name: Create SBOM for the release # Inherited variables: # github.event.client_payload.agentSpec - Current YAML Label # github.event.client_payload.ReleaseID - Current release ID # github.event.client_payload.imageVersion - AzDO image version "major.minor" # github.event.client_payload.ReleaseBranchName - Necessary to identify workflow run # # Current SYFT tool issues: # macOS (major): prompt privilegies that blocking process indefinetely (https://github.com/anchore/syft/issues/1367) run-name: Collecting SBOM for ${{ github.event.client_payload.ReleaseBranchName || 'unknown release' }} on: repository_dispatch: types: [generate-sbom] defaults: run: shell: pwsh jobs: #Checking current release for SBOM sbom-check: outputs: check_status: ${{ steps.check.outputs.status }} runs-on: ubuntu-latest steps: - name: Check release for ${{ github.event.client_payload.ReleaseBranchName }} id: check shell: pwsh run: | $apiUrl = "https://api.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}" $response = Invoke-RestMethod -Uri $apiUrl -Method Get -SkipHttpErrorCheck if ($response.message -ilike "Not Found") { echo "status=release_not_found" >> $env:GITHUB_OUTPUT Write-Error "Release ${{ github.event.client_payload.ReleaseID }} wasn't found" exit 1 } foreach ($asset in $response.assets) { if ($asset.name -like '*sbom*') { echo "status=sbom_exists" >> $env:GITHUB_OUTPUT return "Release ${{ github.event.client_payload.ReleaseID }} already contains a SBOM" } } Write-Host "Release has been found, SBOM is not attached, starting generation." echo "status=okay" >> $env:GITHUB_OUTPUT #Generating SBOM building-sbom: needs: sbom-check if: ${{ needs.sbom-check.outputs.check_status == 'okay' }} runs-on: ${{ github.event.client_payload.agentSpec }} steps: - name: Available image version check for ${{ github.event.client_payload.ReleaseBranchName }} run: | $imageVersionComponents = $env:ImageVersion.Split('.') $imageMajorVersion = $imageVersionComponents[0] $imageMinorVersion = $imageVersionComponents[1] if ("$imageMajorVersion.$imageMinorVersion" -ne '${{ github.event.client_payload.imageVersion }}') { throw "Current runner $imageMajorVersion.$imageMinorVersion image version doesn't match ${{ github.event.client_payload.imageVersion }}." } - name: Install SYFT tool on Windows if: ${{ runner.os == 'Windows' }} run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b D:/syft - name: Install SYFT tool on Ubuntu if: ${{ runner.os == 'Linux' }} run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - name: Install SYFT v1.24.0 on macOS if: ${{ runner.os == 'macOS' }} run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.24.0 #Running section. - name: Run SYFT on Windows if: ${{ runner.os == 'Windows' }} run: D:/syft/syft dir:C:/ -vv -o spdx-json=sbom.json - name: Run SYFT on Ubuntu if: ${{ runner.os == 'Linux' }} run: syft dir:/ -vv -o spdx-json=sbom.json - name: Run SYFT on macOS if: ${{ runner.os == 'macOS' }} run: sudo syft dir:/ -vv -o spdx-json=sbom.json --exclude ./Users --exclude ./System/Volumes --exclude ./private shell: bash #Preparing artifact (raw SBOM.json is too big) - name: Compress SBOM file run: Compress-Archive sbom.json sbom.json.zip #Upload artifact action - uses: actions/upload-artifact@v4 with: name: sbom-${{ github.event.client_payload.agentSpec }}-${{ github.event.client_payload.imageVersion }} path: sbom.json.zip if-no-files-found: warn #Upload release asset action #Might be changed to softprops/action-gh-release after additional check - name: Upload release asset uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: "https://uploads.github.com/repos/actions/runner-images/releases/${{ github.event.client_payload.ReleaseID }}/assets{?name,label}" asset_path: ./sbom.json.zip asset_name: sbom.${{ github.event.client_payload.agentSpec }}.json.zip asset_content_type: application/zip