Merge branch 'open-telemetry:main' into clintonb/synchronous-gauge

clintonb · web-flow · commit cbdeadf05aea · 2024-03-20T21:40:20.000-07:00
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -0,0 +1,79 @@
+name: SBOM
+on:
+  release:
+    types: [published]
+          
+permissions: read-all
+
+jobs:
+  generate-sboms:
+    runs-on: ubuntu-latest
+    env:
+      NPM_CONFIG_UNSAFE_PERM: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - run: npm install -g npm@latest
+
+      - name: Bootstrap
+        run: npm ci
+
+      - name: Generate SBOM for core packages
+        if: ${{ ! startsWith(github.ref, 'refs/tags/experimental') && ! startsWith(github.ref, 'refs/tags/api') }}
+        run: |
+          for dir in $(find packages -mindepth 1 -maxdepth 1 -type d)
+          do
+            dir_name=$(basename "$dir")
+            echo "Generating SBOM for $dir_name"
+            npm sbom --sbom-format=spdx --legacy-peer-deps --workspace ${dir} > "opentelemetry-js_${dir_name}.spdx.json"
+          done
+        
+      - name: Generate SBOM for the API package
+        if: startsWith(github.ref, 'refs/tags/api/')
+        run: |
+          npm sbom --sbom-format=spdx --legacy-peer-deps --workspace api > opentelemetry-js_api.spdx.json
+
+      - name: Generate SBOMs for experimental packages 
+        if: startsWith(github.ref, 'refs/tags/experimental/')
+        run: |
+          for dir in $(find experimental/packages -mindepth 1 -maxdepth 1 -type d)
+          do
+            dir_name=$(basename "$dir")
+            echo "Generating SBOM for $dir_name"
+            npm sbom --sbom-format=spdx --legacy-peer-deps --workspace ${dir} > "opentelemetry-js_${dir_name}.spdx.json"
+          done
+
+      - name: Zip all SBOM files
+        run: |
+          zip sbom.zip *.spdx.json
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: SBOM.zip
+          path: ./sbom.zip
+
+  add-release-artifact:
+    needs: generate-sboms
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Download artifact from generate-sboms
+        uses: actions/download-artifact@v4
+        with:
+          name: SBOM.zip
+      - name: Upload release asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ./sbom.zip
+          asset_name: SBOM.zip
+          asset_content_type: application/zip
