Release npm package and container images

Update packages #1518

Workflow file for this run

.github/workflows/npm-release.yml at d8600aa

	name: Release npm package and container images

	on:
	push:
	branches:
	- master
	- release/*
	tags:
	- 'v*'
	paths-ignore:
	- 'docs/**'
	- 'contrib/**'
	- '*.md'
	workflow_dispatch:

	env:
	REGISTRY: ghcr.io

	jobs:
	pkg:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '23.x'
	registry-url: https://registry.npmjs.org/
	- name: Trim CI agent
	run: \|
	chmod +x contrib/free_disk_space.sh
	./contrib/free_disk_space.sh
	- name: Release npm package
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	npm install --global corepack@latest
	corepack enable
	corepack pnpm install --config.strict-dep-builds=true
	npm config set //registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN
	echo "cyclonedx:registry=https://registry.npmjs.org" > ~/.npmrc
	NPM_CONFIG_PROVENANCE=true corepack pnpm publish --access=public --no-git-checks
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
	- name: jsr publish
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	npm install --global corepack@latest
	corepack enable
	corepack pnpm install --config.strict-dep-builds=true
	npx jsr publish --allow-dirty
	continue-on-error: true
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	containers-ruby-builder-amd64:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: 'ubuntu-24.04'
	outputs:
	image-uri: ghcr.io/cyclonedx/cdxgen-ruby-builder@${{ steps.build.outputs.digest }}
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen-ruby-builder
	flavor: latest=false,suffix=-amd64
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	id: build
	with:
	context: .
	file: ci/images/al10/Dockerfile.ruby-builder
	platforms: linux/amd64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- uses: cloudposse/github-action-matrix-outputs-write@v1
	id: out
	with:
	outputs: \|-
	image-uri: ghcr.io/cyclonedx/cdxgen-ruby-builder@${{ steps.build.outputs.digest }}
	containers-ruby-builder-arm64:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: 'ubuntu-24.04-arm'
	outputs:
	image-uri: ghcr.io/cyclonedx/cdxgen-ruby-builder@${{ steps.build.outputs.digest }}
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen-ruby-builder
	flavor: latest=false,suffix=-arm64
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	id: build
	with:
	context: .
	file: ci/images/al10/Dockerfile.ruby-builder
	platforms: linux/arm64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- uses: cloudposse/github-action-matrix-outputs-write@v1
	id: out
	with:
	outputs: \|-
	image-uri: ghcr.io/cyclonedx/cdxgen-ruby-builder@${{ steps.build.outputs.digest }}
	containers-ruby-builder-deploy-manifest:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ubuntu-24.04
	needs: [ containers-ruby-builder-amd64, containers-ruby-builder-arm64 ]
	outputs:
	image-uri: ghcr.io/cyclonedx/cdxgen-ruby-builder@${{ steps.build.outputs.digest }}
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- uses: docker/metadata-action@v5
	id: metadata
	with:
	images: ghcr.io/${{ github.repository }}
	- uses: int128/docker-manifest-create-action@v2
	id: build
	with:
	index-annotations: ${{ steps.metadata.outputs.labels }}
	tags: ghcr.io/cyclonedx/cdxgen-ruby-builder:master
	sources: \|
	${{ needs.containers-ruby-builder-amd64.outputs.image-uri }}
	${{ needs.containers-ruby-builder-arm64.outputs.image-uri }}
	containers:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ["self-hosted", "metal", "amd64"]
	needs: [containers-ruby-builder-deploy-manifest]
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Setup docker cache dir
	run: \|
	mkdir -p /tmp/containers-cache
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ci/Dockerfile
	platforms: linux/amd64,linux/arm64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=local,src=/tmp/containers-cache
	cache-to: type=local,dest=/tmp/containers-cache,mode=max
	- name: nydusify
	run: \|
	nydusify convert --oci --oci-ref --source ${{ steps.meta.outputs.tags }} --target ${{ steps.meta.outputs.tags }}-nydus --prefetch-dir /opt/cdxgen
	nydusify check --target ${{ steps.meta.outputs.tags }}-nydus
	if: github.ref == 'refs/heads/master'
	continue-on-error: true
	- name: Attach cdx sbom
	run: \|
	corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
	node bin/cdxgen.js -t docker -o cdxgen-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i cdxgen-oci-image.cdx.json --public-key contrib/bom-signer/public.key
	oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-oci-image.cdx.json:application/json
	oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
	continue-on-error: true
	env:
	SBOM_SIGN_ALGORITHM: RS512
	SBOM_SIGN_PRIVATE_KEY_BASE64: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
	- name: Attach cdx sbom to release
	uses: softprops/action-gh-release@v2
