# sbom-tools-action

Composite action that installs Trivy and the CycloneDX CLI with caching, ready for SBOM generation workflows.

## Why

The previous setup pinned TRIVY_VERSION and CYCLONEDX_CLI_VERSION in every consuming workflow. When the upstream trivy/contrib/install.sh started failing for older release-asset layouts, every repo needed a PR to bump the versions. This action centralises the install logic and reads the versions as inputs (typically wired to the Gitea instance variables vars.TRIVY_VERSION / vars.CYCLONEDX_CLI_VERSION).

## Usage

```yaml
- uses: https://git.janhouse.lv/janhouse/sbom-tools-action@v1
  with:
    trivy-version: ${{ vars.TRIVY_VERSION }}
    cyclonedx-version: ${{ vars.CYCLONEDX_CLI_VERSION }}
```

After this step, trivy and cyclonedx-cli are on PATH. The cache is keyed on the runner OS plus both versions, so bumping either version invalidates the cache and triggers a reinstall automatically.
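A complete consuming workflow, added here as an illustration rather than taken from this repository: it pins the action to a commit SHA instead of the moving v1 tag, generates a CycloneDX SBOM with trivy, and fails the job if cyclonedx-cli cannot validate the result. The checkout/upload actions, the job layout and the `<commit-sha>` placeholder are assumptions; the trivy and cyclonedx-cli flags are ordinary CLI usage, not anything the action runs on your behalf.

```yaml
# Added example workflow; not part of sbom-tools-action itself.
name: sbom

on:
  push:
    branches: [main]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Full-SHA pinning so a retagged v1 cannot silently change what is
      # installed on the runner. <commit-sha> is a placeholder.
      - uses: https://git.janhouse.lv/janhouse/sbom-tools-action@<commit-sha>
        with:
          trivy-version: ${{ vars.TRIVY_VERSION }}
          cyclonedx-version: ${{ vars.CYCLONEDX_CLI_VERSION }}

      # Record which scanner build produced the SBOM, for later audit.
      - run: trivy --version

      # Generate a CycloneDX (JSON) SBOM for the checked-out source tree.
      - run: trivy fs --format cyclonedx --output sbom.cdx.json .

      # Reject malformed output instead of publishing it downstream.
      - run: >
          cyclonedx-cli validate
          --input-file sbom.cdx.json
          --input-format json
          --fail-on-errors

      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```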

## Inputs

| Name | Description | Required |
|------|-------------|----------|
| trivy-version | Trivy release tag, e.g. v0.70.0. | yes |
| cyclonedx-version | CycloneDX CLI release tag, e.g. v0.27.1. | yes |

Both inputs are required so the consumer is explicit about which tool versions get installed. Wire them to Gitea instance vars to avoid hardcoding versions in each workflow.

## Versioning

The repo follows lightweight tags: v1, v1.0.0, etc. Consumers pin to @v1 to receive updates within that major version, or to @<sha> for full pinning.