
Commit 1629779

committed
PHP-1688: SBOM generation workflow
1 parent b8f569e commit 1629779


3 files changed

+158
-0
lines changed

3 files changed

+158
-0
lines changed
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
name: Generate SBOM
2+
description: Generates CycloneDX SBOM using cdxgen
3+
inputs:
4+
output-file:
5+
description: "Output filename for the SBOM"
6+
required: false
7+
default: "sbom.json"
8+
9+
runs:
10+
using: composite
11+
steps:
12+
- name: Generate SBOM
13+
shell: bash
14+
working-directory: ${{ inputs.working-directory }}
15+
run: |
16+
echo "Generating SBOM for 'php' project..."
17+
cdxgen -t 'php' --json-pretty --spec-version 1.5 -o ${{ inputs.output-file }} .
18+
19+
- name: Validate SBOM
20+
shell: bash
21+
run: |
22+
if [ ! -f "${{ inputs.output-file }}" ]; then
23+
echo "Error: SBOM file not found"
24+
exit 1
25+
fi
26+
27+
echo "SBOM file validated: ${{ inputs.output-file }}"
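Review bot: `working-directory: ${{ inputs.working-directory }}` on the Generate SBOM step references an input this action never declares — its `inputs:` block defines only `output-file` — so the expression expands to an empty string and the step does not run where a caller passing `working-directory` expects. Either declare `working-directory` with `default: "."` in this action's inputs or drop the line; if it is declared, the Validate SBOM step needs the same `working-directory:` or it checks for the file in the wrong directory. Both steps also splice `${{ inputs.output-file }}` straight into bash; passing it through an `env:` entry on the step and referencing `"$OUTPUT_FILE"` in the script keeps the value out of shell parsing, which is the documented pattern for action inputs. The file path for this section is not shown on the page.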
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
name: Setup PHP SBOM
2+
description: Sets up environment for generating SBOM in PHP projects
3+
inputs:
4+
working-directory:
5+
description: "The directory where composer.json is located"
6+
required: false
7+
default: "."
8+
9+
runs:
10+
using: composite
11+
steps:
12+
- name: Setup Node.js (for cdxgen)
13+
uses: actions/setup-node@v4
14+
with:
15+
node-version: '20'
16+
17+
- name: Install cdxgen
18+
shell: bash
19+
run: npm install -g @cyclonedx/cdxgen
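Review bot: `npm install -g @cyclonedx/cdxgen` installs whatever version is latest on the registry at run time, so the tool that produces the SBOM is itself unpinned and its output can change between runs with no change in the repository; pin it, e.g. `run: npm install -g @cyclonedx/cdxgen@<pinned-version>` (placeholder — choose and record the version), and consider pinning `actions/setup-node` to a commit SHA as the workflow already does for `peter-evans/create-pull-request`. The `working-directory` input declared at the top of this action is not referenced by any step, so a caller passing it gets no effect; either use it or remove it. The file path for this section is not shown on the page.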

.github/workflows/sbom.yml

Lines changed: 112 additions & 0 deletions
@@ -0,0 +1,112 @@
1+
name: Post-Merge SBOM Update
2+
3+
on:
4+
push:
5+
branches:
6+
- v1.21
7+
paths:
8+
- 'composer.json'
9+
- 'composer.lock'
10+
workflow_dispatch:
11+
permissions:
12+
contents: write
13+
pull-requests: write
14+
env:
15+
PHP_VERSION: "8.2"
16+
DRIVER_VERSION: "mongodb/[email protected]"
17+
SBOM_FILE: "sbom.json"
18+
jobs:
19+
sbom:
20+
name: Generate SBOM and Create PR
21+
runs-on: ubuntu-latest
22+
23+
concurrency:
24+
group: sbom-${{ github.ref }}
25+
cancel-in-progress: false
26+
27+
steps:
28+
- name: Checkout repository (Base Branch)
29+
uses: actions/checkout@v4
30+
with:
31+
ref: ${{ github.event.pull_request.base.ref }}
32+
token: ${{ secrets.GITHUB_TOKEN }}
33+
fetch-depth: 0
34+
35+
- name: Setup PHP environment
36+
uses: ./.github/actions/setup
37+
with:
38+
php-version: ${{ env.PHP_VERSION }}
39+
driver-version: ${{ env.DRIVER_VERSION }}
40+
working-directory: '.'
41+
42+
- name: Generate/Update composer.lock
43+
run: |
44+
echo "Resolving dependencies and generating composer.lock..."
45+
composer update --lock --no-install --ignore-platform-reqs
46+
echo "composer.lock generated with resolved versions"
47+
48+
- name: Setup SBOM environment
49+
uses: ./.github/actions/setup-sbom
50+
51+
- name: Run SBOM Generator
52+
uses: ./.github/actions/sbom-update
53+
with:
54+
php-version: ${{ env.PHP_VERSION }}
55+
working-directory: '.'
56+
output-file: 'sbom.json'
57+
output-format: 'json'
58+
59+
- name: Check for Changes in sbom.json
60+
id: git_status
61+
run: |
62+
# Filter to remove/normalize serialNumber and timestamp fields
63+
JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)'
64+
65+
# Check if the base file exists in Git (to prevent errors on first commit)
66+
if ! git show HEAD:$SBOM_FILE > /dev/null 2>&1; then
67+
echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
68+
exit 0
69+
fi
70+
71+
# Compare the normalized committed version vs. the normalized current version
72+
if diff -q \
73+
<(git show HEAD:$SBOM_FILE | jq -r "$JQ_NORMALIZER") \
74+
<(cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"); then
75+
76+
echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT
77+
echo "No changes detected in sbom.json"
78+
else
79+
echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
80+
echo "Changes detected in sbom.json"
81+
fi
82+
83+
- name: Create Pull Request
84+
if: steps.git_status.outputs.HAS_CHANGES == 'true'
85+
uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22
86+
with:
87+
token: ${{ secrets.GITHUB_TOKEN }}
88+
commit-message: 'chore: Update SBOM after dependency changes'
89+
branch: auto-update-sbom-${{ github.run_id }}
90+
delete-branch: true
91+
title: 'chore: Update SBOM'
92+
body: |
93+
## Automated SBOM Update
94+
95+
This PR was automatically generated because dependency manifest files changed.
96+
97+
### Changes
98+
- Updated `sbom.json` to reflect current dependencies
99+
100+
### Verification
101+
The SBOM was generated using SilkBomb v1.0.
102+
103+
### Triggered by
104+
- Commit: ${{ github.sha }}
105+
- Workflow run: ${{ github.run_id }}
106+
107+
---
108+
_This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
109+
labels: |
110+
sbom
111+
automated
112+
dependencies
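Review bot: `ref: ${{ github.event.pull_request.base.ref }}` in the checkout step is always empty here, because the workflow runs only on `push` and `workflow_dispatch`, whose event payloads carry no `pull_request` object; checkout silently falls back to its default ref, so the line should be `ref: ${{ github.ref }}` or removed. The PR body states `The SBOM was generated using SilkBomb v1.0.` while the job actually runs cdxgen through the composite actions, so the reviewer of the generated PR is given the wrong provenance — name the real generator or drop the sentence. `composer update --lock --no-install --ignore-platform-reqs` rewrites composer.lock in the working tree, and the change check compares only `$SBOM_FILE`, so a run may open a PR that carries an unreviewed composer.lock change alongside the SBOM; if that is not intended, restore composer.lock before the Create Pull Request step or restrict what that action commits (its `add-paths` input, if the pinned version supports it). The inputs `php-version` and `output-format` passed to `./.github/actions/sbom-update` do not appear to be declared by either composite action on this page, which would yield an "Unexpected input(s)" warning rather than an effect.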
