1- name : Release npm package and container image
1+ name : Release npm package and container images
22
33on :
44 push :
@@ -132,12 +132,12 @@ jobs:
132132 - name : Attach cdx sbom
133133 run : |
134134 corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
135- node bin/cdxgen.js -t docker -o cdxgen-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen:latest
135+ node bin/cdxgen.js -t docker -o cdxgen-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
136136 node bin/verify.js -i cdxgen-oci-image.cdx.json --public-key contrib/bom-signer/public.key
137- oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen:latest ./cdxgen-oci-image.cdx.json:application/json
138- oras discover --format tree ghcr.io/cyclonedx/cdxgen:latest
137+ oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-oci-image.cdx.json:application/json
138+ oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
139+ node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
139140continue-on-error : true
140- if : startsWith(github.ref, 'refs/tags/')
141141 env :
142142 SBOM_SIGN_ALGORITHM : RS512
143143 SBOM_SIGN_PRIVATE_KEY : ${{ github.workspace }}/private.key
@@ -169,7 +169,7 @@ jobs:
169169 username : ${{ github.actor }}
170170 password : ${{ secrets.GITHUB_TOKEN }}
171171 - name : Extract metadata (tags, labels) for Docker
172- id : meta2
172+ id : meta
173173 uses : docker/metadata-action@v5
174174 with :
175175 images : |
@@ -181,8 +181,8 @@ jobs:
181181 file : ci/Dockerfile-secure
182182 platforms : linux/amd64,linux/arm64
183183 push : true
184- tags : ${{ steps.meta2 .outputs.tags }}
185- labels : ${{ steps.meta2 .outputs.labels }}
184+ tags : ${{ steps.meta .outputs.tags }}
185+ labels : ${{ steps.meta .outputs.labels }}
186186 - name : save private key to file
187187 run : |
188188 echo "$SBOM_SIGN_PRIVATE_KEY_DATA" | base64 -d > $GITHUB_WORKSPACE/private.key
@@ -191,12 +191,12 @@ jobs:
191191 - name : Attach cdx sbom
192192 run : |
193193 corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
194- node bin/cdxgen.js -t docker -o cdxgen-secure-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen-secure:latest
194+ node bin/cdxgen.js -t docker -o cdxgen-secure-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
195195 node bin/verify.js -i cdxgen-secure-oci-image.cdx.json --public-key contrib/bom-signer/public.key
196- oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen-secure:latest ./cdxgen-secure-oci-image.cdx.json:application/json
197- oras discover --format tree ghcr.io/cyclonedx/cdxgen-secure:latest
196+ oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-secure-oci-image.cdx.json:application/json
197+ oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
198+ node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
198199continue-on-error : true
199- if : startsWith(github.ref, 'refs/tags/')
200200 env :
201201 SBOM_SIGN_ALGORITHM : RS512
202202 SBOM_SIGN_PRIVATE_KEY : ${{ github.workspace }}/private.key
@@ -239,7 +239,7 @@ jobs:
239239 username : ${{ github.actor }}
240240 password : ${{ secrets.GITHUB_TOKEN }}
241241 - name : Extract metadata (tags, labels) for Docker
242- id : meta2
242+ id : meta
243243 uses : docker/metadata-action@v5
244244 with :
245245 images : |
@@ -251,8 +251,8 @@ jobs:
251251 file : ci/Dockerfile-deno
252252 platforms : linux/amd64,linux/arm64
253253 push : true
254- tags : ${{ steps.meta2 .outputs.tags }}
255- labels : ${{ steps.meta2 .outputs.labels }}
254+ tags : ${{ steps.meta .outputs.tags }}
255+ labels : ${{ steps.meta .outputs.labels }}
256256 - name : save private key to file
257257 run : |
258258 echo "$SBOM_SIGN_PRIVATE_KEY_DATA" | base64 -d > $GITHUB_WORKSPACE/private.key
@@ -261,12 +261,12 @@ jobs:
261261 - name : Attach cdx sbom
262262 run : |
263263 corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
264- node bin/cdxgen.js -t docker -o cdxgen-deno-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen-deno:latest
264+ node bin/cdxgen.js -t docker -o cdxgen-deno-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
265265 node bin/verify.js -i cdxgen-deno-oci-image.cdx.json --public-key contrib/bom-signer/public.key
266- oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen-deno:latest ./cdxgen-deno-oci-image.cdx.json:application/json
267- oras discover --format tree ghcr.io/cyclonedx/cdxgen-deno:latest
266+ oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-deno-oci-image.cdx.json:application/json
267+ oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
268+ node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
268269continue-on-error : true
269- if : startsWith(github.ref, 'refs/tags/')
270270 env :
271271 SBOM_SIGN_ALGORITHM : RS512
272272 SBOM_SIGN_PRIVATE_KEY : ${{ github.workspace }}/private.key
@@ -308,7 +308,7 @@ jobs:
308308 username : ${{ github.actor }}
309309 password : ${{ secrets.GITHUB_TOKEN }}
310310 - name : Extract metadata (tags, labels) for Docker
311- id : meta3
311+ id : meta
312312 uses : docker/metadata-action@v5
313313 with :
314314 images : |
@@ -320,8 +320,8 @@ jobs:
320320 file : ci/Dockerfile-ppc64
321321 platforms : linux/ppc64le
322322 push : true
323- tags : ${{ steps.meta3 .outputs.tags }}
324- labels : ${{ steps.meta3 .outputs.labels }}
323+ tags : ${{ steps.meta .outputs.tags }}
324+ labels : ${{ steps.meta .outputs.labels }}
325325 cache-from : type=gha,scope=cdxgen-ppc64
326326 cache-to : type=gha,mode=max,scope=cdxgen-ppc64
327327 containers-bun :
@@ -355,7 +355,7 @@ jobs:
355355 password : ${{ secrets.GITHUB_TOKEN }}
356356
357357 - name : Extract metadata (tags, labels) for Docker
358- id : meta5
358+ id : meta
359359 uses : docker/metadata-action@v5
360360 with :
361361 images : |
@@ -367,8 +367,8 @@ jobs:
367367 file : ci/Dockerfile-bun
368368 platforms : linux/amd64,linux/arm64
369369 push : true
370- tags : ${{ steps.meta5 .outputs.tags }}
371- labels : ${{ steps.meta5 .outputs.labels }}
370+ tags : ${{ steps.meta .outputs.tags }}
371+ labels : ${{ steps.meta .outputs.labels }}
372372 - name : save private key to file
373373 run : |
374374 echo "$SBOM_SIGN_PRIVATE_KEY_DATA" | base64 -d > $GITHUB_WORKSPACE/private.key
@@ -377,12 +377,12 @@ jobs:
377377 - name : Attach cdx sbom
378378 run : |
379379 corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
380- node bin/cdxgen.js -t docker -o cdxgen-bun-oci-image.cdx.json ghcr.io/cyclonedx/cdxgen-bun:latest
380+ node bin/cdxgen.js -t docker -o cdxgen-bun-oci-image.cdx.json ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
381381 node bin/verify.js -i cdxgen-bun-oci-image.cdx.json --public-key contrib/bom-signer/public.key
382- oras attach --artifact-type sbom/cyclonedx ghcr.io/cyclonedx/cdxgen-bun:latest ./cdxgen-bun-oci-image.cdx.json:application/json
383- oras discover --format tree ghcr.io/cyclonedx/cdxgen-bun:latest
382+ oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.meta.outputs.json).tags[0] }} ./cdxgen-bun-oci-image.cdx.json:application/json
383+ oras discover --format tree ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
384+ node bin/verify.js -i ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
384385continue-on-error : true
385- if : startsWith(github.ref, 'refs/tags/')
386386 env :
387387 SBOM_SIGN_ALGORITHM : RS512
388388 SBOM_SIGN_PRIVATE_KEY : ${{ github.workspace }}/private.key
0 commit comments