IONOS(github): add SBOM generation workflow #191
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thlehmann-ionos
force-pushed
the
feature/sbom-generation
branch
2 times, most recently
from
86bfd71 to
9031d38
Compare
1. Generate SBOMs for composer and NPM dependencies 2. Merge composer + NPM into one SBOM 3. Upload the SBOM to dependency track == NPM SBOMs SBOMS can be generated without installing dependencies. However, the SBOMs would not contain description and source information, which is only available after install of the dependencies. == Merged SBOM The merged SBOM may contain invalid values derived from the branch name, which prevents the SBOM from being uploaded. This is fixed using an awk command after merge. == CycloneDX cyclonedx-cli is used as container image. It was pushed from its original source [1] into our container registry. [1]: https://github.com/CycloneDX/cyclonedx-cli?tab=readme-ov-file#docker-image Signed-off-by: Thomas Lehmann <[email protected]>
printminion-co
force-pushed
the
feature/sbom-generation
branch
from
9031d38 to
58a7a66
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds a complete GitHub Actions workflow to generate, merge, and upload SBOMs for Composer and NPM dependencies across the main codebase, theme, and various apps.
- Introduces
generate-sbomjob to produce SBOMs for Nextcloud, theme, and custom/external apps - Adds
merge-sbomsjob to combine Composer and NPM SBOMs (and strip problematic metadata) - Implements
upload-sbomsjob to send final SBOMs to Dependency Track
Comments suppressed due to low confidence (3)
.github/workflows/sbom.yaml:79
- [nitpick] The SBOM generation steps for each app and theme are largely repetitive; consider using a YAML matrix or anchors to reduce duplication and simplify maintenance.
# Theme
.github/workflows/sbom.yaml:100
- [nitpick] The output BOM filename 'bom.hidrive-next-theme.xml' uses a different naming pattern than the 'bom.app-*.xml' files; consider renaming it for consistency (e.g., 'bom.app-ionos-theme.xml').
npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../../bom.hidrive-next-theme.xml'
.github/workflows/sbom.yaml:375
- This AWK script strips metadata based on exact indentation; it may fail if the XML format changes. Consider using an XML-aware tool (e.g., xmlstarlet) or matching tags irrespective of whitespace for robustness.
awk '/^ <metadata>/ { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.${1}.xml ;
printminion-co
requested changes
Jul 21, 2025
printminion-co
left a comment
printminion-co
left a comment
There was a problem hiding this comment.
Let's do changes in order to simplify configuration, add versions for dependency track for better track-a-bility.
See #193 for inspiration.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
== NPM SBOMs
SBOMS can be generated without installing dependencies. However, the
SBOMs would not contain description and source information, which is
only available after install of the dependencies.
== Merged SBOM
The merged SBOM may contain invalid values derived from the branch name,
which prevents the SBOM from being uploaded. This is fixed using an awk
command after merge.
== CycloneDX
cyclonedx-cli is used as container image. It was pushed from its
original source 1 into our container registry.