a3bc6eb3c7a805905c6779f543072ec75397a2c3
Bumps [@github/dependency-submission-toolkit](https://github.com/github/dependency-submission-toolkit) from 1.2.2 to 1.2.3. - [Release notes](https://github.com/github/dependency-submission-toolkit/releases) - [Commits](https://github.com/github/dependency-submission-toolkit/compare/v1.2.2...v1.2.3) --- updated-dependencies: - dependency-name: "@github/dependency-submission-toolkit" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
SPDX to Dependency Graph Action
This repository makes it easy to upload an SPDX SBOM to GitHub's dependency submission API. This lets you quickly receive Dependabot alerts for package manifests which GitHub doesn't directly support like pnpm or Paket by using existing off-the-shelf SBOM generators.
Example workflow
This workflow uses the Microsoft sbom-tool.
name: SBOM upload
on:
workflow_dispatch:
push:
branches: ["main"]
jobs:
SBOM-upload:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
steps:
- uses: actions/checkout@v3
- name: Generate SBOM
run: |
curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
chmod +x $RUNNER_TEMP/sbom-tool
$RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ${{ github.repository }} -pv 1.0.0 -ps OwnerName -nsb https://sbom.mycompany.com -V Verbose
- uses: actions/upload-artifact@v3
with:
name: sbom
path: _manifest/spdx_2.2
- name: SBOM upload
uses: jhutchings1/spdx-to-dependency-graph-action@v0.0.1
with:
filePath: "_manifest/spdx_2.2/"
Description
Languages
TypeScript
96.4%
JavaScript
3.6%