ci(release): add SBOM generation with syft (#699)

Generate CycloneDX and SPDX Software Bill of Materials during
release builds. SBOMs are included in release artifacts and
covered by SHA256 checksums and cosign signatures.

Addresses item #5 in #618.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Alex Gorevski 2026-02-17 15:25:53 -08:00 committed by GitHub
parent 5afff7b6d7
commit 41da46e2b2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -98,10 +98,21 @@ jobs:
with: with:
path: artifacts path: artifacts
- name: Install syft
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Generate SBOM (CycloneDX)
run: |
syft dir:. --source-name zeroclaw -o cyclonedx-json=artifacts/zeroclaw.cdx.json -o spdx-json=artifacts/zeroclaw.spdx.json
echo "### SBOM Generated" >> "$GITHUB_STEP_SUMMARY"
echo "- CycloneDX: zeroclaw.cdx.json" >> "$GITHUB_STEP_SUMMARY"
echo "- SPDX: zeroclaw.spdx.json" >> "$GITHUB_STEP_SUMMARY"
- name: Generate SHA256 checksums - name: Generate SHA256 checksums
run: | run: |
cd artifacts cd artifacts
find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS find . -type f \( -name '*.tar.gz' -o -name '*.zip' -o -name '*.cdx.json' -o -name '*.spdx.json' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS
echo "Generated checksums:" echo "Generated checksums:"
cat SHA256SUMS cat SHA256SUMS
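Review bot: The `Install syft` step fetches `install.sh` from the `main` branch of anchore/syft and pipes it straight into `sh` with no version pinned and no checksum verified, so the tool that produces the bill of materials later covered by SHA256SUMS and cosign is itself an unpinned download that changes whenever upstream `main` moves; pin a syft release (the installer accepts a tag as its last argument, e.g. `sh -s -- -b /usr/local/bin v<pinned-version>`) or fetch the installer from a tagged ref and verify it before running, so release SBOMs are reproducible from a known tool version. Minor points in the same hunk: the step named `Generate SBOM (CycloneDX)` also writes the SPDX document, so the name is misleading; and `syft dir:.` scans the checked-out source tree rather than the built artifacts in `artifacts/`, and passes `--source-name zeroclaw` without `--source-version`, so the SBOM will not record which release it describes; consider `--source-version "$GITHUB_REF_NAME"` (or the tag the workflow already has) so the signed SBOM can be tied to the release it ships with.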