From 5c723611b1f8a31e3f09fcdf43bfb10e2d705c71 Mon Sep 17 00:00:00 2001
From: Janis Jansons
Date: Mon, 11 May 2026 15:47:45 +0300
Subject: [PATCH] Initial composite action: install Trivy + CycloneDX with caching

---
 README.md | 31 +++++++++++++++++++++++++++++++
 action.yml | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 README.md
 create mode 100644 action.yml

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..763b686
--- /dev/null
+++ b/README.md
@@ -0,0 +1,31 @@
+# sbom-tools-action
+
+Composite action that installs Trivy and the CycloneDX CLI with caching, ready for SBOM generation workflows.
+
+## Why
+
+The previous setup pinned `TRIVY_VERSION` and `CYCLONEDX_CLI_VERSION` in every consuming workflow. When the upstream `trivy/contrib/install.sh` started failing for older release-asset layouts, every repo needed a PR to bump. This action centralises the install logic and reads versions as inputs (typically wired to the gitea instance variables `vars.TRIVY_VERSION` / `vars.CYCLONEDX_CLI_VERSION`).
+
+## Usage
+
+```yaml
+- uses: https://git.janhouse.lv/janhouse/sbom-tools-action@v1
+  with:
+    trivy-version: ${{ vars.TRIVY_VERSION }}
+    cyclonedx-version: ${{ vars.CYCLONEDX_CLI_VERSION }}
+```
+
+After this step, `trivy` and `cyclonedx-cli` are on `PATH`. Cache is keyed on the runner OS + both versions, so a bump invalidates and reinstalls automatically.
+
+## Inputs
+
+| Name | Description | Required |
+| --- | --- | --- |
+| `trivy-version` | Trivy release tag, e.g. `v0.70.0`. | yes |
+| `cyclonedx-version` | CycloneDX CLI release tag, e.g. `v0.27.1`. | yes |
+
+Both inputs are required so the consumer is explicit about source. Wire them to gitea instance vars to avoid hardcoding.
+
+## Versioning
+
+The repo follows lightweight tags: `v1`, `v1.0.0`, etc. Consumers pin to `@v1` for in-major updates, or `@` for full pinning.
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..1da9376
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,43 @@
+name: 'Install SBOM Tools'
+description: 'Installs Trivy and CycloneDX CLI to ~/.local/bin with caching, adds them to PATH'
+author: 'janhouse'
+
+inputs:
+  trivy-version:
+    description: 'Trivy release tag (e.g. v0.70.0). Defaults to ${{ vars.TRIVY_VERSION }} via the caller workflow env.'
+    required: true
+  cyclonedx-version:
+    description: 'CycloneDX CLI release tag (e.g. v0.27.1). Defaults to ${{ vars.CYCLONEDX_CLI_VERSION }} via the caller workflow env.'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Cache SBOM tools
+      id: cache-tools
+      uses: actions/cache@v4
+      with:
+        path: ~/.local/bin
+        key: sbom-tools-${{ runner.os }}-trivy-${{ inputs.trivy-version }}-cyclonedx-${{ inputs.cyclonedx-version }}
+
+    - name: Install Trivy
+      if: steps.cache-tools.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        TRIVY_VERSION: ${{ inputs.trivy-version }}
+      run: |
+        mkdir -p ~/.local/bin
+        curl -sSfL "https://raw.githubusercontent.com/aquasecurity/trivy/${TRIVY_VERSION}/contrib/install.sh" | sh -s -- -b ~/.local/bin "${TRIVY_VERSION}"
+
+    - name: Install CycloneDX CLI
+      if: steps.cache-tools.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        CYCLONEDX_CLI_VERSION: ${{ inputs.cyclonedx-version }}
+      run: |
+        curl -sSfL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/${CYCLONEDX_CLI_VERSION}/cyclonedx-linux-x64" -o ~/.local/bin/cyclonedx-cli
+        chmod +x ~/.local/bin/cyclonedx-cli
+
+    - name: Add tools to PATH
+      shell: bash
+      run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
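Review bot: Both `run:` blocks in this hunk execute or install remote content with no integrity check — the Install Trivy step pipes `contrib/install.sh` fetched from a version ref straight into `sh`, and the Install CycloneDX CLI step writes `cyclonedx-linux-x64` into `~/.local/bin` on nothing more than a successful `curl -sSfL`, after which the Cache SBOM tools step persists whatever came down for every later run with the same key. The CycloneDX binary should at least be downloaded to a temporary path and checked against an expected SHA-256 before it is installed, as sketched below; the digest could come from a new input (`cyclonedx-sha256` is a constructed name) or from a `.sha256` release asset if the project publishes one, which I have not confirmed here. The same treatment applies to the Trivy install script, and `actions/cache@v4` would be safer pinned to a full commit SHA rather than a moving tag. Separately, the cache key uses `${{ runner.os }}` but not `${{ runner.arch }}` while the asset name hardcodes `linux-x64`, so an arm64 runner would install a binary it cannot run and could share a cache entry with an x64 runner; append `-${{ runner.arch }}` to the key and either derive the asset name from it or document the x64-only constraint. The two `description:` strings also claim a default of `${{ vars.… }}` although both inputs are `required: true` with no `default:`, so the text should say the caller supplies the value instead.
```yaml
    - name: Install CycloneDX CLI
      if: steps.cache-tools.outputs.cache-hit != 'true'
      # … unchanged: shell …
      env:
        CYCLONEDX_CLI_VERSION: ${{ inputs.cyclonedx-version }}
        CYCLONEDX_CLI_SHA256: ${{ inputs.cyclonedx-sha256 }}  # proposed new required input (constructed name)
      run: |
        asset=cyclonedx-linux-x64
        tmp="$(mktemp)"
        curl -sSfL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/${CYCLONEDX_CLI_VERSION}/${asset}" -o "$tmp"
        echo "${CYCLONEDX_CLI_SHA256}  ${tmp}" | sha256sum -c -
        install -m 0755 "$tmp" ~/.local/bin/cyclonedx-cli
        rm -f "$tmp"
```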