mirror of
https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git
synced 2025-12-16 17:46:45 +00:00
109 lines
3.6 KiB
YAML
109 lines
3.6 KiB
YAML
name: 'Release: Attach SBOM'
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
n8n_version:
|
|
description: 'N8N version to generate SBOM for'
|
|
required: true
|
|
type: string
|
|
release_tag_ref:
|
|
description: 'Git reference to checkout (e.g. n8n@1.2.3)'
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
SLACK_WEBHOOK_URL:
|
|
required: true
|
|
|
|
workflow_dispatch:
|
|
inputs:
|
|
n8n_version:
|
|
description: 'N8N version to generate SBOM for'
|
|
required: true
|
|
type: string
|
|
release_tag_ref:
|
|
description: 'Git reference to checkout (e.g. n8n@1.2.3)'
|
|
required: true
|
|
type: string
|
|
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
|
|
jobs:
|
|
generate-sbom:
|
|
name: Generate and Attach SBOM to Release
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
continue-on-error: true
|
|
steps:
|
|
- name: Checkout release tag
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
with:
|
|
ref: ${{ inputs.release_tag_ref }}
|
|
|
|
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
|
with:
|
|
node-version: 22.x
|
|
|
|
- name: Setup corepack and pnpm
|
|
run: |
|
|
npm i -g corepack@0.33
|
|
corepack enable
|
|
|
|
- name: Install dependencies for SBOM generation
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Generate CycloneDX SBOM for source code
|
|
uses: anchore/sbom-action@b9a8bc8d2c19e9396f663e53c7b55848e98cf17c # v0.17.6
|
|
with:
|
|
path: ./
|
|
format: cyclonedx-json
|
|
output-file: sbom-source.cdx.json
|
|
|
|
- name: Attest build provenance for source release
|
|
uses: actions/attest-build-provenance@977bb37082e0bfde04bb18e63b0632b7b5a1c4a3 # v3.0.0
|
|
with:
|
|
subject-path: './package.json'
|
|
|
|
- name: Attest SBOM for source release
|
|
uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
|
|
with:
|
|
subject-path: './package.json'
|
|
sbom-path: 'sbom-source.cdx.json'
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@9e9de2292db7abb3f51b7f4808d98f0d347a8919 # v3.7.0
|
|
|
|
- name: Sign SBOM (keyless)
|
|
run: |
|
|
# Sign SBOM using Cosign keyless signing with GitHub OIDC
|
|
# This provides cryptographic proof of authenticity and integrity
|
|
cosign sign-blob --yes --output-signature sbom-source.cdx.sig --output-certificate sbom-source.cdx.pem sbom-source.cdx.json
|
|
|
|
- name: Attach SBOM files to release
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
# Upload SBOM files to the existing release
|
|
gh release upload "${{ inputs.release_tag_ref }}" \
|
|
sbom-source.cdx.json \
|
|
sbom-source.cdx.sig \
|
|
sbom-source.cdx.pem \
|
|
--clobber
|
|
|
|
COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
|
|
echo "✅ SBOM workflow completed"
|
|
echo "📊 SBOM contains $COMPONENT_COUNT components"
|
|
echo "🛡️ GitHub attestations created for source release"
|
|
|
|
- name: Notify Slack on failure
|
|
if: failure()
|
|
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
|
|
with:
|
|
status: ${{ job.status }}
|
|
channel: '#alerts-build'
|
|
webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
message: |
|
|
<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}| SBOM generation and attachment failed for release ${{ inputs.release_tag_ref }} > |