diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
new file mode 100644
index 0000000000..e8f6e60d06
--- /dev/null
+++ b/.github/workflows/generate_sbom.yml
@@ -0,0 +1,66 @@
+name: Generate SBOM
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'master'
+ - 'releases/**'
+ - 'CXX**'
+
+env:
+ BUILD_TYPE: Release
+ BUILD: ${{github.workspace}}/build
+ CXX_STANDARD: 17
+ ENDOR_NAMESPACE: mongodb.${{github.repository_owner}}
+
+jobs:
+ configure-and-scan:
+ permissions:
+ id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs
+ #packages: write
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v6
+ with:
+ submodules: recursive
+
+ - name: Install dev libs
+ run: sudo apt install -y libsasl2-dev libsnappy-dev libssl-dev libmongocrypt-dev
+
+ - name: Configure CMake and fetch dependency source
+ run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}}
+ working-directory: ${{env.BUILD}}
+
+ - name: Install endorctl and Scan with Endor Labs
+ uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8
+ with:
+ additional_args: --languages=c
+ log_level: info
+ log_verbose: false
+ namespace: ${{env.ENDOR_NAMESPACE}}
+ pr: false
+ scan_dependencies: true
+ tags: github_action
+ env:
+ ENDOR_SCAN_EMBEDDINGS: true
+
+ # - uses: actions/setup-python@v6
+ # with:
+ # python-version: '3.10'
+ # - run: python my_script.py
+
+ # ${{ github.sha }}
+ # - name: Run Endorctl
+ # env:
+ # ENDOR_GITHUB_ACTION_TOKEN_ENABLE: true
+ # ENDOR_SCAN_DEPENDENCIES: true
+ # ENDOR_SCAN_EMBEDDINGS: true
+ # ENDOR_SCAN_INCLUDE_PATH:
+ # ENDOR_SCAN_LANGUAGES: c
+ # ENDOR_SCAN_SUMMARY_OUTPUT_TYPE: json
+ # ENDOR_SCAN_TAGS: github_action
+ # run: |
+ # endorctl scan
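Review bot: `actions/checkout@v6` in the Checkout step is pinned only to a mutable major tag, while the Endor Labs action two steps later is pinned to a full commit SHA; because this job holds `id-token: write`, a tag moved to a malicious commit would execute with the workflow's OIDC credentials, so pin checkout to the commit SHA that v6 resolves to in the same `uses: owner/action@<sha> # vN` form. The Configure CMake step sets `working-directory: ${{env.BUILD}}`, which GitHub requires to already exist; if `build/` is not committed to the repository the step will fail, and `run: cmake -S . -B "$BUILD" ...` without `working-directory` would avoid that dependency. The Install dev libs step runs `apt install` with no preceding `apt-get update`, which intermittently fails on stale package lists; `sudo apt-get update && sudo apt-get install -y ...` is the usual form.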