Add SBOM generation on release (mattermost#27733)

* Add SBOM generation on release * Fix release-note NONE in PR template
devinbinnie · Aug 14, 2024 · 4c91ad8 · 4c91ad8
1 parent 061ff0f
commit 4c91ad8
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -56,7 +56,7 @@ Added new API endpoints POST /api/v4/foo, GET api/v4/foo, and GET api/v4/foo/:fo
 Added a new config setting ServiceSettings.FooBar. Added a new column Foo to the Users table.
 ```
 
-```
+```release-note
 NONE
 ```
 -->

diff --git a/.github/workflows/snyk-sbom.yml b/.github/workflows/snyk-sbom.yml
@@ -0,0 +1,34 @@
+name: Snyk - Software Bill of Materials (SBOM)
+on:
+  release:
+    types: [published]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Node
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version: '22.6.0'
+
+      - name: Install Snyk CLI
+        run: npm install -g [email protected]
+
+      - name: Generate SBOM
+        run: snyk sbom --format=cyclonedx1.5+json --all-projects > sbom.json
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload SBOM
+        uses: Shopify/upload-to-release@c77c9b3e5d288adaef98a7007bf92340ec6ce03b # v2.0.0
+        with:
+          name: sbom.json
+          path: sbom.json
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          content-type: application/json
-Original file line number
+Diff line change
@@ Expand Up @@
     Added a new config setting ServiceSettings.FooBar. Added a new column Foo to the Users table.
     ```
-    ```
+    ```release-note
     NONE
     ```
     -->
@@ Expand Down @@