Generate SBOM #32
| # Generates and uploads SBOMs for a specific EPPlus version without running the full build pipeline. | |
| # Useful for backfilling SBOMs for older releases. | |
| # Triggered manually via workflow_dispatch with a version input. | |
| name: Generate SBOM | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'EPPlus version to generate SBOMs for (e.g. 8.4.1)' | |
| required: true | |
| type: string | |
| jobs: | |
| sbom: | |
| runs-on: windows-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Check out the release branch so that the csproj reflects the correct | |
| # version and dependencies for the requested version | |
| ref: release/epplus${{ github.event.inputs.version }} | |
| - name: Fetch sbom-metadata-template.xml from develop8 | |
| run: | | |
| git fetch origin develop8 | |
| git checkout origin/develop8 -- src/EPPlus/sbom-metadata-template.xml | |
| shell: pwsh | |
| - name: Setup .NET | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: | | |
| 9.0.x | |
| 10.0.x | |
| - name: Read target frameworks from csproj | |
| run: | | |
| $xml = [xml](Get-Content ./src/EPPlus/EPPlus.csproj) | |
| $tfms = $xml.Project.PropertyGroup.TargetFrameworks | Where-Object { $_ } | Select-Object -First 1 | |
| echo "VERSION=${{ github.event.inputs.version }}" >> $env:GITHUB_ENV | |
| echo "TFMS=$tfms" >> $env:GITHUB_ENV | |
| shell: pwsh | |
| - name: Restore dependencies | |
| run: dotnet restore ./src/EPPlus.sln | |
| - name: Install CycloneDX | |
| run: dotnet tool install --global CycloneDX | |
| - name: Generate combined SBOM | |
| run: dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv ${{ env.VERSION }} -fn epplus-${{ env.VERSION }}.sbom.json -imp ./src/EPPlus/sbom-metadata-template.xml --spec-version 1.6 | |
| - name: Generate per-TFM SBOMs | |
| run: | | |
| $tfms = "${{ env.TFMS }}" -split ";" | |
| foreach ($tfm in $tfms) { | |
| $tfm = $tfm.Trim() | |
| if ([string]::IsNullOrEmpty($tfm)) { continue } | |
| Write-Host "Generating SBOM for $tfm" | |
| dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv ${{ env.VERSION }} -fn "epplus-${{ env.VERSION }}.$tfm.sbom.json" -imp ./src/EPPlus/sbom-metadata-template.xml --framework $tfm --spec-version 1.6 | |
| } | |
| shell: pwsh | |
| - name: Generate SHA-256 checksums for all SBOMs | |
| run: | | |
| Get-ChildItem -Path "./sbom" -Filter "*.sbom.json" | ForEach-Object { | |
| $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower() | |
| "$hash $($_.Name)" | Out-File -FilePath "$($_.FullName).sha256" -Encoding utf8NoBOM | |
| Write-Host "Checksum generated for $($_.Name): $hash" | |
| } | |
| shell: pwsh | |
| - name: Authenticate to Azure | |
| uses: Azure/login@v2 | |
| with: | |
| creds: '{"clientId":"${{ secrets.EPPLUS_CODE_SIGNING_APPLICATION_ID }}","clientSecret":"${{ secrets.EPPLUS_CODE_SIGNING_SECRET }}","subscriptionId":"${{ secrets.EPPLUS_CODE_SIGNING_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.EPPLUS_CODE_SIGNING_TENENT_ID }}"}' | |
| - name: Upload all SBOMs to Azure Blob Storage | |
| run: | | |
| Get-ChildItem -Path "./sbom" | ForEach-Object { | |
| Write-Host "Uploading $($_.Name)" | |
| az storage blob upload ` | |
| --account-name eppluswebprod ` | |
| --container-name sbom ` | |
| --name $_.Name ` | |
| --file $_.FullName ` | |
| --auth-mode login ` | |
| --overwrite | |
| } | |
| shell: pwsh | |
| - name: Upload all SBOMs as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-${{ github.event.inputs.version }} | |
| path: ./sbom/ |
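Review bot: The version input is interpolated straight into pwsh command lines on lines 39, 47, 50 and 55 via `${{ github.event.inputs.version }}` / `${{ env.VERSION }}`, so a value containing shell metacharacters becomes part of the script rather than data, and nothing checks that it looks like a version before it is used in the checkout ref, the output file names and the blob names that are uploaded with `--overwrite`. Validate it once as the first step and hand it to later steps through `env:`, referencing `$env:VERSION` inside the scripts instead of expression interpolation (sketched below for the validation step and the combined-SBOM step; the per-TFM step on line 55 changes the same way). Separately, `dotnet tool install --global CycloneDX` on line 45 is unpinned, so the generator version, and with it the SBOM content, drifts between runs; pin it with `--version <PINNED_CYCLONEDX_VERSION>` (placeholder) so backfilled SBOMs are reproducible. The upload on line 69 authenticates with secrets whose names suggest the code-signing identity; if that is indeed the same principal, a storage-only identity scoped to the `sbom` container would narrow the blast radius of the upload step — worth confirming.
```yaml
      - name: Validate version input
        env:
          INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          if ($env:INPUT_VERSION -notmatch '^\d+\.\d+\.\d+$') { throw "Invalid version: $env:INPUT_VERSION" }
          echo "VERSION=$env:INPUT_VERSION" >> $env:GITHUB_ENV
        shell: pwsh
      # … unchanged: checkout, template fetch, setup-dotnet, TFM read, restore, tool install …
      - name: Generate combined SBOM
        run: dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv $env:VERSION -fn "epplus-$($env:VERSION).sbom.json" -imp ./src/EPPlus/sbom-metadata-template.xml --spec-version 1.6
        shell: pwsh
```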