@Copilot Copilot AI commented Jun 30, 2025

This PR implements SBOM generation for releases as requested in the issue. Each release will now include a complete Software Bill of Materials alongside the compiled action.

Changes Made

🔧 Enhanced Release Workflow

  • Added SBOM generation step to .github/workflows/publishing.yml
  • Uses GitHub's dependency graph API (gh api repos/{repo}/dependency-graph/sbom) to fetch comprehensive dependency information
  • Generates SBOM in industry-standard SPDX format as sbom.spdx.json
  • Includes validation to ensure SBOM generation succeeds before proceeding with release
  • Modified release step to include SBOM as an additional release asset
  • Enhanced release notes to describe both the compiled action and SBOM

📚 Documentation Update

  • Added Security section to README.md explaining SBOM inclusion
  • Documents SBOM format (SPDX) and data source (GitHub dependency graph)

🧪 Testing

  • Added comprehensive workflow validation test (__tests__/workflow.test.ts)
  • Ensures SBOM generation step exists and is properly configured
  • Validates release step includes SBOM file in assets
  • Added @types/js-yaml dev dependency for TypeScript support

Implementation Details

The implementation follows the original request to use dependency information from the main branch by leveraging GitHub's dependency graph API - the same data source that powers Dependabot. This ensures the SBOM contains accurate, up-to-date dependency information.

Each future release will include:

  • main.js - The compiled GitHub Action
  • sbom.spdx.json - Complete Software Bill of Materials in SPDX format

The SBOM provides transparency about all dependencies used in the action, supporting security auditing and compliance requirements.

Fixes #3.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/devops-actions/load-REDACTED-info/dependency-graph/sbom
    • Triggering command: curl -s REDACTED -H Accept: application/vnd.github.v3+json (http block)

If you need me to access, download, or install something from one of these locations, you can either:

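As an added example (not the PR's own workflow or test code), here is the kind of validation the "ensure SBOM generation succeeds before proceeding" step needs: the `gh api repos/{repo}/dependency-graph/sbom` endpoint wraps the SPDX document in a top-level `sbom` key, and a failed call leaves an error JSON or an empty file in its place, so the check confirms an SPDX document with at least one package before the file is attached as a release asset. Both sample payloads are constructed.

```python
import json
from typing import Any


class SbomValidationError(ValueError):
    """Raised when sbom.spdx.json is not a usable SPDX document."""


def validate_sbom(text: str) -> dict[str, Any]:
    """Check the JSON written by the dependency-graph SBOM step: accepts the
    raw API response ({"sbom": {...}}) or a bare SPDX document."""
    if not text.strip():
        raise SbomValidationError("SBOM file is empty")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise SbomValidationError(f"SBOM is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise SbomValidationError("SBOM root must be a JSON object")
    # A failed API call returns {"message": ..., "status": ...}, not a document.
    if "message" in data and "spdxVersion" not in data and "sbom" not in data:
        raise SbomValidationError(f"API error instead of SBOM: {data['message']}")
    doc = data.get("sbom", data)
    if not isinstance(doc, dict):
        raise SbomValidationError("SBOM payload must be a JSON object")
    version = doc.get("spdxVersion", "")
    if not isinstance(version, str) or not version.startswith("SPDX-"):
        raise SbomValidationError(f"unexpected spdxVersion: {version!r}")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        raise SbomValidationError("missing SPDXRef-DOCUMENT identifier")
    packages = doc.get("packages")
    if not isinstance(packages, list) or not packages:
        raise SbomValidationError("SBOM lists no packages")
    unnamed = [p for p in packages if not isinstance(p, dict) or not p.get("name")]
    if unnamed:
        raise SbomValidationError(f"{len(unnamed)} package entries have no name")
    # Summary for the release log: enough to spot an unexpectedly thin SBOM.
    return {"spdxVersion": version, "packages": len(packages),
            "relationships": len(doc.get("relationships") or [])}


# Constructed samples shaped like the endpoint's response and like a failed call.
GOOD_RESPONSE = json.dumps({"sbom": {
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "npm:js-yaml", "versionInfo": "4.1.0"},
                 {"name": "actions:actions/checkout", "versionInfo": "4"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES", "relatedSpdxElement": "x"}]}})
ERROR_RESPONSE = json.dumps({"message": "Not Found", "status": "404"})
```

In a workflow step, run this against the saved file and let a raised `SbomValidationError` fail the job before the release step uploads the asset.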

@Copilot Copilot AI changed the title [WIP] Add SBOM information to the release Add SBOM (Software Bill of Materials) to releases Jun 30, 2025
@Copilot Copilot AI requested a review from rajbos June 30, 2025 06:49
Copilot finished work on behalf of rajbos June 30, 2025 06:49
Development

Successfully merging this pull request may close these issues.

Add SBOM information to the release