21 commits
8483eb6
Use pyproject.toml instead of setup.py when generating cache keys
jsf9k Jan 20, 2026
e5806d4
Add code to generate SBOMs and attach them to the release as assets
jsf9k Jan 20, 2026
f34b78e
Add (commented out) Dependabot ignore directives for SBOM-related act…
jsf9k Jan 21, 2026
281d5aa
Manipulate the repo name and use that in the SBOM file name
jsf9k Jan 26, 2026
11e73ea
Upgrade to the latest release of the check-jsonschema pre-commit hook
jsf9k Jan 26, 2026
b1526cd
Add a comment explaining why an if statement is present
jsf9k Jan 27, 2026
4db07ae
Update comment for correctness
jsf9k Feb 13, 2026
ea7885d
Update references to point to the correct Python version
jsf9k Feb 13, 2026
6e666cf
Upgrade actions/cache to match version used in parent skeleton
jsf9k Feb 23, 2026
3d03aef
Clean up definitions of cache keys to match upstream
jsf9k Feb 23, 2026
2b0e646
Word wrap some comment text
jsf9k Mar 9, 2026
3ef4839
Upgrade to the latest name and version for the attestation action
jsf9k Mar 9, 2026
03bd84e
Add provenance attestation for the SBOM
jsf9k Mar 10, 2026
26e7ea5
Add provenance attestation for distribution
jsf9k Mar 10, 2026
000c695
Pare down permissions
jsf9k Mar 10, 2026
5411050
Merge remote-tracking branch 'origin/develop' into feature/add-sbom
jsf9k Apr 13, 2026
10267a1
Upgrade instance of actions/download-artifact to v8
jsf9k Apr 13, 2026
ff1220f
Merge remote-tracking branch 'origin/develop' into feature/add-sbom
jsf9k Apr 13, 2026
e731855
Update job name in SBOM portion of workflow
jsf9k Apr 13, 2026
fa900f6
Remove manual installation of wheel
jsf9k Apr 13, 2026
cb7fb8b
Merge remote-tracking branch 'origin/develop' into feature/add-sbom
jsf9k Apr 13, 2026
2 changes: 2 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -28,8 +28,10 @@ updates:
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
# # Managed by cisagov/skeleton-python-library
# - dependency-name: actions/attest
# - dependency-name: actions/download-artifact
# - dependency-name: actions/upload-artifact
# - dependency-name: anchore/sbom-action
labels:
# dependabot default we need to replicate
- dependencies
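Review bot: the four new `# - dependency-name:` lines are commented out, so they are inert and Dependabot will keep opening upgrade PRs for actions/attest, actions/download-artifact, actions/upload-artifact and anchore/sbom-action in this repository. If the intent is that the skeleton owns these versions (as the `# # Managed by cisagov/skeleton-python-library` heading suggests), either uncomment them or add a comment next to them stating why they are left disabled, so downstream repositories know whether they are expected to enable them.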
151 changes: 150 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -340,8 +340,17 @@ jobs:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
# Allows us to read artifacts
actions: read
# Necessary to create the artifact storage record
artifact-metadata: write
attestations: write
# Allows actions/checkout to fetch code; write access is not
# required for this build job.
contents: read
# Allows the workflow to mint the OIDC token necessary to
# request a Sigstore signing certificate.
id-token: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
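Review bot: the comment `# actions/checkout needs this to fetch code` at the top of the new permissions block is orphaned: it now sits above `# Allows us to read artifacts` / `actions: read`, while checkout is already explained by the new comment on `contents: read` further down. Drop the stale line. Also worth a sentence in the comments: `id-token: write` and `attestations: write` are granted to the whole build job, so every step in it, including the optional tmate session, runs with the ability to mint OIDC tokens; that is acceptable for a job running only these first-party actions, but the comment should say the token is intended solely for the attestation step.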
Expand Down Expand Up @@ -408,6 +417,10 @@ jobs:
with:
name: dist-${{ matrix.python-version }}
path: dist
- name: Create provenance attestation for distribution
uses: actions/attest@v4
with:
subject-path: dist
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
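Review bot: the new `Create provenance attestation for distribution` step has no `if:` guard, unlike the tmate step directly beneath it, so it runs on every build including `pull_request` events. Pull requests opened from forks receive a read-only GITHUB_TOKEN and cannot be granted the `id-token: write` permission the attestation needs, so `actions/attest@v4` will fail there and turn the build red for external contributors. Gate the step the same way the generate-sbom job below is gated, for example `if: github.event_name != 'pull_request'`, so attestations are only attempted where the workflow can actually obtain a signing identity.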
Expand Down Expand Up @@ -502,3 +515,139 @@ jobs:
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
generate-sbom:
Member

I think a release workflow still makes sense here. We should be uploading a wheel to releases and it does not need to be built with different Python versions. I think a release workflow that builds a wheel for the release and then uploads the built wheel and SBOMs generated from that wheel makes more sense than band-aiding it to this workflow.

# Generate SBOMs for the built Python wheel packages and, if there
# is a release, upload them as assets to the release.
#
# This job is located in this workflow as opposed to a separate
# release workflow because it can only run after the wheels have
# been generated in the build job. Putting it in a separate
# release workflow would require us to introduce a dependency of
# the release workflow on this one.
#
# This if statement is present to keep the push and pull_request
# events from both causing the job to be run.
if: github.event_name != 'pull_request'
jsf9k marked this conversation as resolved.
name: Generate and upload SBOM
needs:
- build-wheel
- diagnostics
permissions:
# Allows us to read the SBOM artifact
actions: read
# Necessary to create the artifact storage record
artifact-metadata: write
attestations: write
# Allows us to add the SBOM to the release. Also,
# actions/checkout needs read permission to fetch code.
contents: write
# Allows the workflow to mint the OIDC token necessary to
# request a Sigstore signing certificate.
id-token: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version:
- "3.10"
- "3.11"
- "3.12"
- "3.13"
- "3.14"
sbom-format:
- cyclonedx-json
- spdx-json
steps:
- name: Apply standard cisagov job preamble
uses: cisagov/action-job-preamble@v1
with:
# This functionality is poorly implemented and has been
# causing problems due to the MITM implementation hogging or
# leaking memory. As a result we disable it by default. If
# you want to temporarily enable it, simply set
# monitor_permissions equal to "true".
#
# TODO: Re-enable this functionality when practical. See
# cisagov/skeleton-docker#224 for more details.
monitor_permissions: "false"
# Use a variable to specify the permissions monitoring
# configuration. By default this will yield the
# configuration stored in the cisagov organization-level
# variable, but if you want to use a different configuration
# then simply:
# 1. Create a repository-level variable with the name
# ACTIONS_PERMISSIONS_CONFIG.
# 2. Set this new variable's value to the configuration you
# want to use for this repository.
#
# Note in particular that changing the permissions
# monitoring configuration *does not* require you to modify
# this workflow.
permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: setup-env
uses: cisagov/setup-env-github-action@v1
- uses: actions/checkout@v6
- id: setup-python
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v5
jsf9k marked this conversation as resolved.
env:
BASE_CACHE_KEY: >-
${{ github.job }}-${{
runner.os }}-${{ runner.arch }}-py${{
matrix.python-version }}-
with:
path: ${{ env.PIP_CACHE_DIR }}
key: >-
${{ env.BASE_CACHE_KEY }}${{
hashFiles('pyproject.toml') }}
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Retrieve the built wheel
uses: actions/download-artifact@v8
with:
name: dist-${{ matrix.python-version }}
path: dist
- id: find-wheel
name: Get the name of the retrieved wheel (there should only be one)
run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT
- name: Update core Python packages
run: python -m pip install --upgrade pip setuptools
- name: Install pipenv
run: pip install --upgrade pipenv
- name: Install the built wheel into a Pipfile
run: pipenv install ${{ steps.find-wheel.outputs.wheel }}
- name: Lock the Pipfile
run: pipenv lock
- name: Manipulate the repo name into the preferred format
id: manipulate-repo-name
run: |
NEW_NAME=$(echo "${{ github.repository}}" \
| tr '[:upper:]' '[:lower:]' \
| tr '/ ' '-')
echo "repo-name=${NEW_NAME}" >> $GITHUB_OUTPUT
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
artifact-name: >-
${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{
matrix.python-version }}.${{ matrix.sbom-format }}
file: Pipfile.lock
Member

An issue here is the SBOM may not accurately reflect the result of installing the Python package. The Pipfile.lock file is a snapshot in time of the dependency chain, but there is no guarantee of the same result if you install the wheel at a later point.

format: ${{ matrix.sbom-format }}
output-file: >-
${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{
matrix.python-version }}.${{ matrix.sbom-format }}
- name: Create provenance attestation for SBOM
uses: actions/attest@v4
with:
subject-path: >-
${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{
matrix.python-version }}.${{ matrix.sbom-format }}
- name: Create SBOM attestation for distribution package
uses: actions/attest@v4
with:
sbom-path: >-
${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{
matrix.python-version }}.${{ matrix.sbom-format }}
subject-path: dist
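Review bot: the `find-wheel` step (`run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT`) parses `ls` output; if the downloaded artifact ever holds more than one wheel, the output value becomes multi-line and the later `pipenv install ${{ steps.find-wheel.outputs.wheel }}` receives a malformed argument, and `$GITHUB_OUTPUT` is unquoted. Let the shell glob and fail loudly on the unexpected case instead, e.g. `set -- dist/*.whl; [ "$#" -eq 1 ] || exit 1; echo "wheel=$1" >> "$GITHUB_OUTPUT"`. Two smaller points: `${{ github.repository}}` in the manipulate-repo-name step is missing the space before `}}` that every other expression in the file has, and passing it through `env:` (for example `REPO: ${{ github.repository }}`, then `"$REPO"` in the script) is the cleaner way to get a context value into a `run:` block than interpolating it into the shell text; and because `sbom-format` is a matrix axis, `pipenv install` and `pipenv lock` execute once per format in separate jobs, so the cyclonedx-json and spdx-json SBOMs for the same wheel and Python version come from two independently resolved Pipfile.lock files and are not guaranteed to describe the same dependency set. Locking once and sharing the lock file (or generating both formats in one job) removes that divergence.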