ci: Attest SBOM

kitten-science · May 29, 2024 · e002a01 · e002a01
1 parent 0743582
commit e002a01
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/.github/workflows/userscript-nightly.yml b/.github/workflows/userscript-nightly.yml
@@ -55,13 +55,28 @@ jobs:
           export KS_VERSION=$(yarn kitten-scientists:version)
           echo "KS_VERSION=$KS_VERSION" >> $GITHUB_ENV
       - run: yarn kitten-scientists:release
+      - name: Generate SBOM
+        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v1
+        with:
+          subject-path: packages/kitten-scientists/output/*
+          sbom-path: sbom.spdx.json
+
       - name: Generate GitHub release
         uses: oliversalzburg/action-automatic-semantic-releases@bc429dc1af8c036b5f8c11fef7bcb0becfd5064d # v0.0.13
         with:
           automatic_release_tag: nightly
           draft: false
           files: |
             packages/kitten-scientists/output/*
+            sbom.spdx.json
           prerelease: true
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           title: Nightly Build v${{ env.KS_VERSION }}
diff --git a/.github/workflows/userscript-publish.yml b/.github/workflows/userscript-publish.yml
@@ -56,13 +56,28 @@ jobs:
         with:
           subject-path: packages/kitten-scientists/output/*
 
+      - name: Generate SBOM
+        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v1
+        with:
+          subject-path: packages/kitten-scientists/output/*
+          sbom-path: sbom.spdx.json
+
       - name: Generate GitHub release
         uses: oliversalzburg/action-automatic-semantic-releases@bc429dc1af8c036b5f8c11fef7bcb0becfd5064d # v0.0.13
         with:
           automatic_release_tag: next
           draft: false
           files: |
             packages/kitten-scientists/output/*
+            sbom.spdx.json
           prerelease: true
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           title: Development Build v${{ env.KS_VERSION }}

diff --git a/.github/workflows/userscript-tagged-release.yml b/.github/workflows/userscript-tagged-release.yml
@@ -32,13 +32,28 @@ jobs:
 
       - run: yarn kitten-scientists:release
 
+      - name: Generate SBOM
+        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v1
+        with:
+          subject-path: packages/kitten-scientists/output/*
+          sbom-path: sbom.spdx.json
+
       - name: Generate GitHub release
         uses: oliversalzburg/action-automatic-semantic-releases@bc429dc1af8c036b5f8c11fef7bcb0becfd5064d # v0.0.13
         with:
           # Create only as draft, so we can add a description on the web UI.
           draft: true
           files: |
             packages/kitten-scientists/output/*
+            sbom.spdx.json
           prerelease: false
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           title: ${{ github.ref_name }}