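---
# Regenerates the CycloneDX SBOM on every push to master (or on manual dispatch)
# and, when the normalized SBOM differs from the one already committed, opens or
# refreshes a single pull request from the chore/sbom-update branch.
name: SBOM

on:
  workflow_dispatch:
    inputs:
      target_branch:
        description: Base branch for the SBOM pull request (defaults to master)
        type: string
        required: false
        default: master
  push:
    branches:
      - master

# Serialize runs so two updates never race on the same PR branch.
concurrency:
  group: sbom-update
  cancel-in-progress: false

# GITHUB_TOKEN only needs to read the repository: checkout runs with
# persist-credentials: false and every write (branch push, PR creation) goes
# through the scoped GitHub App token minted below, so `contents: write` was
# an unused grant.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    env:
      SOURCE_BRANCH: chore/sbom-update
      # Empty/absent input (push events) falls back to master.
      TARGET_BRANCH: ${{ github.event.inputs.target_branch || 'master' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          # Keep GITHUB_TOKEN out of .git/config. The git network calls in the
          # compare step therefore run unauthenticated — fine for a public
          # repository; a private one would need an explicit token there.
          persist-credentials: false

      - name: Cache Gradle dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
        with:
          # ~/.gradle/wrapper already covers wrapper/dists, so it is listed once.
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      # Java 17 is required by Gradle and the CycloneDX plugin.
      - name: Set up JDK 17
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #v5.2.0
        with:
          java-version: '17'
          distribution: 'temurin'

      # NOTE(review): ./gradlew executes the committed gradle-wrapper.jar and this
      # workflow does not verify its checksum (Gradle publishes a wrapper-validation
      # action for that). Worth adding to a job whose whole purpose is supply-chain
      # transparency.
      - name: Generate SBOM (CycloneDX)
        run: ./gradlew --no-daemon cyclonedxBom

      - name: Move and rename SBOM to root
        run: mv build/reports/bom.json ./sbom.json

      # jq is used by the normalization script below (ubuntu-latest images
      # usually ship it already; the install is a harmless no-op then).
      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y jq

      # Strips the fields that change on every generation (serial number,
      # timestamps) and sorts components/dependencies so two SBOMs for the same
      # dependency set compare byte-equal.
      - name: Normalization script
        run: |
          cat <<'EOF' > normalize-sbom.sh
          #!/bin/bash
          jq -S '
            del(.serialNumber, .timestamp, .metadata.timestamp)
            | .components |= (if type=="array" then sort_by(.["bom-ref"] // "") else . end)
            | .dependencies |= (if type=="array" then sort_by(.ref // "") else . end)
          ' "$1" > "$2"
          EOF
          chmod +x normalize-sbom.sh

      # Compare against the open SBOM PR branch if it exists, otherwise against
      # the PR's target branch. Emits changes=true|false for the steps below.
      - name: Compare with previous SBOM in branch or target branch as fallback
        id: compare
        run: |
          # The checkout above is shallow and only contains the triggering ref,
          # so whichever branch we compare against must be fetched explicitly —
          # a dispatch from a non-master branch would otherwise fail on
          # `git show origin/master:sbom.json`. The fallback is the PR target
          # (master by default) rather than a hard-coded master.
          FALLBACK_BRANCH="$TARGET_BRANCH"
          echo "Checking whether branch $SOURCE_BRANCH exists in origin..."
          if git ls-remote --exit-code --heads origin "$SOURCE_BRANCH"; then
            echo "Remote branch found: $SOURCE_BRANCH"
            git fetch origin "+refs/heads/$SOURCE_BRANCH:refs/remotes/origin/$SOURCE_BRANCH" --depth=1
            PREVIOUS_SBOM_REF="origin/$SOURCE_BRANCH"
          else
            echo "Remote branch not found: $SOURCE_BRANCH"
            git fetch origin "+refs/heads/$FALLBACK_BRANCH:refs/remotes/origin/$FALLBACK_BRANCH" --depth=1
            PREVIOUS_SBOM_REF="origin/$FALLBACK_BRANCH"
          fi
          echo "Using sbom.json from $PREVIOUS_SBOM_REF"
          # First run, or a ref that has no sbom.json yet: there is nothing to
          # diff against, so treat the freshly generated file as a change
          # instead of failing the job.
          if ! git show "$PREVIOUS_SBOM_REF:sbom.json" > sbom_prev.json 2>/dev/null; then
            echo "No sbom.json at $PREVIOUS_SBOM_REF; treating the generated SBOM as a change"
            echo "changes=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          ./normalize-sbom.sh sbom_prev.json sbom_prev_normalized.json
          ./normalize-sbom.sh sbom.json sbom_current_normalized.json
          if diff -q sbom_prev_normalized.json sbom_current_normalized.json; then
            echo "changes=false" >> "$GITHUB_OUTPUT"
            echo "No changes in SBOM"
          else
            echo "changes=true" >> "$GITHUB_OUTPUT"
            echo "Differences in SBOM"
            diff sbom_prev_normalized.json sbom_current_normalized.json || true
          fi

      # Mint a short-lived installation token scoped to this repository and to
      # the two permissions the PR step actually needs, instead of inheriting
      # everything the app was granted.
      - name: Generate GitHub App token
        if: steps.compare.outputs.changes == 'true'
        id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.SBOM_APP_ID }}
          private-key: ${{ secrets.SBOM_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write

      # Only sbom.json is staged, so nothing else the build produced can leak
      # into the PR. Commits are signed via the API with the app identity.
      - name: Create or update SBOM PR
        if: steps.compare.outputs.changes == 'true'
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          add-paths: sbom.json
          token: ${{ steps.app-token.outputs.token }}
          branch: ${{ env.SOURCE_BRANCH }}
          base: ${{ env.TARGET_BRANCH }}
          commit-message: "chore: update SBOM"
          title: "chore: update sbom.json"
          body: "Automated SBOM update. This pull request is updated on each push to `master` or manual dispatch — merging it will close it and a fresh one will be opened on the next change."
          delete-branch: true
          sign-commits: true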