|
1 | 1 | name: SBOM generation
|
2 | 2 |
|
3 | 3 | on:
|
| 4 | + workflow_dispatch: |
4 | 5 | schedule:
|
5 | 6 | # Runs at 02:00 UTC every Monday
|
6 | 7 | - cron: '2 0 * * 1'
|
|
9 | 10 | sbom_gen:
|
10 | 11 | name: Generate SBOM
|
11 | 12 | runs-on: ubuntu-latest
|
12 |
| - timeout-minutes: 10 |
13 |
| - continue-on-error: true |
| 13 | + strategy: |
| 14 | + matrix: |
| 15 | + python: ['3.7', '3.8', '3.9', '3.10', '3.11'] |
14 | 16 | steps:
|
15 | 17 | - uses: actions/checkout@v3
|
16 | 18 | - uses: actions/setup-python@v4
|
17 | 19 | with:
|
18 |
| - python-version: '3.x' |
| 20 | + python-version: ${{ matrix.python }} |
19 | 21 | cache: 'pip'
|
20 | 22 | cache-dependency-path: '**/requirements.txt'
|
21 |
| - - name: Get date |
22 |
| - id: get-date |
23 |
| - run: | |
24 |
| - echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT |
25 |
| - - name: Get cached database |
26 |
| - uses: actions/cache@v3 |
27 |
| - with: |
28 |
| - path: ~/.cache/cve-bin-tool |
29 |
| - key: ${{ runner.os }}-cve-bin-tool-${{ steps.get-date.outputs.date }} |
30 | 23 | - name: Install dependencies and cve-bin-tool
|
31 | 24 | run: |
|
32 | 25 | python -m pip install --upgrade pip
|
33 | 26 | python -m pip install --upgrade setuptools
|
34 | 27 | python -m pip install --upgrade wheel
|
35 |
| - python -m pip install --upgrade pytest |
36 | 28 | python -m pip install --upgrade sbom4python
|
37 |
| - pip install . -r doc/requirements.txt |
| 29 | + pip install . --upgrade --upgrade-strategy=eager |
38 | 30 | - name: Generate SBOM for cve-bin-tool
|
39 | 31 | run: |
|
40 |
| - sbom4python --module cve-bin-tool --output sbom/cve-bin-tool.spdx |
41 |
| - sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output sbom/cve-bin-tool.json |
42 |
| -# - name: Compare SBOM for cve-bin-tool |
43 |
| -# # This would fail due to time/date of SBOM generation in SBOM header |
44 |
| -# # Therefore ignore first 10 lines of file in comparison which is SBOM header |
45 |
| -# run: | |
46 |
| -# /bin/tail -n +10 sbom/cve-bin-tool.spdx > orig |
47 |
| -# /bin/tail -n +10 cve-bin-tool.spdx > new |
48 |
| -# /bin/diff -b orig new |
49 |
| -# - name: Display generated SBOM if difference detected |
50 |
| -# if: ${{ failure() }} |
51 |
| -# run: | |
52 |
| -# /bin/cat cve-bin-tool.spdx |
53 |
| - |
| 32 | + sbom4python --module cve-bin-tool --output cve-bin-tool-py${{ matrix.python }}.spdx |
| 33 | + sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output cve-bin-tool-py${{ matrix.python }}.json |
| 34 | + - name: Compare SBOM for cve-bin-tool |
| 35 | + id: diff-sbom |
| 36 | + # This would fail due to time/date of SBOM generation in SBOM header |
| 37 | + # Therefore ignore first 10 lines of file in comparison which is SBOM header |
| 38 | + run: | |
| 39 | + /bin/tail -n +10 sbom/cve-bin-tool-py${{ matrix.python }}.spdx > orig |
| 40 | + /bin/tail -n +10 cve-bin-tool-py${{ matrix.python }}.spdx > new |
| 41 | + echo "changed=$(/bin/diff -q orig new)" >> $GITHUB_OUTPUT |
| 42 | + - name: Display generated SBOM if difference detected |
| 43 | + if: ${{ steps.diff-sbom.outputs.changed }} |
| 44 | + run: | |
| 45 | + /bin/cat cve-bin-tool-py${{ matrix.python }}.spdx |
| 46 | + - name: Update existing SBOM if difference detected |
| 47 | + if: ${{ steps.diff-sbom.outputs.changed }} |
| 48 | + run: | |
| 49 | + cp cve-bin-tool-py${{ matrix.python }}.spdx sbom/cve-bin-tool-py${{ matrix.python }}.spdx |
| 50 | + cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json |
| 51 | + - name: Create Pull Request |
| 52 | + if: ${{ steps.diff-sbom.outputs.changed }} |
| 53 | + uses: peter-evans/create-pull-request@v4 |
| 54 | + with: |
| 55 | + commit-message: "chore: update SBOM for Python ${{ matrix.python }}" |
| 56 | + title: "chore: update SBOM for Python ${{ matrix.python }}" |
| 57 | + branch: chore-sbom-py${{ matrix.python }} |
| 58 | + delete-branch: true |
| 59 | + author: GitHub <[email protected]> |
| 60 | + add-paths: sbom |
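Review bot: The new `Create Pull Request` step introduces a third-party action, `peter-evans/create-pull-request@v4`, pinned only to a mutable major tag and running with whatever default `GITHUB_TOKEN` scope the repository grants; because this step pushes a branch and opens a PR, pin it (and ideally the `actions/*` steps) to a full commit SHA with a `# vX.Y.Z` comment, and grant the token explicitly at job level, `permissions:` / `  contents: write` / `  pull-requests: write`, so the workflow neither fails under a read-only default nor runs over-privileged under a write-all one. The compare step also assumes a baseline `sbom/cve-bin-tool-py${{ matrix.python }}.spdx` already exists for every matrix entry: under the default `bash -e` shell, `tail` on a missing file aborts the step before `diff -q` runs, so the first run for a new Python version fails instead of seeding the file — unless those per-version baselines are added elsewhere in this change, which is not visible here. Only the `.spdx` output is diffed; the `.json` SBOM is copied on the `.spdx` result alone, so a JSON-only change would not be detected. Separately, the unchanged `schedule` comment says 02:00 UTC but `'2 0 * * 1'` fires at 00:02 UTC on Mondays; either the comment or the cron (`'0 2 * * 1'`) needs correcting.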