remove anchore/sbom-action (#45)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer
2024-04-22 09:22:27 -07:00
committed by GitHub
parent 38c481ec87
commit 36d21cdc72
3 changed files with 5 additions and 81 deletions
-28
@@ -69,31 +69,3 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-sbom.outputs.bundle-path }}
test-attest-sbom:
name: Test attest-sbom action
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run attest-sbom with spdx format
uses: ./
with:
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
sbom-format: 'spdx'
- name: Run attest-sbom with cyclonedx format
id: attest-sbom
uses: ./
env:
INPUT_PRIVATE-SIGNING: 'true'
with:
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
sbom-format: 'cyclonedx'
+5 -15
@@ -5,9 +5,8 @@ the [@actions/attest][1] package.
Attestations bind some subject (a named artifact along with its digest) to a a
Software Bill of Materials (SBOM) using the [in-toto][2] format. The action
accepts SBOMs which have been generated by external tools or can generate one
automatically by invoking the [anchore/sbom-action][3]. Externally generated
SBOMs must be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format.
accepts SBOMs which have been generated by external tools. Provided SBOMs must
be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format.
A verifiable signature is generated for the attestation using a short-lived
[Sigstore][6]-issued signing certificate. If the repository initiating the
@@ -45,12 +44,12 @@ attest:
- uses: actions/attest-sbom@v1
with:
subject-path: '<PATH TO ARTIFACT>'
sbom-path: '<PATH TO SBOM>'
```
The `subject-path` parameter should identity the artifact for which you want
to generate an SBOM attestation. When no other inputs are specified, the
action will automatically generate an SPDX SBOM by scanning the
`github.workspace` directory.
to generate an SBOM attestation. The `sbom-path` parameter should identify
the SBOM document to be associated with the subject.
### Inputs
@@ -77,15 +76,6 @@ See [action.yml](action.yml)
# "scan-path" and "sbom-format" inputs are ignored.
sbom-path:
# Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path"
# is specified. Defaults to ${{ github.workspace }}
scan-path:
# Format to use for the generated SBOM output. Supported formats are
# "spdx" and "cyclonedx". Ignored if "sbom-path" is specified. Defaults to
# "spdx".
sbom-format:
# Whether to push the attestation to the image registry. Requires that the
# "subject-name" parameter specify the fully-qualified image name and that
# the "subject-digest" parameter be specified. Defaults to false.
-38
@@ -24,18 +24,6 @@ inputs:
Path to the JSON-formatted SBOM file to attest. When specified, the
"scan-path" and "sbom-format" inputs are ignored.
required: false
scan-path:
description: >
Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path"
is specified.
default: ${{ github.workspace }}
required: false
sbom-format:
description: >
Format to use for the generated SBOM output. Supported formats are "spdx"
and "cyclonedx". Ignored if "sbom-path" is specified.
default: 'spdx'
required: false
push-to-registry:
description: >
Whether to push the provenance statement to the image registry. Requires
@@ -57,32 +45,6 @@ outputs:
runs:
using: 'composite'
steps:
- name: Generate random SBOM output file name
if: inputs.sbom-path == ''
id: sbom-output
run:
echo "path=${{ runner.temp }}/sbom_$(openssl rand -hex 6).json" >> $GITHUB_OUTPUT
shell: bash
- name: SBOM format check
id: check-sbom-format
if: inputs.sbom-path == ''
run: |
if [ "${{inputs.sbom-format}}" != "spdx" ] && [ "${{inputs.sbom-format}}" != "cyclonedx" ] ]; then
echo "Invalid SBOM format. Supported formats are spdx and cyclonedx."
exit 1
elif [ "${{inputs.sbom-format}}" == "spdx" ]; then
echo "format=spdx-json" >> $GITHUB_OUTPUT
elif [ "${{inputs.sbom-format}}" == "cyclonedx" ]; then
echo "format=cyclonedx-json" >> $GITHUB_OUTPUT
fi
shell: bash
- name: Generate SBOM
if: inputs.sbom-path == ''
uses: anchore/sbom-action@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10
with:
path: ${{ inputs.scan-path }}
output-file: ${{ steps.sbom-output.outputs.path }}
format: ${{ steps.check-sbom-format.outputs.format }}
- uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
id: generate-sbom-predicate
with: