From b5d8a97f314923dff4c31f0dff4200a7bede0279 Mon Sep 17 00:00:00 2001
From: Viktor Petersson
Date: Thu, 15 Aug 2024 18:09:06 +0100
Subject: [PATCH] Twaks workflow
---
.github/workflows/phase_1_python.yml | 25 +++++++++----------------
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/phase_1_python.yml b/.github/workflows/phase_1_python.yml
index fc1c571..247f01c 100644
--- a/.github/workflows/phase_1_python.yml
+++ b/.github/workflows/phase_1_python.yml
@@ -102,6 +102,11 @@ jobs:
 runs-on: ubuntu-latest
 needs: [Container, Application]
 steps:
+
+ # To marge both a container and application SBOM, we
+ # need to use hierarchy structure. The tooling isn't there yet.
+ # We are exploring `sbomasm` and `bomctl` for this step.
+
 - uses: actions/checkout@v4
 - name: Install sbomasm
@@ -110,24 +115,12 @@ jobs:
 "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
 chmod +x /tmp/sbomasm
- # Should probably pin this dependency
- - name: "Install sbommerge"
+ - name: "Merge Debugging"
 run: |
- python -m pip install sbommerge
+ echo "Output file: /tmp/flattened-cyclonedx.json
+ echo "Input files: container-sbom-cyclonedx/container-sbom_cyclonedx.json application-sbom-cyclonedx/application-sbom_cyclonedx.json"
- - name: Download all workflow run artifacts
- uses: actions/download-artifact@v4
-
- # We need `continue-on-error: true` here as we sometimes get a non-exit 0
- - name: "CycloneDX: Generate Merged SBOM"
- continue-on-error: true
- run: |
- sbommerge \
- --format json \
- --sbom cyclonedx \
- --output-file /tmp/flattened-cyclonedx.json \
- container-sbom-cyclonedx/container-sbom_cyclonedx.json \
- application-sbom-cyclonedx/application-sbom_cyclonedx.json
+ touch /tmp/flattened-cyclonedx.json
 - name: Upload Combined CycloneDX SBOM
 uses: actions/upload-artifact@v4
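Review bot: The first `echo` in the new "Merge Debugging" step never closes its double quote, so bash treats the rest of the `run:` block as part of that string and the step fails with an unexpected-EOF error before `touch` ever runs; it should read `echo "Output file: /tmp/flattened-cyclonedx.json"`. Once that is fixed the step still only creates an empty file, and the "Upload Combined CycloneDX SBOM" step that follows (its body runs past the end of the hunk) will publish that empty placeholder under the name of a merged SBOM, which any consumer of the artifact will read as a broken CycloneDX document — either skip the upload until the merge is wired up or add a comment making clear the artifact is intentionally a stub. The download-artifact step was removed in the same hunk, so the two input paths printed by the second `echo` presumably no longer exist in the workspace; a comment such as `# placeholder: restoring the real merge also needs the download-artifact step back` would stop the next reader from expecting those files.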