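# Builds a CycloneDX SBOM for a tagged n8n source checkout, records GitHub
# build-provenance and SBOM attestations for it, signs the SBOM keyless with
# Cosign (GitHub OIDC identity), and uploads the SBOM plus its signature and
# signing certificate to the existing GitHub release for that tag.
#
# Runs either as a reusable workflow (workflow_call) or by hand
# (workflow_dispatch). GitHub requires the inputs to be declared under both
# triggers, so the two input blocks must be kept identical.
name: 'Release: Attach SBOM'

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # NOTE(review): declared for callers but not referenced by any step in
      # this workflow; only release_tag_ref is consumed.
      n8n_version:
        description: 'N8N version to generate SBOM for'
        required: true
        type: string
      release_tag_ref:
        description: 'Git reference to checkout (e.g. n8n@1.2.3)'
        required: true
        type: string
    secrets:
      SLACK_WEBHOOK_URL:
        required: true

  workflow_dispatch:
    inputs:
      n8n_version:
        description: 'N8N version to generate SBOM for'
        required: true
        type: string
      release_tag_ref:
        description: 'Git reference to checkout (e.g. n8n@1.2.3)'
        required: true
        type: string

# Scopes the job needs and nothing more:
#   contents: write     -> `gh release upload` against the existing release
#   id-token: write     -> OIDC token for Cosign keyless signing and the
#                          actions/attest-* steps
#   attestations: write -> storing the provenance and SBOM attestations
permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  generate-sbom:
    name: Generate and Attach SBOM to Release
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # A failing SBOM job must not fail the calling release workflow; the
    # Slack step at the end still reports the failure.
    continue-on-error: true
    steps:
      # All third-party actions are pinned to a full commit SHA rather than a
      # mutable tag so a compromised or retagged upstream cannot change what
      # runs here.
      - name: Checkout release tag
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          ref: ${{ inputs.release_tag_ref }}

      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: 22.x

      - name: Setup corepack and pnpm
        run: |
          npm i -g corepack@0.33
          corepack enable

      # --frozen-lockfile: the SBOM must describe exactly the locked
      # dependency set, so a lockfile/manifest mismatch is an error here.
      - name: Install dependencies for SBOM generation
        run: pnpm install --frozen-lockfile

      - name: Generate CycloneDX SBOM for source code
        uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b
        with:
          path: ./
          format: cyclonedx-json
          output-file: sbom-source.cdx.json

      # NOTE(review): the subject of both attestations below is package.json,
      # not the SBOM file or a release archive; confirm that is the intended
      # artifact, since verifiers will match on its digest.
      - name: Attest build provenance for source release
        # NOTE(review): this ref appears to be 41 hex characters, while a git
        # commit SHA is 40 -- verify the pin against the action's commit list.
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a0
        with:
          subject-path: './package.json'

      - name: Attest SBOM for source release
        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34
        with:
          subject-path: './package.json'
          sbom-path: 'sbom-source.cdx.json'

      - name: Install Cosign
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62

      # Produces a detached signature (.sig) and the short-lived signing
      # certificate (.pem) next to the SBOM; both are uploaded with it so
      # consumers can run `cosign verify-blob` offline against the release.
      - name: Sign SBOM (keyless)
        run: |
          # Sign SBOM using Cosign keyless signing with GitHub OIDC
          # This provides cryptographic proof of authenticity and integrity
          cosign sign-blob --yes --output-signature sbom-source.cdx.sig --output-certificate sbom-source.cdx.pem sbom-source.cdx.json

      - name: Attach SBOM files to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # The workflow input is passed through the environment rather than
          # expanded as `${{ }}` inside the script: an expression in `run:` is
          # substituted into the shell text before it executes, so a crafted
          # workflow_dispatch value could inject commands. Read from an env
          # var it is plain data.
          RELEASE_TAG_REF: ${{ inputs.release_tag_ref }}
        run: |
          # Upload SBOM files to the existing release
          gh release upload "$RELEASE_TAG_REF" \
            sbom-source.cdx.json \
            sbom-source.cdx.sig \
            sbom-source.cdx.pem \
            --clobber

          # Informational only: a jq failure must not fail the upload step.
          COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
          echo "✅ SBOM workflow completed"
          echo "📊 SBOM contains $COMPONENT_COUNT components"
          echo "🛡️ GitHub attestations created for source release"

      - name: Notify Slack on failure
        if: failure()
        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d
        with:
          status: ${{ job.status }}
          channel: '#alerts-build'
          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
          message: |
            <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}| SBOM generation and attachment failed for release ${{ inputs.release_tag_ref }} >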