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	cdxgen-oci-image.cdx.json
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	containers-secure:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ["self-hosted", "metal", "amd64"]
	needs: [containers]
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Setup docker cache dir
	run: \|
	mkdir -p /tmp/containers-cache
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen-secure
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ci/Dockerfile-secure
	platforms: linux/amd64,linux/arm64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=local,src=/tmp/containers-cache
	cache-to: type=local,dest=/tmp/containers-cache,mode=max
	- name: Attach cdx sbom
	run: \|
	corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
	node bin/cdxgen.js -t docker -o cdxgen-secure-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i cdxgen-secure-oci-image.cdx.json --public-key contrib/bom-signer/public.key
	oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-secure-oci-image.cdx.json:application/json
	oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
	continue-on-error: true
	env:
	SBOM_SIGN_ALGORITHM: RS512
	SBOM_SIGN_PRIVATE_KEY_BASE64: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
	- name: Attach cdx secure sbom to release
	uses: softprops/action-gh-release@v2
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	cdxgen-secure-oci-image.cdx.json
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	containers-deno:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ubuntu-latest
	needs: [containers-ruby-builder-deploy-manifest]
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '23.x'
	registry-url: https://registry.npmjs.org/
	- uses: oras-project/setup-oras@v1
	- name: Trim CI agent
	run: \|
	chmod +x contrib/free_disk_space.sh
	./contrib/free_disk_space.sh
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen-deno
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ci/Dockerfile-deno
	platforms: linux/amd64,linux/arm64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- name: Attach cdx sbom
	run: \|
	corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
	node bin/cdxgen.js -t docker -o cdxgen-deno-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i cdxgen-deno-oci-image.cdx.json --public-key contrib/bom-signer/public.key
	oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-deno-oci-image.cdx.json:application/json
	oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
	continue-on-error: true
	env:
	SBOM_SIGN_ALGORITHM: RS512
	SBOM_SIGN_PRIVATE_KEY_BASE64: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
	- name: Attach cdx deno sbom to release
	uses: softprops/action-gh-release@v2
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	cdxgen-deno-oci-image.cdx.json
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	containers-ppc64:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '23.x'
	registry-url: https://registry.npmjs.org/
	- uses: oras-project/setup-oras@v1
	- name: Trim CI agent
	run: \|
	chmod +x contrib/free_disk_space.sh
	./contrib/free_disk_space.sh
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen-ppc64
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ci/Dockerfile-ppc64
	platforms: linux/ppc64le
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha,scope=cdxgen-ppc64
	cache-to: type=gha,mode=max,scope=cdxgen-ppc64
	containers-bun:
	if: github.repository == 'CycloneDX/cdxgen'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '23.x'
	registry-url: https://registry.npmjs.org/
	- uses: oras-project/setup-oras@v1
	- name: Trim CI agent
	run: \|
	chmod +x contrib/free_disk_space.sh
	./contrib/free_disk_space.sh
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	ghcr.io/cyclonedx/cdxgen-bun
	- name: Build and push Docker images
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ci/Dockerfile-bun
	platforms: linux/amd64,linux/arm64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- name: Attach cdx sbom
	run: \|
	corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
	node bin/cdxgen.js -t docker -o cdxgen-bun-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i cdxgen-bun-oci-image.cdx.json --public-key contrib/bom-signer/public.key
	oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-bun-oci-image.cdx.json:application/json
	oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
	continue-on-error: true
	env:
	SBOM_SIGN_ALGORITHM: RS512
	SBOM_SIGN_PRIVATE_KEY_BASE64: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
	- name: Attach cdx bun sbom to release
	uses: softprops/action-gh-release@v2
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	cdxgen-bun-oci-image.cdx.json
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Update packages #1518

Workflow file

Update packages #1518

Uh oh!

Jobs

Run details

Workflow file for this run