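# Generates and uploads SBOMs for a specific EPPlus version without running the full build pipeline.
# Useful for backfilling SBOMs for older releases.
# Triggered manually via workflow_dispatch with a version input.
#
# NOTE(review): actions below are referenced by major-version tag (@v4, @v2).
# Pinning each `uses:` to a full commit SHA would make the workflow's own
# supply chain immutable; left as-is here because no SHA is recorded in this file.
name: Generate SBOM

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'EPPlus version to generate SBOMs for (e.g. 8.4.1)'
        required: true
        type: string

# Least privilege for GITHUB_TOKEN: the job only reads the repository.
# Azure authentication below uses its own service-principal credentials
# (not GITHUB_TOKEN and not OIDC), and artifact upload needs no extra scope.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: windows-latest
    env:
      # The version is a human-typed dispatch input. Scripts read it from the
      # environment ($env:VERSION) instead of interpolating `${{ }}` into the
      # script text, so its content can never change the script's structure.
      VERSION: ${{ github.event.inputs.version }}
    steps:
      - name: Validate version input
        # Deliberately permissive (pre-release suffixes still pass); the aim is
        # to keep shell metacharacters and path separators out of the branch
        # ref, the generated file names and the blob names used below.
        run: |
          if ($env:VERSION -notmatch '^[0-9A-Za-z.-]+$') {
            throw "Invalid version input: '$env:VERSION'"
          }
        shell: pwsh

      - uses: actions/checkout@v4
        with:
          # Check out the release branch so that the csproj reflects the correct
          # version and dependencies for the requested version
          ref: release/epplus${{ github.event.inputs.version }}

      - name: Fetch sbom-metadata-template.xml from develop8
        # The template is always taken from develop8, presumably because older
        # release branches do not carry it — confirm if that assumption changes.
        run: |
          git fetch origin develop8
          git checkout origin/develop8 -- src/EPPlus/sbom-metadata-template.xml
        shell: pwsh

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: |
            9.0.x
            10.0.x

      - name: Read target frameworks from csproj
        # Exposes the first non-empty <TargetFrameworks> value (a ';'-separated
        # list) to later steps as TFMS. VERSION is already set at job level.
        run: |
          $xml = [xml](Get-Content ./src/EPPlus/EPPlus.csproj)
          $tfms = $xml.Project.PropertyGroup.TargetFrameworks | Where-Object { $_ } | Select-Object -First 1
          echo "TFMS=$tfms" >> $env:GITHUB_ENV
        shell: pwsh

      - name: Restore dependencies
        run: dotnet restore ./src/EPPlus.sln

      - name: Install CycloneDX
        run: dotnet tool install --global CycloneDX

      - name: Generate combined SBOM
        # One SBOM covering all target frameworks; the file name embeds the version.
        run: dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv $env:VERSION -fn "epplus-$($env:VERSION).sbom.json" -imp ./src/EPPlus/sbom-metadata-template.xml --spec-version 1.6
        shell: pwsh

      - name: Generate per-TFM SBOMs
        # One additional SBOM per target framework listed in TFMS; empty
        # entries (e.g. a trailing ';') are skipped.
        run: |
          $tfms = $env:TFMS -split ";"
          foreach ($tfm in $tfms) {
            $tfm = $tfm.Trim()
            if ([string]::IsNullOrEmpty($tfm)) { continue }
            Write-Host "Generating SBOM for $tfm"
            dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv $env:VERSION -fn "epplus-$($env:VERSION).$tfm.sbom.json" -imp ./src/EPPlus/sbom-metadata-template.xml --framework $tfm --spec-version 1.6
          }
        shell: pwsh

      - name: Generate SHA-256 checksums for all SBOMs
        # Writes `<lowercase hex hash> <file name>` (single space) next to each
        # SBOM as <name>.sha256, UTF-8 without BOM.
        # NOTE(review): `sha256sum -c` expects two spaces (or ` *`) between hash
        # and name — confirm how consumers verify these files before relying on it.
        run: |
          Get-ChildItem -Path "./sbom" -Filter "*.sbom.json" | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            "$hash $($_.Name)" | Out-File -FilePath "$($_.FullName).sha256" -Encoding utf8NoBOM
            Write-Host "Checksum generated for $($_.Name): $hash"
          }
        shell: pwsh

      - name: Authenticate to Azure
        # Service-principal login with a stored client secret. A federated
        # (OIDC) credential would remove the long-lived secret from the repo,
        # at the cost of `id-token: write` and Azure-side setup.
        # NOTE(review): by the secret names this is the code-signing identity;
        # confirm its role assignment is limited to blob data write on the
        # `sbom` container rather than a broader subscription-level role.
        uses: Azure/login@v2
        with:
          creds: '{"clientId":"${{ secrets.EPPLUS_CODE_SIGNING_APPLICATION_ID }}","clientSecret":"${{ secrets.EPPLUS_CODE_SIGNING_SECRET }}","subscriptionId":"${{ secrets.EPPLUS_CODE_SIGNING_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.EPPLUS_CODE_SIGNING_TENENT_ID }}"}'

      - name: Upload all SBOMs to Azure Blob Storage
        # Uploads every file in ./sbom (SBOMs and their .sha256 sidecars).
        # --overwrite is intentional for backfill re-runs: an existing SBOM and
        # checksum for this version are replaced, not preserved.
        run: |
          Get-ChildItem -Path "./sbom" | ForEach-Object {
            Write-Host "Uploading $($_.Name)"
            az storage blob upload `
              --account-name eppluswebprod `
              --container-name sbom `
              --name $_.Name `
              --file $_.FullName `
              --auth-mode login `
              --overwrite
          }
        shell: pwsh

      - name: Upload all SBOMs as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.event.inputs.version }}
          path: ./sbom/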