From a47f6451770aa2fd0dbb75fc3a0a4f466e38ed12 Mon Sep 17 00:00:00 2001
From: Martina Kraus
Date: Tue, 7 Jan 2025 13:10:18 +0100
Subject: [PATCH 1/2] chore: add workflow for dependency-track
---
.github/workflows/generate-and-upload-bom.yml | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 .github/workflows/generate-and-upload-bom.yml
diff --git a/.github/workflows/generate-and-upload-bom.yml b/.github/workflows/generate-and-upload-bom.yml
new file mode 100644
index 000000000..126f0711f
--- /dev/null
+++ b/.github/workflows/generate-and-upload-bom.yml
@@ -0,0 +1,50 @@
+name: 'This workflow creates bill of material and uploads it to Dependency-Track each night'
+
+on:
+ pull_request:
+ types: ['opened', 'edited', 'reopened', 'synchronize']
+
+# on:
+# schedule:
+# - cron: '0 0 * * *'
+
+concurrency:
+ group: ${{ github.workflow}}-${{ github.ref }}
+ cancel-in-progress: true
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ create-bom:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20.x
+
+ - uses: c-hive/gha-yarn-cache@v1
+ - run: yarn install --frozen-lockfile
+
+ - name: Install CycloneDX CLI
+ run: |
+ curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i -
+ sudo mv cyclonedx-linux-x64 /usr/local/bin/
+ sudo chmod +x /usr/local/bin/cyclonedx-linux-x64
+ - name: Generate BOMs
+ run: |
+ npm install -g @cyclonedx/cdxgen
+ cdxgen -o sbom.json
+ - name: Upload SBOM to DependencyTrack
+ env:
+ DEPENDENCY_TRACK_API: 'https://dt.security.dhis2.org/api/v1/bom'
+ run: |
+ curl -X POST "$DEPENDENCY_TRACK_API" \
+ --fail-with-body \
+ -H "Content-Type: multipart/form-data" \
+ -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
+ -F "project=53c6ea2f-413f-45b9-a360-e366f917277d" \
+ -F "bom=@sbom.json"
From 1d513a021a63c3e3be9f4afbccb8247ec7410a27 Mon Sep 17 00:00:00 2001
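Review bot: The SBOM generator is installed unpinned, `npm install -g @cyclonedx/cdxgen`, so each run takes whatever npm currently publishes as latest and the BOM's content and schema version can change with no change in this repository; for an artifact that feeds a vulnerability tracker the tool version should be fixed, e.g. `npm install -g @cyclonedx/cdxgen@<pinned-version>` (placeholder). The actions referenced by mutable major tags (`actions/checkout@v4`, `actions/setup-node@v4`, `c-hive/gha-yarn-cache@v1`) are the same kind of floating dependency and are usually pinned to a full commit SHA in a workflow that produces supply-chain evidence. The `Install CycloneDX CLI` step fetches a binary from the latest GitHub release with no checksum or signature check and is never invoked afterwards, which the second patch in this series addresses by removing it. The unpinned `cdxgen` install also survives as a context line in the second hunk of that follow-up patch, so the pinning applies there as well.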
From: Martina Kraus
Date: Tue, 7 Jan 2025 13:27:31 +0100
Subject: [PATCH 2/2] chore: add workflow for dependency-track
---
.github/workflows/generate-and-upload-bom.yml | 17 ++++-------------
1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/generate-and-upload-bom.yml b/.github/workflows/generate-and-upload-bom.yml
index 126f0711f..e739072ec 100644
--- a/.github/workflows/generate-and-upload-bom.yml
+++ b/.github/workflows/generate-and-upload-bom.yml
@@ -1,12 +1,8 @@ name: 'This workflow creates bill of material and uploads it to Dependency-Track each night' on: - pull_request: - types: ['opened', 'edited', 'reopened', 'synchronize'] - -# on: -# schedule: -# - cron: '0 0 * * *' + schedule: + - cron: '0 0 * * *' concurrency: group: ${{ github.workflow}}-${{ github.ref }}
@@ -26,14 +22,9 @@ jobs: with: node-version: 20.x - - uses: c-hive/gha-yarn-cache@v1 - - run: yarn install --frozen-lockfile + - name: Install Dependencies + run: yarn install --frozen-lockfile - - name: Install CycloneDX CLI - run: | - curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i - - sudo mv cyclonedx-linux-x64 /usr/local/bin/ - sudo chmod +x /usr/local/bin/cyclonedx-linux-x64 - name: Generate BOMs run: | npm install -g @cyclonedx/cdxgen
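Review bot: With `schedule` now the only trigger there is no way to run the workflow by hand, which makes the upload step hard to verify after this change; adding `workflow_dispatch:` beside `schedule:` under `on:` gives a manual trigger without altering the nightly run. A scheduled workflow runs only from the repository's default branch, and GitHub can automatically disable schedules on repositories that see no activity for an extended period, so a nightly upload that quietly stops is worth alerting on from the Dependency-Track side. The `concurrency.group` context line `${{ github.workflow}}-${{ github.ref }}` lacks the space before the first `}}`; it evaluates, but `${{ github.workflow }}` would match the expression beside it.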
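Review bot: Nothing replaces the removed `c-hive/gha-yarn-cache@v1` step, so every run now re-downloads the full dependency set; `actions/setup-node@v4`, whose `with:` block is the context at the top of this hunk (its `uses:` line sits just above the hunk, as the first patch shows), provides the same caching through a first-party input, `cache: yarn` next to `node-version: 20.x`, which avoids reintroducing a third-party action for it. The new `Install Dependencies` step otherwise keeps `--frozen-lockfile`, which is the right setting for a job whose output is supply-chain evidence. The remaining steps of the `create-bom` job (the `cdxgen` invocation and the upload) lie outside this hunk.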