# yamllint disable rule:line-length
---
name: generate software bill-of-materials for docker image
description: generate software bill-of-materials for docker image

# All three inputs are optional. The steps below substitute their values into
# shell commands, so callers should pass only values they control.
inputs:
  # Directory both steps run in. The steps read a file named `manifestid`
  # from it and write the SBOM file into it.
  working-directory:
    description: set working directory. Default is ./.
    required: false
    default: "."

  # Registry host used for `oras login` and as the prefix of the pushed
  # SBOM artifact reference.
  registry:
    description: name of registry
    required: false
    default: "docker.io"

  # File that syft's output is redirected to and that `oras push` uploads.
  # The content is SPDX JSON (`--output spdx-json`), whatever the extension.
  sbom-filename:
    description: name of generate sbom file
    required: false
    default: "sbom.spdx"
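runs:
  using: "composite"
  steps:
    # Generates an SPDX-JSON SBOM for the image reference stored in
    # ./manifestid. That file is not created by this action; presumably an
    # earlier step of the calling workflow writes it (confirm with callers).
    - name: generate sbom
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      # Inputs reach the script as environment variables, not through
      # ${{ }} substitution inside `run:`. Substituted text becomes part of
      # the script and is parsed by bash; a variable's value is only data.
      env:
        SBOM_FILENAME: ${{ inputs.sbom-filename }}
      run: |
        set -euo pipefail
        # Separate assignment so a missing manifestid aborts the step
        # instead of invoking syft with an empty argument.
        manifest_id="$(cat manifestid)"
        syft --verbose --output spdx-json "${manifest_id}" > "${SBOM_FILENAME}"

    # NOTE(review): despite its name, this step logs in to the registry and
    # pushes the generated SBOM as an OCI artifact.
    # DOCKER_LOGIN and DOCKER_PASSWORD are not inputs of this action; they
    # must already be set in the calling job's environment. With `set -u`
    # an unset variable fails the step rather than attempting an empty login.
    # `oras login` persists the credential on the runner and nothing here
    # logs out again; callers on shared or self-hosted runners should do so.
    - name: write manifest locally for sbom generation
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      env:
        REGISTRY: ${{ inputs.registry }}
        SBOM_FILENAME: ${{ inputs.sbom-filename }}
      run: |
        set -euo pipefail
        # printf with a quoted variable avoids word splitting, globbing and
        # echo's option parsing on the secret value.
        printf '%s\n' "${DOCKER_PASSWORD}" | oras login "${REGISTRY}" -u "${DOCKER_LOGIN}" --password-stdin

        # Derive the artifact name from the image reference:
        #   1. drop "<registry>/"   2. ':' -> '-'   3. '@' -> ':'
        # Quoted patterns are matched literally, so dots or slashes in the
        # registry name cannot act as regex or delimiter characters as they
        # did when the value was pasted into a sed expression.
        manifest_id="$(cat manifestid)"
        registry_prefix="${REGISTRY}/"
        artifact=${manifest_id//"${registry_prefix}"/}
        artifact=${artifact//:/-}
        artifact=${artifact//@/:}

        oras push --artifact-type 'application/vnd.unknown.config.v1+json' "${REGISTRY}/${artifact}.spdx" "${SBOM_FILENAME}:application/json"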