "2bdd90ed3262e023ac84bf8fe35dc480721fc1f2" - }, - "anchore/sbom-action@v0.20.10": { - "repo": "anchore/sbom-action", - "version": "v0.20.10", - "sha": "fbfd9c6c189226748411491745178e0c2017392d" } } } From 254ba4b16d76714f32c43e32005954b566aebe19 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 14:24:20 +0000 Subject: [PATCH 5/5] Update action versions to use latest major versions Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/release.lock.yml | 4 ++-- .github/workflows/release.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index d854ac8f5a..cdbb51626f 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -105,14 +105,14 @@ # run: go mod download # # - name: Generate SBOM (SPDX format) -# uses: anchore/sbom-action@v0.20.10 +# uses: anchore/sbom-action@v0 # with: # artifact-name: sbom.spdx.json # output-file: sbom.spdx.json # format: spdx-json # # - name: Generate SBOM (CycloneDX format) -# uses: anchore/sbom-action@v0.20.10 +# uses: anchore/sbom-action@v0 # with: # artifact-name: sbom.cdx.json # output-file: sbom.cdx.json diff --git a/.github/workflows/release.md b/.github/workflows/release.md index e8b48314e9..520342671f 100644 --- a/.github/workflows/release.md +++ b/.github/workflows/release.md 
@@ -82,14 +82,14 @@ jobs: run: go mod download - name: Generate SBOM (SPDX format) - uses: anchore/sbom-action@v0.20.10 + uses: anchore/sbom-action@v0 with: artifact-name: sbom.spdx.json output-file: sbom.spdx.json format: spdx-json - name: Generate SBOM (CycloneDX format) - uses: anchore/sbom-action@v0.20.10 + uses: anchore/sbom-action@v0 with: artifact-name: sbom.cdx.json output-file: sbom.cdx.json
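Review bot: `anchore/sbom-action@v0` is a floating major tag, while the pin tables added in PATCH 3/5 (`.github/aw/actions-lock.json` and `pkg/workflow/data/action_pins.json`) are keyed `anchore/sbom-action@v0.20.10`; if the lock compiler looks up the `uses:` reference as written, `@v0` will not match that entry and the next recompile may either fail to pin or resolve `v0` to whatever commit the tag points at that day, which defeats the SHA pinning the lock file exists for. Either keep `uses: anchore/sbom-action@v0.20.10` in the source, or add a `v0` entry to both pin tables recording the same `fbfd9c6c189226748411491745178e0c2017392d` SHA (I cannot see the resolver's matching rule from here, so confirm which it does). The diffstat for `release.lock.yml` in this commit shows only the comment copy changing, which suggests the compiled `jobs:` section still carries the `fbfd9c6c…` pin and the source and lock are now out of step.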