diff --git a/.github/workflows/generate-sbom.yml b/.github/workflows/generate-sbom.yml
new file mode 100644
index 000000000..bb7b281c5
--- /dev/null
+++ b/.github/workflows/generate-sbom.yml
@@ -0,0 +1,71 @@
+name: Generate SBOM
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Version"
+ default: "main"
+ required: true
+
+env:
+ REGISTRY_URL: "https://registry.npmjs.org"
+ CDXGEN_VERSION: "11.7.0"
+
+permissions:
+ contents: read
+
+jobs:
+ generate-sbom:
+ name: Generate SBOM
+ runs-on: ubuntu-latest
+ outputs:
+ project-version: ${{ steps.version.outputs.PROJECT_VERSION }}
+ permissions:
+ packages: read
+
+ steps:
+ - name: Extract version
+ id: version
+ run: |
+ VERSION="${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.version }}"
+ echo "PROJECT_VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "Product version: $VERSION"
+
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ ref: ${{ steps.version.outputs.PROJECT_VERSION }}
+
+ - name: Setup Node SDK
+ uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+ with:
+ node-version-file: '.nvmrc'
+ registry-url: ${{ env.REGISTRY_URL }}
+
+ - name: Install cdxgen
+ run: |
+ npm install -g @cyclonedx/cdxgen@${{ env.CDXGEN_VERSION }}
+
+ - name: Generate SBOM
+ run: |
+ cdxgen -r -o bom.json --filter=examples
+
+ - name: Upload SBOM as artifact
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ with:
+ name: sbom
+ path: bom.json
+
+ store-sbom-data: # stores sbom and metadata in a predefined format for otterdog to pick up
+ needs: ["generate-sbom"]
+ uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@main
+ with:
+ projectName: "langium-workspaces"
+ projectVersion: ${{ needs.generate-sbom.outputs.project-version }}
+ bomArtifact: "sbom"
+ bomFilename: "bom.json"
+ parentProject: "9f4d61ec-852d-4270-b6f5-31c7ad58c1a4"
diff --git a/README.md b/README.md
index 1d0af61a0..acbd28026 100644
--- a/README.md
+++ b/README.md
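Review bot: The `Extract version` step expands `github.event.inputs.version` and `github.event.release.tag_name` directly inside the `run:` script (`VERSION="${{ … }}"`), so the value is substituted into the shell source before it executes and a tag or input containing shell metacharacters would be interpreted rather than treated as data. Pass it through the environment instead: add `env:` with `VERSION_INPUT: ${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.version }}` to the step and change the first script line to `VERSION="$VERSION_INPUT"` (quoting `"$GITHUB_OUTPUT"` on the following line while there). Both triggers are maintainer-controlled here, so the exposure is limited, but this is the intermediate-variable pattern GitHub's own hardening guidance recommends and it costs nothing. Separately, `store-sbom-data.yml@main` is the only mutable reference in a file that otherwise pins every action to a commit SHA; pinning it to a tag or SHA, or adding a comment explaining why `@main` is required by the eclipse-csi side, would keep the supply-chain posture consistent. Note also that the job-level `permissions: packages: read` replaces the workflow-level block rather than extending it, so `contents: read` does not apply inside `generate-sbom`; that is presumably fine for a public-repository checkout but is worth either a comment or an explicit `contents: read` in the job block.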
@@ -65,6 +65,10 @@ More complex examples are available as separate repositories in [our GitHub orga * **[lox](https://github.com/langium/langium-lox)**: Implementation of the Lox language from the popular book [Crafting Interpreters](https://craftinginterpreters.com/the-lox-language.html). * **[minilogo](https://github.com/langium/langium-minilogo)**: Implementation of a [logo](https://el.media.mit.edu/logo-foundation/what_is_logo/logo_programming.html) language dialect. Shows how to integrate Langium in the browser. +## SBOM + +To enhance supply chain security and offer users clear insight into project components, Eclipse Langium now generates a Software Bill of Materials (SBOM) for every release. These are published to the Eclipse Foundation SBOM registry, with access instructions and usage details available in this [documentation](https://eclipse-csi.github.io/security-handbook/sbom/registry.html). + ## Contributing If you want to contribute to Langium, please take a look at [our contributing guide](https://github.com/eclipse-langium/langium/blob/main/CONTRIBUTING.md).