mirror of
https://github.com/n8n-io/n8n
synced 2026-04-21 15:47:20 +00:00
88 lines
2.8 KiB
YAML
88 lines
2.8 KiB
YAML
name: 'Release: Attach SBOM'
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
n8n_version:
|
|
description: 'N8N version to generate SBOM for'
|
|
required: true
|
|
type: string
|
|
release_tag_ref:
|
|
description: 'Git reference to checkout (e.g. n8n@1.2.3)'
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
SLACK_WEBHOOK_URL:
|
|
required: true
|
|
|
|
workflow_dispatch:
|
|
inputs:
|
|
n8n_version:
|
|
description: 'N8N version to generate SBOM for'
|
|
required: true
|
|
type: string
|
|
release_tag_ref:
|
|
description: 'Git reference to checkout (e.g. n8n@1.2.3)'
|
|
required: true
|
|
type: string
|
|
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
|
|
jobs:
|
|
generate-sbom:
|
|
name: Generate and Attach SBOM to Release
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
continue-on-error: true
|
|
steps:
|
|
- name: Checkout release tag
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: ${{ inputs.release_tag_ref }}
|
|
|
|
- name: Setup Node.js and install dependencies
|
|
uses: ./.github/actions/setup-nodejs
|
|
with:
|
|
build-command: ''
|
|
|
|
- name: Generate CycloneDX SBOM for source code
|
|
uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
|
|
with:
|
|
path: ./
|
|
format: cyclonedx-json
|
|
output-file: sbom-source.cdx.json
|
|
|
|
- name: Attest SBOM for source release
|
|
uses: actions/attest-sbom@07e74fc4e78d1aad915e867f9a094073a9f71527 # v4.0.0
|
|
with:
|
|
subject-path: './package.json'
|
|
sbom-path: 'sbom-source.cdx.json'
|
|
|
|
- name: Attach SBOM and VEX files to release
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
# Upload SBOM and VEX files to the existing release
|
|
gh release upload "${{ inputs.release_tag_ref }}" \
|
|
sbom-source.cdx.json \
|
|
security/vex.openvex.json \
|
|
--clobber
|
|
|
|
COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
|
|
VEX_STATEMENTS=$(jq '.statements | length' security/vex.openvex.json 2>/dev/null || echo "0")
|
|
echo "SBOM and VEX attached to release"
|
|
echo " - SBOM: $COMPONENT_COUNT components"
|
|
echo " - VEX: $VEX_STATEMENTS CVE statements"
|
|
|
|
- name: Notify Slack on failure
|
|
if: failure()
|
|
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
|
|
with:
|
|
status: ${{ job.status }}
|
|
channel: '#alerts-build'
|
|
webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
message: |
|
|
<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}| SBOM generation and attachment failed for release ${{ inputs.release_tag_ref }} >
|