feat(ci): generate and validate SBOM (#299)

* generate and validate SBOM * add generate-and-validate workflow for main Signed-off-by: Rahul Tiwari <[email protected]>
opensbom-generator · Aug 18, 2023 · 485a891 · 485a891
1 parent 935cdb9
commit 485a891
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 17 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -13,9 +13,9 @@ jobs:
         go: [ "^1.20" ]
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: ${{ matrix.go }}
       - name: Setup
@@ -26,3 +26,22 @@ jobs:
         run: make check-headers
       - name: Build
         run: make build
+  generate-and-validate:
+    name: Generate and validate SBOM file
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go: [ "^1.20" ]
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Setup Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ matrix.go }}
+      - name: Generate SBOM
+        run: make generate
+      - name: Validate SBOM
+        uses: chainguard-dev/actions/setup-spdx@main
+        with:
+          sbom-path: examples/sbom.spdx
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -30,21 +30,23 @@ jobs:
         run: make check-headers
       - name: Build
         run: make build
-  generate:
-    name: Generate sbom file
+  generate-and-validate:
+    name: Generate and validate SBOM file
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go: [ "^1.20" ]
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v2
-      - name: gh-action-spdx-sbom-generator
-        uses: niravpatel27/[email protected].0
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Setup Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          version: '0.0.3'
-      - name: Check if sbom file generated
-        run: |
-          if [ ! -f "bom-go-mod.spdx" ]; then
-            echo "::error::bom-go-mod.spdx is missing. Must generate using the spdx-sbom-generator cli."
-            exit 1
-          else
-             echo "Success!"
-          fi
+          go-version: ${{ matrix.go }}
+      - name: Generate SBOM
+        run: make generate
+      - name: Validate SBOM
+        uses: chainguard-dev/actions/setup-spdx@main
+        with:
+          sbom-path: examples/sbom.spdx
+
diff --git a/Makefile b/Makefile
@@ -30,12 +30,15 @@ mod:
 generate: mod
 	@echo "Running cli on version: $(VERSION)"
 	@GO111MODULE=on GLFLAGs=-mod-vendor go run cmd/generator/generator.go $(ARGS)
+	@GO111MODULE=on GLFLAGs=-mod-vendor go run cmd/sbomgen/sbomgen.go $(ARGS) > examples/sbom.spdx
 
 .PHONY: build
 build: mod
 	@echo "Building spdx-sbom-generator for Linux Intel/AMD 64-bit version: $(VERSION)"
 	env GOOS=linux GOARCH=amd64 go build $(LD_FLAGS) -o bin/spdx-sbom-generator cmd/generator/generator.go
+	env GOOS=linux GOARCH=amd64 go build $(LD_FLAGS) -o bin/sbomgen cmd/sbomgen/sbomgen.go
 	@chmod +x bin/spdx-sbom-generator
+	@chmod +x bin/sbomgen
 
 .PHONY: build-mac
 build-mac: mod

diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/go-git/go-git/v5 v5.7.0
 	github.com/google/uuid v1.2.0
 	github.com/opensbom-generator/parsers v0.0.0-20230627202907-fc5a182b1325
+	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spdx/tools-golang v0.5.2
 	github.com/spf13/cobra v1.7.0
@@ -40,7 +41,6 @@ require (
 	github.com/montanaflynn/stats v0.6.6 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect