Elgato_dark/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n synced 2026-04-21 15:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
n8n/.github/workflows/sbom-generation-callable.yml
Declan Carroll e4dbe0db6b
ci: Update GitHub Actions to latest versions for Node.js 24 compatibility (#26949) 
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 14:01:53 +00:00

88 lines
2.8 KiB
YAML
Raw Permalink Blame History

name: 'Release: Attach SBOM'
on:
workflow_call:
inputs:
n8n_version:
description: 'N8N version to generate SBOM for'
required: true
type: string
release_tag_ref:
description: 'Git reference to checkout (e.g. n8n@1.2.3)'
required: true
type: string
secrets:
SLACK_WEBHOOK_URL:
required: true
workflow_dispatch:
inputs:
n8n_version:
description: 'N8N version to generate SBOM for'
required: true
type: string
release_tag_ref:
description: 'Git reference to checkout (e.g. n8n@1.2.3)'
required: true
type: string
permissions:
contents: write
id-token: write
attestations: write
jobs:
generate-sbom:
name: Generate and Attach SBOM to Release
runs-on: ubuntu-latest
timeout-minutes: 15
continue-on-error: true
steps:
- name: Checkout release tag
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.release_tag_ref }}
- name: Setup Node.js and install dependencies
uses: ./.github/actions/setup-nodejs
with:
build-command: ''
- name: Generate CycloneDX SBOM for source code
uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
with:
path: ./
format: cyclonedx-json
output-file: sbom-source.cdx.json
- name: Attest SBOM for source release
uses: actions/attest-sbom@07e74fc4e78d1aad915e867f9a094073a9f71527 # v4.0.0
with:
subject-path: './package.json'
sbom-path: 'sbom-source.cdx.json'
- name: Attach SBOM and VEX files to release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Upload SBOM and VEX files to the existing release
gh release upload "${{ inputs.release_tag_ref }}" \
sbom-source.cdx.json \
security/vex.openvex.json \
--clobber
COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
VEX_STATEMENTS=$(jq '.statements | length' security/vex.openvex.json 2>/dev/null || echo "0")
echo "SBOM and VEX attached to release"
echo " - SBOM: $COMPONENT_COUNT components"
echo " - VEX: $VEX_STATEMENTS CVE statements"
- name: Notify Slack on failure
if: failure()
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
with:
status: ${{ job.status }}
channel: '#alerts-build'
webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
message: |
<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}| SBOM generation and attachment failed for release ${{ inputs.release_tag_ref }} >
Reference in a new issue View git blame Copy permalink