add artifactory #21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Release SBOM Uploader | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' # Triggers on version tags like v1.2.3 | |
| branches: | |
| - 'artifactory' | |
| permissions: | |
| contents: write | |
| packages: write | |
| jobs: | |
| build: | |
| name: Build Cross-Platform Binaries | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| goos: [linux, windows, darwin] | |
| goarch: [amd64, arm64] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.24 | |
| - name: Build ${{ matrix.goos }}-${{ matrix.goarch }} | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| GOARCH: ${{ matrix.goarch }} | |
| run: | | |
| mkdir -p dist/ | |
| OUTPUT=sbom-uploader-${GOOS}-${GOARCH} | |
| if [ "$GOOS" = "windows" ]; then | |
| OUTPUT="${OUTPUT}.exe" | |
| fi | |
| go build -o dist/$OUTPUT ./main.go | |
| - name: Upload binary | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: binaries-${{ matrix.goos }}-${{ matrix.goarch }} | |
| path: dist/ | |
| docker: | |
| name: Build Docker Image | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract version from tag | |
| id: vars | |
| run: | | |
| VERSION="${GITHUB_REF#refs/tags/}" | |
| echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT" | |
| echo "OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" | |
| - name: Build Docker image | |
| run: | | |
| docker build -t upload-sbom-go:${{ steps.vars.outputs.VERSION }} . | |
| - name: Tag and Push to GHCR | |
| run: | | |
| IMAGE=ghcr.io/${{ steps.vars.outputs.OWNER }}/upload-sbom-go | |
| docker tag upload-sbom-go:${{ steps.vars.outputs.VERSION }} $IMAGE:${{ steps.vars.outputs.VERSION }} | |
| docker tag upload-sbom-go:${{ steps.vars.outputs.VERSION }} $IMAGE:latest | |
| docker push $IMAGE:${{ steps.vars.outputs.VERSION }} | |
| docker push $IMAGE:latest | |
| - name: Log in to Artifactory | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ secrets.ARTIFACTORY_DOMAIN }} | |
| username: ${{ secrets.ARTIFACTORY_USERNAME }} | |
| password: ${{ secrets.ARTIFACTORY_TOKEN }} | |
| - name: Tag and Push to Artifactory | |
| run: | | |
| IMAGE=ghcr.io/${{ steps.vars.outputs.OWNER }}/upload-sbom-go | |
| docker tag upload-sbom-go:${{ steps.vars.outputs.VERSION }} $IMAGE:${{ steps.vars.outputs.VERSION }} | |
| docker tag upload-sbom-go:${{ steps.vars.outputs.VERSION }} $IMAGE:latest | |
| docker push $IMAGE:${{ steps.vars.outputs.VERSION }} | |
| docker push $IMAGE:latest | |
| - name: Generate SBOM with Trivy | |
| uses: aquasecurity/trivy-action@0.32.0 | |
| with: | |
| format: 'cyclonedx' | |
| scan-type: 'fs' | |
| scan-ref: 'go.mod' | |
| output: 'sbom.json' | |
| - name: Upload SBOM as Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom.json | |
| path: sbom.json | |
| overwrite: true | |
| - name: Upload SBOM to Dependency Track. How meta 🤯 | |
| run: | | |
| docker run --rm \ | |
| -e SBOM_UPLOADER_URL='${{ secrets.DTRACK_URL }}' \ | |
| -e SBOM_UPLOADER_API_KEY='${{ secrets.DTRACK_KEY }}' \ | |
| -e SBOM_UPLOADER_NAME='upload-sbom-go' \ | |
| -e SBOM_UPLOADER_VERSION='${{ steps.vars.outputs.VERSION }}' \ | |
| -e SBOM_UPLOADER_PARENT='upload-sbom-go' \ | |
| -e SBOM_UPLOADER_TAGS='upload-sbom-go' \ | |
| -v "$(pwd)/sbom.json:/tmp/sbom.json" \ | |
| upload-sbom-go:${{ steps.vars.outputs.VERSION }} \ | |
| --sbom /tmp/sbom.json \ | |
| --latest | |
| release: | |
| name: Create GitHub Release | |
| runs-on: ubuntu-latest | |
| needs: [build, docker] | |
| steps: | |
| - name: Download all binary artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: all-binaries/ | |
| - name: Collect all binaries into release-assets | |
| run: | | |
| mkdir -p release-assets | |
| find all-binaries -type f -exec cp {} release-assets/ \; | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| name: "SBOM Uploader ${{ github.ref_name }}" | |
| tag_name: ${{ github.ref_name }} | |
| draft: false | |
| prerelease: false | |
| files: | | |
| release-assets/* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |