janhouse/sbom-tools-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1 Commit 1 Branch 2 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

sbom-tools-action

Composite action that installs Trivy and the CycloneDX CLI with caching, ready for SBOM generation workflows.

Why

The previous setup pinned TRIVY_VERSION and CYCLONEDX_CLI_VERSION in every consuming workflow. When the upstream trivy/contrib/install.sh started failing for older release-asset layouts, every repo needed a PR to bump. This action centralises the install logic and reads versions as inputs (typically wired to the gitea instance variables vars.TRIVY_VERSION / vars.CYCLONEDX_CLI_VERSION).

Usage

- uses: https://git.janhouse.lv/janhouse/sbom-tools-action@v1
  with:
    trivy-version: ${{ vars.TRIVY_VERSION }}
    cyclonedx-version: ${{ vars.CYCLONEDX_CLI_VERSION }}

After this step, trivy and cyclonedx-cli are on PATH. Cache is keyed on the runner OS + both versions, so a bump invalidates and reinstalls automatically.

Inputs

Name Description Required
trivy-version Trivy release tag, e.g. v0.70.0. yes
cyclonedx-version CycloneDX CLI release tag, e.g. v0.27.1. yes

Both inputs are required so the consumer is explicit about source. Wire them to gitea instance vars to avoid hardcoding.

Versioning

The repo follows lightweight tags: v1, v1.0.0, etc. Consumers pin to @v1 for in-major updates, or @<sha> for full pinning.

Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 28 KiB