Add --enable-github-action-token

jasonhills-mongodb · jasonhills-mongodb · commit dc1865701df2 · 2025-11-26T10:07:23.000-05:00
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
@@ -52,4 +52,4 @@ jobs:
     - name: Install dependencies
       run: uv sync --group make_release
     - name: generate_sbom.py
-      run: uv run etc/sbom/generate_sbom.py --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json
+      run: uv run etc/sbom/generate_sbom.py --enable-github-action-token --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json
diff --git a/etc/sbom/endorctl_utils.py b/etc/sbom/endorctl_utils.py
@@ -145,12 +145,14 @@ def __init__(
         sleep_duration=30,
         endorctl_path="endorctl",
         config_path=None,
+        enable_github_action_token=False
     ):
         self.namespace = namespace
         self.retry_limit = retry_limit
         self.sleep_duration = sleep_duration
         self.endorctl_path = endorctl_path
         self.config_path = config_path
+        self.enable_github_action_token = enable_github_action_token
 
     def _call_endorctl(self, command, subcommand, **kwargs):
         """https://docs.endorlabs.com/endorctl/"""
@@ -159,6 +161,8 @@ def _call_endorctl(self, command, subcommand, **kwargs):
             command = [self.endorctl_path, command, subcommand, f"--namespace={self.namespace}"]
             if self.config_path:
                 command.append(f"--config-path={self.config_path}")
+            if self.enable_github_action_token:
+                command.append(f"--enable-github-action-token")
 
             # parse args into flags
             for key, value in kwargs.items():
diff --git a/etc/sbom/generate_sbom.py b/etc/sbom/generate_sbom.py
@@ -400,6 +400,7 @@ def main() -> None:
         default=None,
         type=str,
     )
+    endor.add_argument("--enable-github-action-token", help="Enable keyless authentication using Github action OIDC tokens", action="store_true")
     endor.add_argument(
         "--namespace", help="Endor Labs namespace (Default: mongodb.{git org})", type=str
     )
@@ -479,6 +480,7 @@ def main() -> None:
     # endor
     endorctl_path = args.endorctl_path
     config_path = args.config_path
+    enable_github_action_token = args.enable_github_action_token
     namespace = args.namespace if args.namespace else f"mongodb.{git_info.org}"
     target = args.target
 
@@ -529,7 +531,7 @@ def main() -> None:
     # region export Endor Labs SBOM
 
     print_banner(f"Exporting Endor Labs SBOM for {target} {getattr(git_info, target)}")
-    endorctl = EndorCtl(namespace, retry_limit, sleep_duration, endorctl_path, config_path)
+    endorctl = EndorCtl(namespace, retry_limit, sleep_duration, endorctl_path, config_path, enable_github_action_token=enable_github_action_token)
     if target == "commit":
         endor_bom = endorctl.get_sbom_for_commit(git_info.project, git_info.commit)
     elif target == "branch":
