chore: Generate SBOM. Fixes #7672 (#7690)

Signed-off-by: Alex Collins <[email protected]>
argoproj · Feb 3, 2022 · 8acaa33 · 8acaa33
1 parent f890dc8
commit 8acaa33
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -323,13 +323,13 @@ jobs:
  - uses: actions/[email protected]
  with:
  node-version: "16"
+ - uses: actions/setup-go@v2
+ with:
+ go-version: "1.17"
  - uses: actions/cache@v2
  with:
  path: ui/node_modules
  key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
- - uses: actions/setup-go@v2
- with:
- go-version: "1.17"
  - uses: actions/cache@v2
  with:
  path: /home/runner/.cache/go-build
@@ -338,6 +338,17 @@ jobs:
  with:
  path: /home/runner/go/pkg/mod
  key: GOMODCACHE-v2-${{ hashFiles('**/go.mod') }}
+ - run: go install sigs.k8s.io/bom/cmd/[email protected]
+ - run: go install github.com/spdx/spdx-sbom-generator/cmd/[email protected]
+ - run: mkdir -p dist
+ - run: generator -o dist -p .
+ - run: yarn --cwd ui install
+ - run: generator -o dist -p ui
+ - run: bom generate --image quay.io/argoproj/workflow-controller:${GITHUB_REF##*/} -o dist/workflow-controller.spdx
+ - run: bom generate --image quay.io/argoproj/argocli:${GITHUB_REF##*/} -o dist/argocli.spdx
+ - run: bom generate --image quay.io/argoproj/argoexec:${GITHUB_REF##*/} -o dist/argoexec.spdx
+ # pack the boms into one file to make it easy to download
+ - run: tar -zcf dist/sbom.tar.gz dist/*.spdx
  # https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
  - run: make release-notes VERSION=${GITHUB_REF##*/}
  - run: cat release-notes
@@ -364,5 +375,6 @@ jobs:
  dist/argo-*.gz
  dist/argo-*.gz.sha256
  dist/manifests/*.yaml
+ dist/sbom.tar.gz
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}