Skip to content

build(deps): update github/codeql-action action to v3.27.9 (#6100) #895

build(deps): update github/codeql-action action to v3.27.9 (#6100)

build(deps): update github/codeql-action action to v3.27.9 (#6100) #895

Workflow file for this run

# Workflow for generating a software bill of materials (SBOM).
#
# Currently, this uses the slsa-framework/github-actions-demo action to
# generate an in-toto attestation. This is the pushed to a remote repository
# for storage.
name: sbom
on:
push:
branches:
- master
env:
JAVA_DISTRIBUTION: temurin
jobs:
sbom:
runs-on: ubuntu-latest
environment: SBOM-store
env:
MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
name: Generate and store SBOM
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
java-version: 17
distribution: ${{ env.JAVA_DISTRIBUTION }}
- name: Get date for cache # see https://github.com/actions/cache README
id: get-date
run: echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
shell: bash
- name: Use Maven dependency cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ~/.m2/repository
key: ${{ runner.os }}-${{ steps.get-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-maven-
- name: Build project
run: |
mvn -B test-compile
- name: Generate provenance
# Note that this action is a demo, meaning that it works fine now, but
# there are no guarantees of future support and development.
uses: slsa-framework/github-actions-demo@9474e92bbf825d5b4b46810fc9367dfc73429a2a # tag=v0.1
with:
artifact_path: .
output_path: provenance.json
- name: Add deployment SSH private key to agent
run: |
ssh-agent -a ${{ env.SSH_AUTH_SOCK }} > /dev/null
ssh-add - <<< "${{ secrets.SBOM_DEPLOY_SSH }}"
echo ${{ env.SSH_AUTH_SOCK }}
- name: Push provenance to remote
env:
# Target repo to upload provenance file
REMOTE_REPO_URL: [email protected]:chains-project/sbom-files.git
GIT_USER: provenance-bot
GIT_EMAIL: [email protected]
run: |
git config --global user.name "${{ env.GIT_USER }}"
git config --global user.email "${{ env.GIT_EMAIL }}"
git clone $REMOTE_REPO_URL
mkdir -p sbom-files/spoon/slsa
cp provenance.json sbom-files/spoon/slsa/$(date +%s)-${{ github.sha }}.sbom.json
cd sbom-files
git add .
git commit -m "Spoon: ${{ github.sha }}"
git push